Protecting Privacy – Meld best practices into your policy and procedures
Privacy Bill of Rights calls up online transactions
One of the most recent national developments in privacy protection comes from the White House. The Obama administration drafted the Consumer Privacy Bill of Rights (CPBR) as a blueprint for protecting consumers online in the digital age.
Unveiled last February, the document applies to both nonprofits and for-profit businesses and is meant to improve consumers’ control over how their personal information is used on the Internet. Concurrently, it aims to help businesses maintain consumer trust and grow Internet commerce. It focuses on such “rights” as security, transparency, access and accuracy.
The White House has asked the U.S. Department of Commerce to begin convening companies, privacy advocates and other stakeholders to develop and implement enforceable privacy policies based on the document. In July, the National Telecommunications and Information Administration held the first in a series of meetings designed to enforce the CPBR; its topic was mobile applications and data processing.
GAPP provides principles
Another authority for nonprofits that are creating — or reevaluating — their privacy policies and procedures is the American Institute of Certified Public Accountants’ Generally Accepted Privacy Principles (GAPP). Revised in 2010, the principles overlap with the CPBR and are organized into 10 areas:
1. Management. The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
3. Choice and consent. The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information.
6. Access. The organization provides individuals with access to their personal information for review and updating.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security. The organization protects personal information against unauthorized access.
9. Quality. The organization maintains accurate, complete and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and puts in place procedures to address privacy-related complaints and disputes.
Follow-up is crucial
Information about the Consumer Privacy Bill of Rights can be found here, including a fact sheet. Visit for a detailed report, Consumer Data Privacy in a Networked World.
The American Institute of Certified Public Accountants’ Privacy Maturity Model provides specifics about establishing and evaluating privacy policies and procedures under Generally Accepted Privacy Principles (GAPP), as well as related articles and a listing of other resources.
At the U.S. Department of Health and Human Services website, you can find information on the Health Insurance Portability and Accountability Act (HIPAA) that addresses the security and privacy of health data in health care systems under its “administrative simplification” provisions.