All of the stakeholders in a data governance program bear responsibility for protecting the privacy of personal information under their care. In this video, you will learn about the ten principles of the Generally Accepted Privacy Principles (GAPP) and how data governance programs should enforce those principles.
- [Instructor] All of the stakeholders in a data governance program bear a responsibility for protecting the privacy of personal information under their care. In this video, you'll learn about the 10 principles of the Generally Accepted Privacy Principles, and how data governance programs should enforce these practices. The Generally Accepted Privacy Principles, or GAPP, were developed through a collaboration between four major industry organizations: the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), the Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA).
The first GAPP principle is management. This principle states that an organization handling private information should have policies, procedures, and a governance structure in place to protect the privacy of that information. For example, as I discussed in the last video, the organization should clearly define the roles of data owner, data steward, and data custodian. The second GAPP principle is notice. Anyone who is the subject of records maintained by the organization should receive notice of that fact, as well as access to the privacy policies and procedures followed by the organization.
The third GAPP principle is choice and consent. The organization should inform data subjects of all of their options regarding the data that they own, and obtain consent from those individuals for the collection, storage, use, and sharing of their personal information. The fourth GAPP principle is collection. The organization should only collect personal information for purposes disclosed in their privacy notices.
The fifth GAPP principle is use, retention, and disposal. When the organization collects personal information, it should only use that information for the disclosed purposes, and not use it for other reasons simply because it already has the data. Additionally, the organization should dispose of the data securely as soon as it is no longer needed for the disclosed purpose. The sixth GAPP principle is access. Organizations should provide data subjects with the ability to review and update their personal information.
The seventh GAPP principle surrounds disclosure to third parties. The organization should only share information with third parties if that sharing is consistent with the purposes disclosed in privacy notices, and the organization has the consent of the individual to share that information. The eighth GAPP principle is security. The organization must secure private information against any unauthorized access. The ninth GAPP principle is data quality.
The organization should take reasonable steps to ensure that the personal information it maintains is accurate, complete, and relevant. And the final GAPP principle is monitoring and enforcement. The organization should have a program in place to monitor compliance with its privacy policies, and provide a dispute resolution mechanism. Each of these 10 GAPP principles plays an important role in developing a comprehensive information privacy program.
Data owners should ensure that these principles are followed for each element of personal information under their control.
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.