Generally Accepted Privacy Principles (GAPP)

Professional accountant institutions in the United States and Canada collaborated to publish a document describing the Generally Accepted Privacy Principles (GAPP). The GAPP facilitate management of privacy policies and programs on a local, national and international level. Accountants, among other professionals, face a number of differing privacy legislation and regulations. The GAPP offers a comprehensive framework for designing an effective, privacy program that can be applied in a number of industries and professions.

Canadian Institute of Chartered Accountants

The Canadian Institute of Chartered Accountants (CICA) consists of about 75,000 Chartered Accountants and 12,000 students in Canada and Bermuda. Its mission is to foster public confidence in the Chartered Accountant profession. As such, the CICA carries out research into current business issues and supports setting accounting, auditing and assurance standards in business, not-for-profit organizations and government. The CICA represents the Chartered Accountant profession nationally and internationally.

American Institute of Certified Public Accountants

The American Institute of Certified Public Accountants (AICPA) has been involved with the accounting profession since 1887. It is the national, professional organization for Certified Public Accountants and it endeavors to provide members with resources, information and leadership to help them provide their services in the most professional manner. The AICPA works with state Certified Public Accountant organizations.

In order to meet its objectives, the AICPA fulfills the following functions:

  • Advocacy
  • Certification and licensing
  • Communications
  • Recruiting and education
  • Standards and performance

Generally Accepted Privacy Principles

The GAPP present a comprehensive framework that assists Chartered Accountants and Certified Public Accountants in creating an effective privacy program for managing and preventing privacy risks. It was developed through joint consultation with the CICA and the AICPA through the AICPA/CICA Privacy Task Force.

The GAPP are to be used by any organization as part of an effective privacy program. It may be used to address privacy risks, obligations and business opportunities, or by boards responsible for governance and oversight. The GAPP offer a useful resource for those who:

  • implement and manage security or privacy in an organization
  • oversee and monitor privacy and security programs
  • oversee and manage risks and compliance in an organization
  • assess compliance and audit privacy and security programs
  • regulate privacy

The GAPP were previously known as the AICPA/CICA Privacy Framework and is founded on a single privacy principle, being that personal information must be collected, used, retained and disclosed in compliance with the commitments in the entity’s privacy notice and with criteria set out in the GAPP issued by the AICPA/CICA. This privacy objective is supported by ten main principles and over seventy objectives, with associated measurable criteria.

The GAPP are crucial for the appropriate protection and management of personal data. The principles are based on internationally agreed upon fair information practices. They incorporate privacy laws and regulations from various jurisdictions around the world and encourage the implementation of good privacy practices from a business perspective.

Ten Principles

The ten Generally Accepted Privacy Principles and their criteria are:

1. Management

  • The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.
  • Criteria:
    • privacy policies define and document all ten GAPP
    • review and approval of changes to privacy policies conducted by management
    • risk assessment process in place to establish a risk baseline and regularly identify new or changing risks to personal data
    • infrastructure and systems management takes into consideration impacts on personal privacy
    • privacy awareness training

2.  Notice

  • The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used and retained.
  • Criteria:
    • communication to individuals
    • provision of notice
    • use of clear and conspicuous language

3. Choice and consent

  • The organization describes the choices available to the individual. The organization secures implicit or explicit consent regarding the collection, use and disclosure of the personal data.
  • Criteria:
    • communicating the consequences of denying/withdrawing consent
    • consent for new purposes/uses of the personal data
    • explicit consent for sensitive data
    • consent for online data transfer

4. Collection

  • Personal information is only collected for the purposes identified in the notice (see #2).
  • Criteria:
    • document and describe types of information collected and methods of collection
    • collection of information by fair and lawful means, including collection from third parties
    • inform individuals if information is developed or additional information is acquired

5. Use, retention and disposal

  • The personal information is limited to the purposes identified in the notice the individual consented to. The organization retains the personal information only for as long as needed to fulfill the purposes, or as required by law. After this period, the information is disposed of appropriately.
  • Criteria:
    • systems and procedures in place to ensure personal information is used, retained and disposed appropriately

6. Access

  • The organization provides individuals with access to their personal information for review or update.
  • Criteria:
    • confirmation of individual’s identity before access is given to personal information
    • personal information presented in understandable format
    • access provided in reasonable time frame and at a reasonable cost
    • statement of disagreement; the reason for denial should be explained to individuals in writing

7. Disclosure to third parties

  • Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.
  • Criteria:
    • communication with third parties should be made known to the individual
    • information should only be disclosed to third parties that have equivalent agreements to protect personal information
    • individuals should be aware of any new uses/purposes for the information
    • the organization should take remedial action in response to misuse of personal information by a third party

8. Security for privacy

  • Personal information is protected against both physical and logical unauthorized access.
  • Criteria:
    • privacy policies must address the security of personal information
    • information security programs must include administrative, technical and physical safeguards
    • logical access controls in place
    • restrictions on physical access
    • environmental safeguards
    • personal information protected when being transmitted (e.g. mail, internet, public or other non-secure networks)
    • security safeguards should be tested for effectiveness at least once annually

9. Quality

  • The organization maintains accurate, complete and relevant personal information that is necessary for the purposes identified.
  • Criteria:
    • personal information should be relevant for the purposes it is being used

10. Monitoring and enforcement

  • The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy-related complaints and disputes.
  • Criteria:
    • individuals should be informed on how to contact the organization with inquiries, complaints and disputes
    • formal process in place for inquires, complaints or disputes
    • each complaint is addressed and the resolution is documented for the individual
    • compliance with privacy policies, procedures, commitments and legislation is reviewed, documented and reported to management

These ten principles can be applied by organizations to establish and manage privacy programs. Developing a privacy program requires the following activities:


  • Strategizing is about long-term direction and prosperity. A strategic vision defines the organization’s culture and helps determine how the organization will interact with customers, competitors, and legal, social and ethical issues.
  • Establishing a strategy with an eye to the privacy principles helps the organization to incorporate its privacy goals.


  • This involves assessment and includes analysis of the organization’s environment, identifying where weaknesses, vulnerabilities and threats may exist.
  • At this stage, the organization evaluates itself against its privacy goals and determines to what extent the organization is currently achieving its goals and objectives.
  • As a legislative-neutral benchmark, the GAPP can allow organizations to assess its current privacy standards against its desired standards and practices.


  • This step involves developing and documenting a privacy program and action plan. It also involves all the tasks necessary to make the action plan operational.
  • At the end of this step, the organization should have the following prepared:
    • Systems, procedures, processes to address desired privacy requirements
    • Privacy compliant forms, brochures, contracts
    • Internal/external privacy awareness programs

Sustaining and Managing

  • This is the process of monitoring work to identify how the practice differs from the action plan. This gives the organization an opportunity to initiate corrective action.
  • Monitoring refers to the management policies, processes and technologies that help facilitate compliance with privacy policies.
  • The GAPP can be applied to develop necessary reporting criteria and to ensure that the parties who are receiving the information are entitled to do so.

Internal Privacy Audit

  • This provides objective assurance and consultation in order to add value and improve upon an organization’s operations.
  • Auditors can use the GAPP as a benchmark for reporting back to management.

External Privacy Audit

  • This refers to Certified Public Accountants and Chartered Accountants who perform assurance services in order to build trust and confidence for individuals, management, customers, business partners and other stakeholders.
  • Auditors can evaluate using the GAPP and provide reports.

The above principles and associated criteria offer organizations and professionals with a basis for designing, implementing, maintaining and evaluating their privacy program.


This article describes how the need for privacy protection tools and frameworks in the Chartered Accountant/Certified Public Accountant profession led to the development of a comprehensive framework for privacy policies and programs. The article outlines the ten key principles of the GAPP (Generally Accepted Privacy Principles) and explores the associated criteria and stages in the creation of an effective privacy program.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

  • Model codes and cooperation – AICPA/CICA Generally Accepted Privacy Principles (GAPP) (III.B.i.i.)

1 comment to Generally Accepted Privacy Principles (GAPP)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>