Generally Accepted Privacy Principles

Generally Accepted Privacy Principles (GAPP) is a framework intended to assist Chartered Accountants and Certified Public Accountants in creating an effective privacy program for managing and preventing privacy risks. The framework was developed through joint consultation between the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. It is a component of SOC 2.

The GAPP framework was previously known as the AICPA/CICA Privacy Framework, and is founded on a single privacy principle: personally identifiable information must be collected, used, retained and disclosed in compliance with the commitments in the entity's privacy notice and with criteria set out in the GAPP issued by the AICPA/CICA. This privacy objective is supported by ten main principles and over seventy objectives, with associated measurable criteria. The ten principles are:


 * 1) Management
 * 2) Notice
 * 3) Choice and consent
 * 4) Collection
 * 5) Use, retention and disposal
 * 6) Access
 * 7) Disclosure to third parties
 * 8) Security for privacy
 * 9) Quality
 * 10) Monitoring and enforcement

Privacy is defined in Generally Accepted Privacy Principles as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information."