Review and Critique of Generally Accepted Privacy Principles — Part 2

2. Critique

2.1. GAPP’s Definition of Privacy

GAPP Approach: The AICPA and CICA define privacy as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.”[1]

Critique: There are four main areas of privacy: information, bodily, territorial, and communications.[2] As shown by the AICPA and CICA definition, however, the scope of GAPP is limited to “personal information.” This is precisely what is meant by information privacy. Thus, the name of the framework is somewhat misleading insofar as it aims to provide principles for information privacy, not privacy in general.

2.2. GAPP’s Definition of Personal Information

GAPP Approach: The AICPA and CICA define personal information as “information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual.”[3] Furthermore, they provide standard examples of personal information: name; home or e-mail address; identification number; physical characteristics; and consumer purchase history. Finally, they note that some laws and regulations identify a subset of personal information as sensitive personal information and impose additional safeguarding requirements. Such data includes information on medical or health conditions, financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, and information related to offenses or criminal convictions.

Critique: Everything that the AICPA and CICA state regarding the definition of personal information is correct, as far as it goes. But their explanation of personal information is unlikely to be informative or even useful to experienced privacy professionals, since the AICPA and CICA only summarize the easy, obvious cases. They do not acknowledge, much less provide any useful guidance on, how to apply the definition of personal information to potentially ambiguous, controversial, or hard cases involving information about an identifiable individual. Indeed, criterion 1.2.3, “Personal Information Identification and Classification,” places the burden on organizations using GAPP to figure out the hard cases. Organizations clearly should have the freedom to customize a data categorization scheme. But the customization process would surely be easier if GAPP included, at least, a recommended data categorization scheme which addressed some of the more common hard cases. In this sense, the AICPA’s and CICA’s guidance on personal information is, at best, incomplete.

Post a Comment

Your email is never published nor shared. Required fields are marked *