Jeff Lowder

Review and Critique of Generally Accepted Privacy Principles — Part 3

2.3. The Structure of GAPP

Apart from the problem of how to determine the scope of personal information, GAPP faces a further problem concerning how to interpret the overall framework. In database terminology, GAPP may be thought of as a database consisting of two tables: principles and criteria. The ‘principles table’ has two columns: a reference number (the primary key) and the text of the principle. The ‘criteria table’ has five columns: the criteria reference number (the primary key), the corresponding principle reference number (a foreign key), the text of the management criteria, illustrative controls and procedures, and additional considerations.

First, the architecture or organizational structure of the framework is unclear. The meanings of two crucial elements of the organizational structure, principles and criteria, are undefined. It seems reasonable to interpret the privacy principles as control objectives, i.e., statements of the desired result or purpose to be achieved by implementing controls. The role of criteria, on the other hand, is less clear. The AICPA and CICA write, “Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization.”[19] This suggests that the criteria function as controls, i.e., the method of implementation for one or more control objectives. Later in the same document, however, they write, “For each of the 10 privacy principles, relevant, objective, complete, and measurable criteria have been specified to guide the development and evaluation of an entity’s privacy policies, communications, and procedures and controls.”[20] This suggests the criteria play another (and complementary?) role, namely, assessment procedures, i.e., a method for testing or measuring the existence and effectiveness of controls. This ambiguity between control and assessment procedure is further reflected in the shifting name of the criteria in the GAPP Business Guide: in one place the criteria are called “management criteria” while in another they are called “measurement criteria.”[21]

