Initial Audit

To carry out your initial audit, we've adapted tools developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) based on their Generally Accepted Privacy Principles (GAPP).

GAPP converts complex privacy requirements into a single privacy objective supported by 10 privacy principles. Each principle is supported by objective, measurable criteria (73 in all) that form the basis for effective management of privacy risk and compliance.

The ten principles that comprise GAPP:

Management

The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Notice

The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

Collection

The entity collects personal information only for the purposes identified in the notice.

Use, retention and disposal

The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

Access

The entity provides individuals with access to their personal information for review and update.

Disclosure to third parties

The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

Security for privacy

The entity protects personal information against unauthorized access (both physical and logical).

Quality

The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

Monitoring and enforcement

The entity monitors compliance with its privacy policies and procedures and has procedures to address privacyrelated complaints and disputes.

Getting Started

Data Transfers

Initial Audit #

Management #

Notice #

Choice and consent #

Collection #

Use, retention and disposal #

Access #

Disclosure to third parties #

Security for privacy #

Quality #

Monitoring and enforcement #