CASE $9-2$ Generally Accepted Privacy Principles

Obtain a copy of Generally Accepted Privacy Principles

from the AICPA's website $($

www$.$aicpa.org$).$ Use it to

answer the following questions:

What is the difference between confidentiality and

privacy?

How many categories of personal information ex$-$

ist? Why?

In terms of the principle of choice and consent,

what does GAPP recommend concerning opt$-$in

versus opt$-$out?

Can organizations outsource their responsibility for

privacy?

What does principle $1$ state concerning top manage$-$

ment's and the board of directors' responsibility for

privacy?

What does principle $1$ state concerning the use of

customers' personal information when organiza$-$

tions test new applications?

Obtain a copy of your university's privacy policy

statement. Does it satisfy GAPP criterion $2\mathrm{.}2\mathrm{.}3?$

Why?

What does GAPP principle $3$ say about the use of

cookies?

What are some examples of practices that violate

management criterion $4\mathrm{.}2\mathrm{.}2?$

What does management criterion $5\mathrm{.}2\mathrm{.}2$ state

concerning retention of customers' personal in$-$

formation? How can organizations satisfy this

criterion?

What does management criterion $5\mathrm{.}2\mathrm{.}3$ state con$-$

cerning the disposal of personal information? How

can organizations satisfy this criterion?

What does management criterion $6\mathrm{.}2\mathrm{.}2$ state con$-$

cerning access? What controls should organizations

use to achieve this objective?

According to GAPP principle $7,$ what should orga$-$

nizations do if they wish to share personal informa$-$

tion they collect with a third party?

What does GAPP principle $8$ state concerning the

use of encryption?

What is the relationship between GAPP principles

$9$ and $10?$