10 Principles Every Privacy Policy Should Address

Target Audience: Manufacturing and Distribution Companies, M&D Industry, Manufacturing Distributors, Marketing Department Employees, Public Relations

In the course of doing business, you collect a significant amount of information that you must protect. This can be a challenge in the best of circumstances; it can be especially daunting if you do business in more than one country. Recognizing the legal risk for companies that inadvertently run afoul of domestic privacy requirements as well as foreign ones (which often are stricter than those in the United States), the American Institute of Certified Public Accountants (AICPA) developed “Generally Accepted Privacy Principles — a Global Privacy Framework.” The 10 principles provide a framework for establishing corporate privacy and security programs that may reduce your legal liability risk, tarnishment of your reputation, and loss of employee trust because of improper disclosure of personal or confidential information.

10 Principles Unveiled

The AICPA developed the principles from a business perspective, basing them on recognized good practices and the privacy laws and regulations of jurisdictions around the world. The areas that the 10 principles apply to are:

1. Management. Define, document, communicate and assign accountability for privacy policies and procedures. Your procedures should include steps to ensure that your suppliers maintain policies consistent with yours to reduce the risk that information you protect is released by third parties. In addition, periodically review your policies to keep them in line with changing business and regulatory requirements.

2. Notice. Notify relevant parties, including employees and customers, of your privacy policies and procedures. The notification should specify how and why you collect, retain and disclose personal information; the type of information you collect; and whom to contact with questions.

3. Choice and consent. Let relevant parties know they have choices with respect to the collection, use and disclosure of personal information. For sensitive information, such as medical records, people must give their permission for you to release it to a third party.

4. Collection. Collect only the information needed for the stated purpose, and confirm that third parties are doing likewise.

5. Use and retention. Use personal information only for specified purposes, and retain it only as long as it’s required for those purposes. You must have implicit or explicit consent from the individual before using any personal information.

6. Access. Tell your employees how to review, update and correct their personal information. If you deny them access or don’t accept a correction, state why in writing and describe any available recourse (such as an appeal). In most cases, employees should have access to their own information, but there are exceptions. If, for example, another person’s rights would be violated or the information is prohibitively expensive to provide, you may legitimately deny access.

7. Disclosure to third parties. Reach agreements with any third parties to which you disclose personal information, such as insurers or retirement plan managers, that the data will be protected after you release it. Also, establish procedures to ensure that personal information is disclosed only to third parties with which you have an agreement.

8. Security for privacy. Implement a procedure that restricts access to personal information stored in your facility or system and that protects the data against loss or damage. Test the effectiveness of your safeguards at least once a year. Also, check that passwords are in use for password-protected computer files and that firewalls and other protective systems are functioning properly. Internal auditors can evaluate your program using the privacy principles as a benchmark; external auditors can include nonfinancial information in the scope of their activities to identify potential problems.

9. Quality. Implement controls to ensure personal information is accurate and complete, and design procedures by which individuals may correct inaccurate or outdated information.

10. Monitoring and enforcement. Develop a complaint process to make sure every grievance is addressed. In addition, design controls that ensure you comply with all laws, regulations, service-level agreements, contracts and other applicable covenants.

Using these principles can help you manage and protect personal information internally, as well as avoid running afoul of regulations outside the country. That’s an important consideration, even for companies with limited international exposure, because some countries (including the European Union) require compliance with their data protection and privacy laws as a condition of doing business.

Outsourcing Data Concerns

If you outsource some of your processes — particularly to companies in other countries — realize that privacy policies can vary. You may outsource some responsibility for protecting personal information, but you remain accountable for your business processes. Thus, you’ll need to make sure your privacy policies remain consistent across all your processes, regardless of where the processes are being used.

Ease the Pain of Privacy Protection

The AICPA’s “Generally Accepted Privacy Principles” are applicable globally. Used as the foundation for a privacy policy that fits your operations, they can eliminate some of the headaches that come with doing business stateside and abroad.
What Types of Information to Protect?

There are several types of information you’ll need to consider in developing a comprehensive privacy policy. Personal identifiers, including names, addresses, e-mail addresses, Social Security or other identification numbers, and similar data that can be used to identify a person are one type. Another is sensitive personal information, such as medical records, financial information and union membership. You can’t readily release this information. In the case of sensitive personal information, in fact, you may need permission to do so. Also consider confidential information, such as transaction details, business plans and price lists. Even though this information isn’t protected under international privacy laws, standing contracts may require that it be maintained on a “need-to-know” basis. Without clearly defined and enforced privacy policies, you risk charges of deceptive business practices and damage to your reputation or brand name, as well as legal and regulatory sanctions.