It’s a Matter of Privacy.

MONTHLY CHECKLIST SERIES
Consumers have grown increasingly concerned about the misuse of their personal information, and regulatory bodies have been cracking down on offenders. You can see the many complaints the FTC has filed against corporations on its website at www.ftc.gov/privacy/privacyinitiatives/promises_enf.html . CPAs should advise clients or employers to familiarize themselves with the U.S. privacy laws that protect consumers’ interests (see “ E-Mail and the Law ”) and to review their privacy policies to determine whether those policies are adequate.
Here’s a questionnaire you can use to help an entity conduct an initial risk assessment of its information-handling activities. The questions are grouped into three areas: understanding what personal information the entity handles, whether a privacy program is in place, and how privacy risk is managed.

Understanding privacy
What personal information about customers and employees does the organization collect and retain?

What personal data are used in carrying out business, for example, in sales, marketing, fund raising and customer relations?

What personal information is obtained from or disclosed to affiliates or third parties, for example, in payroll outsourcing?

What is the impact of U.S. privacy laws and regulations and/or international privacy requirements on the company? (This may require a legal interpretation.)

How does the organization’s business plan address the privacy of personal information?

Implementing a privacy program
To what degree is the company’s senior management actively involved in the development, implementation and/or promotion of privacy measures within the organization?

Has the entity assigned someone (for example, a chief privacy officer) the responsibility for compliance with privacy legislation?

Has the designated privacy officer been given clear authority to oversee the company’s information-handling practices?

Are adequate resources available at the company for developing, implementing and maintaining a privacy compliance system?

What privacy policies has the organization established with respect to the collection, use, disclosure and retention of personal information?

How are the policies and procedures for managing personal information communicated to employees?

How are employees with access to personal information trained in privacy protection?

Are the forms and documents the privacy compliance system requires (for example, consent forms, privacy notices and data-handling procedures) fully developed?

Managing privacy risk
What specific objectives have been established in order to comply with the organization’s established privacy policies?

What are the consequences of not meeting the specific privacy objectives?

To what extent have appropriate control measures been identified and implemented?

How is the effectiveness of the privacy control measures monitored and reported?

What mechanisms are in place to effectively address failures to properly apply the company’s established privacy policies and procedures?

The results of the risk assessment will determine whether the entity needs to implement a privacy program or supplement an existing one, and to what extent.

Source: Adapted from “Privacy Risk Assessment Questionnaire,” Privacy Matters: An Introduction to Personal Information Protection, AICPA/CICA, 2003.