The AICPA and Canadian Institute of Chartered Accountants formed a privacy task force and developed the ten principles of the Generally Accepted Privacy Principles:
Principle 1: Management
The first principle of the Generally Accepted Privacy Principles (GAPP) is Management. This principle requires that the entity define, document, communicate, and assign accountability for its privacy polices and procedures. [More Detail]
Principle 2: Notice
The second principle of the Generally Accepted Privacy Principles (GAPP) is Notice. This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed. [More Detail]
Principle 3: Choice and Consent
The third principle of the Generally Accepted Privacy Principles (GAPP) is Choice and Consent. This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information. [More Detail]
Principle 4: Collection
The fourth principle of the Generally Accepted Privacy Principles (GAPP) is Collection. This principle requires that the entity collect personal information only for the purposes identified in the notice. [More Detail]
Principle 5: Use and Retention
The fifth principle of the Generally Accepted Privacy Principles (GAPP) is Use and Retention. This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent. [More Detail]
Principle 6: Access
The sixth principle of the Generally Accepted Privacy Principles (GAPP) is Access. This principle requires that the entity provide individuals with access to their personal information for review and update. [More Detail]
Principle 7: Disclosure to Third Parties
The seventh principle of the Generally Accepted Privacy Principles (GAPP) is Disclosure to Third Parties. This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual. [More Detail]
Principle 8: Security for Privacy
The eighth principle of the Generally Accepted Privacy Principles (GAPP) is Security for Privacy. This principle requires that the entity protect personal information against unauthorized access (both physical and logical). [More Detail]
Principle 9: Quality
The ninth principle of the Generally Accepted Privacy Principles (GAPP) is Quality. This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice. [More Detail]
Principle 10: Monitoring and Enforcement
The tenth principle of the Generally Accepted Privacy Principles (GAPP) is Monitoring and Enforcement. This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes. [More Detail]
The AICPA released a Proposed Statement on Auditing Standards for Compliance Audits (.pdf) This would replace SAS No. 74 Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance.