GAPP & Project Management

Data privacy is an important concern in project management. The administration of a project may involve collecting, handling, or storing information from a wide variety of sources. For example, in the software consulting industry, performing a mainframe migration for a client might involve access to large quantities of data on that client’s customers and/or employees. Almost all projects will have some data elements that are considered private or confidential. This means part of the planning and administration for a project should concern how to keep data secure and ensure it is used only in appropriate ways.

What Standards Apply?

There are many standards that could be used as a framework or starting point for these policies and procedures. The Generally Accepted Privacy Principles (GAPP) developed by the AICPA is one set of standards to consider. The level of stringency with which these principles are applied should correlate to the sensitivity of the data being handled. Here is an overview of a few of these principles and how they might be applied to the project management sphere.

Privacy Management

This is the overarching strategy that is developed to safeguard sensitive data. It includes the creation of policies and procedures for the privacy program. These policies and procedures must be documented and communicated to all relevant parties. Adequate resources should be assigned to put infrastructure elements in place that help ensure the achievement of policy objectives. Accountability must be assigned to those responsible for implementing and maintaining privacy so that there are well defined consequences for program failure. The management policy must also include monitoring to identify evolving risks or any new regulations that might affect the privacy policy and practices. In project management, privacy should be discussed as it relates to both communications planning and risk management.

Collection & Use Notices

Whenever any personal identifying information or other confidential data is collected, it should be made clear why the data is being collected and how it will be used. This is typically done through the presentation of some type of notice. The notice includes the contact information for the group or individual responsible for answering questions or resolving issues regarding how private information is collected or used. For project management, the topic of confidential or proprietary information is often covered in an NDA or similar contractual document. This represents a formal agreement to follow ethical privacy practices in not disclosing a client’s confidential data to any third party without express, prior written consent. The use, retention, and eventual disposal of such data may also be addressed.

Security of Privacy

This aspect of privacy management concerns the physical, procedural, and electronic steps your organization takes to safeguard privileged project management data. It should take into consideration the potential for and consequences of accidental and deliberate destruction, unauthorized access, disclosure, or other misuse. Any administrative, physical, and technical controls put in place should include a backup plan in case the personnel authorized to access the confidential project management data become unavailable. Privacy security safeguards should be tested at least once a year to ensure they are functioning as intended.

Leave a Comment