SCF Privacy Management Principles

In support of the Security & Privacy by Design (S|P) initiative, a volunteer effort created the SCF Privacy Management Principles. When you combine the broader S|P initiative with these privacy management principles, you have a solid foundation for building and maintaining secure systems, applications and services that address cybersecurity and privacy considerations by default and by design.

We saw a need and took action, since many cybersecurity and even privacy professionals have a hard time identifying "what right looks like" when picking a set of privacy principles for an organization to align to. What we did was select seventeen (17) of the most common frameworks and create a "best in class" approach to managing privacy expectations.

The end result is the SCF's Privacy Management Principles:

[Image: SCF Privacy Management Principles]

For organizations, we found the "apples to oranges" comparison between disparate privacy frameworks was difficult for most non-privacy lawyers to understand. What this project did was identify the leading privacy frameworks and distill them into a set of simplified, yet comprehensive, privacy management principles. Below are the seventeen (17) frameworks the SCF Privacy Management Principles are mapped to:

  1. AICPA’s Trust Services Criteria (TSC) SOC 2 (2017)

  2. Asia-Pacific Economic Cooperation (APEC)

  3. California Consumer Privacy Act (CCPA)

  4. European Union General Data Protection Regulation (EU GDPR)

  5. Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)

  6. Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)

  7. Generally Accepted Privacy Principles (GAPP)

  8. HIPAA Privacy Rule

  9. ISO 27701

  10. ISO 29100

  11. Nevada SB820

  12. NIST SP 800-53 R4

  13. NIST SP 800-53 R5

  14. NIST Privacy Framework v1.0

  15. Organization for Economic Co-operation and Development (OECD)

  16. Office of Management and Budget (OMB) - Circular A-130

  17. Personal Information Protection and Electronic Documents Act (PIPEDA)

We took these frameworks and looked for similarities as well as gaps. If you download the SCF Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This is a useful tool for organizations that have to address multiple requirements at once, since it brings a common language that simplifies things.

The seventy-nine (79) principles of the SCF Privacy Management Principles are organized into eleven (11) domains:

  1. Privacy by Design

  2. Data Subject Participation

  3. Limited Collection & Use

  4. Transparency

  5. Data Lifecycle Management

  6. Data Subject Rights

  7. Security by Design

  8. Incident Response

  9. Risk Management

  10. Third-Party Management

  11. Business Environment

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user.


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2019. Secure Controls Framework Council, LLC