SCF Privacy Management Principles

In support of the Security & Privacy by Design (S|P) initiative, a volunteer effort created the SCF Privacy Management Principles. When you tie the broader S|P in with these privacy management principles, you have an excellent foundation for building and maintaining secure systems, applications and services that address cybersecurity and privacy considerations by default and by design. 

We saw a need and we took action, since many cybersecurity and even privacy professionals have a hard time identifying "what right looks like" when picking a set of privacy principles for an organization to align to. What we did was select sixteen (16) of the most common frameworks and create a "best in class" approach to managing privacy expectations.

The end result is the SCF's Privacy Management Principles:

[Image: SCF Privacy Management Principles]

For organizations, we found the “apples to oranges” comparison between disparate privacy frameworks was difficult for most non-privacy lawyers to understand. What this project did was identify a dozen of the leading privacy frameworks and create a set of simplified, yet comprehensive, privacy management principles. Below are the seventeen (17) different frameworks the SCF Privacy Management Principles are mapped to:

  1. AICPA’s Trust Services Criteria (TSC) SOC 2 (2017)

  2. Asia-Pacific Economic Cooperation (APEC)

  3. California Consumer Privacy Act (CCPA)

  4. European Union General Data Protection Regulation (EU GDPR)

  5. Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)

  6. Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)

  7. Generally Accepted Privacy Principles (GAPP)

  8. HIPAA Privacy Rule

  9. ISO 27701

  10. ISO 29100

  11. Nevada SB820

  12. NIST SP 800-53 R4

  13. NIST SP 800-53 R5

  14. NIST Privacy Framework v1.0

  15. Organization for Economic Co-operation and Development (OECD)

  16. Office of Management and Budget (OMB) - Circular A-130

  17. Personal Information Protection and Electronic Documents Act (PIPEDA)

We took these frameworks and looked for similarities and also for gaps. If you download the SCF Privacy Management Principles, you will see the direct mapping to these leading privacy frameworks, so you know the origin of each principle we include in our document. This will be a great tool for organizations that may have to address multiple requirements, since it brings a common language to simplify things.

The seventy-nine (79) principles of the SCF Privacy Management Principles are organized into eleven (11) domains:

  1. Privacy by Design

  2. Data Subject Participation

  3. Limited Collection & Use

  4. Transparency

  5. Data Lifecycle Management

  6. Data Subject Rights

  7. Security by Design

  8. Incident Response

  9. Risk Management

  10. Third-Party Management

  11. Business Environment