PRISM Privacy + Certified Records Storage
Privacy+ is an international certification program open to all companies providing storage and protection of hard-copy records and off-line removable computer media. Participation in Privacy+ is voluntary and allows companies to publicly demonstrate their commitment to protecting the privacy of information entrusted to them by their clients. Privacy+ certification is owned and administered by PRISM International (Professional Records & Information Services Management), also referred to herein as the “Association,” the not-for-profit trade association for the commercial information management industry. Privacy+ certification is applicable only to participating companies’ physical storage and handling of hard-copy records and off-line removable computer media.
The purposes of the Privacy+ program are to:
- Provide participants a vehicle to publicly demonstrate their commitment to ensuring the privacy of information in their custody
- Share resources and best practices to help participants reduce risks in their businesses
- Reduce the number of privacy breach incidents caused by members of our industry, thereby preserving the reputation and trusted status of our industry
- Reduce the likelihood and severity of government-imposed legislation on our industry.
Legislation and Regulation Informing Requirements
The laws, regulations and standards listed below act as privacy guidelines:
- Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA Privacy Rule
- Payment Card Industry Data Security Standard (PCI DSS)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Gramm-Leach-Bliley Act (GLBA)
- Federal Trade Commission (FTC) "Red Flags Rules"
- American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
- Family Educational Rights and Privacy Act (FERPA)
- Fair and Accurate Credit Transaction Act (FACTA)
- State information security laws including 201 CMR 17.00
- European Data Protection Directive
Business Records Storage, Management, and Shredding Services