About the Privacy+ Program

Privacy+ is an international certification program open to all companies providing outsourced storage and protection of hard-copy records and off-line removable computer media. Participation in Privacy+ is voluntary and allows companies to publicly demonstrate their commitment to protecting the privacy of information entrusted to them by their clients. Privacy+ certification is owned and administered by PRISM International (Professional Records & Information Services Management), also referred to herein as the “Association,” the not-for-profit trade association for the commercial information management industry. Privacy+ certification is applicable only to participating companies’ physical storage and handling of hard-copy records and off-line removable computer media. Without limitation, Privacy+ is not applicable to related services such as document imaging, shredding services, or any form of cloud storage. The purposes of the Privacy+ program are to

  • provide participants a vehicle to publicly demonstrate their commitment to ensuring the privacy of information in their custody
  • share resources and best practices to help participants reduce risks in their businesses
  • reduce the number of privacy breach incidents caused by members of our industry, thereby
    • preserving the reputation and trusted status of our industry
    • reducing the likelihood and severity of government-imposed legislation on our industry.

Legislation and Regulation Informing Requirements

The laws, regulations and standards listed below act as privacy guidelines:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • HIPAA Privacy Rule
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOX)
  • Federal Trade Commission (FTC) "Red Flags Rules"
  • American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
  • Family Educational Rights and Privacy Act (FERPA)
  • Fair and Accurate Credit Transaction Act (FACTA)
  • State information security laws including 201 CMR 17.00
  • European Data Protection Directive