diff --git a/core/migrations/0008_board_private.py b/core/migrations/0008_board_private.py new file mode 100644 index 0000000..ace315c --- /dev/null +++ b/core/migrations/0008_board_private.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.11.26 on 2020-02-11 08:38 +from __future__ import unicode_literals + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('core', '0007_pin_private'), + ] + + operations = [ + migrations.AddField( + model_name='board', + name='private', + field=models.BooleanField(default=False), + ), + ] diff --git a/core/tests/api.py b/core/tests/api.py index 4d0d424..28703ab 100644 --- a/core/tests/api.py +++ b/core/tests/api.py 
@@ -35,10 +35,55 @@ class ImageTests(APITestCase): self.assertEqual(response.status_code, 403, response.data) -class PrivacyTests(APITestCase): +class BoardPrivacyTests(APITestCase): def setUp(self): - super(PrivacyTests, self).setUp() + super(BoardPrivacyTests, self).setUp() + self.owner = create_user("default") + self.non_owner = create_user("non_owner") + + self.private_board = Board.objects.create( + name="test_board", + submitter=self.owner, + private=True, + ) + self.board_url = reverse("board-detail", kwargs={"pk": self.private_board.pk}) + self.boards_url = reverse("board-list") + + def tearDown(self): + _teardown_models() + + def test_should_non_owner_and_anonymous_user_has_no_permission_to_list_private_board(self): + resp = self.client.get(self.boards_url) + self.assertEqual(len(resp.data), 0, resp.data) + + self.client.login(username=self.non_owner.username, password='password') + resp = self.client.get(self.boards_url) + self.assertEqual(len(resp.data), 0, resp.data) + + def test_should_owner_has_permission_to_list_private_board(self): + self.client.login(username=self.non_owner.username, password='password') + resp = self.client.get(self.boards_url) + self.assertEqual(len(resp.data), 0, resp.data) + + def test_should_non_owner_and_anonymous_user_has_no_permission_to_view_private_board(self): + resp = self.client.get(self.board_url) + self.assertEqual(resp.status_code, 404) + + self.client.login(username=self.non_owner.username, password='password') + resp = self.client.get(self.board_url) + self.assertEqual(resp.status_code, 404) + + def test_should_owner_has_permission_to_view_private_board(self): + self.client.login(username=self.owner.username, password='password') + resp = self.client.get(self.board_url) + self.assertEqual(resp.status_code, 200) + + +class PinPrivacyTests(APITestCase): + + def setUp(self): + super(PinPrivacyTests, self).setUp() self.owner = create_user("default") self.non_owner = create_user("non_owner") 
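Review bot: `test_should_owner_has_permission_to_list_private_board` logs in as `self.non_owner` and asserts an empty list, so it repeats the non-owner case and the owner's ability to list their own private board is never exercised. It should log in with `self.client.login(username=self.owner.username, password='password')` and assert `self.assertEqual(len(resp.data), 1, resp.data)`, assuming `board-list` returns an unpaginated list as the existing `len(resp.data)` checks imply. Separately, none of the new tests check the return value of `self.client.login(...)`. If a login fails, the request runs anonymously and the non-owner assertions still pass, so wrapping each call in `self.assertTrue(...)` would confirm the authenticated cases really run as that user.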
diff --git a/core/views.py b/core/views.py index a23f86a..277db09 100644 --- a/core/views.py +++ b/core/views.py @@ -56,6 +56,7 @@ class BoardAutoCompleteViewSet( ordering_fields = ('-id', ) ordering = ('-id', ) pagination_class = None + permission_classes = [OwnerOnlyIfPrivate("submitter"), ] def get_queryset(self): return filter_private_board(self.request, Board.objects.all())
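Review bot: The added `permission_classes = [OwnerOnlyIfPrivate("submitter"), ]` on `BoardAutoCompleteViewSet` may not enforce anything by itself, because DRF runs object-level permission checks only from `get_object()`. If this viewset exposes only a list route (its base classes are outside the hunk), the privacy of the results rests entirely on `filter_private_board` in `get_queryset`. A comment above the line would make that explicit, e.g. `# Private boards are filtered in get_queryset(); this permission only applies on routes that call get_object().` DRF also builds permissions by calling each entry of `permission_classes`, so passing an instance relies on `OwnerOnlyIfPrivate` defining `__call__`, which is worth confirming since its definition is not shown here. The test hunk in `core/tests/api.py` covers `board-list` and `board-detail` but not the autocomplete endpoint, so a test that a non-owner's autocomplete response omits the private board would close that gap.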