
The Concept of “Accountability” as a Privacy and Data Protection Principle

The concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy, and organizational practice, and is now considered fundamental to privacy management. The emerging consensus is that the accountability principle requires organizations to take a proactive and structured approach to privacy management, by implementing privacy and data protection measures that are both appropriate and demonstrable. This trend can be seen in:

  • Updates to international data protection frameworks that strengthen the accountability principle;
  • National privacy laws and regulations that incorporate the concept as a matter of legal compliance; and
  • Guidance issued by national data protection regulators that explains to organizations what they need to do in practice to satisfy their privacy and data protection obligations.

 

Background – Accountability Principle

The accountability principle first appeared in 1980, when it was included in the original OECD Guidelines. Twenty-five years later, it was addressed again in the 2005 APEC Privacy Framework. These early formulations stated that data controllers should be accountable for complying with the measures that give effect to the other data protection principles (e.g. Collection Limitation and Purpose Specification). It was understood that accountability for complying with privacy and data protection obligations remained with the data controller, even in situations involving onward transfers (where the processing was carried out by third parties).

 

Accountability Principle Today

International data protection instruments

In 2013 the revised OECD Guidelines were published. The accountability principle itself was retained in its original form, but critically a new part was added: Part Three – Implementing Accountability. This addition expanded on the accountability principle by stating that data controllers should:

  • Have in place a privacy management program (PMP);
  • Be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
  • Notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.

Part Three further provides that:

PMPs need to be tailored to the structure, scale, volume and sensitivity of the controller’s operations, integrated into the controller’s governance structure, and routinely reviewed and updated. Essential elements of a PMP include appropriate safeguards based on privacy risk assessments; mechanisms ensuring that third parties maintain appropriate safeguards when processing data on behalf of the controller; plans for responding to incidents and inquiries; and internal oversight mechanisms. Part Three codified each of these elements.

Neither the OECD Guidelines nor the APEC Framework are binding on organisations, yet they play a significant role in shaping global privacy laws and guidelines from national regulators.

Teresa Troester Falk

Chief Global Privacy Strategist at Nymity
Leading Nymity’s global privacy strategy, Teresa Troester-Falk is a thought leader in the privacy industry. An accomplished privacy professional (CIPP/US), lawyer, and leader in managing and integrating complex data privacy compliance issues and strategy, Teresa is an expert in cross-border data transfers and the challenges faced by the privacy office.
