The concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy, and organizational practices and is considered fundamental to privacy management. There is an emerging trend indicating that the accountability principle requires that organisations take a proactive and structured approach to privacy management through the implementation of appropriate and demonstrable privacy and data protection measures. This trend can be seen through:
- Updates to international data protection frameworks enhancing the accountability principle;
- National privacy laws and regulations incorporating the concept as a matter of legal compliance; and
- Guidelines released by national data protection regulators that explain to organizations what they need to do in practice in order to satisfy privacy and data protection obligations.
Background – Accountability Principle
The accountability principle first appeared in 1980, when it was included in the original OECD Guidelines. Twenty-five years later, it was again addressed in the 2005 APEC Privacy Framework. These early formulations stated that data controllers should be accountable for complying with measures that give effect to the other data protection principles (e.g. Collection Limitation and Purpose Specification). Accountability for complying with privacy and data protection obligations was understood to remain with the data controller, even in situations involving onward transfers (where the processing was carried out by third parties).
Accountability Principle Today
International data protection instruments
In 2013 the revised OECD Guidelines emerged. The accountability principle was preserved in its original form, but critically a new part was added: Part Three – Implementing Accountability. This addition expanded on the accountability principle by stating that data controllers should:
- Have in place a privacy management program (PMP);
- Be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
- Notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.
Part Three further provides that:
PMPs need to be tailored to the structure, scale, volume and sensitivity of the controller’s operations, integrated into the controller’s governance structure, and routinely reviewed and updated. Essential elements of a PMP include appropriate safeguards based on privacy risk assessments. Part Three also codifies the need for mechanisms ensuring that third parties maintain appropriate safeguards when processing data on behalf of the controller, plans for responding to incidents and inquiries, and internal oversight mechanisms.
Neither the OECD Guidelines nor the APEC Framework is binding on organisations, yet both play a significant role in shaping global privacy laws and the guidelines issued by national regulators.