The concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy and organizational practice, and is considered fundamental to privacy management. Increasingly, the accountability principle is understood to require that organisations take a proactive and structured approach to privacy management by implementing appropriate and demonstrable privacy and data protection measures. This trend can be seen through:
Updates to international data protection frameworks that strengthen the accountability principle;
National privacy laws and regulations that incorporate the concept as a matter of legal compliance; and
Guidelines released by national data protection regulators that explain to organizations what they need to do in practice to satisfy their privacy and data protection obligations.
Background – Accountability Principle
The accountability principle first appeared in 1980, when it was included in the original OECD Guidelines. Twenty-five years later, it was again addressed in the 2005 APEC Privacy Framework. These early formulations stated that data controllers should be accountable for complying with measures which give effect to the other data protection principles (e.g. Collection Limitation and Purpose Specification). Accountability for privacy and data protection compliance was understood to remain with the data controller even in situations involving onward transfers, where the processing was carried out by third parties.
Accountability Principle Today
International data protection instruments
In 2013 the OECD Guidelines were revised. The accountability principle was retained in its original form but, critically, a new part was added: Part Three – Implementing Accountability. This addition expanded on the accountability principle by stating that data controllers should:
Have in place a privacy management program (PMP);
Be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
Notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.
Part Three further provides that:
PMPs need to be tailored to the structure, scale, volume and sensitivity of the controller’s operations, integrated into the controller’s governance structure, and routinely reviewed and updated. Essential elements of a PMP include appropriate safeguards based on privacy risk assessments, mechanisms to ensure that third parties processing data on the controller’s behalf maintain appropriate safeguards, plans for responding to incidents and inquiries, and internal oversight mechanisms.
Neither the OECD Guidelines nor the APEC Framework are binding on organisations, yet they play a significant role in shaping global privacy laws and guidelines from national regulators.
In 2000, the Canadian Government adopted the Personal Information Protection and Electronic Documents Act (PIPEDA). Schedule 1 of PIPEDA sets out a number of data protection principles, the first of which is the accountability principle. Clause 4.1 identifies a variety of measures that organizations must implement in order to comply with it, for example designating one or more individuals who are accountable for the organization’s compliance with the data protection principles, and implementing policies and practices to give effect to those principles.
The EU General Data Protection Regulation (compromise text agreed on 18 December 2015; Article 22 of that text became Article 24 in the adopted Regulation) makes several references to accountability and demonstrating compliance, including:
Article 5: Principles relating to personal data processing: Paragraph 1 outlines the data privacy principles which the processing of personal data must adhere to: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Paragraph 2 states that “the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”).”
Article 22: Responsibility of the Controller: “Taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation…”
Guidelines by National Data Protection Regulators
Many privacy and data protection regulators have published guidance on their expectations for responsible privacy program management. It is clear that the concept of accountability has evolved beyond strict compliance with the law to include implementing an effective privacy management program that helps ensure ongoing, demonstrable compliance. The following summary provides a partial overview of this regulatory guidance.
The Office of the Australian Information Commissioner (OAIC) released a Privacy Management Framework to assist public sector organizations and private sector businesses in meeting their ongoing compliance obligations and embedding a culture that respects privacy. The framework provides practical guidance on how to establish and implement a privacy management plan, including a four-step approach to help organisations protect privacy and improve their processes.
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) issued a Best Practice Guide for implementing a Privacy Management Programme (PMP). Beyond ensuring legal compliance, a PMP demonstrates the organisation’s commitment to good corporate governance and helps build trust with customers, employees, shareholders and regulators.
The Office of the Privacy Commissioner of Canada (OPC) and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia worked together to develop joint guidance, Getting Accountability Right with a Privacy Management Program, with the goal of providing consistent guidance on what it means to be an accountable organisation.
The Colombian Superintendent of Industry and Commerce has launched Accountability Guidelines that allow individuals and companies to create a compliant privacy program. The guidelines provide tools for producing evidence of accountability in case the authorities request it.
In Part Two of this series, we will examine how a “structured approach” to privacy management can help organisations implement an accountability strategy for privacy management, the outcome of which is demonstrable compliance.