Image of calculator representing accountability as a data protection and privacy principle
The Concept of Accountability as a Privacy and Data Protection Principle

The Concept of “Accountability” as a Privacy and Data Protection Principle

The concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy, and organizational practices and is considered fundamental to privacy management. There is an emerging trend indicating that the accountability principle requires that organisations take a proactive and structured approach to privacy management through the implementation of appropriate and demonstrable privacy and data protection measures. This trend can be seen through:

  • Updates to international data protection frameworks enhancing the accountability principle;
  • National privacy laws and regulations are incorporating the concept as a matter of legal compliance, and
  • Guidelines released by national data protection regulators that explain to organizations what they need to do in practice in order to satisfy privacy and data protection obligations.

Background – Accountability Principle

The accountability principle first appeared 1980 when it was included in the original OECD Guidelines. Twenty-five years later, it was again addressed in the 2005 APEC Privacy Framework. The early mentions of the accountability principle stated that data controllers should be accountable for complying with measures which give effect to the other data protection principles (e.g. Collection Limitation and Purpose Specification).  It was understood that accountability for complying with privacy and data protection remained with the data controller, even in situations involving onward transfers (where the processing was carried out by a third-parties).

Accountability Principle Today

International data protection instruments

In 2013 the revised OECD Guidelines emerged. The accountability principle was reserved in its original form but critically a new part was added: Part Three – Implementing Accountability. This addition expanded on the accountability principle by stating that data controllers should:

  • Have in place a privacy management program (PMP);
  • Be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
  • Notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.

Part Three further provides that:

PMPs need to be tailored to the structure, scale, volume and sensitivity of the controller’s operations, integrated into the controller’s governance structure and routinely reviewed and updated and that ssential elements of PMPs include appropriate safeguards based on privacy risk assessments. The need for  mechanisms ensuring that third parties maintain appropriate safeguards when processing data on behalf of the controller and plans for responding to incidents and inquiries as well as internal oversight mechanisms were codified.

Neither the OECD Guidelines nor the APEC Framework are binding on organisations, yet they play a significant role in shaping global privacy laws and guidelines from national regulators.

National laws

In 2000, the Canadian Government adopted the Personal Information Protection and Electronic Documents Act (PIPEDA). Schedule 1 of PIPEDA sets out a number of data protection principles, the first of which is the accountability principle. Clause 4.1 identifies a variety of measures that responsible organizations must implement in order to comply with the principle of accountability (e.g. designate one or more individuals who shall be accountable for the organization’s compliance with the data protection principles and require  organizations ‘to implement policies and practices to give effect to the principles.

The EU General Data Protection Regulation (compromise text agreed to on 18 December 2015) makes several references to accountability and demonstrating compliance, including:

  • Article 5: Principles relating to personal data processing: Paragraph 1 outlines the data privacy principles which the processing of personal data must adhere to: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Paragraph 2 states that “the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”).”
  • Article 22: Responsibility of the Controller: “Taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation…”
Guidelines by National Data Protection Regulators

Many privacy and data protection regulators have published guiding principles on their expectations with regard to responsible data privacy program management. It is clear that the concept of accountability has evolved beyond strict compliance with the law to include implementing an effective privacy management program to help ensure ongoing, demonstrable compliance. The below table provides a partial overview of this regulatory guidance.

RegulatorGuidance DocumentDescription
AustraliaPrivacy Management Framework: Enabling Compliance And Encouraging Good Practice (2015)The Office of the Australian Information Commissioner (OAIC) released a privacy management framework to assist public sector organizations and private sector businesses to meet their ongoing compliance obligations and embed a culture that respects privacy. The Privacy management framework provides practical guidance on how to establish and implement a privacy management plan, including a four step approach that will help organisations protect privacy and improve their processes.
Hong KongPrivacy Management Programme, A Best Practice Guide (2014)The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) issued a Best Practice Guide for implementing a Privacy Management Programme (PMP). Apart from ensuring legal compliance, PMP demonstrates the organisation’s commitment to good corporate governance and is conducive to building trustful relationships with customers, employees, shareholders, and regulators.
CanadaGetting Accountability Right with a Privacy Management Program (2012)The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have worked together to develop this document with the goal of providing consistent guidance on what it means to be an accountable organisation.
ColombiaGuidelines for the Accountability Principle Implementation (2015)The Colombian Superintendent of Industry and Commerce has launched the Accountability Guidelines that will allow individuals and companies to create a compliant privacy program. The guidelines provide tools to produce Accountability evidence in case the authorities request it.
FranceGovernance Procedure Seal Request Form (2015)On January 13, 2015, the French DPA (the CNIL) published an accountability standard. It is divided into 25 requirements relating to the existence of both an internal privacy policy and an outward-facing privacy policy as well as the appointment of a data protection officer. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.

In Part Two of this series, we will examine how a “structured approach” to privacy management can help organisations implement an accountability strategy for privacy management, the outcome of which is compliance.