Centre for Information Policy Leadership

Accountability-Based Privacy Governance

In its first year, the Accountability Project articulated the essential elements that an organisation must adopt to be accountable. It stated that an organisation demonstrates commitment to accountability, implements data privacy policies linked to recognized external criteria and implements mechanisms to promote responsible decisions about the management and protection of data. Such external criteria include applicable law and regulation, and recognized external guidelines. The Project’s first year established that to be accountable, an organisation should design and implement comprehensive data and privacy protection programmes based on analysis of the risks data use raises for individuals and on responsible decisions about how those risks can be appropriately mitigated.

In its second year, the Project proposed the fundamental conditions that an organisation should put in place and be able to demonstrate to regulators. It further considered how, and under what circumstances, regulators, data protection authorities and their designated agents would measure accountability. The Project anticipated that organisations and regulators must be able to implement and measure the fundamentals in a manner suitable for the organisation, its business model and the way it collects, uses and stores data.

In year three, the Project considered accountability as an approach to privacy and data protection required and implemented across the marketplace, and articulated the benefits that would accrue to individuals, the market and organisations as a result. While in such a model all organisation would adopt accountability, the Project identified instances in which an organisation might seek recognition of its accountability. It also described under what circumstances organisations would be required to demonstrate their accountability, and what that demonstration would entail.

When the Project continued into its fourth year in 2012, accountability had emerged as a recognized approach to privacy and data protection. The European Commission had proposed a data protection regulation that would apply across European Union member countries and in which accountability played a critical role. The Privacy Commissioners of Alberta and British Columbia in Canada had released a document articulating what data protection authorities would expect of organisations under an accountability approach. The Organisation for Economic Cooperation and Development is considering possible revisions to the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, among them a more fully developed description of the principle of accountability. The Asia-Pacific Economic Cooperation forum (APEC) finalized its Cross-Border Privacy Rules system, an accountability-based code of conduct for businesses in the APEC region.

In light of the evolution of accountability into an accepted, practical approach to privacy and data protection, the Accountability Project set as a goal development of a tool that would assist organisations in evaluating the steps they have taken internally to establish the conditions for accountability and in demonstrating them to data protection authorities or their recognized third-party agents.

Phase V of the Accountability Project to be carried out in 2013. Phase V will focus on the element of risk and how to apply accountability in environments such as the public cloud and mobile.

The Inspector General for Personal Data Protection (GIODO) will serve as the facilitator of the Project.