Privacy regulators around the world are increasingly embracing the notion of accountability as a vehicle to drive privacy compliance within organisations. So far, the privacy regulators in Canada, Hong Kong, France, Australia and Colombia have issued “Accountability Guides” or “Privacy Governance Frameworks” intended to assist private sector (and in some instances, also public sector) organisations in setting up appropriate processes and procedures to ensure privacy compliance. Those documents have a lot in common and provide helpful (non-binding) guidance. In this and the next post, we will analyse those guides and extract the key takeaways for private sector organisations.
The Canadian, Hong Kong And Colombian Accountability Guides
The privacy commissioners of Canada, Alberta and British Columbia were the pioneers when they jointly issued the Guide “Getting Accountability Right with a Privacy Management Program” in April 2012.
The Hong Kong privacy commissioner followed the Canadian example in February 2014 when it issued the “Privacy Management Programme – A Best Practice Guide”. The Hong Kong Guide is modelled on the Canadian Guide and identical in many points, and so are the Colombian “Guidelines for the Implementation of the Accountability Principle” issued by the Colombian DPA in May 2015 (which, so far, are available only in Spanish).
Privacy Management Programs As The Tool To Ensure Privacy Compliance
The respective Canadian, Hong Kong and Colombian Guides all promote privacy management programs (“PMPs”) as the appropriate tool to ensure privacy compliance. According to the guides, the two key components for creating a comprehensive PMP are organisational commitment and program controls. In addition, PMPs need to be continuously assessed and revised.
Organisations need to implement an internal governance structure that fosters a culture of privacy. This requires:
- top management to strongly and actively support the PMP;
- the appointment of a data protection officer who will be responsible for designing and managing the PMP and overseeing the organisation’s privacy compliance in general (potentially supported by a team of privacy staff);
- internal reporting mechanisms which ensure that the right people (generally senior management) know how the PMP is structured and whether it is functioning as expected.
Organisations need to put in place adequate program controls to ensure that what is mandated in the governance structure is actually implemented. There is no one-size-fits-all solution as to what constitutes adequate program controls. Rather, what is adequate depends on various factors such as the organisation’s nature and size as well as the amount and sensitivity of data handled. However, generally, organisations need to run a personal data inventory mapping out their processing activities, put in place and communicate clear internal and external data protection policies/notices, conduct periodic risk assessments, adopt a privacy-by-design approach, train staff adequately, implement data breach handling procedures and put in place contractual or other mechanisms to protect personal data handled by service providers.
Assessment And Revision
Once built and implemented, a PMP needs to be maintained through ongoing monitoring, assessment and revision to ensure its ongoing effectiveness. It should never be considered a finished product.
While issued by national regulators, the respective guides are universal in scope. In the absence of guidance from their local regulators, privacy professionals from anywhere in the world looking to build PMPs that satisfy regulator expectations would do well to consult them for guidance.
Stay tuned for our next post.
National Regulator Accountability Guidance (Part 2) - The Australian And French Accountability Guides
The Australian and French privacy regulators have also respectively issued guidance on getting accountability right but take a slightly different approach compared to the Canadian, Hong Kong and Colombian regulators in that they do not expressly refer to, or promote the implementation of, privacy management programs.
The French Approach
The French data protection authority was the first European privacy regulator to release a standard outlining what accountability means in practice. The French Standard, released in January 2015, is intended to assist organisations in preparing for their future accountability obligations under the General Data Protection Regulation.
Companies that demonstrate compliance with the 25 requirements of the French Standard will be able to obtain an accountability seal certifying their compliance. The French regulator has just released (in August 2015) the standard under which private and public sector organisations may obtain privacy seals certifying their privacy governance procedures.
While the French accountability standard does not refer to privacy management programs, the requirements under the French accountability standard largely mirror those of the respective Canadian, Hong Kong and Colombian Guides. For example, they include having adequate internal and external privacy policies, appointing an adequately trained data protection officer responsible for implementing the organisation’s privacy measures, training staff on privacy issues, undertaking privacy risk assessments, creating a comprehensive map of data processing operations within the organisation, putting in place processes for dealing with complaints and enquiries, generating and retaining logs relating to security threats and adopting and implementing a crisis management plan to handle data breaches.
The Australian Approach
The Australian Privacy Management Framework promotes the idea that “good privacy management” requires organisations to implement certain key steps and commitments. It sets out the following four steps for organisations to take to ensure they practise good privacy governance and meet their compliance obligations.
Firstly, organisations should “embed a culture of privacy that enables compliance”. This requires organisations to understand their privacy obligations, allocate responsibility for privacy management to designated staff, implement reporting mechanisms, adopt a privacy-by-design approach, and develop and implement a privacy management plan (which does not appear to be the same as a PMP).
Secondly, organisations are encouraged to “establish robust and effective privacy practices, procedures and systems”. These compare to the Canadian, Hong Kong and Colombian guides’ program controls and include keeping an up-to-date personal data inventory, implementing processes which ensure compliant personal information handling practices, promoting privacy awareness within the organisation, developing and implementing good internal privacy policies, implementing risk management processes, undertaking privacy impact assessments, establishing processes for handling privacy enquiries and complaints, and developing data breach response plans.
Thirdly, organisations should “evaluate their privacy processes to ensure continued effectiveness”. In addition to regularly monitoring and reviewing their privacy processes, the Framework advises organisations to document privacy compliance and measure their performance.
As the fourth step, organisations are encouraged to “enhance their response to privacy issues”, for example, by changing privacy practices in response to the evaluation results, considering external assessments of privacy practices and monitoring and addressing new security risks and threats.
While the French and Australian regulators in their guidance documents diverge from the approach taken by the Canadian, Hong Kong and Colombian counterparts, the differences seem to lie in the form rather than in the substance.
Overall, regulators in Europe, Asia and Latin America are increasingly embracing the new and expanded meaning of the accountability principle as codified in the 2013 OECD Guidelines, which forces organisations to take a more proactive, systematic and comprehensive approach to privacy compliance. No doubt more regulators will follow those that have taken the lead on accountability guides. Organisations should keep a close eye on their national regulators. But in the absence of local guidelines, other regulators’ guides provide helpful guidance.
Contributor - Anna von Dietze