In September, we explained how privacy authorities are shifting their mindset from one that focuses on compliance and enforcement to one that requires organizations to be accountable for their information practices. Since then, there have been additional developments confirming that accountability is becoming the global paradigm of privacy regulation.
For instance, the OECD revised its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” to dictate how data controllers should implement accountability. The revisions crystallize over three decades of literature on accountability since the OECD introduced the concept to privacy law, and affirm that organizations are accountable when they take a holistic approach to information governance and can demonstrate the effectiveness of their data protection practices. Likewise, privacy authorities at the 35th International Conference of Data Protection and Privacy Commissioners approved a resolution designed to foster “greater accountability and transparency on the part of both private-sector organisations and their governments.” The importance of accountability has been a recurring theme of the annual conference since the principle was proposed as an international privacy standard in 2009.
The focus of this editorial is how organizations can successfully shift to an accountability approach to privacy compliance. As you will recall, an accountable organization takes ownership of its information practices and can demonstrate that its information governance program effectively protects personal information and minimizes the risk of privacy breaches. While the steps to achieving accountability will differ for every organization, there are three interrelated components that an organization should implement in order to be accountable:
- Management must designate at least one individual who is responsible for the organization’s privacy obligations and provide that individual with the support and resources to implement an information governance program across the organization.
- The information governance program must be based on robust, detailed and tailored legal foundations and prescribe best practices for all individuals in the organization.
- Evidence of the success and shortcomings of the information governance program must regularly be compiled and reviewed with a view to updating the program.
The necessity of these three components is corroborated by guidance documents on accountability published by EDRM, a coalition of information governance stakeholders.
Accountability Starts with Executive Responsibility and Adequate Support
Designating someone at the executive level who is responsible for your organization’s information governance program is crucial for two reasons: it signals that your organization accepts ownership of its information practices, and it is the first step toward ensuring that the information governance program is implemented consistently throughout the organization. As explained by ARMA International, a professional association of records management specialists, “[a]dherence to formal information governance policies and procedures that have been approved by senior management is essential to an organization’s ability to achieve legal and regulatory compliance. If formal support has not been obtained, records may be at risk of not being accepted as having evidentiary value.”
It is not enough for an organization to establish a token privacy department without providing it with the support and resources to implement accountable policies and procedures. When deciding how much support to provide, bear in mind that implementing an information governance program based on accountability is generally less costly than taking an ad hoc, reactive approach to compliance requirements. Temporary and patchwork solutions fall apart when laws evolve, while an organization that takes a holistic approach based on global best practices can be confident that most changes in the law will not require substantial and costly modifications to its information practices.
An Information Governance Program based on Global Best Practices Minimizes Privacy Risks
One of the differences between the old regulatory paradigm of prescribing discrete legal requirements and the new paradigm based on accountability is that the latter expects organizations to assess and minimize the privacy risks of their operations, even where no specific legal obligation addresses the risk at issue. As the OECD’s revised Guidelines explain, organizations should establish “a privacy management programme that … provides for appropriate safeguards based on privacy risk assessment,” and “the determination of the necessary safeguards should be made through a process of identifying, analysing and evaluating the risks to individuals’ privacy.” To meet these expectations, organizations should model their information practices on a set of global best practices that rest on solid legal foundations and are designed to minimize privacy risks, instead of simply covering off discrete legal requirements on a jurisdiction-by-jurisdiction basis.
For example, one common issue relates to developing policies and procedures surrounding the digitization of hard-copy records. The legislation of many jurisdictions permits such digitization by providing that electronic reproductions of records have the same legal status as hard-copy records, except with respect to certain types of records. In digitizing records and developing a system to organize them, a recognized best practice is that the “scanned image file should be indexed using appropriate metadata and stored in a system that can be accessed by authorized parties.” Indexing electronic records with metadata is not prescribed by legislation, but it is properly a best practice: the metadata gives the storage system the information it needs to restrict each image to the people who are authorized to see it, and it is a cost-effective way to maintain the integrity of electronic records by recording what each record is, where it came from and whether it has been altered.
To Demonstrate Accountability, Compile Evidence and Use It to Improve the Organization
Another crucial difference between the old and new regulatory regime is the emphasis on being able to demonstrate accountability. To achieve this, an organization must implement mechanisms that ensure that it is regularly compiling evidence of its information governance program’s performance. Such mechanisms should again be modelled on global best practices, such as the recommendation to establish a “documented privacy incident and breach management program that includes … periodic testing.” In the event of a privacy audit, records of these reviews constitute the most readily available cache of documentation that can be used to demonstrate accountability.
Achieving accountability also entails acting on the results of these reviews in a productive manner. Updates to your information governance program are necessary where the results indicate that preventable privacy breaches or leaks have taken place. Comparing your information practices and the effectiveness of your information safeguards against established benchmarks and comparable organizations will also enable management to determine whether, and to what extent, improvements to your information governance program are necessary.
When considering how best to prepare for a future in which accountability is the global standard to which organizations are held, put yourself in the shoes of a privacy authority and ask whether your organization’s policies, procedures and practices would assure you that it successfully protects personal information. We have shared several key steps that can help your organization ensure that this question is answered in the affirmative. Doing so will, in turn, help your organization engender trust among its partners and bolster its business opportunities.