The Meaning of “Accountability” in the Privacy Law Context

The Meaning of
“Accountability” in the
Privacy Law Context
Data Privacy Day
by Diane McLeod-McKay
Office of the Information and Privacy Commissioner of Alberta
January 28, 2013

Presentation Overview
• Meaning of “accountability”
• Guidance provided – privacy management program
framework
• Applying the framework
• Use of the framework by the Regulators
• The benefits of being able to demonstrate
accountability

Meaning of “Accountability”
In the privacy law context it means:
“…the acceptance of responsibility for personal
information protection.”
What it means in relation to meeting your obligations under
FOIP/HIA/PIPA:
• You have a privacy management program in place that is
supported, is made up of appropriate policies and procedures,
and is kept up to date
• You have the ability to demonstrate your capacity to comply
with privacy laws
• You have a privacy management program that promotes trust
and confidence

Guidance Developed
• “Getting Accountability Right with a Privacy
Management Program” developed by OPC and
OIPC BC, and OIPC AB.
• Stemmed from work being undertaken globally
to promote organizational accountability.
• Guidelines geared toward private sector but
are applicable to all sectors.

Building Blocks –
Organizational Commitment
A. Buy in from the top
• Support from the top is key to a successful privacy
management program
Role of senior management:
• Appoints a privacy officer
• Establishes a privacy office
• Works with privacy officer to establish effective
reporting

Building Blocks - Organizational
Commitment
B. Privacy Officer
• Role exists and part of decision making processes
• Role of compliance monitoring is defined and
communicated
• Responsible to develop and implement program
controls
• Responsible for ongoing assessment of program
and revision of controls

Building Blocks - Organizational
Commitment
C. Privacy Office
• Office exists and resources identified
• Roles defined
• Works to foster a culture of privacy and to
incorporate privacy into business processes
D. Reporting
• Structure established
• Reflected in program controls

Application to PIPA/HIA/FOIP
• PIPA: “organizations”
• responsible to comply with PIPA for PI in its custody or
control (5(1))
• must designate a person to be responsible for compliance
(5(3))
• HIA: “custodians”
• responsible to comply with HIA for the collection, use and
disclosure of HI (18, 25, and 31 )
• Custodians are accountable for “affiliates” (62(2))
• FOIP: “public bodies”
• responsible to provide access to all records in the custody
or control of a public body in accordance with FOIP
• responsible to comply with FOIP for the collection, use and
disclosure of personal information
• “head” has specific responsibilities

Building Blocks –
Program Controls
a) Personal information inventory
b) Policies
c) Risk assessment tools
d) Training and education requirements
e) Breach and incident management response
protocols
f) Service provider management
g) External communication

Application to PIPA/HIA/FOIP
• You need to know what you have in order to adequately protect it:
• Personal information bank directories – FOIP
• You need to develop policies and procedures to carry out the
requirements in the Acts
• An organization must develop policies and practices that are reasonable to meet
obligations – PIPA (6)
• Each custodian must establish or adopt policies and procedures that will facilitate
compliance – HIA (63)
• No specific requirement in FOIP
• You need to assess the risks of non-compliance to properly manage
them
• Custodians must prepare a privacy impact assessment – HIA (64)
• Custodians must “periodically assess” privacy safeguards against “reasonably
anticipated threats or hazards to the security and integrity – HI Reg. (8(2))
• Requirement to make reasonably security arrangements to protection PI – PIPA (34),
HIA (60), FOIP (38)

Application to PIPA/HIA/FOIP
• You need to educate your staff to ensure compliance can be achieved
• A custodian must ensure its affiliates are aware of adhere to its safeguards – HI Reg. (8(6))
• You need to establish a breach and incident response plan in order to be prepared
for a breach or an incident
• A breach involving a real risk of significant harm to an individual must be reported to the
Commissioner – PIPA (34.1)
• No specific requirement in HIA or FOIP
• You need to have a procedure to manage the risks associated with contracted
services
• an organization that engages the services of a person, whether as an agent, by contract or
otherwise, is, with respect to those services, responsible for that person’s compliance – PIPA (5(2))
• “affiliate” includes a person who performs a service for the custodian … or under a contract or
agency relationship with the custodian – HIA (1(1)(a)(ii))
• Custodians must enter into an IMA with a person who processes, stores, retrieves or disposes of PI
– HIA (66)
• “employee” includes a person who performs a service for the public body … or under a contract or
agency relationship with the public body – FOIP (1(e))
• You need to communicate to individuals
• Notice requirements in HIA and PIPA, including out of country - PIPA

Building Blocks –
Ongoing Assessment and Review
3. Oversight and Review
• Develop a plan to assess the effectiveness of your program
• What is working and what is not
• Gap analysis
• Assess your risks
• Identify the work that needs to be done to manage risks
• Establish a plan to implement changes
• Report to senior management to gain support needed to carry out
plan
• No specific requirement in the Acts
• Essential to manage risks associated with obligations

Building Blocks –
Ongoing Assessment and Review
4. Assess and Revise Program Controls
• Update PI inventory
• Revise Policies
• Treat risk assessment tools as evergreen
• Modify training and education
• Adapt breach and incident response protocols
• Fine tune service provider management
• Improve external communication
• No specific requirement in the Acts
• Essential to manage risks associated with obligations

Regulator`s Use
• Educational
• Investigations
• Alberta Order P2012-03 – used to assess whether an
organization’s policies and procedures were
adequate
• Alberta Order No. P2012-02 – used by an
organization to support its compliance with PIPA
• In BC to assess organizational accountability

The Benefits
• Reduces risks by increasing compliance
capability
• Satisfies the Regulators if you can
demonstrate compliance
• Fosters a culture of privacy
• Improves reputation and builds trust

Longer Term Benefits – “Big Data”
• “Every two days, we create as much information as we did from the
dawn of civilization up until 2003” - Eric Schmidt, former Google CEO,
Aug. 2010
• “Wal-Mart Stores Inc. handles more than 1 million customer
transactions every hour, feeding databases estimated at more than
2.5 petabytes” – The Economist, Big Data Everywhere, Feb. 2010
• By improving our ability to extract knowledge and insights from large
and complex collections of digital data, the [Big Data Research and
Development] initiative promises to help solve some the Nation’s
most pressing challenges” - Obama Administration, Mar. 2012
• “30 billion pieces of content are shared on Facebook each month”
• “Intel estimates that there will be 15 billion devices connected to the
internet by 2015” – FSN & Oracle White Paper, Mastering Big Data, 2012

“Privacy Management Program –
At A Glance” at PIPA Display Table
“Getting Accountability Right with
a Privacy Management Program”
at: www.oipc.ab.ca

Questions?