The Meaning of “Accountability” in the Privacy Law Context
The Meaning of “Accountability” in the Privacy Law Context
Data Privacy Day
by Diane McLeod-McKay
Office of the Information and Privacy Commissioner of Alberta
January 28, 2013
Presentation Overview
• Meaning of “accountability”
• Guidance provided – privacy management program framework
• Applying the framework
• Use of the framework by the Regulators
• The benefits of being able to demonstrate accountability
Meaning of “Accountability”
In the privacy law context it means:
“…the acceptance of responsibility for personal information protection.”
What it means in relation to meeting your obligations under FOIP/HIA/PIPA:
• You have a privacy management program in place that is supported, is made up of appropriate policies and procedures, and is kept up to date
• You have the ability to demonstrate your capacity to comply with privacy laws
• You have a privacy management program that promotes trust and confidence
Guidance Developed
• “Getting Accountability Right with a Privacy Management Program”, developed by the OPC, OIPC BC, and OIPC AB.
• Stemmed from work being undertaken globally to promote organizational accountability.
• Guidelines are geared toward the private sector but are applicable to all sectors.
Building Blocks – Organizational Commitment
A. Buy-in from the top
• Support from the top is key to a successful privacy management program
Role of senior management:
• Appoints a privacy officer
• Establishes a privacy office
• Works with the privacy officer to establish effective reporting
Building Blocks – Organizational Commitment
B. Privacy Officer
• Role exists and is part of decision-making processes
• Role of compliance monitoring is defined and communicated
• Responsible to develop and implement program controls
• Responsible for ongoing assessment of the program and revision of controls
Building Blocks – Organizational Commitment
C. Privacy Office
• Office exists and resources identified
• Roles defined
• Works to foster a culture of privacy and to incorporate privacy into business processes
D. Reporting
• Structure established
• Reflected in program controls
Application to PIPA/HIA/FOIP
• PIPA: “organizations”
  • responsible to comply with PIPA for PI in its custody or control (5(1))
  • must designate a person to be responsible for compliance (5(3))
• HIA: “custodians”
  • responsible to comply with HIA for the collection, use and disclosure of HI (18, 25, and 31)
  • Custodians are accountable for “affiliates” (62(2))
• FOIP: “public bodies”
  • responsible to provide access to all records in the custody or control of a public body in accordance with FOIP
  • responsible to comply with FOIP for the collection, use and disclosure of personal information
  • “head” has specific responsibilities
Building Blocks – Program Controls
a) Personal information inventory
b) Policies
c) Risk assessment tools
d) Training and education requirements
e) Breach and incident management response protocols
f) Service provider management
g) External communication
Application to PIPA/HIA/FOIP
• You need to know what you have in order to adequately protect it:
  • Personal information bank directories – FOIP
• You need to develop policies and procedures to carry out the requirements in the Acts
  • An organization must develop policies and practices that are reasonable to meet obligations – PIPA (6)
  • Each custodian must establish or adopt policies and procedures that will facilitate compliance – HIA (63)
  • No specific requirement in FOIP
• You need to assess the risks of non-compliance to properly manage them
  • Custodians must prepare a privacy impact assessment – HIA (64)
  • Custodians must “periodically assess” privacy safeguards against “reasonably anticipated threats or hazards to the security and integrity” – HI Reg. (8(2))
  • Requirement to make reasonable security arrangements to protect PI – PIPA (34), HIA (60), FOIP (38)
Application to PIPA/HIA/FOIP
• You need to educate your staff to ensure compliance can be achieved
  • A custodian must ensure its affiliates are aware of and adhere to its safeguards – HI Reg. (8(6))
• You need to establish a breach and incident response plan in order to be prepared for a breach or an incident
  • A breach involving a real risk of significant harm to an individual must be reported to the Commissioner – PIPA (34.1)
  • No specific requirement in HIA or FOIP
• You need to have a procedure to manage the risks associated with contracted services
  • An organization that engages the services of a person, whether as an agent, by contract or otherwise, is, with respect to those services, responsible for that person’s compliance – PIPA (5(2))
  • “affiliate” includes a person who performs a service for the custodian … or under a contract or agency relationship with the custodian – HIA (1(1)(a)(ii))
  • Custodians must enter into an IMA with a person who processes, stores, retrieves or disposes of PI – HIA (66)
  • “employee” includes a person who performs a service for the public body … or under a contract or agency relationship with the public body – FOIP (1(e))
• You need to communicate to individuals
  • Notice requirements in HIA and PIPA, including out-of-country notice – PIPA
Building Blocks – Ongoing Assessment and Review
3. Oversight and Review
• Develop a plan to assess the effectiveness of your program
  • What is working and what is not
  • Gap analysis
• Assess your risks
  • Identify the work that needs to be done to manage risks
  • Establish a plan to implement changes
• Report to senior management to gain the support needed to carry out the plan
• No specific requirement in the Acts
• Essential to manage risks associated with obligations
Building Blocks – Ongoing Assessment and Review
4. Assess and Revise Program Controls
• Update PI inventory
• Revise policies
• Treat risk assessment tools as evergreen
• Modify training and education
• Adapt breach and incident response protocols
• Fine-tune service provider management
• Improve external communication
• No specific requirement in the Acts
• Essential to manage risks associated with obligations
Regulator’s Use
• Educational
• Investigations
  • Alberta Order P2012-03 – used to assess whether an organization’s policies and procedures were adequate
  • Alberta Order No. P2012-02 – used by an organization to support its compliance with PIPA
  • In BC, used to assess organizational accountability
The Benefits
• Reduces risks by increasing compliance capability
• Satisfies the Regulators if you can demonstrate compliance
• Fosters a culture of privacy
• Improves reputation and builds trust
Longer Term Benefits – “Big Data”
• “Every two days, we create as much information as we did from the dawn of civilization up until 2003” – Eric Schmidt, former Google CEO, Aug. 2010
• “Wal-Mart Stores Inc. handles more than 1 million customer transactions every hour, feeding databases estimated at more than 2.5 petabytes” – The Economist, Big Data Everywhere, Feb. 2010
• “By improving our ability to extract knowledge and insights from large and complex collections of digital data, the [Big Data Research and Development] initiative promises to help solve some of the Nation’s most pressing challenges” – Obama Administration, Mar. 2012
• “30 billion pieces of content are shared on Facebook each month”
• “Intel estimates that there will be 15 billion devices connected to the internet by 2015” – FSN & Oracle White Paper, Mastering Big Data, 2012
“Privacy Management Program – At A Glance” at the PIPA Display Table
“Getting Accountability Right with a Privacy Management Program” at: www.oipc.ab.ca
Questions?