This is the fourth article in a series that explores Asia-Pacific data privacy laws and litigation exposure and readiness.
As discussed in previous articles, many Asia-Pacific countries have implemented privacy statutes. While each has its own unique provisions, they tend to utilize the same core principles as the APEC Privacy Framework (2005). Corporations that operate in the region must comply with the statutes for each country in which they do business and will also want to demonstrate their commitment to the protection of personal information. To achieve these objectives, two principal assurance methods are available. The first is to become certified under a domestic privacy certification program, such as Japan’s Privacy Mark, Singapore’s voluntary system, or the various trustmark systems for Internet Web sites. The second is to undergo a privacy audit. The privacy audit can be based on the applicable domestic statutes or, for those countries that have not yet passed privacy legislation, on the privacy principles in the APEC Framework. In addition, corporations can undergo an audit based on a third-party standard, such as the Generally Accepted Privacy Principles (2009) from the American Institute of CPAs (AICPA) and Canadian Institute of Chartered Accountants (CICA), or on the information systems guidance from the Information Systems Audit and Control Association (ISACA). This article will focus on all of these options, assuming a base understanding of the Asian privacy laws explained in the March 2010 issue of the Privacy Advisor.
Privacy certifications/trustmarks
Certification
Japan’s Privacy Mark is a voluntary scheme under which businesses can achieve certification for their systems protecting personal data. Developed by the Japan Information Processing Development Corporation (JIPDEC) in 1998, it requires an independent certifier to verify compliance with the Japan Industrial Standard (JIS) Q 15001 (2006). The objectives of the Privacy Mark are to enhance consumer consciousness about personal information protection through the display of the Privacy Mark symbol and to promote appropriate handling of personal information through enhanced credibility for business operators. In the certification process, the certifier will first review the applicant’s documents offsite, then will go onsite to further review documents, perform interviews, investigate the privacy-related procedures, and provide suggested remediations. Upon resolving the material remediations, the Privacy Mark can be granted to the applicant, who may then display it prominently on the company’s Web site, envelopes, letters, contracts, and business cards. The general requirement of the JIS Q 15001 standard is to establish, implement, maintain, and improve a personal information protection management system, including policies, organizations, plans, implementations, audits, and reviews. The specific requirements are:
Personal information protection policy that addresses collection, use and disclosure, adherence to laws, prevention of loss of personal information, response to complaints, continuous improvement, and a named representative
Plan that includes an inventory of personal information, risk assessment and response, roles and responsibilities, internal procedures across a number of areas, plans for training and audits, and how to respond to loss or leakage of information
Documents, including the policy, plan, and related procedures, plus records sufficient to show the plan meets the standard
Procedures for implementation and operation, including acquisition, use and provision, controls over security, accuracy and supervision, for responding to the rights of persons identified by personal information and for educating employees
Procedures for handling complaints
Periodic internal audits, periodic management reviews, and implementation of corrective and preventive actions for identified non-conformances
More than 12,000 Privacy Mark certifications have been granted in Japan through 2009. In the Republic of Korea, the Korea Association of Information and Telecommunications (KAIT) is responsible for a similar privacy security mark system. KAIT and the Dalian Software Industry Association in China have mutual privacy mark recognition programs with Japan. In Singapore, the Model Data Protection Code (2003) is a voluntary scheme that stands in lieu of a statute. (Singapore is one of the few developed countries without a uniform privacy law.) Although based on widely accepted privacy principles, it also serves as a template to which industry-specific privacy rules may be attached. A great deal of flexibility is provided, such as the ability to exclude employment data from the rules and in defining how companies subscribe to the included privacy principles. Proper understanding of systems claiming compliance with the code includes judging whether the exceptions taken and the amount of flexibility used still provide for a complete and appropriate privacy program.
Trustmarks
The Asia-Pacific Trustmark Alliance (ATA) was created by the respective domestic trustmark owners to allow Internet e-commerce Web sites to be “instantly recognizable by end-users, not just in their domestic markets but also in the global marketplace.” This alliance creates opportunities for businesses accredited by domestic trustmark owners beyond their local markets. The regional organization currently has the following members in Asia:
Japan: EC Network (ECNetwork); Tradesafe Inc (Tradesafe)
Korea: Korea Institute for Electronic Commerce (KIEC)
Philippines: Qartas Corporation (Sure Seal)
Singapore: CommerceNet Singapore (CNSG); Consumers Assoc. of Singapore (CASE)
Taiwan: Secure Online Shopping Association (SOSA)
Thailand: Ministry of Commerce’s Department of Business Development (DBD)
Vietnam: E-commerce Development Center (EcomViet)
The ATA’s Guidelines for Trustmark Operators (2008) cover the practice areas for online merchants. One of the stated goals of these guidelines is for the trustmark operators to have the ability to act as “APEC privacy accreditation service providers” using the APEC Privacy Framework and therefore meet market demand for privacy assurance services. The practice areas are information disclosure, practices, security, privacy, alternative dispute resolution, and monitoring. In the privacy area, there are a number of requirements, based on the nine principles of the APEC Framework, which are as follows: Preventing Harm, Notice (existence, clarity, accessibility, provision), Collection Limitation (limitation, means), Uses of Personal Information, Choice (existence, clarity, accessibility), Integrity of Personal Information, Security Safeguards (existence, proportionality, review, retention), Access and Correction (confirmation, receipt, challenge, rectification, denial, challenge) and Accountability (compliance, transfer).
Privacy audits
GAPP
A privacy audit should compare a company’s actual privacy situation against a known benchmark, such as the domestic statutes in each applicable Asian country, the APEC Framework for countries without privacy statutes, or the derived superset of model corporate privacy principles (as explained in a previous article). In practice, though, the privacy principles in these statutes are typically stated at a high level. To derive a detailed audit approach, the AICPA’s/CICA’s Generally Accepted Privacy Principles (GAPP) can be used. The GAPP are formulated slightly differently from the APEC Framework privacy principles but are in essence the same principles. A combination of the GAPP plus any additional domestic statute-specific provisions should address the base privacy compliance requirements in each applicable jurisdiction. The AICPA/CICA principles allow privacy practitioners to provide either privacy advisory services or privacy audit examination services. The audit services can be performed either on management’s assertion that they maintain effective controls over the privacy of personal information in accordance with their privacy notice and GAPP, or directly on the subject matter of the privacy controls and privacy notice. The GAPP document includes a table with measurement criteria for each principle, illustrative controls and procedures, and additional considerations. This can be used both proactively when setting up the privacy controls and then during the audit itself to measure actual operational compliance of the controls and procedures with GAPP. As an example of the use of the GAPP approach, under section 2.1.1 Communication to Individuals, the measurement criterion is that notice is provided to the individual on all policies covered by the privacy principles. The controls are that the entity’s privacy notice:
describes the personal information collected, the sources of such information, and purposes for which it is collected
indicates the purpose for collecting sensitive personal information and whether such purpose is part of a legal requirement
describes the consequences, if any, of not providing the requested information
indicates that certain information may be developed about individuals, such as buying patterns
may be provided in various ways (for example, in a face-to-face conversation, in a telephone interview, on an application form or questionnaire, or electronically); however, written notice is the preferred method.
Additional considerations here include: Notice also may describe situations in which personal information will be disclosed, such as during certain processing for public security or defense purposes; for public health or safety purposes; or when allowed or required by law. The purpose described in the notice should be stated in such a manner that the individual can reasonably understand the purpose and how the personal information is to be used. Such purpose should be consistent with the business purpose of the entity and not overly broad. Consideration should be given to providing a summary-level notice with links to more detailed sections of the policy.
IS audit
Because most data is now electronic (i.e. not paper-based), the privacy audit could fall within the realm of an information system (IS) audit, so ISACA’s IS audit standards and guidelines may be appropriate. Information Systems Auditing Guideline G31 (2005) deals with how to apply privacy to an IS audit. There are a number of useful features in this guideline. One is a checklist of 21 questions that allows comparison of the differences among the privacy laws in each country. Another is a list of key controls in the areas of media reuse, training, access controls, maintenance, data integrity, physical access, and risk assessments. Finally, there is a list of considerations for the protection of personal information, which covers the following areas:
Privacy management
Risk assessment
Security audit
Deviation
Organization
Staff
Professional secrecy
Physical security
Confidentiality
Integrity
Availability
Security measures
Security toward external partners
Documentation
Awareness and training sessions
The audit itself requires that the IS auditor determine the existence of the following: a privacy policy, a privacy officer, a data controller, training and awareness plans in relation to privacy, a privacy complaint management process, a regime of privacy audits conducted against the privacy legislation, and privacy requirements for outsourcing and contractors. The auditor is required to undertake a Privacy Impact Analysis that includes the following steps:
Identifying, analyzing, and prioritizing the risk of non-adherence to privacy legislation
Understanding the various privacy measures currently in place in the organization
Assessing the weaknesses and strengths
Recommending strategies for improvement
The audit report should document the results of the privacy review, outline the scope and objectives, and provide a summary of the types of data and information collected, stored, and used by the organization. The report should include information on the privacy-related risks that the organization faces and a summary of the risk reduction measures or privacy protection strategies that exist. Weaknesses identified in the privacy review because of missing or inadequate controls should be brought to the attention of both information owners and management responsible for privacy. Any material weaknesses should be addressed immediately. Finally, the IS auditors should include appropriate recommendations for stronger privacy controls.

With the steady increase in the size and scope of privacy statutes in Asia, more effort is required to ensure compliance. Simultaneously, businesses want to increase the trust of consumers who interact with them only electronically over the Internet. When providing personal information to companies, consumers should have the confidence that their data will not be lost, disclosed, incorrectly portrayed, or improperly used. As such, privacy audits and certifications/trustmarks will play an increasingly larger role in the Asia-Pacific business landscape. Corporations that do business in Asia, either through a physical presence or electronically on the Internet, will need to consider employing both types of assurance mechanisms to have the proper foundations for consumer confidence and, therefore, continued business expansion. Businesses should enlist the expertise of legal and audit professionals skilled in Internet technologies, information security, and privacy laws and protections to get started, and then build organizations and practices to maintain these trust mechanisms. Consumer confidence may take a long time to gain but can be lost in an instant, so corporations must invest in privacy assurance to keep that trust for the long term.