The global privacy landscape is experiencing its largest shift since the European Union’s adoption of Directive 95/46/EC in 1995. The directive was foundational in establishing a privacy regime in Europe, with a global ripple effect for countries wishing to transfer data to and from the EU; examples include the enactment of the Personal Information Protection and Electronic Documents Act in Canada and negotiations between the U.S. and the EU resulting in the Safe Harbor agreement.
Many papers and initiatives in the last few years have paid more attention to the concepts of transparency and accountability. In March of 2012, the U.S. Federal Trade Commission issued a final staff report, “
,” calling for organizations to implement Privacy by Design into every stage of the development of products and services—shifting the burden away from consumers and placing obligations on businesses to treat consumer data in a responsible manner—and recommended that companies increase transparency of their data-handling practices by means of shorter and clearer privacy notices, reasonable access and providing education to consumers about commercial data privacy practices. The proposed European Commission Regulation on the Protection of Individuals with Regards to the
, released in January, requires that data controllers adopt policies and implement measures to be able to demonstrate that processing of personal data is performed in compliance with the regulation, maintain documentation of all processing operations under their responsibility and incorporate the concepts of data protection by design and default.
Canadian privacy commissioners’ paper: The next leap forward
In April, the Canadian federal privacy commissioner and the information and privacy commissioners of Alberta and British Columbia issued a paper, “
,” which significantly “moved the yardsticks” for Canadian organizations. The commissioners noted that in relation to privacy, accountability is the “acceptance of responsibility for personal information protection” and that accountable organizations must be able to “demonstrate to privacy commissioners that they have an effective, up-to-date privacy management program in place.” The ability to demonstrate—or attest—that the organization not only has a privacy management program but one which is effective and updated is an important step forward within the global privacy framework.
The commissioners’ paper identifies the building blocks companies need to put in place to be “accountable” organizations, including organizational commitment, i.e., buy-in from the top, appointment of a privacy officer and a privacy office where appropriate and internal reporting mechanisms; program controls such as a personal information inventory; internal policies that give effect to the privacy principles; conducting risk assessments; ongoing training and awareness for employees; a breach management protocol; management of service providers by means of contracts; and external privacy notices. An accountable organization must also, on an ongoing basis, assess and revise its privacy management program, including the program controls.
The above steps, where fully implemented, allow an organization to demonstrate to all relevant stakeholders, including customers, employees, privacy commissioners, etc., that it has a privacy program in place. As noted in the commissioners’ paper, “During an investigation or audit, our offices will expect that organizations can demonstrate that they have an up-to-date, comprehensive privacy program in place.” Whether or not an organization has such a program in place will inform the commissioners’ decisions as to whether the organization has reasonable safeguards in place and is complying with the accountability requirements or if the organization will require additional work to create—or update—such a program.
