Demonstrating privacy accountability
The IAPP is pleased to bring you this interview with Terry McQuay, CIPP, CIPP/C, CIPP/E, CIPP/G, president of Nymity.
IAPP: How does Nymity describe privacy accountability?
McQuay: Nymity views privacy accountability as an organization being responsible for privacy by implementing an effective privacy program, maintaining compliance and being able to demonstrate they are doing both. In other words, an organization must be responsible for personal information and be able to “account for it” within the organization and when it flows to business partners (vendors and service providers) by being able to demonstrate the status of their privacy program to internal stakeholders such as senior management and, if desired (or required), to external stakeholders such as regulators, commissioners, data protection authorities, attorneys general and business partners.
IAPP: How do the privacy principles fit this perspective?
McQuay: The accountability privacy principle was first introduced in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. It states that a “data controller should be accountable for complying with measures which give effect to the principles stated above,” referring to the privacy principles in the guideline. This makes the organization that collects the personal data responsible for the data while it or its agents have control or custody of the data.
At Nymity, we have operationalized the accountability principle since our beginning in 2002. Nymity’s team of privacy experts conducts its research using the Canadian Standards Association’s accountability privacy principle, which is included in Canada’s private-sector privacy law. This principle is more definitive than the OECD’s. One of the requirements is that the organization must designate an individual or individuals to be accountable for compliance with the principles. This shifts accountability to the individual(s) in the organization, which we generally refer to as the privacy office. At Nymity we see it’s the role and responsibility of the privacy office to demonstrate that the organization is being accountable.
Since the Canadian CSA’s accountability principle in 1995, there has been an accountability principle included in the APEC Privacy Framework, the Organization of American States Protection of Personal Data Recommendations and in the International Standards on Privacy Protection.
IAPP: Since an accountability principle from a privacy perspective has been around for a long time, why is there now a renewed look at accountability?
McQuay: The attention to accountability started about three years ago, led by Marty Abrams and the Centre for Information Policy Leadership. The centre saw a need for an added focus for data protection as consumers now have access to an unprecedented array of products, resources and services using personal information due to significant innovations in technology; rapid increases in data collection, analysis and use, and an unprecedented global flow of this information. Notice and choice alone in this increasingly complex environment were clearly no longer working as privacy principles and mechanisms. They placed an undue burden on the consumer, who clearly did not have the ability to fully understand what they were consenting to. The centre saw accountability as a way of ensuring the responsibility for data protection remains with the organization that benefits from the consumer’s data. It believes accountability formalizes the focus of privacy governance by focusing on an organization’s ability to demonstrate its capacity to achieve specified privacy objectives. The centre has a three-phased approach to the accountability discussion:
Phase 1: The centre started with a consensus whitepaper to inform the creation of better business practices and encourage responsible privacy governance. The paper is called “Data Protection Accountability: The Essential Elements - A Document for Discussion October 2009,” often referred to as the Galway project.
Phase II: On October 26, 2010, the centre released "Demonstrating and Measuring Accountability, Accountability Phase II - The Paris Project.” This paper continued the discussion as it addresses concepts, principles, methodologies and techniques that could apply across legal frameworks and cultural orientations.
Phase III of the Accountability Project will be facilitated by the Spanish Data Protection Agency in 2011. It will produce the final paper “Accountability Phase III – The Madrid Project Session on Validation.” The paper is expected this fall.
I should note that Nymity is a member of the Centre for Information Policy Leadership (CIPL). At Nymity, we see the value we can provide is to assist organizations with being accountable, or, in other words, Nymity’s focus is on implementation and, of course, Nymity’s approach to accountability is consistent and complementary to the work done at the centre.
IAPP: What are the organizational drivers for accountability?
McQuay: As Nymity sees it, there are three main drivers and benefits to being accountable.
Consumers/Business Partners
With the advances in new technologies that collect personal information, such as mobile devices, and the advances in use of individuals’ data, such as behavioral advertising, the current model of notice and choice (a consent-based model) is no longer sufficient. Many consumers do not understand the notices and organizations do not have effective mechanisms to provide notice in the new digital world. Accountability ensures the responsibility for data protection remains with the organization, to indeed be compliant with their regulations and company notices.
In today’s world it takes a group of companies, Business Partners (vendors and service providers) to deliver the unprecedented array of new products and services. Often these Business Partners span the world, creating a global flow of personal data. Accountability ensures the responsibility for data protection flows with the data from Business Partner to Business Partner and jurisdiction to jurisdiction. Naturally, an organization wants a mechanism to ensure their Business Partner is accountable and wants a cost-effective mechanism, when they are indeed the Business Partner to demonstrate their accountability to their clients.
Data protection is now often a regular part of the board of directors’ agenda. The board wants to know the state of compliance as part of their fiduciary and risk-management duties. Being able to demonstrate accountability up through the privacy office to senior management on to the board becomes that vehicle. Cost is also a driver. Early studies are showing that organizations that are able to demonstrate accountability have fewer security breaches and brand-impacting incidents, and their overall compliance and incident-management costs are lower, according to the Ponemon Institute.
Some organizations also see accountability as a comprehensive way to consolidate a multitude of privacy compliance requirements from many jurisdictions—including laws that sometimes conflict—as they focus their attention on creating and maintaining an effective privacy program. This results in a high standard of data protection that strives to encompass all compliance requirements without the need to address every specific rule. It also reduces the risks of non-compliance and demonstrates due diligence should an event occur.
Some organizations are taking steps to prepare for requests from enforcement authorities, either because of previous interaction, an enforcement action or consent decree, as a risk management strategy to reduce the probability of strong enforcement actions or for a possible regulatory requirement to demonstrate accountability to an enforcement authority.
Regulators, DPAs and commissioners look to demonstrate accountability as a means to increase overall data protection compliance in a cost-effective manner. If they were to receive some form of demonstration of accountability from organizations, either regularly or on demand, they would have a low-cost method to survey more organizations, risk-rank the results and leverage their few resources on higher risk organizations.
IAPP: What is taking place in the legislative and regulatory community from an accountability perspective?
McQuay: There is activity in most regions of the world related to accountability. Here are a few examples:
The European Union is looking to make changes to the EU Data Protection Directive or issue a regulation—or some combination thereof—and one of the proposed amendments is a new article that is referred to as the “accountability principle.” This amendment is compelling, as it states, “b) The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.”
In the United States, privacy is very active right now, with several privacy bills at both the federal and state level. Plus, in December, the Federal Trade Commission issued the Protecting Consumer Privacy in an Era of Rapid Change staff report and the Department of Commerce (DOC) Internet Policy Task Force issued its privacy green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, both of which will result in changes in privacy in the United States. Another development is the draft “Commercial Privacy Bill of Rights Act of 2011” co-sponsored by Sens. John Kerry (D-MA) and John McCain (R-AZ), which contains the following accountability principle:
SEC. 102. ACCOUNTABILITY. Each covered entity shall, in a manner proportional to the size, type, and nature of the covered information it collects—(1) have managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with this Act; (2) have a process for being responsive to non-frivolous complaint from individuals regarding the collection, use, transfer, or maintenance of their covered information; and (3) describe its programmatic means of compliance with the requirements of this Act upon request from the Commission or an appropriate safe harbor program.
This approach to privacy accountability is similar to what’s proposed in the European Union and in line with the international standards on the protection of privacy. (Madrid Resolution)
In the Asia-Pacific region, the APEC Data Privacy Sub-Group, which includes economies that border the Pacific Ocean in Asia Pacific, North and South America, is nearing completion of the Cross-Border Privacy Rules (CBPR). The CBPR include the creation of “accountability agents” in each of the joining member economies. These accountability agents will have the ability to certify an organization accountable.
In Canada, currently, there is a complaint-based privacy regime, and the federal commissioner’s office conducts investigations related to the complaint and does not assess an organization’s privacy program. In a recent speech in the context of a review of Canada’s federal private-sector privacy law, federal Privacy Commissioner Jennifer Stoddart stated, “Too many organizations are collecting too much information about too many people for us to continue to rely solely on a complaint-based system in order to assure Canadians that the organizations they deal with are accountable and compliant with PIPEDA.” She then spoke about work from the Centre for Information Policy Leadership and the proposed changes in the EU (discussed above). Changes in the federal law are unlikely in the near future, but this could mark a policy shift from her office, as we may see more on accountability from Stoddart’s office in the future. If so, proactive organizations will, as they have in the past, embrace the commissioner’s message and prepare to demonstrate accountability. Not only is there federal momentum in accountability but there is also interest provincially. Information and Privacy Commissioner for British Columbia Elizabeth Denham spoke on the matter in Madrid and Washington, DC, and Ontario Information and Privacy Commissioner Ann Cavoukian co-authored a paper with Marty Abrams entitled “Privacy by Design: Essential for Organizational Accountability and Strong Business Practices.”
IAPP: How do you distinguish between Privacy by Design and accountability?
McQuay: In the context of business practices, Nymity looks at Privacy by Design as seven principles that help an organization implement privacy into operational practices without putting unnecessary restrictions on business and ensuring privacy for the individuals. Nymity’s view is that Privacy by Design provides an organization a framework on how to develop methodologies and implement effective privacy compliant mechanisms. We believe Privacy by Design results in accountability in practice.
Nymity is a Privacy by Design Ambassador. We think demonstrating accountability requires privacy mechanisms that are effectively built according to Privacy by Design.
IAPP: What do you consider “demonstrating accountability”?
McQuay: Nymity believes that demonstrating accountability is equivalent to being able to report on the status of the organization’s privacy program against compliance requirements and privacy commitments made in its notices and policies. Our view is that there are four levels of demonstrating accountability. They are:
- Assertions: The privacy office reports the status of the privacy program based on their knowledge gained by implementing and maintaining the privacy program within the organization and its Business Partners.
- Attestations: The privacy office reports the status of the privacy program and attests to its effectiveness, possibly by conducting survey-based self-assessments from others in the organization and/or from Business Partners to attain evidence to support the assertion.
- Validation: The organization may choose to validate the status of the privacy program using a more rigorous assessment method such as an internal audit.
- Verification: The organization uses an external entity to assure the effectiveness of their privacy program and optionally to provide some form of certification or trustmark.
We realize most of the accountability discussion is currently in the verification space. At Nymity, we focus on the assertion and attestation space. We believe that an organization that can report the status of its privacy program, either as an assertion or an attestation, is more accountable than an organization that cannot. We also believe that assertions and attestations are prior steps to validation and verification.
We believe that a privacy office that reports the status of its privacy program is demonstrating accountability. We see organizations starting with the privacy office creating a report to internal stakeholders about the status of the privacy program as an assertion. Then, based on the organization’s risk and the resources available, the organization will likely implement more privacy controls, and the privacy office could conduct some form of privacy self-assessment (an attestation) of the organization and/or Business Partners and produce a new report. We believe that attestation is the next step in demonstrating accountability, as the entire organization and its Business Partners are more accountable than they were with the assertion report alone. Naturally, the next step would be to perform internal audits and potentially external validation, which are even higher levels of validation and verification—thus also demonstrating accountability.
Nymity’s four levels allow an organization to map their method of demonstrating accountability based on risk and cost. In fact, we believe that organizations with high-risk profiles will use all four levels, for example, applying external validation to the areas of high risk and conducting assertions and attestations in areas of lower risk.
IAPP: Is there a good privacy framework for assertions and attestations?
McQuay: As of last month, yes. In March, the AICPA/CICA announced their Privacy Maturity Model, which we feel is an ideal framework for reporting the status of a privacy program, as it provides a high degree of flexibility in implementation and credibility in delivery. Nymity has an agreement with AICPA and has developed a web-based Accountability Reporting Tool. As a maturity model, it provides an organization the ability to report on the status of the privacy program according to the 73 criteria from the AICPA/CICA GAPP framework in a clear manner. The maturity categories of Ad hoc, Defined, Repeatable, Managed and Optimized form the criteria for the state of the status. Their definitions allow an individual to clearly state the status of each element of their privacy program.
The flexibility of the maturity model includes:
- Deployment: It can be deployed by department, data store, division and Business Partner(s) and presented as an organizational report.
- Application: Being based on a maturity model, it reports the status of the privacy program in a business friendly, risk-based format.
- Goal Setting: As a reporting tool, it allows for the setting of goals should the organization need reports to include desired state, when applicable.
- Applicable: As a reporting tool, it takes into consideration criteria that do not apply, for example, when reporting the status of service-providers.
Its credibility is gained as the reporting tool was built using the AICPA/CICA Privacy Maturity Model, which is based on the Generally Accepted Privacy Principles. The Privacy Maturity Model has also received international endorsement from ISACA. Over time, this framework and others will grow to form a solid foundation for assertions and attestations.
IAPP: Do you believe the Privacy Maturity Models can be a tool for reporting to enforcement bodies?
McQuay: Perhaps. Nymity has partnered with an international organization to create a pilot to test this theory. We will create assertions and attestations based on the Privacy Maturity Models for a division of this organization’s business. Together, we plan to visit the Canadian commissioner’s office this spring, the offices of several DPAs in Europe during May and a few regulators in the United States in June to present the assertions/attestations for feedback. Based on these visits, we will expand our outreach and approach other enforcement bodies around the world.
The goal is twofold. One, to explore the possibility of an attestation being one of the options for demonstrating accountability to a regulator or enforcement body, and two, to assess the Privacy Maturity Model as a framework for such attestations.
Once the project is complete, we will have a much more definitive answer to this question. If any other organization would like to participate please give me a call.
IAPP: Are there other accountability initiatives Nymity is working on?
McQuay: Yes, several. We have a number of attestation pilots operational in healthcare, the public sector and private sector. Additionally, we have:
- A Demonstrating Accountability session at the IAPP Privacy Symposium, May 4-6, in Toronto, Canada
- Privacy Accountability Charts
Nymity has developed three charts that are visual aids designed to assist privacy professionals when explaining privacy compliance, privacy accountability and how Nymity can help.
- Free trials of Nymity’s New Accountability Reporting Tool
For organizations interested in better understanding the potential of producing assertions and attestation based on the AICPA/CICA Privacy Maturity Model, Nymity is providing free trials of our New Accountability Reporting tool.
- Free Demonstrating Accountability Webinars
Nymity will provide a series of accountability educational webinars starting in May. In some cases we will have guest speakers; for example, we have a co-hosted Nymity/RSA Archer webinar planned for June.
Hear more from Terry McQuay, CIPP, CIPP/C, CIPP/G, CIPP/E, at the IAPP Privacy Symposium, May 4-6, in Toronto, Canada. In the session, “Demonstrating Accountability,” Terry will join James Byrne, CIPP, associate general counsel and chief privacy officer of Lockheed Martin Corporation, and Constantine Karbaliotis, CIPP, CIPP/C, CIPP/IT, Americas privacy leader at Mercer. The charts and tables found in this interview will be handed out during this session.