From the introduction to the paper (pdf):
Professor Paul A. Schwartz recently wrote:
“Companies are now putting internal policies in place, centered on forward looking rules of information management and training of personnel. Such policies are, at the very least, a necessary precondition for an effective accountability regime that develops a high level of privacy protection.”1
An accountability-based regulatory structure is one where organizations are charged with societal objectives, such as using information in a manner that maintains individual autonomy and protecting the individual from social, financial and physical harms that might come from the mismanagement of information, while leaving the actual mechanisms for achieving those objectives to the organization. One of the best conceptual models for building in the types of controls suggested by Professor Schwartz is Privacy by Design. The best-in-class companies in Schwartz’s study, “Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment,” are using Privacy by Design concepts to build business processes that use personal information robustly with clear privacy-protective controls built into every facet of the business process. In other words, Privacy by Design and accountability go together in much the same way that innovation and productivity go together.
Accountability is the governance model that is based on organizations taking responsibility for protecting privacy and information security appropriately and protecting individuals from the negative outcomes associated with privacy-protection failures. Accountability was first framed as a privacy principle in the OECD Privacy Guidelines.
The Centre for Information Policy Leadership at Hunton & Williams LLP has recently acted as secretariat for the Galway project that defined the essential elements of accountability.
The conceptual model, Privacy by Design, was developed by Ontario Privacy Commissioner Ann Cavoukian in the 1990s to address the development of technologies, but she has since expanded it to include business processes.2
Hewlett Packard is in the midst of implementing an accountability tool built on both accountability principles and the key concepts of Privacy by Design. HP’s accountability tool is an example of the trend described by Professor Schwartz.
This paper discusses the essential elements of accountability and the Privacy by Design principles, and provides an example of a control process that uses the principles to implement the essential elements.