In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle. Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data. In an effort to fill that gap, the Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements,” which articulates the conditions organizations would have to meet to be accountable. The Accountability paper is the result of the Galway Accountability Project, an initiative facilitated by Ireland’s Office of the Data Protection Commissioner and co-sponsored by the OECD. As the project’s secretariat, the Centre served as principal drafter of the Accountability paper, which considers the concept of accountability as it applies in the current data environment, where data collection and use are ubiquitous, data flows are difficult or impossible to track, and jurisdictional issues abound as data crosses national borders. The Galway Project enlisted specialists from twelve countries and the participation of privacy protection agencies from Europe, Asia and North America. Consumer advocates and business representatives also took part. The Accountability paper will bring a critical international perspective to the dialogue on changing privacy law in Europe, the United States and Canada.
On Monday, November 2, Peter Hustinx, European Data Protection Supervisor, said accountability would figure prominently in the joint initiative to develop global standards led by the Spanish Data Protection Agency. Hustinx, speaking at the Privacy-By-Design preconference to the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, said that organizations will have to demonstrate they are accountable. Martin Abrams, Senior Policy Advisor and Executive Director, Centre for Information Policy Leadership at Hunton & Williams, commented that an accountable organization is responsible for understanding and mitigating the risks to individuals related to the organization’s collection and use of information, and is answerable to regulators and individuals for the effectiveness of its processes. Abrams further said that accountable organizations must demonstrate both the willingness and capacity to be accountable, and that privacy-by-design is an excellent road map for creating the mechanisms to demonstrate capacity. The Spanish Data Protection Authority is expected to release the standards and resolution of the joint initiative on Friday. The Centre announced the second phase of its work on accountability at the Madrid conference this morning.