PRINCIPLE: Accountability

DEFINITION AND DESCRIPTION:

Accountability: a demonstrable acknowledgement and assumption of responsibility for having in place appropriate policies and procedures, and promotion of good practices that include correction and remediation for failures and misconduct. It is a concept that has governance and ethical dimensions. It envisages an infrastructure that fosters responsible decision-making, engenders answerability, enhances transparency and considers liability. It encompasses expectations that organisations will report, explain and be answerable for the consequences of decisions about the protection of data. Accountability promotes implementation of practical mechanisms whereby legal requirements and guidance are translated into effective protection for data. (CIPL, 2010) Demonstrating and Measuring Accountability: A Discussion Document, http://www.huntonfiles.com/files/webupload/CIPL_Accountability_Phase_II_Paris_Project.PDF

Frameworks Where the Principle Appears

APEC: "A personal information controller should be accountable for complying with measures the above." (Paragraph 26)

OECD: "A data controller should be accountable for complying with measures which give effect to the principles stated above." (Paragraph 14)

Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements. (NSTIC)

Ombudsmen. OITF Providers must ask governments where they do business to designate independent ombudsmen whose role is to look after the interests of individual users under their respective jurisdictions, and they must ensure that the OITF is designed to allow these ombudsmen to do their job. If law requires the sharing of identity information (including biometric data, behavioral data, and social graphs) without the informed consent of the person in question, parties to the OITF who are ordered to share this information must involve the ombudsmen. (OITF WP)

A record-keeping organization shall be accountable for its personal-data recordkeeping policies, practices, and systems. (The Accountability Principle) (HHS; Section 8)

CONTROLS ASSOCIATED WITH THE PRINCIPLE

Accountability: Reporting made by the business process and technical systems which implement privacy policies to the individual or entity accountable for ensuring compliance with those policies, with optional linkages to sanctions. (ISTPA)

Privacy promises - Accountable organisations fulfil the promises stated in their privacy policies. (CIPL)

(1) Policies
(2) Executive oversight
(3) Staffing and delegation
(4) Education and awareness
(5) Ongoing risk assessment and mitigation
(6) Program risk assessment oversight and validation
(7) Event management and complaint handling
(8) Internal enforcement
(9) Redress

INTERACTIONS WITH OTHER PRINCIPLES

- Organisations are accountable for their notices

APPLIES TO INTERNAL OPERATION OR EXTERNAL PARTICIPANTS

Applied to the internal operations and actions of an organisation.