Monday, 7 December 2009

Data protection, privacy - accountability, self-regulation - Galway paper

I wanted to mention the Galway accountability report, which came out in October. This post is somewhat after the event, but the paper doesn't seem to have received as much attention as I thought it would, and I decided to post the links after James Michael (Associate Senior Research Fellow, IALS and Editor of Privacy Laws & Business International) mentioned the paper in his recent talk on “Will Privacy Law in the 21st Century be European, American or International?”.

The Galway Project

The Galway Accountability Project on Commonly Accepted Elements of Privacy Accountability was convened earlier in 2009 by The Centre for Information Policy Leadership (set up by US law firm Hunton & Williams LLP) and the Irish Office of the Data Protection Commissioner, and according to the Hunton & Williams press release was also co-sponsored by the OECD (and funded by corporate participants).

Accountability is increasingly seen as perhaps the best way forward in terms of striking the right balance between individual privacy rights and corporate data protection & privacy compliance burdens.

The Galway project was intended:

"to develop a white paper articulating essential, commonly-accepted elements required of a company to establish and demonstrate accountability for its information processes".

Participants in the project deliberations included representatives from the European Data Protection Supervisor, UK Information Commissioner and other EU member state data protection authorities, the Canadian Office of the Privacy Commissioner, the US FTC, the OECD, technology corporations such as Google, Hewlett-Packard, IBM, Intel, Microsoft, Oracle, academics from e.g. MIT, and privacy advocates Privacy International.

The paper was released in October 2009 and, while the paper points out that the participants do not necessarily endorse its contents, given the expertise of those who took part in the debates, this report is clearly worthy of note.

Accountability - the essential elements

The Galway paper describes the elements of an accountability-based approach and how it differs from other current approaches, and suggests that the 5 essential elements of accountability are:

  1. Organisation commitment to accountability and adoption of internal policies consistent with external criteria;
  2. Mechanisms to put privacy policies into effect, including tools, training and education;
  3. Systems for internal, ongoing oversight and assurance reviews and external verification;
  4. Transparency and mechanisms for individual participation; and
  5. Means for remediation and external enforcement.

It suggests that the key public policy issues include:

  1. How does accountability work in currently existing legal regimes?
  2. What is the role of third-party accountability agents?
  3. How do regulators and accountability agents measure accountability?
  4. How is the credibility of enforcement bodies and third-party accountability programmes established?
  5. What are the special considerations that apply to small- and medium-sized enterprises that wish to demonstrate accountability, and how can they be addressed?

In his speech, James Michael said he saw this project for the implementation of data protection principles in the private sector as the latest bridge between the EU "legalistic" approach and the US self-regulatory approach.


©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.