University of Strathclyde

Privacy Accountability Management Framework for Data Controllers Operating across Asia

by Henry Chang

July 2014

A dissertation submitted to the Law School, University of Strathclyde, for the partial fulfilment of the requirements of the degree of LLM in Internet Law and Policy

Dissertation supervisor: Professor Lilian Edwards

Preface

Copyright

The copyright of this dissertation belongs to the author under the terms of the United Kingdom Copyright Acts as qualified by the University of Strathclyde Regulation 3.51. Due acknowledgement must always be made of the use of any material contained in, or derived from, this dissertation.

Originality

I certify that to the best of my knowledge any help received in preparing this work, and all sources used, have been acknowledged in this dissertation. The original version of this dissertation was submitted in July 2014 to the Law School of Strathclyde University and has been marked with distinction. This version of the dissertation has been editorially touched up to improve readability. The author wishes to thank Meaghan McCluskey of Nymity for providing the editorial advice. A minor point in the Introduction has also been corrected. However, none of the editing work has changed the material contents of this dissertation. A marked-up copy showing the difference between this version and the originally submitted version can be found here: http://goo.gl/s6tJ0B


Abstract

For data controllers operating across Asian jurisdictions that have data protection laws, the adoption of a privacy management programme, through the use of a privacy accountability framework, could demonstrate to privacy regulators and customers their commitment to the protection of personal data, and earn their trust. However, many of the available privacy accountability frameworks pre-date the majority of Asian data protection laws, so it is unclear how suitable they are for data controllers operating across Asia. This dissertation therefore seeks to answer the question “If a data controller is to implement accountability, which accountability framework, with or without modifications, can be practically deployed by data controllers operating across Asian jurisdictions?” The study examined six privacy accountability frameworks available in the public domain, selected the Nymity Accountability Framework as the most credible, practical and relevant framework, and compared it with the data protection laws of nine Asian jurisdictions to identify gaps. With a view to improving its user-friendliness to Asian data controllers, who are often new to data protection legislation, the framework was then further analysed for improvements in terms of manageability and wording. The result of the study is a number of proposals believed to make the framework more readily applicable to data controllers operating across Asia.


Table of Contents

Preface ..... i
Abstract ..... ii
Table of Contents ..... iii
List of Tables ..... vi
1. Introduction ..... 1
1.1. Overview to the study ..... 1
1.2. Introduction to Chapter One ..... 2
1.3. Data protection laws and accountability frameworks ..... 2
1.4. Gap analysis with Asia data protection laws ..... 4
1.5. Modifications to the Nymity Framework ..... 5
1.6. Findings and suggested further studies ..... 5
1.7. Structure of the dissertation ..... 6
2. Accountability Frameworks ..... 8
2.1. Introduction to Chapter Two ..... 8
2.2. The Significance of Accountability Frameworks ..... 8
2.2.1. The Significance of the Accountability Principle ..... 8
2.2.2. The Significance of Accountability Frameworks ..... 12
2.3. Accountability Frameworks Advocated by DPAs ..... 13
2.3.1. Accountability Frameworks Recommended by DPAs ..... 13
2.3.2. Limitations of DPAs’ Accountability Frameworks ..... 17
2.4. Accountability Frameworks Advocated by Third-parties ..... 18
2.4.1. Accountability Frameworks Recommended by Third-parties ..... 18
2.4.2. Limitations of Third-parties’ Accountability Frameworks ..... 22
2.5. The Nymity Accountability Framework ..... 23
2.6. Summary of Chapter Two ..... 26
3. Asian data protection laws ..... 27
3.1. Introduction to Chapter Three ..... 27
3.2. Selection of Asian Jurisdictions ..... 27
3.3. Methodology for the gap analysis ..... 28
3.4. Jurisdiction-by-Jurisdiction report ..... 29
3.4.1. Hong Kong ..... 29
3.4.2. Taiwan ..... 32
3.4.3. Japan ..... 33
3.4.4. Macau ..... 35
3.4.5. Malaysia ..... 37
3.4.6. Vietnam ..... 39
3.4.7. The Republic of Korea ..... 40
3.4.8. The Philippines ..... 42
3.4.9. Singapore ..... 44
3.5. Summary of chapter three ..... 45
4. How can the Nymity Framework be extended to cover Asia? ..... 47
4.1. Introduction to chapter four ..... 47
4.2. Adequacy of the Nymity Framework to cover Asia ..... 47
4.3. Manageability of the Nymity Framework ..... 49
4.4. A closer look at the activities ..... 51
4.5. A critical look on the effectiveness of PMP ..... 52
4.6. Summary of chapter four ..... 53
5. Findings and recommendations ..... 54
5.1. Introduction to chapter five ..... 54
5.2. The Research question ..... 54
5.3. Summary of findings ..... 56
5.4. Thoughts and recommendations ..... 56
Reference ..... 60
Annex A: Original Nymity Privacy Management Accountability Framework ..... 64
Annex B: Modified Nymity Privacy Management Accountability Framework ..... 77

List of Tables

Table 1 Summary of assessment on frameworks ..... 24
Table 2 Sample of Nymity Scorecard in tracking activities ..... 25
Table 3 Asia jurisdictions that fulfil the selection criteria ..... 28
Table 4 Data Controller Responsibilities under the Hong Kong PDPO ..... 30
Table 5 Nymity Framework coverage to the Hong Kong PDPO ..... 31
Table 6 Data Controller Responsibilities under the Taiwan PDPL ..... 32
Table 7 Nymity Framework coverage to the Taiwan PDPL ..... 33
Table 8 Data Controller Responsibilities under the Japan APPI ..... 34
Table 9 Nymity Framework coverage to the Japan APPI ..... 35
Table 10 Data Controller Responsibilities under the Macau PDPA ..... 36
Table 11 Nymity Framework coverage to the Macau PDPA ..... 36
Table 12 Data Controller Responsibilities under the Malaysia PDPA ..... 37
Table 13 Nymity Framework coverage to the Malaysia PDPA ..... 38
Table 14 Data Controller Responsibilities under the Vietnam LPCR ..... 39
Table 15 Nymity Framework coverage to the Vietnam LPCR ..... 40
Table 16 Data Controller Responsibilities under the Korea PIPA ..... 41
Table 17 Nymity Framework coverage to the Korea PIPA ..... 42
Table 18 Data Controller Responsibilities under the Philippines DPA ..... 43
Table 19 Nymity Framework coverage to the Philippines DPA ..... 43
Table 20 Data Controller Responsibilities under the Singapore PDPA ..... 44
Table 21 Nymity Framework coverage to the Singapore PDPA ..... 45
Table 22 Asia-specific activities that are to be added to the Nymity Framework ..... 48

1. Introduction

1.1. Overview to the study

This dissertation documents the study undertaken to find and modify a privacy management accountability framework to be used by organisations (“data controllers” within the context of data protection laws) operating across Asia.

There are currently over 101 jurisdictions around the world that have data protection laws, of which no less than nine are in Asia and were enacted over the past four years.1 Asia is one of the regions where growth in data protection law is predicted.2

For organisations operating across Asian jurisdictions that have data protection laws, the adoption of privacy management programmes (PMPs), through the systematic approach of using a privacy management accountability framework, could demonstrate to regulators and customers (“data subjects” within the context of data protection laws) their commitment to the protection of personal data, and earn their trust.

However, many of the available accountability frameworks pre-date the majority of Asian data protection laws, so it is unclear how suitable they are for data controllers operating across Asia. The question this study seeks to answer is, therefore, “If a data controller is to implement accountability, which accountability framework, with or without modifications, can be practically deployed by data controllers operating across Asian jurisdictions?”

1 Greenleaf G, ‘Global Tables of Data Privacy Laws and Bills (3rd Ed, June 2013)’ UNSW Law Research Paper No 2013-39, accessed 18 July 2014

2 Greenleaf G, ‘Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ Journal of Law, Information & Science, accessed 11 June 2014

1.2. Introduction to Chapter One

Having introduced the research question in Section 1.1, the remaining part of Chapter 1 serves as an executive summary of the whole study in the following sections:

Section 1.3: The importance of accountability frameworks and why the Nymity accountability framework is chosen for this study;

Section 1.4: How a gap analysis was used to find out how the Nymity accountability framework fits with data protection laws in Asia;

Section 1.5: What needs to be changed in the Nymity accountability framework for use by data controllers operating across Asia; and

Section 1.6: The significance of the study and how it could be further tested.

1.3. Data protection laws and accountability frameworks

The importance of accountability principles in data protection

2014 marks the 41st anniversary of data privacy laws since Sweden’s Data Act 1973. Currently there are more than 101 jurisdictions that have enacted substantial data privacy laws covering the private and/or the public sectors. In Asia, no less than 11 jurisdictions have enacted privacy laws, of which six are new ones since 2010. About nine countries in Asia are yet to have data protection laws.3

Not only is the number of data protection laws around the world on the increase, the requirements on privacy protection are tightening too. The European Union (EU) is proposing a new Data Protection Regulation (the EU Regulation)4 with a view to further modernising and harmonising the Data Protection Directive 95/46/EC for its member states. The Organisation for Economic Co-operation and Development (OECD) has just updated its 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data5 (OECD Guidelines) in 2013.6 One common thread across these modernisation efforts is the introduction of, or re-emphasis on, accountability as a key principle.

3 Greenleaf G, ‘Global Data Privacy Laws 2013: 99 Countries and Counting’ Privacy Laws & Business International Report, accessed 10 July 2014

4 ‘Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ (European Commission), accessed 19 June 2014

The importance of accountability frameworks

An accountability principle requires data controllers to implement a PMP with appropriate data protection measures, to ensure its effectiveness in meeting all the data protection principles and obligations, and to demonstrate its implementation on request.7 In order to demonstrate the effectiveness of the implementation, the use of a systematic and standardised accountability framework to implement the PMP becomes necessary and important.

Available accountability frameworks

Because of the importance of an accountability framework, it is not surprising that a number of accountability frameworks have been promoted by various parties, from regulators and advocacy groups to commercial firms. This study has examined six better-known accountability frameworks, three proposed by the regulatory community and three by third-parties, to determine if any of them can be used by data controllers operating in Asia.

Practical issues related to accountability frameworks

The purpose of the examination is to find out if any of the existing accountability frameworks may be applied to Asia based on the selection criteria of (1) credibility, (2) practicality and (3) Asia coverage. After the examination, the Nymity Privacy Management Accountability Framework (the Nymity Framework) was selected as the only viable framework to be further studied as to whether it can be applied to, or modified for, Asian jurisdictions with data protection laws. The Nymity Framework was selected because it contains not only 13 high-level processes that describe how to implement a PMP, but also 153 activities regarding what regulatory measures to track and monitor.

5 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (OECD), accessed 11 June 2014

6 OECD, ‘The 2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (OECD), accessed 11 June 2014

7 ‘Opinion 3/2010 on the Principle of Accountability’ (Article 29 Working Party, 2010), accessed 19 June 2014

Data protection laws and the importance of an accountability framework

Full details on the principles of data protection laws, the importance of the accountability principle within data protection legislation, the significance of accountability frameworks to data controllers, an appraisal of better-known accountability frameworks, and why the Nymity Framework was selected as the only viable framework for further testing on Asian data protection laws are elaborated in Chapter 2.

1.4. Gap analysis with Asia data protection laws

Which Asia data protection laws are in scope?

The aim of this study is to find out how data controllers operating across Asian jurisdictions can deploy an accountability framework. A list of nine relevant data protection laws enforceable in the private sector was drawn up so that a gap analysis could be performed to check whether the Nymity Framework covers all of their requirements.

Gap analysis

A systematic gap analysis was carried out on each relevant provision of the nine pieces of data protection legislation against the 13 processes depicted under the Nymity Framework. The result suggests that the 13 processes in the Nymity Framework are broad enough to cover the nine Asian data protection laws, but there is room for improvement in the specificity of the existing activities in the Nymity Framework.

The results

Full details on how the relevant Asian data protection laws were selected, and the gap analysis methodology and results, are documented in Chapter 3.


1.5. Modifications to the Nymity Framework

Asia activities, framework hierarchy and editorial change to the Nymity Framework

As a result of the gap analysis, five activities are added to the Nymity Framework to address some important and specific regulatory requirements in Asia. Furthermore, during the selection of the Nymity Framework, it was observed that there are too many activities assigned to each process, which makes their monitoring and tracking difficult. Further analysis suggests that sub-processes should be introduced to subdivide the activities into more focused groups. Apart from making all the activities easier to remember because of the tighter focus, the reduction in the number of activities for each sub-process also helps privacy practitioners to manage, track and monitor them more easily. Finally, editorial amendments are suggested to some activities to make the Nymity Framework more user-friendly to new users who need to develop a PMP from the ground up.

The modified Nymity Framework

Full details on the Nymity Framework process to which new activities have been assigned, how each process has been sub-divided into more manageable sub-processes, and editorial changes to make the Nymity Framework easier to follow when building PMPs for the first time, are described in Chapter 4, and the modified Nymity Framework is made available under Annex B.

1.6. Findings and suggested further studies

The research question answered

The question this study seeks to answer is, “If a data controller is to implement accountability, which accountability framework, with or without modifications, can be practically deployed by data controllers operating across Asian jurisdictions?”

The study selected the closest accountability framework that could be useful to privacy practitioners in Asia, and modified it according to a systematic gap analysis, its level of manageability and its user-friendliness.


The significance of the research question and answer

The findings from this study are significant because the demands on data controller accountability are on the increase, both from regulators and from data subjects. In order to address and prove to stakeholders the commitment of data controllers to personal data privacy, a systematic and proven accountability framework must be found by data controllers to consistently demonstrate accountability. Data controllers in Asia face an additional challenge in that many data protection laws are recently enacted, so there is uncertainty as to whether any known accountability framework is equally applicable to Asia.

The findings of this study suggest that, with some modifications, it is possible to make the Nymity Framework applicable to Asian jurisdictions in a practical way.

Further studies

The modified Nymity Framework is the result of desktop research and must be verified in practice. Further refinements may be needed when it is applied by practitioners in the field.

The findings, their significance, reflections on the study process and future research directions are fully detailed in Chapter 5.

1.7. Structure of the dissertation

Chapter 1 serves only as an executive summary of the study. Details of the study are documented in Chapter 2 to Chapter 5 and are recapped as follows:

Chapter 2: The significance of the Nymity Framework for Asian data controllers to support the increasingly important accountability principle found in data protection laws.

Chapter 3: A gap analysis on the Nymity Framework against relevant data protection laws in Asia to find out if and how the Nymity Framework can be applied to Asia.

Chapter 4: An account of how (1) Asia-specific regulatory activities, (2) structural changes, and (3) editorial changes are applied to the Nymity Framework to make it relevant to Asian data controllers.

Chapter 5: The findings and recommendations of the study.


2. Accountability Frameworks

2.1. Introduction to Chapter Two

Chapter 1 provides an overview of this study on how the Nymity Framework was selected and modified for use by data controllers operating across Asian jurisdictions.

This chapter now goes into the full details of the study and begins with the topic of accountability frameworks. It starts by introducing the significance of accountability frameworks and ends with the explanation of why the Nymity Framework was selected for this study.

More specifically, the following topics are explored in their respective sections:

Section 2.2: The significance of accountability frameworks

Section 2.3: Various accountability frameworks being advocated by DPAs

Section 2.4: Various accountability frameworks being advocated by third-parties

Section 2.5: The Nymity accountability framework

2.2. The Significance of Accountability Frameworks

In this Section 2.2, the significance of the privacy accountability principle is first introduced. It then explains how an accountability framework helps data controllers to systematically demonstrate their compliance with the accountability principle.

2.2.1. The Significance of the Accountability Principle

Historic Development of Data Protection Principles

The number of jurisdictions enacting data protection laws has been on the increase steadily since the first comprehensive data privacy law was introduced in Sweden in 1973. There are now over 101 jurisdictions with privacy laws enacted.8 Apart from the numbers, the sophistication of data protection laws has evolved considerably over the years.

Chronologically speaking, Alan Westin has been credited as the person who advocated in 1967 the concept of what is now known as “informational self-determination”: individuals determining for themselves when, how, and to what extent their personal data is communicated to others.9 Many have since credited this concept as the basis of the Fair Information Practice Principles (FIPPs), first published by the US Department of Health, Education and Welfare in 1973, which then formed the basis of the US Privacy Act of 1974.10

FIPPs originally appeared as a code consisting of five statements (headings are added to map them to modern data protection principles):11

1. Openness and transparency: There must be no secret personal data record keeping systems;

2. Individual participation and Purpose limitation: There must be a way for an individual to find out what information about him is in a record and how it is used;

3. Use limitation: There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent;

4. Individual participation: There must be a way for an individual to correct or amend a record of identifiable information about himself; and

5. Data quality and Use limitation: Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

8 See note 2.

9 Bennett CJ, ‘In defense of privacy: the concept and the regime’ 8 Surveillance & Society 485

10 Langheinrich M, Privacy by design—principles of privacy-aware ubiquitous systems (Springer 2001)

11 ‘The Code of Fair Information Practices’ (Electronic Privacy Information Center), accessed 11 June 2014

FIPPs are generally considered the precedent, if not the foundation, on which many other organisations, such as the Council of Europe, the OECD and the EU, have developed their data protection regimes.

The Emergence of the Accountability Principle

In 1980, the OECD published the OECD Guidelines. In addition to the five principles listed under FIPPs, the OECD Guidelines also introduced the following three additional principles:12

1. Collection limitation: Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject;

2. Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data;

3. Accountability: A data controller should be accountable for complying with measures which give effect to all the principles stated.

From a governance point of view, the accountability principle represented a significant advancement over the original FIPPs, which gave only direct individual rights. It introduced the need for a management commitment and structure to sustain a data controller’s efforts in protecting personal data.

Similarly, the Asia-Pacific Economic Cooperation (APEC) also listed Accountability as one of the nine information privacy principles under its Privacy Framework published in 2005.13

12 See note 5

13 APEC Privacy Framework (APEC#205-SO-012, 2005)

Despite the efforts of the OECD and APEC, for a number of years the accountability principle was not often prescribed in legislation. For example, the 1981 Council of Europe Convention 108 for the protection of individuals with regard to automatic processing of personal data, the 1995 EU Data Protection Directive 95/46/EC, and the 1995 Hong Kong Personal Data (Privacy) Ordinance all failed to include accountability as one of the data protection principles.

That said, accountability as a data protection governance tool has gained momentum over the past decade. In 2000, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), which is probably the first national privacy law that has a written principle on Accountability.14

Article 22 of the proposed EU Regulation on the responsibility of the data controller may be interpreted as a formal accountability requirement, as it requires data controllers to adopt policies, measures and mechanisms to ensure, and to demonstrate, that the processing of personal data is effective and in compliance with the proposed Regulation.15

The OECD Guidelines were revised in 2013 with three additional concepts, one of which is the requirement for data controllers to implement a PMP.16 This may be considered a more concrete elaboration of the original accountability requirement.

The Significance of the Accountability Principle

The significance of the accountability principle cannot be better emphasised than by the Office of the Privacy Commissioner of Canada (OPCC). The OPCC defines accountability as the acceptance of responsibility by a data controller for personal information protection. When done properly, it should promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organisations.17

14 Personal Information Protection and Electronic Documents Act, Canada

15 See note 4

16 See note 6

Furthermore, together with Article 35 of the proposed EU Regulation on the mandatory designation of a data protection officer, the accountability requirement is believed to replace and provide an alternative to the notification requirements under Data Protection Directive 95/46/EC, which are considered burdensome and ineffective.18

A PMP may appear to be optional to data controllers in locations where accountability is not a mandatory requirement. However, in reality, if a regulator engages a data controller in an enforcement action, whether the data controller has established a holistic programme on data protection could make a considerable difference to the enforcement outcome. As such, it is always to data controllers’ benefit to formalise the PMP’s implementation, particularly if they are genuine about protecting customers’ personal data and have already put in the necessary resources.

Naturally there are criticisms of accountability, such as the concept being twisted into a marketing tool, mediocre effectiveness, conflicting self-regulatory roles, or even being deceptive, which have been quite comprehensively debated elsewhere.19 Others have called accountability a reinvention of the wheel.20 However, such debate on the value and effectiveness of the accountability principle is not the focus of this study. Instead, the reality is that the increased emphasis by regulators means accountability should always be on the agenda of data controllers.

2.2.2. The Significance of Accountability Frameworks

17 ‘Getting Accountability Right with a Privacy Management Program’ (The Office of the Privacy Commissioner, Canada, 2012)
18 See note 4
19 Butin D, Chicote M and Le Métayer D, ‘Strong Accountability: Beyond Vague Promises’ in Gutwirth S, Leenes R and De Hert P (eds), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges (Springer)
20 Guagnin D and others, Managing Privacy through Accountability (Palgrave Macmillan 2012)


According to the Oxford dictionary, “principle” is defined as “a fundamental truth or proposition that serves as the foundation for a system of belief or behaviour or for a chain of reasoning” and “framework” is defined as “a basic structure underlying a system, concept or text”.21 As such, the deployment of an accountability framework is one valid way for data controllers to demonstrate their adherence to the accountability principle.

Specifically, the OPCC stresses the importance of an accountability framework (or programme) because it can help data controllers to demonstrate to regulators that they have an effective system in place to correctly identify privacy obligations and risks. Such a framework will also help to persuade regulators that data controllers hold the protection of personal data to a higher standard than the bare legal minimum, and hence that any mistakes are likely to be isolated incidents.22

2.3. Accountability Frameworks Advocated by DPAs

Having introduced the importance of accountability frameworks to data controllers and regulators in Section 2.2, this Section 2.3 looks at the accountability tools being advocated by three major DPAs or their equivalent (the Article 29 Working Party, Canada and Hong Kong), as well as their limitations. An extensive Internet search found these three to be the only DPA frameworks available in English.

2.3.1. Accountability Frameworks Recommended by DPAs

The Article 29 Working Party

Chronologically, the Article 29 Working Party’s Opinion 3/2010 on the principle of accountability23 (the Opinion 3/2010), dated 13 July 2010, is probably the first official publication on the topic by DPAs. The Article 29 Working Party is set up under Articles 29 and 30 of the EU Directive 95/46/EC to advise on data protection matters.24 The Opinion 3/2010 therefore carries considerable weight and influence across the EU.

21 See http://www.oxforddictionaries.com/definition/english/principle?q=principle and http://www.oxforddictionaries.com/definition/english/framework respectively, accessed 19 June 2014
22 See note 17
23 See note 7

Apart from laying out the basis and benefits of the accountability principle, paragraphs 27 to 42 of the Opinion 3/2010 suggest the following elements on which to build a privacy framework:

1. Adoption of relevant internal privacy policies and processes, covering cross-border data flow controls, access, correction and deletion requests, complaints, data breaches, and privacy impact assessments;
2. Building of a privacy governance structure, including the appointment of a data protection officer and adequate training; and
3. Establishing review mechanisms to ensure the continuous compliance and effectiveness of the privacy programme.

The main purpose of the Opinion 3/2010 is forward-looking: to pave the way for the formal introduction of the accountability principle in the successor to EU Directive 95/46/EC. It can therefore be considered a high-level vision statement rather than a practical guide.

Canada

The document “Getting Accountability Right with a Privacy Management Program”25 (the OPCC document), issued by the OPCC on 17 April 2012, may have the most reference value because the accountability principle is embedded in Canada’s PIPEDA.

In comparison with Opinion 3/2010, the OPCC document is more comprehensive as it describes not only the building blocks of a privacy accountability programme, but also how it should be maintained and improved on an on-going basis.

24 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
25 See note 17

The OPCC document outlines the following building blocks as essential components of a privacy accountability framework:

1. Organisational Commitment
   a. Management Buy-in;
   b. Establishing a Data Protection Officer;
   c. Establishing a Data Protection Office;
   d. Monitoring and Reporting of Controls.
2. Programme Controls
   a. Building a Personal Data Inventory;
   b. Developing Privacy Policies on:
      i. Collection, Use and Disclosure of Personal Data;
      ii. Facilitating Data Access and Correction Requests;
      iii. Retention and Disposal of Personal Data;
      iv. Reasonable Security Protection;
      v. Complaint and Issue Handling.
   c. Risk and Privacy Impact Assessment;
   d. Training and Education;
   e. Breach and Incident Management;
   f. Service Provider Management;
   g. External Communications.

The OPCC document further provides that a privacy management framework must be sustainable by the following two on-going management processes:

1. Oversight and Annual Review Plan to keep the Privacy Management Programme On-track and Up-to-date; and
2. Assess and Revise Programme Controls to ensure the Continuous Effectiveness of the Programme.

By comparison, the OPCC document is more practical than the Opinion 3/2010: it provides a list of processes to build and maintain a PMP, and is therefore more readily executable by data controllers.

Hong Kong

Although not a specific requirement under Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), the Office of the Privacy Commissioner for Personal Data (PCPD) published a Best Practice Guide on Privacy Management Programme (the Best Practice Guide) on 18 February 2014 as part of a campaign for data controllers to go beyond the law and adopt a more holistic governance model in data protection.26 Similar to the EU, a PMP is meant to replace the onerous, yet-to-be-implemented, notification obligation under the PDPO.

The Best Practice Guide openly acknowledges that it is modelled on the OPCC document, so unsurprisingly its structure and the details of its substance are almost identical. It suggests three management commitments, seven programme controls and two processes to implement an accountability framework:

1. Organisational Commitments
   a. Management Buy-in;
   b. Establishing a Data Protection Office and/or Officer;
   c. Establishing a Reporting Mechanism.
2. Programme Controls
   a. Building a Personal Data Inventory;
   b. Developing Privacy Policies;
   c. Deploying Risk Assessment Tools;
   d. Meeting Training and Education Requirements;
   e. Establishing Data Breach Handling;
   f. Management of Data Processors;
   g. Communication.
3. On-going Processes
   a. Oversight and Periodic Review Plan to monitor and assess the Privacy Management Programme controls; and
   b. Assess and Revise Programme Controls where Necessary.

26 ‘Best Practice Guide on Privacy Programme Management’ (The Office of the Privacy Commissioner for Personal Data, Hong Kong, 2014) accessed 19 June 2014

2.3.2. Limitations of DPAs’ Accountability Frameworks

Bearing in mind that the scope of this study is the finding and adapting of an accountability framework to be used by data controllers operating across Asian jurisdictions, the three examined frameworks from DPAs have been found to have the following limitations:

The Article 29 Working Party

The Opinion 3/2010 is a forward-looking policy document rather than a practical guide. The main purpose of the document is to convince policy makers of the importance and benefits of including accountability as a main data protection principle. Its relevance to organisations operating across multiple Asian jurisdictions is therefore relatively low.

Not only does it advocate a principle that had not yet been embraced in legislation, it also shows some degree of indecisiveness on the effectiveness of an accountability framework: on the one hand it places a lot of emphasis on there being no one-size-fits-all approach or framework for accountability; on the other hand it suggests the possibility of a model data compliance programme or even certification and seals of approval.

Canada and Hong Kong

Both the OPCC document and the Best Practice Guide were issued by DPAs, so their reference value for data controllers operating under their respective jurisdictions should be high.

Indeed, organisations operating under the OPCC’s jurisdiction are obliged to follow PIPEDA and must therefore prove that they comply with the accountability principle. Adopting the advice in the OPCC document should go a long way towards demonstrating their compliance to the regulator. For Hong Kong based organisations, it is not a legal requirement that they implement a PMP. However, if they do, then adopting the Best Practice Guide is obviously the safe option. That said, both documents may be criticised as ‘without context’ because they only describe how to implement a PMP but not what to implement. Neither document makes any specific reference to the legislative requirements of its respective law. For example, in a world first, the PDPO was amended in 2013 to make certain direct marketing activities criminal offences, but the Best Practice Guide makes no reference to direct marketing activities. Anyone following these documents must therefore develop further details to ensure that their PMPs indeed cover all the activities stipulated or prohibited by the applicable laws.

Furthermore, organisations operating in more than one location may find these guides limited in scope and may prefer third-party guides that are applicable across multiple jurisdictions.

2.4. Accountability Frameworks Advocated by Third-parties

The previous Section 2.3 explored accountability frameworks advocated by DPAs and found them too high-level, not practical enough or limited in jurisdictional scope. This Section 2.4 therefore looks at accountability frameworks published by well-known third-parties with a view to finding more practical ones. Frameworks from three third-parties are chosen because they are the only active participants in the International Conference of Data Protection and Privacy Commissioners, the annual international conference for privacy commissioners.

2.4.1. Accountability Frameworks Recommended by Third-parties

Centre for Information Policy Leadership (CIPL)

CIPL is a policy development organisation set up under the law firm Hunton & Williams LLP to develop and propose pragmatic approaches to data protection that take into account the requirements of data controllers. It draws its membership from large organisations, including many leading privacy practitioners.27

Against this background, it is understandable why CIPL wants to develop an accountability framework that its members are comfortable implementing. Its latest efforts on accountability frameworks can be found in an April 2011 publication titled “Accountability: Data Governance for the Evolving Digital Marketplace”.28 The CIPL document lists five essential elements of accountability:

1. Organisational commitment to accountability and adoption of internal policies consistent with external criteria;
2. Mechanisms to put privacy policies into effect, including tools, training and education;
3. Systems for internal, on-going oversight and assurance reviews and external verification;
4. Transparency and mechanisms for individual participation;
5. Means of remediation and external enforcement.

The CIPL document suggests that organisations handling personal data should implement these essential elements proportional to the need. However, the document goes on to say that in order to demonstrate accountability, organisations should implement nine common fundamentals:

1. Written policies and procedures that reflect applicable laws;
2. Internal executive oversight and responsibility for data protection;
3. Allocation of resources to ensure that the organisation’s privacy program is appropriately supported;
4. Providing up-to-date education and awareness programs to stakeholders;
5. Implementing on-going risk assessment and mitigation;
6. Periodic review, oversight and validation;
7. Procedures for responding to inquiries, complaints and data protection breaches;
8. Internal enforcement of the organisation’s policies;
9. Redress and remedies for privacy risks.

27 ‘Centre for Information Policy Leadership’ accessed 19 June 2014
28 ‘Accountability: Data Governance for the Evolving Digital Marketplace’ (The Centre for Information Policy Leadership) accessed 19 June 2014

Working with a number of DPAs, CIPL has been developing this set of accountability elements and fundamentals since 2009.

International Association of Privacy Professionals (IAPP)

The IAPP is the only professional association dedicated to privacy practitioners and has a membership of over 14,000 located in 83 countries.29 It also issues examination-based certifications to prove its members’ proficiency in the data protection laws of Canada, the EU and the US, and in managing PMPs. As part of the PMP certification preparation, the IAPP published a book, “Privacy Program Management – Tools for Managing Privacy Within Your Organization”30 (the IAPP book), which is a “collection of best practices, books, manuals and training materials to build a PMP”.

Under the Privacy Program Governance section, it introduces the concepts of:

1. Strategic Management
2. Develop and Implement a Framework
3. Performance Measurement

29 ‘The International Association of Privacy Professionals’ accessed 8 July 2014
30 Byrne JM and others, Privacy Program Management: Tools for Managing Privacy Within Your Organization (Densmore RR ed, International Association of Privacy Professionals 2013)

In the second section, Privacy Operational Life Cycle, it introduces the stages of a programme management cycle:

1. Assess
2. Protect
3. Sustain
4. Respond

Despite these simple headings, the book is a rich resource on data protection concepts. For example, under the Framework section it mentions the APEC Privacy Framework, guides from the US, UK and French regulators, principles enshrined in the privacy laws of Australia and Canada, and the Privacy by Design concept.

The IAPP Book may therefore be described as a compilation of many resources, a toolkit or a knowledge collection for the preparation of the PMP certification.

Nymity

Nymity is a private research firm based in Canada and focused on privacy compliance tools.31 It offers free tools, together with associated paid services to support those tools, for data controllers that may need them. One of the core free tools it has developed is the Nymity Framework,32 which contains 13 processes:

1. Maintain Governance Structure
2. Maintain Personal Data Inventory
3. Maintain Data Privacy Policy
4. Embed Data Privacy into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security Risk
7. Manage Third-party Risk
8. Maintain Notices
9. Maintain Procedures for Inquiries and Complaints
10. Monitor for New Operational Practices
11. Maintain Data Privacy Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria

31 ‘Nymity Inc.’
32 ‘A Privacy Office Guide to Demonstrating Accountability’ (Nymity Inc.) accessed 8 July 2014

The most interesting feature of the Nymity Framework, which sets it apart from other frameworks, is that apart from listing 13 processes on how to implement a PMP, it also proposes 153 practical and specific regulatory activities to be monitored or tracked by data controllers.

A full version of the Nymity Framework with its 13 processes and 153 activities can be found under Annex A.

The inclusion of regulatory activities in the Nymity Framework makes it most appealing to practitioners who are interested in using practical tools that require little or no further development or judgement calls. This end-to-end “concept-to-checklist” approach makes the Nymity Framework a unique framework among all the available ones studied.

2.4.2. Limitations of Third-parties’ Accountability Frameworks

Centre for Information Policy Leadership

Again bearing in mind the scope of this study, and applying the same analysis criteria as were applied to the DPAs’ frameworks, the framework depicted in the CIPL document suffers from the same issue of being too high-level and containing only the processes, without the practical jurisdiction-specific requirements.

International Association of Privacy Professionals

The IAPP book appears to have all the ingredients for a PMP. It not only introduces all the relevant concepts of privacy protection, it also walks through the operational life cycle of data protection management. However, the emphasis of the IAPP book is on enabling readers to pass a certification examination. Breadth and knowledge of diverse, or even contrasting, concepts can be found throughout the book. This is demonstrated, for example, by the Framework section, which introduces a variety of frameworks, from conceptual to jurisdictional, inter-governmental to legislative proposals, without explaining their relevance or how they should be applied in a PMP for a data controller. In short, the IAPP book can be considered a knowledge toolkit of what is available, rather than a practical guide on how to select and apply the tools.

Nymity

Sub-section 2.4.1 has indicated that the practical element of activities in the Nymity Framework makes it the most appealing framework for privacy practitioners. That said, it does suffer from two potential shortcomings. Firstly, it claims to cover Asia, but it is unclear how extensive that coverage is; for example, the only Asia-specific activity it mentions is the APEC Cross-Border Privacy Rules, and it is unclear whether this is sufficient. Secondly, although the inclusion of activities has greatly improved the usability of the framework, it is currently organised in a flat structure with a large activity-to-process ratio. In one extreme case there are 31 activities under a single process, which could be unmanageable for practitioners to implement in practice.

2.5. The Nymity Accountability Framework

The previous Section 2.4 listed the major third-party frameworks and their limitations, and suggested that the Nymity Framework appears to be the most appealing one for practitioners. This Section 2.5 explains in more detail the practical advantages of adopting the Nymity Framework for organisations operating across multiple Asian jurisdictions.

Why is the Nymity accountability framework chosen for this study? The aim of this study is to find a PMP framework for data controllers operating across multiple Asian jurisdictions. As such, the criteria for selecting the appropriate framework to adopt and build on have to be (1) proven/authoritative, (2) practical and (3) cross-jurisdictional. So far, the study of all the frameworks available from DPAs and third-parties suggests that only the Nymity Framework comes close to meeting these criteria. How each framework has fared against the criteria has been described in Sections 2.3 and 2.4 and will not be repeated. Instead, the table below summarises the comparison of each of the frameworks against these criteria.

Framework: Opinion 3/2010
  Pro: High acceptability by EU DPAs
  Con: It is a policy document and not a practical guide; cross-EU but not covering Asia

Framework: OPCC document
  Pro: High acceptability by OPCC
  Con: Requires addition of regulatory activities to suit local law; Canada-based but not covering Asia

Framework: Hong Kong Best Practice Guide
  Pro: High acceptability by PCPD
  Con: Requires addition of regulatory activities to suit local law; Hong Kong based but not covering Asia

Framework: CIPL document
  Pro: CIPL has a good reputation in the industry
  Con: Requires addition of regulatory activities to suit local laws; coverage for Asia is untested

Framework: IAPP book
  Pro: IAPP has a good reputation in the industry
  Con: Requires selection/reconstruction of appropriate processes for the target data controller and addition of activities to suit local laws; coverage for Asia is untested

Framework: Nymity Framework
  Pro: Nymity has a good reputation in the industry; contains both processes and activities for immediate application
  Con: Although claimed as such, the coverage for Asia is untested; possibly too many activities per process to be manageable

Table 1 Summary of assessment on frameworks

The Nymity Framework could be by far the most practical framework ready to be applied by data controllers when compared with all others studied. It stands out against others in two ways.

First, in addition to containing management processes like the others, the Nymity Framework is the only one that is further supported by 153 regulatory activities. This makes the Nymity Framework a concept-to-checklist implementation that meets the practical needs of data controllers who would rather follow established action plans than develop their own untried ones. For practitioners, the use of an accountability framework is not an academic activity but a way to prove and demonstrate that an expectation has been met. It is therefore in their interests to adopt frameworks that do not need any customisation, amendment or exercise of judgement calls, which may make their version of the framework deviate from that of others who are using it. As any organisation using a framework other than the Nymity one will have to further customise it to include regulatory activities, which could introduce uncertainty, the use of the all-inclusive Nymity Framework becomes an obvious, one-stop-shop choice that is likely to be more readily accepted and recognised by regulators.

Second, Nymity has provided data controllers with an additional tool, a scorecard, to implement the proposed processes and activities. The scorecard helps to assess, track and monitor the readiness and maturity of each activity in terms of status and attributes. The table below is an example illustrating how status and attributes are assigned to activities to fast-track and standardise the implementation of the Nymity Framework.

Ref. | Unit | Privacy Management Activity | Core/Elective | Frequency | Owner
5.7 | Firmwide | Measure participation in data privacy training activities | Core | Annually | Head of HR
5.8 | Shopfloors | Require completion of data privacy training as part of performance reviews | Elective | Annually | COO
5.8 | IT | Require completion of data privacy training as part of performance reviews | Core | Annually | CISO

Status column: each activity is additionally marked with one of the scorecard statuses N/A, Desired, Planned, Implemented, Update planned, Scheduled or Up-to-date.

Table 2 Sample of Nymity Scorecard in tracking activities

The Nymity Framework may not be the best solution for implementing the accountability principle for data controllers, as it has at least a couple of shortcomings, as mentioned under Section 2.4.2. However, in terms of credibility, practicality and scope, and when compared to the other available frameworks, the Nymity Framework may be regarded as the best choice for use by data controllers operating across multiple Asian jurisdictions, as it requires the least modification to address its shortcomings.

2.6. Summary of Chapter Two

Section 2.2 first introduced the concept of data protection principles in order to bring out the importance of the accountability principle. It then expounded on the importance of accountability frameworks that help data controllers to demonstrate their adherence to the accountability principle.

Sections 2.3 and 2.4 presented key accountability frameworks advocated by DPAs and third-parties, and listed their various practical limitations for data controllers operating across multiple Asian jurisdictions. Section 2.5 then explained why the Nymity Framework, although not ideal, is currently the best-fit solution in terms of credibility, practicality and scope.

Having homed in on the Nymity Framework as the best choice, Chapter 3 will use a gap analysis to examine whether and how the Nymity Framework can be enhanced for use across multiple Asian jurisdictions.


3. Asian Data Protection Laws

3.1. Introduction to Chapter Three

This Chapter 3 selects relevant Asian data protection laws, compares them to the Nymity Framework to see whether the framework is sufficiently universal to cover them, and discovers whether any enhancement is needed.

More specifically, the following topics are explored in their respective sections:

Section 3.2: Which Asian jurisdictions are included in this study;
Section 3.3: The methodology of the gap analysis between the various Asian laws and the Nymity Framework; and
Section 3.4: A jurisdiction-by-jurisdiction report on each data protection law against the 13 Nymity Framework processes.

3.2. Selection of Asian Jurisdictions

This Section 3.2 describes the criteria by which Asian data protection laws were selected for this study and lists them.

The objective of this study is to find out how an accountability framework may be applied to data controllers operating across Asia. The results are intended to be beneficial to commercial organisations subject to the relevant data protection laws across multiple Asian jurisdictions. The data protection laws selected must therefore fulfil the following criteria:

1. Cross-sector, universal privacy laws (i.e., not industry-specific laws such as banking or telecommunications laws with provisions on protecting customer data);
2. Applicable to the private sector; and
3. Currently in operation in Asia.


Based on these criteria, and cross-checking with the Global Tables of Data Privacy Laws and Bills33 and The Data Protection Laws of the World,34 ten Asian jurisdictions fulfil these criteria (see Table 3). However, on close examination, the law in India applies only to information technology (IT) firms and excludes all service providers. As such, it is considered a sectoral law and was excluded from the final analysis. The ten jurisdictions are listed below chronologically; the final nine Asian data protection laws fulfilling the criteria are those other than India:

Jurisdiction | Law | Year of enactment
Hong Kong | Personal Data (Privacy) Ordinance | 1995, 2012
Taiwan | Personal Data Protection Law | 1995, 2010
Japan | Act on Protection of Personal Information | 2003
Macau | Personal Data Protection Law | 2005
Malaysia | Personal Data Protection Act 2010 | 2010
Vietnam | Law on Protection of Consumers’ Rights | 2010
Republic of Korea | The Personal Information Protection Act | 2011
India | Information Technology Act 2000 (s43A) | 2011
The Philippines | Data Privacy Act of 2012 | 2012
Singapore | Personal Data Protection Act 2012 | 2012

Table 3 Asian jurisdictions that fulfil the selection criteria

3.3. Methodology for the Gap Analysis

The previous Section 3.2 identified the data protection laws to be studied; this Section 3.3 describes the gap analysis methodology by which these laws were compared to the coverage of the Nymity Framework.

The purpose of this gap analysis is to identify which data controller-related provisions or activities of each law are not covered by the Nymity Framework. As such, the following steps were undertaken in the gap analysis for each piece of relevant law:

33 See note 1
34 ‘Data Protection Laws of the World’ (DLA Piper, 2014) accessed 18 July 2014

1. Identifying the specific data controller-related data protection provisions or activities under each law; and
2. Mapping each such provision or activity to the 13 processes under the Nymity Framework with a view to identifying any provisions or activities not covered.

It should be noted that, unlike the EU, where the 28 national data protection laws share the EU Data Protection Directive 95/46/EC as a common core, Asian data protection laws were spurred by different reasons and are backed by different ideologies. As such, the differences between the data protection laws of Asian jurisdictions can be wide and need to be noted.

3.4. Jurisdiction-by-Jurisdiction Report

Having described the methodology of the gap analysis between Asian data protection laws and the Nymity Framework in the previous Section 3.3, a jurisdiction-by-jurisdiction report is shown and summarised in this Section 3.4. The respective laws were used as the primary source of reference in the analysis. For clarity and ease of comparison, the results for each jurisdiction are depicted in table form and in the chronological order of when the laws were enacted.

3.4.1. Hong Kong

Background

Hong Kong enacted its data protection law, the PDPO,35 in 1995, the first in the region.36 The PDPO is centred around six data protection principles (DPPs), which are attached as a schedule to the PDPO.

35 ‘Personal Data (Privacy) Ordinance, Hong Kong’ accessed 10 July 2014
36 See note 2

The PDPO was updated and amended in 2012, with the introduction of what is believed to be the first criminal sanction in the world against the use of personal data for direct marketing activities without the consent of data subjects. Section 33 regarding transborder data flows is currently not in effect, and sections 14 to 17 regarding data user returns are not yet enabled, but these sections are included in the analysis for completeness.

Relevant Provisions

The whole of the PDPO was analysed and all the provisions and activities related to the responsibilities of data controllers were extracted. Given the importance of the six DPPs, the requirements of the DPPs are also extracted in the table below. For ease of reference, the corresponding OECD principles have been listed against each provision.

Sections/DPPs | Provisions | OECD Principles
14 – 17 | Data user return | Accountability Principle
17A – 25, 28 – 29, DPP6 | Data access and correction | Individual Participation Principle
26 | Erasure | Data Quality Principle
30 – 32 | Automated matching | Use Limitation Principle
33 | Cross-border data flow | Security Safeguards Principle
35A – 35M | Direct marketing | Use Limitation Principle
65 | Data processor | -
DPP1 | Purpose and manner of collection | Collection Limitation Principle; Purpose Specification Principle
DPP2 | Accuracy and retention | Data Quality Principle
DPP3 | Use | Use Limitation Principle
DPP4 | Security | Security Safeguards Principle
DPP5 | Policies and practices to be available | Openness Principle

Table 4 Data Controller Responsibilities under the Hong Kong PDPO

How Each Provision Fits into the Nymity Framework

Once all the relevant provisions of the PDPO were identified in Table 4, attempts were made to allocate each one to the 13 Nymity Framework processes. The allocation was greatly assisted by looking at the existing activities associated with each Nymity Framework process to identify activities similar to those of the PDPO. For example, no less than five activities under Process 2, Maintain Personal Data Inventory, in the Nymity Framework relate to cross-border data flows, so Section 33 of the PDPO, on the transfer of personal data to places outside Hong Kong, fits under this process. By applying this technique, the provisions of the PDPO were allocated to the Nymity Framework processes as follows:

Nymity Processes | PDPO Sections/DPPs | Provisions
Maintain Governance Structure | 14 – 17 | Data user return
Maintain Personal Data Inventory | 30 – 32; 33 | Matching; Cross-border data flow
Maintain Data Privacy Policy | DPP1 | Collection Limitation Principle; Purpose Specification Principle
Embed Data Privacy into Operations | 26; 27; 30; 35A – 35M; DPP2; DPP3 | Data erasure; Data access/correction request log; Matching; Direct marketing activities; Data Quality Principle; Use Limitation Principle
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | DPP4 | Security Safeguards Principle
Manage Third-party Risk | 65; DPP2; DPP4 | Data processor; Data Quality Principle; Security Safeguards Principle
Maintain Notices | 35A – 35M; DPP1; DPP5 | Direct marketing activities; Collection Limitation Principle; Purpose Specification Principle; Openness Principle
Maintain Procedures for Inquiries and Complaints | 17A – 25, 28 – 29; 35A – 35M; DPP6 | Individual Participation Principle; Direct marketing activities; Individual Participation Principle
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 5 Nymity Framework coverage of the Hong Kong PDPO

Provisions Not Covered

All PDPO provisions were successfully allocated to one of the 13 Nymity Framework processes. While the Nymity Framework processes cover all provisions of the PDPO, the criminal offence of direct marketing without consent is a serious matter and needs special attention. Although it is implicitly covered under the Embed Data Privacy into Operations process, it is recommended that the direct marketing provision be included specifically in the list of activities under this process.

3.4.2. Taiwan

Background

Taiwan enacted the Computer Processed Personal Data Protection Law [37] in 1995, which was later amended and renamed the Personal Data Protection Law [38] (PDPL) in 2010. Section 6 concerning sensitive personal data and section 9 about the notification obligation for personal data indirectly collected are not in effect at the moment but are still included in the analysis for completeness. Furthermore, Part 2 of the PDPL (sections 15 – 18) governs public organisations only and is excluded from this analysis.

[37] ‘Personal Data Protection Law, Taiwan’ accessed 10 July 2014
[38] See note 33

Relevant Provisions

The PDPL was analysed with the same method stated previously and the relevant provisions related to the responsibilities of data controllers are listed below:

Sections | Provisions | OECD Principles
5 | Lawful collection and use | Collection Limitation Principle
6 | Sensitive data |
7 | Consent |
8 | Notification of purpose |
9 | Notification of data source |
10 – 11, 13 - 14 | Data access, correction and cessation | Individual Participation Principle
12 | Data breach | Accountability Principle
19 - 20 | Appropriate purpose | Purpose Specification Principle
21 | Cross-border data flow | Use Limitation Principle
27 | Security protection | Security Safeguards Principle

Table 6 Data Controller Responsibilities under the Taiwan PDPL

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | PDPL Sections | Provisions
Maintain Governance Structure | - | -
Maintain Personal Data Inventory | 21 | Cross-border data flow
Maintain Data Privacy Policy | 5 | Lawful collection and use
 | 8 | Notification of purpose
 | 19 - 20 | Appropriate purpose
Embed Data Privacy into Operations | 6 | Sensitive data
 | 7 | Consent
 | 9 | Notification of data source
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 27 | Security protection
Manage Third-party Risk | - | -
Maintain Notices | - | -
Maintain Procedures for Inquiries and Complaints | 10 – 11, 13 - 14 | Data access and correction
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | 12 | Data breach
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 7 Nymity Framework coverage to the Taiwan PDPL

Provisions Not Covered

Similar to the Hong Kong situation, all PDPL provisions were covered by the 13 Nymity Framework processes. However, the PDPL gives data subjects the right to ask data controllers to cease the processing of their personal data upon request. It is recommended to specifically include this provision, which is very similar to the heatedly debated right to be forgotten, in the list of activities under the Inquiries and Complaints Process.

3.4.3. Japan

Background

Japan enacted the Act on the Protection of Personal Information [39] (APPI) in 2003. The Consumer Affairs Agency is supposed to be the authority that enforces the APPI, but the actual investigation and enforcement work is carried out by various sectoral regulators.

[39] ‘Act on the Protection of Personal Information, Japan’ accessed 10 July 2014

Relevant Provisions

The APPI was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Articles | Provisions | OECD Principles
15 | Purpose specification | Purpose Specification Principle
16 | Consent | Collection Limitation Principle
17 | Lawful collection |
18 | Notice |
19 | Accuracy | Data Quality Principle
20 | Security protection | Security Safeguards Principle
21 | Supervision and training of employee | Accountability Principle
22 | Supervision of contractors |
23 | Transfer to third-parties | Use Limitation Principle
24 | Purpose and data access | Openness Principle; Individual Participation Principle
25 – 26, 28 - 30 | Data access and correction | Individual Participation Principle
27 | Right to request cessation of processing | Individual Participation Principle
31 | Complaint handling |
32 | Report submission to DPA on request | Accountability Principle

Table 8 Data Controller Responsibilities under the Japan APPI

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | APPI Articles | Provisions
Maintain Governance Structure | - | -
Maintain Personal Data Inventory | - | -
Maintain Data Privacy Policy | 15 | Purpose specification
 | 17 | Lawful collection
 | 18 | Notice
 | 24 | Purpose and data access
Embed Data Privacy into Operations | 16 | Consent
 | 19 | Accuracy
 | 23 | Transfer to third-parties
Maintain Training and Awareness Program | 21 | Supervision and training of employee
Manage Information Security Risk | 20 | Security protection
Manage Third-party Risk | 22 | Supervision of contractors
Maintain Notices | 32 | Submission to DPA
Maintain Procedures for Inquiries and Complaints | 25 – 26, 28 – 30 | Data access and correction
 | 27 | Right to request cessation of processing
 | 31 | Complaint handling
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 9 Nymity Framework coverage to the Japan APPI

Provisions Not Covered

All APPI provisions were successfully allocated to one of the 13 Nymity Framework processes. However, similar to Taiwan, the APPI gives data subjects the right to request the cessation of processing of personal data about themselves. It is again recommended that such a right be specifically mentioned as an activity under the Inquiries and Complaints process.

3.4.4. Macau

Background

Macau’s Personal Data Protection Act [40] (Macau PDPA) was passed in 2005. For historical and cultural reasons, the law is very similar to that of Portugal.

[40] ‘Personal Data Protection Act, Macau’ accessed 10 July 2014

Relevant Provisions

The Macau PDPA was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Articles | Provisions | OECD Principles
5 | Specific, lawful and adequate purpose and accurate collection | Collection Limitation Principle; Data Quality Principle; Purpose Specification Principle
6 | Consent |
7 | Sensitive data |
10 | Notice | Openness Principle
9 | Approval required for combining data | Accountability Principle
11 | Data access | Individual Participation Principle
12 | Right to request cessation of processing |
13 | Not to be subject to automated decision | Use Limitation Principle
15 - 16 | Security protection | Security Safeguards Principle
17 | Third-party service provider |
19 - 20 | Cross-border data transfer | Security Safeguards Principle
21 | Notification of data processing | Accountability Principle

Table 10 Data Controller Responsibilities under the Macau PDPA

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | Macau PDPA Articles | Provisions
Maintain Governance Structure | - | -
Maintain Personal Data Inventory | 9 | Approval required for combining data
 | 19 - 20 | Cross-border data transfer
Maintain Data Privacy Policy | 21 | Notification of data processing
 | 5 | Specific, lawful and adequate purpose and accurate collection
Embed Data Privacy into Operations | 6 | Consent
 | 7 | Sensitive data
 | 13 | Not to be subject to automated decision
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 15 - 16 | Security protection
Manage Third-party Risk | 17 | Third-party service provider
Maintain Notices | 10 | Notice
Maintain Procedures for Inquiries and Complaints | 11 | Data access
 | 12 | Right to request cessation of processing
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 11 Nymity Framework coverage to the Macau PDPA

Provisions Not Covered

All Macau PDPA provisions were successfully allocated to one of the 13 Nymity Framework processes. However, similar to Japan, the PDPA gives data subjects the right to request the cessation of processing of their personal data, and this right should therefore be mentioned as an activity under the Inquiries and Complaints process.

3.4.5. Malaysia

Background

Malaysia enacted the Personal Data Protection Act [41] (Malaysia PDPA) in 2010. The Malaysia PDPA has many similarities to Hong Kong’s PDPO in terms of its principle-based approach and the various regulatory tools and instruments listed.

[41] ‘Personal Data Protection Act, Malaysia’ accessed 10 July 2014

Relevant Provisions

The Malaysia PDPA was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Sections | Provisions | OECD Principles
6 | General principle on consent | Collection Limitation Principle
38 | Withdrawal of consent |
40 | Sensitive personal data |
7 | Notice and choice principle | Openness Principle
8 | Disclosure principle | Purpose Specification Principle
39 | Extent of disclosure | Use Limitation Principle
9 | Security principle | Security Safeguards Principle
10 | Retention principle | Data Quality Principle
11 | Data integrity principle |
12 | Access and correction principle | Individual Participation Principle
30 - 37 | Data access and correction rights |
14 - 20 | Registration of data processing | Accountability Principle
42 | Not to be subject to adverse decision | Use Limitation Principle
43 | Direct marketing |
129 | Cross-border data transfer | Security Safeguards Principle

Table 12 Data Controller Responsibilities under the Malaysia PDPA

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | Malaysia PDPA Sections | Provisions
Maintain Governance Structure | 14 - 20 | Registration of data processing
Maintain Personal Data Inventory | 129 | Cross-border data transfer
Maintain Data Privacy Policy | 6 | General principle on consent
 | 8 | Disclosure principle
Embed Data Privacy into Operations | 10 | Retention principle
 | 11 | Data integrity
 | 38 | Withdrawal of consent
 | 39 | Extent of disclosure
 | 40 | Sensitive personal data
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 9 | Security principle
Manage Third-party Risk | - | -
Maintain Notices | 7 | Notice and choice principle
Maintain Procedures for Inquiries and Complaints | 12 | Access and correction principle
 | 30 – 37 | Data access and correction rights
 | 42 | Not to be subject to adverse decision
 | 43 | Direct marketing
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 13 Nymity Framework coverage to the Malaysia PDPA

Provisions Not Covered

All Malaysia PDPA provisions were successfully allocated to one of the 13 Nymity Framework processes.

3.4.6. Vietnam

Background

Vietnam does not have a comprehensive universal privacy law. Protection of personal information is provided, in a most basic form, under its Law on Protection of Consumers’ Rights [42] (LPCR), enacted in 2010. As the law covers all commercial organisations interacting with consumers, it falls within the scope of this study and is therefore included.

[42] ‘Law on Protection of Consumers' Rights, Vietnam’ accessed 10 July 2014

Relevant Provisions

The LPCR was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Articles | Provisions | OECD Principles
6.1 | Safe and confidential | Security Safeguards Principle
6.2 a) | Clear purpose | Purpose Specification Principle
6.2 b) | Use conformity | Use Limitation Principle
6.2 c) | Safety, accuracy and completeness | Data Quality Principle; Security Safeguards Principle
6.2 d) | Correction | Individual Participation Principle
6.2 e) | Only transfer with consent | Use Limitation Principle

Table 14 Data Controller Responsibilities under the Vietnam LPCR

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | LPCR Articles | Provisions
Maintain Governance Structure | - | -
Maintain Personal Data Inventory | - | -
Maintain Data Privacy Policy | - | -
Embed Data Privacy into Operations | 6.2 b) | Use conformity
 | 6.2 e) | Only transfer with consent
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 6.1 | Safe and confidential
Manage Third-party Risk | - | -
Maintain Notices | 6.2 a) | Clear purpose
Maintain Procedures for Inquiries and Complaints | 6.2 d) | Correction
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 15 Nymity Framework coverage to the Vietnam LPCR

Provisions Not Covered

All LPCR provisions were successfully allocated to one of the 13 Nymity Framework processes.

3.4.7. The Republic of Korea

Background

The Republic of Korea (South Korea) enacted the Personal Information Protection Act [43] (PIPA) in 2011 as the first comprehensive data protection law covering both the private and the public sectors. Prior to this, the protection regime was mainly sectoral and for the public sector only. [44]

[43] ‘Personal Information Protection Act, The Republic of Korea’ accessed 10 July 2014
[44] ‘Country Report: Korea’ (Business Software Alliance) accessed 5 July 2014

Relevant Provisions

PIPA was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Articles | Provisions | OECD Principles
15 | Collection and use | Collection Limitation Principle
17 | Provision of personal information |
22 | Consent |
23 | Sensitive data |
24 | Unique identifier |
25 | Visual data processing devices |
27 | Business transfer |
16 | Limitation to collection | Data Quality Principle
18 - 19 | Limitation to use and provision | Use Limitation Principle
20 | Notification of data source | Individual Participation Principle
21 | Destruction | Data Quality Principle
26 | Consignment of work | Accountability Principle
28 | Internal supervision and training |
29 | Safeguard | Security Safeguards Principle
30 | Privacy policy | Openness Principle
31 | Privacy officer | Accountability Principle
33 | Privacy impact assessment | Accountability Principle
34 | Data breach notification | Accountability Principle
35 - 38 | Access and suspension | Individual Participation Principle

Table 16 Data Controller Responsibilities under the South Korea PIPA

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | PIPA Articles | Provisions
Maintain Governance Structure | 31 | Privacy officer
 | 32 | Registration by public bodies
Maintain Personal Data Inventory | 16 | Limitation to collection
 | 18-19 | Limitation to use and provision
Maintain Data Privacy Policy | 30 | Privacy policy
Embed Data Privacy into Operations | 21 | Erasure
 | 23 | Sensitive data
 | 22 | Consent
 | 24 | Unique identifier
 | 25 | Visual data processing devices
 | 27 | Business transfer
Maintain Training and Awareness Program | 28 | Internal supervision and training
Manage Information Security Risk | 29 | Safeguard
Manage Third-party Risk | 26 | Consignment of work
Maintain Notices | 15 | Collection and use
 | 17 | Provision of personal information
 | 22 | Notification
Maintain Procedures for Inquiries and Complaints | 35 - 38 | Access and suspension
Monitor for New Operational Practices | 33 | Privacy impact assessment
Maintain Data Privacy Breach Management Program | 34 | Data breach notification
Monitor Data Handling Practices | 28 | Internal supervision and training
Track External Criteria | - | -

Table 17 Nymity Framework coverage to the South Korea PIPA

Provisions Not Covered

All PIPA provisions were successfully allocated to one of the 13 Nymity Framework processes. However, PIPA prohibits data controllers from processing unique identifiers under specific circumstances. Due to its specificity, it is recommended to include this provision in the list of activities under the Inquiry and Complaints Process.

3.4.8. The Philippines

Background

The Philippines passed the Data Privacy Act [45] (DPA) in 2012 as its comprehensive data protection law.

[45] ‘Data Privacy Act of 2012, The Philippines’ accessed 10 July 2014

Relevant Provisions

The DPA was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Sections | Provisions | OECD Principles
11 | Specific and legitimate purpose, fair and adequate collection with accuracy and retention | Collection Limitation Principle; Data Quality Principle; Purpose Specification Principle
12 | Consent | Collection Limitation Principle
13 | Sensitive personal information |
14 | Third-party contractor | -
16 | Rights of data subjects | Collection Limitation Principle; Purpose Specification Principle; Openness Principle; Individual Participation Principle
17 | Transmissibility of rights of data subjects |
18 | Right to data portability | Individual Participation Principle
20 | Security | Security Safeguards Principle
21 | Accountability and data protection officer | Accountability Principle

Table 18 Data Controller Responsibilities under the Philippines DPA

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | DPA Sections | Provisions
Maintain Governance Structure | 21 | Accountability and data protection officer
Maintain Personal Data Inventory | - | -
Maintain Data Privacy Policy | 11 | Specific and legitimate purpose, fair and adequate collection with accuracy and retention
Embed Data Privacy into Operations | 12 | Consent
 | 13 | Sensitive personal information
 | 17 | Transmissibility of rights of data subjects
 | 18 | Right to data portability
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 20 | Security
Manage Third-party Risk | 14 | Third-party contractor
Maintain Notices | 16 | Rights of data subjects
Maintain Procedures for Inquiries and Complaints | 16 | Rights of data subjects
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 19 Nymity Framework coverage to the Philippines DPA

Provisions Not Covered

All DPA provisions were successfully allocated to one of the 13 Nymity Framework processes. However, section 17 confers upon the lawful heirs and assigns of the data subjects the same rights as are conferred upon the data subjects under section 16. This is a unique provision that, although implicitly covered by the Operations Process in the Nymity Framework, should be specifically added as an activity for completeness. Similarly, the data portability right conferred under section 18 has enormous implications for data controllers and should be highlighted as an activity in the corresponding Operations Process activities.

3.4.9. Singapore

Background

Singapore enacted the Personal Data Protection Act [46] (Singapore PDPA) in 2012 as the newest data protection law in Asia.

[46] ‘Personal Data Protection Act 2012, Singapore’ accessed 10 July 2014

Relevant Provisions

The Singapore PDPA was analysed with the same method as the other laws and the relevant provisions related to the responsibilities of data controllers are listed below:

Sections | Provisions | OECD Principles
13 - 17 | Consent | Collection Limitation Principle
18 – 20 | Limitation of purpose | Purpose Specification Principle
21 – 22 | Data access and correction | Individual Participation Principle
23 | Accuracy | Data Quality Principle
25 | Retention |
24 | Protection | Security Safeguards Principle
26 | Cross-border data flow |
38 – 47 | Do not call register | Use Limitation Principle

Table 20 Data Controller Responsibilities under the Singapore PDPA

How Each Provision Fits into the Nymity Framework

The identified provisions were then allocated to one of the 13 Nymity Framework processes as follows:

Nymity Processes | Singapore PDPA Sections | Provisions
Maintain Governance Structure | - | -
Maintain Personal Data Inventory | 26 | Cross-border data flow
Maintain Data Privacy Policy | 18 – 20 | Limitation of purpose
Embed Data Privacy into Operations | 13 – 17 | Consent
 | 23 | Accuracy
 | 25 | Retention
 | 38 – 47 | Do not call register
Maintain Training and Awareness Program | - | -
Manage Information Security Risk | 24 | Protection
Manage Third-party Risk | - | -
Maintain Notices | 20 | Notice
Maintain Procedures for Inquiries and Complaints | 21 – 22 | Data access and correction
Monitor for New Operational Practices | - | -
Maintain Data Privacy Breach Management Program | - | -
Monitor Data Handling Practices | - | -
Track External Criteria | - | -

Table 21 Nymity Framework coverage to the Singapore PDPA

Provisions Not Covered

All Singapore PDPA provisions were successfully allocated to one of the 13 Nymity Framework processes. However, the provisions under sections 38 to 47 on the Do not call register are unique. Many other jurisdictions have put similar provisions under separate legislation to be enforced by their communications authorities instead of DPAs (the UK being one of the exceptions, like Singapore). As such, the Do not call register requirement should be highlighted as an activity in the corresponding Operations process.

3.5. Summary of chapter three

An enormous amount of time has been spent in this Chapter 3 studying the detailed provisions of the nine Asian data protection laws. All the data controller responsibilities have been identified and allocated to the 13 Nymity Framework processes. This suggests that the 13 Nymity Framework processes are generally adequate and universal enough to cover these Asian laws at a high level. However, during the allocation it was discovered that a number of unique or special requirements across these Asian data protection laws are not specifically covered by the activities currently associated with the 13 Nymity Framework processes.

The next chapter takes up this discovery and describes how the Nymity Framework may be modified and improved so that data controllers can apply it effectively across Asian jurisdictions.


4. How can the Nymity Framework be extended to cover Asia?

4.1. Introduction to chapter four

In Chapter 2, the Nymity Framework was selected as the best possible framework for extending application to Asian jurisdictions because of its practicality, which includes both the processes (the how) and activities (the what). In Chapter 3, nine relevant Asian data protection laws were selected and meticulously analysed to confirm that the 13 Nymity Framework Processes can indeed cover, at a high level, these data protection laws. However, the analysis also discovered that the Nymity Framework activities need expanding in order to address specific regulatory requirements when applied to Asian data protection laws.

This Chapter 4 now attempts to address all the shortcomings of the Nymity Framework identified in Chapter 2, using the findings from Chapter 3 and beyond. Specifically, the various issues are discussed in the following sections:

Section 4.2: What modifications are needed in the Nymity Framework to cover Asia?

Section 4.3: What modifications are needed in the structuring of the Nymity Framework to make it more manageable by practitioners?

Section 4.4: What modifications are needed in the Nymity Framework to make it more user-friendly to first-time users? and

Section 4.5: A critical look at the effectiveness of PMP.

4.2. Adequacy of the Nymity Framework to cover Asia

Because of the broad and high-level nature of the Nymity Framework process descriptions, it was confirmed in Chapter 3 that all Asian requirements can be allocated to one of the 13 processes. That said, a number of unique regulatory requirements imposed on data controllers by the respective jurisdictions have been deemed different or important enough to warrant a special mention in the activities of the Nymity Framework.

These activities have been identified under Section 3.4, together with the processes they should be assigned to, and are summarised in Table 22 below.

Jurisdiction | Sections/Articles | Provisions | Nymity Framework Process to be assigned to
Hong Kong | 35A – 35M | Direct marketing activities | Data Privacy into Operations
Taiwan | 11 | Request for cessation of processing | Inquiries and Complaints
Japan | 27 | Request for cessation of processing | Inquiries and Complaints
Macau | 12 | Request for cessation of processing | Inquiries and Complaints
South Korea | 24 | Processing of unique identifier | Data Privacy into Operations
The Philippines | 17 | Transmissibility of rights to heirs | Data Privacy into Operations
 | 18 | Data portability | Data Privacy into Operations
Singapore | 38 - 47 | Do not call register | Data Privacy into Operations

Table 22 Asia-specific activities that are to be added to the Nymity Framework

It is recommended that these five distinct provisions be added to the Nymity Framework in a generic way, without making specific references to the jurisdictions concerned. This approach allows maximum flexibility for data controllers to decide whether they wish to meet the minimum legal compliance requirements for each specific location they operate in, or to take a more uniform approach to data protection across the entire business over all the jurisdictions they operate in.

It needs to be stressed, at this point, that the inclusion of these activities would not make the Nymity Framework the only document privacy professionals will ever need. In-depth knowledge of the data protection regulatory requirements in each location cannot be distilled into a simple framework. The inclusion of regulatory activities in the Nymity Framework therefore acts as a checklist of the broad, yet practical, areas privacy professionals need to pay attention to. However, they do not replace the jurisdiction-specific legal knowledge required to ensure compliance. Nevertheless, these activities do marry and bridge the high-level privacy programme management methodology on the one hand with the detailed item-by-item requirements listed in each jurisdiction’s data protection law on the other.

4.3. Manageability of the Nymity Framework Section 4.2 has addressed the issue of adequacy of the Nymity Framework to cover Asian jurisdictions by adding six unique activities (Direct marketing activities, Request for cessation of processing, Processing of unique identifiers, Transmissibility of rights to heirs, Data portability and Do not call register) to it.

The inclusion of additional activities makes the Nymity Framework more relevant to Asian jurisdictions. However, it also increases the activity-to-process ratio. In the extreme case of the Operations process, it has increased the number of activities from 31 to 33. Given that one of the main purposes of these activities is for privacy professionals to track their accountability implementation and maturity, the large number of activities does pose an issue for practical managers at the operational level. Previous studies on quality management suggest that practical managers have found it difficult to manage and track the 14 steps of quality management advocated by Philip Crosby, one of the gurus in the field, because 14 steps are considered too tedious, long and complicated for them to grasp. [47] Further studies suggest that five is a more ideal number of factors or elements for practitioners to track and manage. [48]

[47] Nwabueze U and Kanji G, ‘The implementation of total quality management in the NHS: How to avoid failure’ 8 Total Quality Management 265
[48] Chang H, ‘The identification of critical success factors for quality internal IT services in public sector organisations in Hong Kong’ (Southern Cross University, 2012)

While it would be impossible to keep the number of activities for each process to five, reducing the activity-to-process ratio will no doubt greatly enhance the usefulness and manageability of the Nymity Framework. To achieve this, it is suggested to introduce a number of sub-processes to further break down the activity-to-process ratio to a single digit. For example, subdividing the first Governance Structure process into (1) Organisations, (2) Processes and (3) Monitoring, and re-allocating the appropriate activities to them, helps practical managers not only to manage those activities more easily, but also to think clearly about what those activities should cover, because they are now under a more focused sub-process grouping.

After examining the activities under each process and grouping them according to their common categories, sub-processes for each of the 13 processes were developed and are suggested below:

1. Maintain Governance Structure
   a. Privacy Organisation
   b. Privacy Processes
   c. Privacy Monitoring
2. Maintain Personal Data Inventory
   a. Data cycle management
   b. Regulatory obligations
   c. Cross-border data transfer
3. Maintain Data Privacy Policy
4. Embed Data Privacy into Operations
   a. Data cycle protection
   b. Business processes
   c. Marketing activities
   d. Use of technology policy
   e. Internal HR policies
5. Maintain Training and Awareness Program
   a. Training/Awareness tools
   b. Programme management
   c. Programme monitoring
6. Manage Information Security Risk
   a. Information security tools
   b. Programme management
7. Manage Third-party Risk
   a. Third-party management tools
   b. Contract management
8. Maintain Notices
   a. Tools for serving notice
   b. Programme management
9. Maintain Procedures for Inquiries and Complaints
   a. Compliance obligations
   b. Customer services
10. Monitor for New Operational Practices
   a. Tools
   b. Programme management
11. Maintain Data Privacy Breach Management Program
   a. Incident response planning
   b. Incident response management
12. Monitor Data Handling Practices
   a. Periodic compliance checks
   b. Ad hoc compliance checks
13. Track External Criteria
   a. Regular events
   b. Ad hoc events

With the introduction of these sub-processes, the extreme activity-to-process ratio is reduced from 31 to nine, and the typically long ones from 17 to eight.

In addition, a few activities of the same nature (e.g. all the cross-border data transfer mechanisms such as Safe Harbor, Cross-Border Privacy Rules etc.) are also grouped under a third level to improve their manageability.

4.4. A closer look at the activities

Further to the suggestion of adding a layer of sub-processes to the Nymity Framework, it is also proposed to make some editorial changes and fine-tuning to the listed activities. Specifically, the aim of this study is to find an accountability framework for data controllers operating across Asia. Given that many Asian jurisdictions have only just enacted or put into effect their data protection laws, it is understandable that many of these data controllers could be new to data protection.

The original Nymity Framework often uses descriptions for activities that assume the prior existence of PMPs. For example, some of the activities are related to the maintenance of policies and procedures as if those policies and procedures already exist. Since this may often not be the case for Asian data controllers, it is suggested that all such references to “maintaining” activities be modified to “developing and maintaining” those activities. Such a change is minor and editorial, but it should remind data controllers to spend adequate resources on developing PMPs from the ground up first, before maintaining them at a high standard.

All the proposed modifications, including (1) Asia-specific activities, (2) an additional layer of sub-processes, and (3) editorial modifications to the Nymity Framework, are listed under Annex B with revision marks.

Ideally, the Nymity Framework can be further enhanced by listing out further explanations and examples of what each activity means and should comprise. Currently some descriptions of activities could be subject to interpretation so explanations/examples will help to ensure a more consistent implementation. That said, such enhancement would be beneficial to the Nymity Framework no matter whether it is being applied in Asia or not. As such, it is not the focus of this study.

4.5. A critical look at the effectiveness of PMP

Now that the Nymity Framework has been modified for data controllers operating across multiple Asian jurisdictions, it is time to revisit the issue of the effectiveness of a PMP that may be used to prove accountability.

The apparent value of a PMP should be obvious. In an increasing number of jurisdictions (such as Canada, the EU when its EU Regulation becomes effective, and the Philippines and South Korea, as found in Chapter 3), it is required under the law that accountability be established. In these jurisdictions data controllers will find the PMP a safe and acceptable way to prove accountability to regulators and data subjects. For locations (such as Hong Kong) where accountability is not part of the legal requirement, a willingness to implement a PMP should logically be seen by regulators and data subjects as a sign that data controllers respect the personal data privacy of their customers and make it a priority.

For data controllers who genuinely want to set a high bar for privacy protection standards, the implementation of a PMP will not necessarily guarantee full compliance with the law, but it certainly can demonstrate that any mistake is likely to be an isolated incident and not a systemic failure.49 Because of this, it is possible that some data controllers are entering into a PMP under the pretence that it can be used as an “amnesty” from regulatory scrutiny or as a marketing gimmick to their customers. In order to combat this possible abuse, the suggestions put forward by the Article 29 Working Party’s Opinion 03/2010 on the principle of accountability, including the development of certification schemes and/or seals of approval, could become a reality. This is particularly so when the EU Regulation comes into force: the demands from data controllers among EU member states could make a PMP certification industry a necessity. A more objective assessment of PMP implementations may then become available to discern the genuine from the pretentious. Naturally, the challenge would then be on how to ensure the emphasis of the exercise is not just on adherence to procedures and processes, but also on the quality of the contents and controls.

49 See note 17.

4.6. Summary of chapter four

Section 4.2 summarises the main findings obtained in Chapter 3 and proposes how some unique activities related to individual Asian jurisdictions should be added to the Nymity Framework. Section 4.3 then addresses the issue of the large activity-to-process ratio, which has rendered the Nymity Framework difficult for practitioners to manage, by introducing a middle layer of sub-processes to reduce the number of activities per category for easier tracking and monitoring. Section 4.4 further suggests editorial improvements to the description of some activities to make the Nymity Framework friendlier to first-time users. Finally, in Section 4.5, the effectiveness of a PMP, which an accountability framework helps to implement, is briefly examined.

The next chapter will provide an overview of the findings and contributions of this study, and also propose possible future studies.


5. Findings and recommendations

5.1. Introduction to chapter five

Chapter 4 fully describes how the Nymity Framework can be modified to address the Asian regulatory requirements, the manageability issue of the large activity-to-process ratio, and the user-friendliness issue for data controllers implementing a PMP for the first time.

In this Chapter 5, Section 5.2 reiterates the environment leading to the need for this study, the research question, and how it was resolved. Section 5.3 then recaps the findings and the answer to the research question. Chapter 5 draws to a close in Section 5.4 by reflecting on the significance and limitations of the findings, reviewing the study methods, and suggesting possible future studies and developments.

5.2. The research question

The background leading to this study

Incorporating accountability as one of the core principles of data protection laws is gaining momentum. In some jurisdictions such as Canada, the Philippines and South Korea, accountability is a minimum legal requirement.

In other jurisdictions such as the EU, it is being seriously contemplated. Even in jurisdictions, such as Hong Kong, where there is no provision on accountability, accountability is being promoted as part of a good business governance model.50

Even in jurisdictions with data protection laws but where accountability is not specified, compliance with the data protection law is mandatory. Instead of meeting the data protection laws in a piecemeal manner, data controllers could benefit from demonstrating their commitment to personal data privacy by being accountable through the implementation of a PMP. As the OPCC has somewhat subtly hinted, the adoption of PMPs helps to persuade regulators that data controllers hold data protection to a higher level than the bare legal minimum, and hence regulators may be more lenient towards them in any possible enforcement actions.

50 Major Organisations Pledge to Implement Privacy Management Programme to Protect Personal Data Privacy (The Office of the Privacy Commissioner for Personal Data 2014)

Furthermore, the reality is that the increased emphasis by regulators means accountability will always be on the agenda of data controllers.

Hence, for data controllers, the benefits of implementing formal PMPs are attractive, but PMPs must meet the standards and expectations of regulators and data subjects to be useful. This is where the use of accountability frameworks becomes valuable, as such a framework provides a consistent, systematic and demonstrable way of implementing a PMP, thus assuring data controllers of the effectiveness and anticipated benefits of adopting the accountability principle.

Data controllers operating across Asian jurisdictions with relatively recent data protection laws and wanting to implement a PMP face the additional challenge that many of the accountability frameworks pre-date the majority of Asian data protection laws and are therefore untested in the region.

The research question

The research question for this study is therefore:

If a data controller is to implement accountability, which accountability framework, with or without modifications, can be practically deployed by data controllers operating across Asian jurisdictions?

How the research question was solved

The research question was answered by first selecting, among the well-known accountability frameworks, the Nymity Framework as the most comprehensive and practical for data controllers implementing PMPs for the first time. Second, all the relevant Asian data protection laws applicable to the private sector were gathered and the relevant responsibilities they impose on data controllers identified. Third, a gap analysis was conducted to find out whether the Nymity Framework can cover all the requirements of the relevant Asian data protection laws.

5.3. Summary of findings

The research question answered

The research question was finally answered by modifying the Nymity Framework to include five additional regulatory activities specific to Asian jurisdictions, as suggested by the result of the gap analysis. Furthermore, the structure of the Nymity Framework was revised from a flat to a hierarchical one to improve manageability, and finally some descriptions were enhanced to make it more user-friendly to those who are implementing PMPs for the first time. As indicated under Section 4.4, the modified Nymity Framework can be found under Annex B.

The modified Nymity Framework answers the research question by affirming that, with the right modifications, it can cover all the regulatory requirements posed by relevant Asian data protection laws.

5.4. Thoughts and recommendations

The significance of the finding

The finding of this study is significant because the demands on data controller accountability are on the increase, both from regulators and from data subjects. In order to address these demands and prove their commitment to personal data privacy to stakeholders, data controllers must find a systematic and proven tool, in the form of an accountability framework, in order to reliably demonstrate accountability.

Data controllers in Asia face an additional challenge: many data protection laws were only recently enacted, so there is uncertainty as to whether any known accountability framework is equally applicable to Asia.

The finding of this study suggests that, with modifications, it is possible to make the Nymity Framework applicable for Asian jurisdictions in a practical way.


The limitation of the finding

This study only addresses the issue of finding an accountability framework that is applicable to Asia. A framework is defined as a structure on which a system can be built, but the structure does not include the system. As such, the use of the accountability framework can only assure data controllers and regulators that all the necessary processes and activities of a PMP should have been considered and applied. Even with the use of an accountability framework, data controllers are still free to decide what standards those processes and activities should attain. This means data controllers implementing PMPs still need to make business decisions and exercise judgement on how their business should comply with the respective data protection laws through their own strategies and policies. The use of an accountability framework, even if it is backed by certification schemes, is no guarantee of the compliance level of the data controllers.

Could it have been done differently?

Although this study has been concluded with a satisfactory answer to the research question, it is worth looking back to consider whether it could have been done differently.

Firstly, could an accountability framework be built from ground up by examining only the requirements of all Asian data protection laws?

While this might have been possible, it ignores proven efforts in the past by other parties in developing their accountability frameworks. Furthermore, even if an Asia-centric accountability framework could be developed in this way, one may question the value of an Asia-centric accountability framework in a global economy. The current approach extends a tried and tested accountability framework to also cover Asia, and should be considered a more versatile solution. After all, a framework is only a guide on which data controllers build a system. An Asia-only data controller can ignore activities in the modified Nymity Framework that are clearly related to the EU (e.g. Safe Harbor Rules), but if a framework is built only from Asian data protection laws, an Asian business expanding outside the region may have to abandon it or make substantial efforts to update it.

Secondly, could a more neutral, third-party framework than the Nymity Framework have been chosen as the basis for modification to cover Asia?

The choice of a commercial framework can be a controversial one. Despite the fact that the Nymity Framework is a free tool available for any data controller to use at this moment, there are still considerable value-added commercial activities Nymity can offer to assist data controllers in implementing the framework, not to mention that Nymity is free to reverse the decision and demand loyalty in using its framework in the future.

In an ideal world, the use of a non-commercial framework is always better than using a commercial one. However, it is very evident from Chapter 2 that all other commonly available accountability frameworks suffer from the fundamental issue of being too high-level and impractical to implement. The Nymity Framework is the only framework available that has included regulatory activities. This is a huge advantage to Asian data controllers, who are often new to data protection compliance, let alone PMP implementation. As such, the use of the commercial Nymity Framework is still in the best interests of data controllers whose only concern is to achieve the business objective of implementing PMPs and demonstrating accountability.

Further studies and related developments

The modified Nymity Framework is the result of desk research, and further refinements will be needed when it is applied by practitioners in the field. As such, this modified Nymity Framework will need to be verified by data controller(s) in the field.

When more and more data controllers adopt PMPs, for good or bad reasons, the claimed use of a recognised accountability framework alone will not be sufficient to prove that a PMP has been implemented in a consistent, systematic and formal way. It is hoped that some kind of certification scheme and/or seal of approval scheme would then be developed to provide independent verification. Whether certification schemes are possible, and what their real benefits would be, will no doubt be a substantial and worthwhile research topic of interest to many.

Another issue somewhat related to accountability frameworks is what the best compliance strategy would be for a data controller operating across multiple locations. The use of an accountability framework logically, but not mandatorily, leads data controllers to adopt a strategy of applying a fairly uniform data protection policy and measures across all the locations they operate in. However, further studies would be needed to ascertain whether this is the best strategy for multinationals. This strategy may be easier to adopt and manage, and safer for data controllers who do not just operate in multiple locations but manage personal data collected from multiple locations as one entity. Others, however, may argue that this approach is detrimental to innovation and business opportunities in locations where the law is perhaps not as stringent as in other locations. This is particularly challenging to data controllers operating only across multiple Asian jurisdictions because, as mentioned under Section 3.3, Asian data protection laws do not have a common core and can differ from one another quite markedly. The incentive for Asian data controllers to differentiate their data protection strategies in different jurisdictions to maximise business advantage is more evident than for their EU/US counterparts. This issue of the best data protection strategy for data controllers operating across multiple jurisdictions could be an interesting subject and worth pursuing by many.


References

Byrne JM and others, Privacy Program Management: Tools for Managing Privacy Within Your Organization (Densmore RR ed, International Association of Privacy Professionals 2013)

Butin D, Chicote M and Le Métayer D, ‘Strong Accountability: Beyond Vague Promises’ in Gutwirth S, Leenes R and De Hert P (eds), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges (Springer)

Langheinrich M, Privacy by design—principles of privacy-aware ubiquitous systems (Springer 2001)

Greenleaf G, ‘Global Data Privacy Laws 2013: 99 Countries and Counting’ Privacy Laws & Business International Report, accessed 10 July 2014

–––, ‘Global Tables of Data Privacy Laws and Bills (3rd Ed, June 2013)’ UNSW Law Research Paper No 2013-39, accessed 18 July 2014

–––, ‘Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ Journal of Law, Information & Science, accessed 11 June 2014

Guagnin D and others, Managing Privacy through Accountability (Palgrave Macmillan 2012)

Bennett CJ, ‘In defense of privacy: the concept and the regime’ 8 Surveillance & Society 485

Nwabueze U and Kanji G, ‘The implementation of total quality management in the NHS: How to avoid failure’ 8 Total Quality Management 265

Major Organisations Pledge to Implement Privacy Management Programme to Protect Personal Data Privacy (The Office of the Privacy Commissioner for Personal Data 2014)

APEC Privacy Framework (APEC#205-SO-012, 2005)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Personal Information Protection and Electronic Documents Act, Canada

Chang H, ‘The identification of critical success factors for quality internal IT services in public sector organisations in Hong Kong’ (Southern Cross University, 2012)

‘Accountability: Data Governance for the Evolving Digital Marketplace’ (The Centre for Information Policy Leadership) accessed 19 June 2014

‘Act on the Protection of Personal Information, Japan’ accessed 10 July 2014

‘Centre for Information Policy Leadership’ accessed 19 June 2014

‘The Code of Fair Information Practices’ (Electronic Privacy Information Center) accessed 11 June 2014

‘Country Report: Korea’ (Business Software Alliance) accessed 5 July 2014

‘Data Privacy Act of 2012, The Philippines’ accessed 10 July 2014

‘The International Association of Privacy Professionals’ accessed 8 July 2014

‘Law on Protection of Consumers' Rights, Vietnam’ accessed 10 July 2014

‘Nymity Inc.’ accessed 8 July 2014

‘Nymity Privacy Management Accountability Framework’ (Nymity Inc.) accessed 8 July 2014

‘Personal Data (Privacy) Ordinance, Hong Kong’ accessed 10 July 2014

‘Personal Data Protection Act 2012, Singapore’ accessed 10 July 2014

‘Personal Data Protection Act, Macau’ accessed 10 July 2014

‘Personal Data Protection Act, Malaysia’ accessed 10 July 2014

‘Personal Data Protection Law, Taiwan’ accessed 10 July 2014

‘Personal Information Protection Act, South Korea’ accessed 10 July 2014

‘A Privacy Office Guide to Demonstrating Accountability’ (Nymity Inc.) accessed 8 July 2014

‘Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ (European Commission) accessed 19 June 2014

‘Opinion 3/2010 on the Principle of Accountability’ (Article 29 Working Party, 2010) accessed 19 June 2014

‘Getting Accountability Right with a Privacy Management Program’ (The Office of the Privacy Commissioner, Canada, 2012) accessed 19 June 2014

‘Best Practice Guide on Privacy Programme Management’ (The Office of the Privacy Commissioner for Personal Data, Hong Kong, 2014) accessed 19 June 2014

‘Data Protection Laws of the World’ (DLA Piper, 2014) accessed 18 July 2014

OECD, ‘The 2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (OECD) accessed 11 June 2014

–––, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ (OECD) accessed 11 June 2014

Annex A Original Nymity Privacy Management Accountability Framework

1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
   1. Conduct a Privacy Risk Assessment
   2. Maintain a Privacy Strategy
   3. Maintain a privacy program charter/mission statement
   4. Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)
   5. Assign accountability for data privacy at a senior level
   6. Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel)
   7. Assign responsibility for data privacy
   8. Appoint a representative in member states where the organization does not maintain a physical presence
   9. Conduct regular communication between individuals accountable and responsible for data privacy
   10. Consult with stakeholders throughout the organization on data privacy matters
   11. Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board)
   12. Integrate data privacy into business risk assessments/reporting
   13. Maintain a Code of Conduct
   14. Maintain ethics guidelines
   15. Maintain a strategy to align activities with legal requirements (e.g., address conflicts, differences in standards, creating rationalized rule sets)
   16. Require employees to acknowledge and agree to adhere to the data privacy policies
   17. Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third-parties, clients)

2. Maintain Personal Data Inventory
Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data
   1. Maintain an inventory of key personal data holdings (what personal data is held and where)
   2. Classify personal data holdings by type (e.g. sensitive, confidential, public)
   3. Obtain approval for data processing (where prior approval is required)
   4. Register databases with data protection authority (where registration is required)
   5. Maintain flow charts for key data flows (e.g. between systems, between processes, between countries)
   6. Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities)
   7. Use Binding Corporate Rules as a data transfer mechanism
   8. Use Standard Contractual Clauses as a data transfer mechanism
   9. Use Cross-Border Privacy Rules as a data transfer mechanism
   10. Use the Safe Harbor framework as a data transfer mechanism
   11. Use Data Protection Authority approval as a data transfer mechanism
   12. Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism

3. Maintain Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk
   1. Maintain a data privacy policy
   2. Maintain a separate employee data privacy policy
   3. Obtain board approval for data privacy policy
   4. Document legal basis for processing personal data
   5. Document guiding principles for consent

4. Embed Data Privacy into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
   1. Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
   2. Maintain policies/procedures for maintaining data quality
   3. Maintain policies/procedures for pseudonymization/anonymization of personal data
   4. Maintain policies/procedures to review processing conducted wholly or partially by automated means
   5. Maintain policies/procedures for secondary uses of personal data
   6. Maintain policies/procedures for collecting consent preferences
   7. Maintain policies/procedures for secure destruction of personal data
   8. Integrate data privacy into use of cookies and tracking mechanisms
   9. Integrate data privacy into records retention practices
   10. Integrate data privacy into direct marketing practices
   11. Integrate data privacy into e-mail marketing practices
   12. Integrate data privacy into telemarketing practices
   13. Integrate data privacy into behavioural advertising practices
   14. Integrate data privacy into hiring practices
   15. Integrate data privacy into employee background check practices
   16. Integrate data privacy into social media practices
   17. Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
   18. Integrate data privacy into health & safety practices
   19. Integrate data privacy into interactions with works councils
   20. Integrate data privacy into practices for monitoring employees
   21. Integrate data privacy into e-mail monitoring practices
   22. Integrate data privacy into use of CCTV/video surveillance
   23. Integrate data privacy into use of geolocation (tracking and or location) devices
   24. Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination)
   25. Integrate data privacy into e-discovery practices
   26. Integrate data privacy into conducting internal investigations
   27. Integrate data privacy into practices for disclosure to and for law enforcement purposes
   28. Integrate data privacy into customer/patient/citizen facing practices (e.g. retail sales, provision of healthcare, tax processing)
   29. Integrate data privacy into back office/administrative procedures (e.g. facilities management)
   30. Integrate data privacy into financial operations (e.g. credit, billing, processing transactions)
   31. Integrate data privacy into research practices

5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
   1. Conduct data privacy training needs analysis by position/job responsibilities
   2. Maintain a core training program for all employees
   3. Conduct training for newly appointed employees upon assignment to privacy-sensitive positions
   4. Maintain a second level training program reflecting job specific content
   5. Conduct regular refresher training to reflect new developments
   6. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training
   7. Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
   8. Require completion of data privacy training as part of performance reviews
   9. Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
   10. Maintain ongoing awareness material (e.g. posters, intranet, and videos)
   11. Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information
   12. Hold an annual data privacy day/week
   13. Measure comprehension of data privacy concepts using exams
   14. Provide data privacy information on system logon screens
   15. Maintain certification for individuals responsible for data privacy, including continuing professional education
   16. Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics
   17. Provide ongoing education and training for the privacy office (e.g. conferences, webinars, guest speakers)

6. Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments
   1. Conduct a security risk assessment which considers data privacy risk
   2. Maintain an information security policy
   3. Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
   4. Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media
   5. Maintain an acceptable use of information resources policy
   6. Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)
   7. Maintain a corporate security policy (protection of physical premises and hard assets)
   8. Maintain human resource security measures (e.g. pre-screening, performance appraisals)
   9. Maintain backup and business continuity plans
   10. Maintain a data-loss prevention strategy
   11. Maintain procedures to update security profile based on system updates and bug fixes
   12. Conduct regular testing of data security posture
   13. Maintain a security verification

7. Manage Third-party Risk
Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
   1. Maintain data privacy requirements for third-parties (e.g. vendors, processors, affiliates)
   2. Maintain procedures to execute contracts or agreements with all processors
   3. Maintain a vendor data privacy risk assessment process
   4. Conduct due diligence around the data privacy and security posture of potential vendors/processors
   5. Maintain a policy governing use of cloud providers
   6. Maintain procedures to address instances of non-compliance with contracts and agreements
   7. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
   8. Review long-term contracts for new or evolving data protection risks

8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
   1. Maintain a data privacy notice that details the organization’s personal data handling policies
   2. Provide data privacy notice at all points where personal data is collected
   3. Provide notice by means of on-location signage, posters
   4. Provide notice in marketing communications (e.g. emails, flyers, offers)
   5. Provide notice in all forms, contracts and terms
   6. Maintain scripts for use by employees to provide the data privacy notice
   7. Maintain a data privacy notice for employees (processing of employee personal data)
   8. Maintain a privacy Seal or Trustmark to increase customer trust
   9. Provide data privacy education to individuals (e.g. preventing identity theft)

Annex A Original Nymity Privacy Management Accountability Framework 9. Maintain Procedures for Inquiries and Complaints Maintain effective procedures for interactions with individuals about their personal data 1. 2. 3. 4. 5. 6. 7. 8. 9.

Maintain procedures to address complaints Maintain procedures to respond to access requests Maintain procedures to respond to requests to update or revise personal data Maintain procedures to respond to requests to opt-out Maintain procedures to respond to requests for information Maintain customer Frequently Asked Questions Maintain escalation procedures for serious complaints or complex access requests Maintain procedures to investigate root causes of data protection complaints Maintain metrics for data protection complaints (e.g. number, root cause)


10. Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
1. Maintain a Privacy by Design framework for all system and product development
2. Maintain PIA guidelines and templates
3. Conduct PIAs for new programs, systems, processes
4. Maintain a procedure to address data protection issues identified during PIAs
5. Maintain a product sign-off procedure that involves the privacy office
6. Maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes
7. Maintain metrics for PIAs (e.g. number completed, turnaround time)


11. Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program
1. Maintain a documented data privacy incident/breach response protocol
2. Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
3. Maintain a breach incident log to track nature/type of all breaches
4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
5. Conduct periodic testing of breach protocol and document findings and changes made
6. Engage a breach response remediation provider
7. Engage a forensic investigation team
8. Obtain data privacy breach insurance coverage
9. Maintain a record preservation protocol to protect relevant log history


12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures
1. Conduct self-assessments managed by the privacy office
2. Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches
3. Conduct audits/assessments of the privacy program outside of the privacy office (e.g. Internal Audit)
4. Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units)
5. Conduct ad-hoc walk-throughs
6. Conduct assessments through use of an accountability agent or third-party verification
7. Maintain privacy program metrics


13. Track External Criteria
Track new compliance requirements, expectations, and best practices
1. Conduct ongoing research on developments in law
2. Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
3. Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required)
4. Attend/participate in privacy conferences, industry association, or think-tank events
5. Record/report on the tracking of new Rule Sources or amendments to Rule Sources
6. Seek legal opinions regarding recent developments in law
7. Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)
8. Review or participate in studies related to best practices in data privacy management


Annex B: Modified Nymity Privacy Management Accountability Framework

1. Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures
Privacy Organisation
1. Assign accountability for data privacy at a senior level
2. Assign responsibility for data privacy to individuals
3. Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)
4. Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel)
5. Appoint a representative in locations where the privacy organization does not maintain a physical presence
6. Conduct regular communication between individuals accountable and responsible for data privacy
Privacy Processes
1. Develop and maintain a privacy program charter/mission statement
2. Develop and maintain a Privacy Strategy
3. Conduct a Privacy Risk Assessment
4. Integrate data privacy into business risk assessments/reporting
5. Develop and maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets)
6. Develop and maintain a Code of Conduct
7. Develop and maintain ethics guidelines
8. Consult with stakeholders throughout the organization on data privacy matters
Privacy Monitoring
1. Require employees to acknowledge and agree to adhere to the data privacy policies
2. Report, on a scheduled basis, on the status of the privacy program:
   a. Internally (e.g. board of directors, management board);
   b. Externally (e.g. annual report, third-parties, clients).


2. Maintain Personal Data Inventory
Build and maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data
Data cycle management
1. Build and maintain an inventory of key personal data holdings (what personal data is held and where)
2. Classify personal data holdings by type (e.g. sensitive, confidential, public)
3. Develop and maintain full-cycle flow charts for key data flows (e.g. from sources, between systems, between processes, between countries)
Regulatory obligations
1. Obtain approval for data processing (where prior approval is required)
2. Register databases with data protection authority (where registration is required)
Cross-border data transfer
1. Select applicable data transfer mechanism and achieve compliance:
   a. Use Binding Corporate Rules as a data transfer mechanism
   b. Use Standard Contractual Clauses as a data transfer mechanism
   c. Use Cross-Border Privacy Rules as a data transfer mechanism
   d. Use the Safe Harbor framework as a data transfer mechanism
   e. Use Data Protection Authority approval as a data transfer mechanism
   f. Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism
2. Maintain compliance and documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities)


3. Maintain Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk
Data privacy policy
1. Document legal basis for processing personal data
2. Document guiding principles for consent
3. Develop and maintain a data privacy policy
4. Develop and maintain a separate employee data privacy policy
5. Obtain board approval for data privacy policy


4. Embed Data Privacy into Operations
Develop and maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives
Data cycle protection
1. Develop and maintain policies/procedures for collecting consent preferences
2. Develop and maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
3. Develop and maintain policies/procedures for maintaining data quality
4. Develop and maintain policies/procedures to review processing conducted wholly or partially by automated means
5. Develop and maintain policies/procedures for secondary uses of personal data
6. Develop and maintain policies/procedures for pseudonymization/anonymization of personal data
7. Integrate data privacy into records retention practices
8. Develop and maintain policies/procedures for secure destruction of personal data
Business processes
1. Integrate data privacy into customer/patient/citizen facing practices (e.g. retail sales, provision of healthcare, tax processing)
2. Integrate data privacy into back office/administrative procedures (e.g. facilities management)
3. Integrate data privacy into practices for disclosure to and for law enforcement purposes
4. Integrate data privacy into financial operations (e.g. credit, billing, processing transactions)
5. Integrate data privacy into the processing of unique identifiers
6. Integrate the rights of legal heirs/guardians into business processes
7. Integrate data privacy into research practices
Marketing activities
1. Integrate data privacy measures into direct marketing practices, including obtaining consent where necessary
2. Integrate data privacy measures into e-mail marketing practices
3. Integrate data privacy measures into telemarketing practices, including the checking of do-not-call registers
4. Integrate data privacy measures into behavioural advertising practices
5. Integrate data privacy measures into use of cookies and tracking mechanisms
Use of technology policies
1. Integrate data privacy into social media practices
2. Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
3. Integrate data privacy into use of CCTV/video surveillance
4. Integrate data privacy into use of geolocation (tracking and/or location) devices
Internal HR-related policies
1. Integrate data privacy into hiring practices
2. Integrate data privacy into employee background check practices
3. Integrate data privacy into practices for monitoring employees
4. Integrate data privacy into interactions with works councils
5. Integrate data privacy into e-mail monitoring practices
6. Integrate data privacy into delegated access to employees' company e-mail accounts (e.g. vacation, LOA, termination)
7. Integrate data privacy into e-discovery practices
8. Integrate data privacy into conducting internal investigations
9. Integrate data privacy into health & safety practices


5. Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks
Training/Awareness tools
1. Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
2. Develop and maintain ongoing awareness material (e.g. posters, intranet, and videos)
3. Develop and maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information
4. Hold an annual data privacy day/week
5. Provide data privacy information on system logon screens
Programme management
1. Develop and maintain a core training program for all employees
2. Conduct training for newly appointed employees upon assignment to privacy-sensitive positions
3. Conduct regular refresher training to reflect new developments
4. Conduct data privacy training needs analysis by position/job responsibilities
5. Develop and maintain a second level training program reflecting job specific content
6. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training
7. Conduct one-off tactical training and communication dealing with specific, highly relevant issues/topics
8. Provide ongoing education and training for the privacy office (e.g. conferences, webinars, guest speakers)
Programme monitoring
1. Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
2. Require completion of data privacy training as part of performance reviews
3. Measure comprehension of data privacy concepts using exams
4. Encourage and maintain certification for individuals responsible for data privacy, including continuing professional education


6. Manage Information Security Risk
Develop and maintain an information security program based on legal requirements and ongoing risk assessments
Information security tools
1. Develop and maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
2. Develop and maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media
3. Develop and maintain backup and business continuity plans
4. Develop and maintain a data-loss prevention strategy
5. Develop and maintain procedures to update security profile based on system updates and bug fixes
Programme management
1. Conduct a security risk assessment which considers data privacy risk
2. Develop and maintain an information security policy
3. Develop and maintain a corporate security policy (protection of physical premises and hard assets)
4. Develop and maintain an acceptable use of information resources policy
5. Develop and maintain human resource security measures (e.g. pre-screening, performance appraisals)
6. Develop and maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)
7. Conduct regular testing of data security posture
8. Develop and maintain a security verification process


7. Manage Third-party Risk
Mandate and maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance
Third-party management tools
1. Develop and maintain a vendor data privacy risk assessment process
2. Conduct due diligence around the data privacy and security posture of potential vendors/processors
3. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment
4. Develop and maintain a policy governing use of cloud providers
Contract management
1. Develop and maintain procedures to execute contracts or agreements with all processors
2. Develop and maintain data privacy requirements for third-parties (e.g. vendors, processors, affiliates)
3. Develop and maintain procedures to address instances of non-compliance with contracts and agreements
4. Review long-term contracts for new or evolving data protection risks


8. Maintain Notices
Develop and maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
Tools for serving notice
1. Develop and maintain data privacy notice at all points where personal data is collected:
   a. Provide notice in all forms, contracts and terms
   b. Provide notice by means of on-location signage, posters
2. Develop and maintain notice in marketing communications (e.g. emails, flyers, offers)
3. Develop and maintain a data privacy notice for employees (processing of employee personal data)
Programme management
1. Develop and maintain a data privacy notice that details the organization’s personal data handling policies
2. Develop and maintain scripts for use by employees to provide the data privacy notice
3. Provide data privacy education to individuals (e.g. preventing identity theft)
4. Develop and maintain a privacy Seal or Trustmark to increase customer trust


9. Develop and Maintain Procedures for Inquiries and Complaints
Develop and maintain effective procedures for interactions with individuals about their personal data
Compliance obligations
1. Develop and maintain procedures to respond to access requests
2. Develop and maintain procedures to respond to requests to update or revise personal data
3. Develop and maintain procedures to respond to requests for cessation of personal data processing
4. Develop and maintain procedures to respond to requests to opt-out
5. Develop and maintain procedures to investigate root causes of data protection complaints
6. Develop and maintain metrics for data protection complaints (e.g. number, root cause)
7. Develop and maintain escalation procedures for serious complaints or complex access requests
Customer services
1. Develop and maintain procedures to address complaints
2. Develop and maintain procedures to respond to requests for information
3. Develop and maintain customer Frequently Asked Questions


10. Monitor for New Operational Practices
Develop and monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles
Tools
1. Conduct PIAs for new programs, systems, processes
2. Develop and maintain a procedure to address data protection issues identified during PIAs
3. Develop and maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes
Programme management
1. Develop and maintain a Privacy by Design framework for all system and product development
2. Develop and maintain PIA guidelines and templates
3. Develop and maintain a product sign-off procedure that involves the privacy office
4. Develop and maintain metrics for PIAs (e.g. number completed, turnaround time)


11. Maintain Data Privacy Breach Management Program
Develop and maintain an effective data privacy incident and breach management program
Incident response planning
1. Develop and maintain a documented data privacy incident/breach response protocol
2. Develop and maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
3. Conduct periodic testing of breach protocol and document findings and changes made
4. Develop and maintain a record preservation protocol to protect relevant log history
5. Obtain data privacy breach insurance coverage
Incident response management
1. Engage a breach response remediation provider
2. Engage a forensic investigation team
3. Develop and maintain a breach incident log to track nature/type of all breaches
4. Develop and maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)


12. Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures
Periodic compliance checks
1. Conduct self-assessments managed by the privacy office
2. Conduct audits/assessments of the privacy program outside of the privacy office (e.g. Internal Audit)
3. Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units)
4. Conduct assessments through use of an accountability agent or third-party verification
5. Develop and maintain privacy program metrics
Ad hoc compliance checks
1. Conduct ad-hoc walk-throughs
2. Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches


13. Track External Criteria
Track new compliance requirements, expectations, and best practices
Regular events
1. Conduct ongoing research on developments in law
2. Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
3. Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required)
Ad hoc events
1. Attend/participate in privacy conferences, industry association, or think-tank events
2. Review or participate in studies related to best practices in data privacy management
3. Record/report on the tracking of new Rule Sources or amendments to Rule Sources
4. Seek legal opinions regarding recent developments in law
5. Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)

