Privacy and data protection laws are filled with concepts that are notoriously difficult to put into tangible effect.
Privacy itself is often defined, somewhat amorphously, as “Protection against intrusion” or “respect for private life.” Laws and regulations draw on principled statements and evoke laudable goals such as fairness or accountability. But what does all this mean in practice? How does a person sitting at her desk respect one’s private life or show fairness? She has a piece of paper with information on it, and has to do something with it. What actions should she take, and how does she evaluate her success meeting the principles of privacy?
Of course her lawyer would tell her, “It depends,” and fair play to that. It does depend, on factors like the type of information or the way she hopes to process the data. Regardless of the specific actions she chooses, she needs a programmatic way to demonstrate her good accountability.
Accountability is a concept that many of us have a common sense understanding of: the idea that actions have consequences or that someone will have to answer for why they chose to take any given course. Like its sibling privacy principles, that idea may be less intuitive to understand from an action-oriented perspective. When you break accountability down into its constituent parts, it becomes a road map not only for how to respect privacy, but how to structure a successful, ethical program:
When many organisations access data, which one is in charge of what happens to the data?
Who within an organisation ultimately makes decisions about what is done? Who executes those decisions?
Who answers to the public? Who would the subject of that data call or email if they had questions?
How does an organisation make these decisions? How does it ensure its staff or partners follow standards or receive the training they need?
How does an organisation show its work–both to those who trusted it with their data, and to the supervisory entities responsible for monitoring their performance?
Luckily for us all, regulators and policy-makers have been posing these questions about as long as the field of data protection has existed. The Bermuda Report on Information Accountability surveys the history of accountability from its origins and from (almost quite literally) the four corners of the globe. It describes the evolution and formalisation of accountability as a core privacy principle, essential to the success of private organisations as well as their regulatory environments.
For all those people sitting at desks with pieces of paper in front of them, the Report provides tangible examples of both “building block” and ongoing steps to ensure a successful privacy program. Organisations engaged in cutting-edge, advanced data processing through machine learning or artificial intelligence should pay special attention to the “Enhanced Data Stewardship Accountability Elements,” which provide a framework for building and maintaining strong ethical standards for decision-making even in environments where the processing is unthinkably quick or comprehensive.
I offer my thanks to the team of the Information Accountability Foundation, particularly lead writer Lynn Goldstein, and look forward to continuing this vital conversation.
Alexander McD White
Privacy Commissioner
Comments