Subject: RE: [pmrm] Phone info for OASIS PMRM TC meeting -- Tuesday 9 June 2015 10:00am EDT


Dear all

 

Following our latest meeting discussion, I wanted to suggest a new definition of an accountability service.

 

We’ve taken into account:

a) WP 29 Opinion 3/2010 on the principle of accountability

   a. “One way to induce data controllers to put in place measures that deliver real protection in practice would be by adding an accountability principle in the revised version of the Directive. The expected effects of such a provision would include the implementation of internal measures and procedures putting into effect existing data protection principles, ensuring their effectiveness and the obligation to prove this should data protection authorities request it”

   b. “Controllers should also ensure that the practical measures implemented to comply with data protection principles are effective. In case of larger, more complex or high risk data processing, the effectiveness of the measures adopted should be verified regularly. There are different ways to assess the effectiveness (or ineffectiveness) of the measures: monitoring, internal and external audits, etc.”

   c. “The Article 29 Working Party considers that common accountability measures may include the following non-exhaustive list:”

      i. …

      ii. Implementation and supervision of verification procedures to ensure that all the measures not only exist on paper but that they are implemented and work in practice (internal or external audits, etc

b) GDPR Draft

   a. Art 22. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation

 

Hence, we suggest something like:

ACCOUNTABILITY

Provide the procedural and technical mechanisms necessary to demonstrate the compliance with policies and regulations and the correct operation of privacy controls

Demonstrate compliance with policies and legal regulation

 

An example would be:

A DPA suspects an organization is not complying with its published privacy policy or with the regulation, which requires that some specific data must be deleted after one year of storage. The organization presents a trustable log (which is digitally verifiable) which shows the records that have been deleted in some time period.

 

From PRIPARE’s point of view it would be interesting to include it in the PMRM service. In the worst case, from PRIPARE we can mention this principle as our own PMRM extension, as it is going to be a strong point of the EU GDPR.

 

PMRM also includes a categorization of the services


 

If I were to locate the accountability service I would suggest two alternatives:

· It does not fall in any of these categories; it is a transversal service. Someone could argue that it may not be a service per se but functionalities that have to be taken into account in each of the other services

· Privacy assurance services

 

Best regards
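The digitally verifiable deletion log from the DPA example above, as an added illustration in Python (not code from the original message, nor from PMRM or PRIPARE): each deletion entry hash-chains to the previous one, and the chain head is authenticated with HMAC-SHA256, which stands in here for the controller's digital signature. The record IDs, dates and key are constructed sample values; the one-year retention check mirrors the rule in the example.

```python
import hashlib
import hmac
import json
from datetime import date
# Assumption: a key held only by the controller; HMAC-SHA256 stands in for a signature.
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _hash_entry(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_deletion(log, record_id, stored_on, deleted_on):
    """Append a deletion record that commits to the hash of the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"record_id": record_id, "stored_on": stored_on,
            "deleted_on": deleted_on, "prev": prev_hash}
    log.append(dict(body, hash=_hash_entry(prev_hash, body)))

def sign_head(log):
    """Authenticate the chain head; this binds every earlier entry to the key holder."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(SIGNING_KEY, head.encode(), hashlib.sha256).hexdigest()

def verify_log(log, signature):
    """True only if every link recomputes and the head matches the signature."""
    prev_hash = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev_hash or _hash_entry(prev_hash, body) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return hmac.compare_digest(sign_head(log), signature)

def deletions_between(log, start, end):
    """Record IDs deleted in [start, end]; ISO dates compare correctly as strings."""
    return [e["record_id"] for e in log if start <= e["deleted_on"] <= end]

def retention_violations(log, max_days=365):
    """Records held longer than the retention limit (the one-year rule in the example)."""
    return [e["record_id"] for e in log
            if (date.fromisoformat(e["deleted_on"])
                - date.fromisoformat(e["stored_on"])).days > max_days]
# Constructed sample log: two records deleted within a year, one held too long.
DELETION_LOG = []
append_deletion(DELETION_LOG, "rec-001", "2014-03-01", "2015-02-28")
append_deletion(DELETION_LOG, "rec-002", "2014-05-10", "2015-05-09")
append_deletion(DELETION_LOG, "rec-003", "2013-12-01", "2015-01-15")
HEAD_SIGNATURE = sign_head(DELETION_LOG)
```

A DPA given the log plus the head signature can rerun `verify_log` and `retention_violations` itself; editing or dropping any entry breaks the chain, and a regenerated chain cannot be re-signed without the controller's key.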

 

 

From: pmrm@lists.oasis-open.org [mailto:pmrm@lists.oasis-open.org] On Behalf Of Gershon Janssen
Sent: Monday, June 08, 2015 3:26 PM
To: pmrm@lists.oasis-open.org
Subject: [pmrm] Phone info for OASIS PMRM TC meeting -- Tuesday 9 June 2015 10:00am EDT

 

Hi,

 

I just sent out an email (to PMRM TC members and observers only) with the phone information for our PMRM Teleconference meeting scheduled for 9 June 2015. If you are a PMRM TC member or observer and didn't get that information, please let me know.

 

Regards,

 

Gershon Janssen
