Gail,
Thank you. It is clear that Accountability must be considered as an additional PMRM service. As you note, the Enforcement Service in PMRM, as currently defined, focuses on functionality (including "recourse", which is important) that is triggered by failures of the actor or system to adhere to "policies or terms of permissions (agreement)". It may be useful to review the definition of Enforcement as well as Accountability to ensure that they adequately capture their relationship to one another and to the other Services.
It may be helpful if TC members reviewed the current Services prior to tomorrow's discussion:
SERVICE | FUNCTIONALITY | PURPOSE
AGREEMENT | Define and document permissions and rules for the handling of PI based on applicable policies, data subject preferences, and other relevant factors; provide relevant Actors with a mechanism to negotiate or establish new permissions and rules; express the agreements for use by other Services | Manage and negotiate permissions and rules
USAGE | Ensure that the use of PI complies with the terms of any applicable permission, policy, law or regulation, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, and anonymization over the lifecycle of the use case | Control PI use
VALIDATION | Evaluate and ensure the information quality of PI in terms of Accuracy, Completeness, Relevance, Timeliness and other relevant qualitative factors | Check PI
CERTIFICATION | Ensure that the credentials of any Actor, Domain, System, or system component are compatible with their assigned roles in processing PI; and verify their compliance and trustworthiness against defined policies and assigned roles. | Check credentials
ENFORCEMENT | Initiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement) | Monitor and respond to audited exception conditions
SECURITY | Provide the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of personal information; make possible the trustworthy processing, communication, storage and disposition of privacy operations | Safeguard privacy information and operations
INTERACTION | Provide generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI; encompasses functionality such as user interfaces, system-to-system information exchanges, and agents | Information presentation and communication
ACCESS | Enable data-subjects, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes and/or corrections to their PI | View and propose changes to stored PI
All,
I too think this is worthy of consideration. The focus on accountability emerged some years after the Services were developed and has grown to be an essential component of the Privacy Office, not only in the EU, but globally.
Most large international leadership corporations have put in place accountability programs that not only audit for compliance, but collect the evidence of compliance during those audits. These accountability programs result in corporate board presentations and are often available to regulators upon demand. Many of these companies have been implementing and maturing these programs for at least the past 10 years.
When I read the current services, I do not read a reference to the demonstration of accountability.
During the last meeting we discussed embedding it in Enforcement. I would prefer for Accountability to stand on its own. When I think of Enforcement, I liken it to something like responding to a Data Breach Incident when the controls put in place recognize an anomaly. Enforcement is a reaction to an out-of-normal condition.
Accountability is a positive confirmation that the various controls are in place to recognize an issue.
Adding Accountability to the services will go a long way towards inspiring others to adopt the PMRM.
Best, Gail