Privacy Principle 8: Accountability Principle

Organizations need to assign accountability for compliance with privacy principles to a specific person or group of people. The person or group needs to have the appropriate authority to collect, use, disclose, retain, limit, alter, and otherwise access the information, as well as to set privacy standards and make personnel privacy responsibility assignments. The identity and contact information of the person or group of people accountable for compliance with established privacy principles should be made available to individuals upon request.

Question: Do you assign accountability for compliance with privacy principles to a specific person or group of people in your company? Do you make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles?

Discussion: Most privacy-related laws and requirements, including HIPAA, GLBA, Canada's PIPEDA, and the EU Data Protection Directive, require a position to be established that is responsible for the organization's privacy program and activities.

The Chief Privacy Officer (CPO) is typically the position that should coordinate the development and implementation of the organization's privacy policy. This does not mean the CPO creates the policy all by him or herself; the CPO should work with HR, Law, Marketing, IT, the business units, Auditing and other appropriate areas to create a policy that is reasonable for the entire organization.

Unfortunately, it is common for companies today to make obscure references to a "privacy department" on their web site and mail communication, offering limited email contact information. While this saves the company money in the short term, it sends the wrong message to customers and business partners. Your organization may not want to provide an actual name, but at least provide the name of the position and/or department, along with a contact email address and phone number.

Suggested Policy: Company X privacy practices and policies are the responsibility of the Chief Privacy Officer, who has the authority to implement and enforce privacy policies and procedures and make privacy activity assignments throughout Company X.

Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The Privacy Impact Assessment (PIA) within the Toolkit contains a complete assessment against all O.E.C.D. privacy principles.