Bermuda Report on Information Accountability

Privacy and data protection laws are filled with concepts that are notoriously difficult to put into tangible effect.

Privacy itself is often defined, somewhat amorphously, as “protection against intrusion” or “respect for private life.” Laws and regulations draw on principled statements and evoke laudable goals such as fairness or accountability. But what does all this mean in practice? How does a person sitting at her desk respect one’s private life or show fairness? She has a piece of paper with information on it, and has to do something with it. What actions should she take, and how does she evaluate her success in meeting the principles of privacy?

Of course her lawyer would tell her, “It depends,” and fair play to that. It does depend, on factors like the type of information or the way she hopes to process the data. Regardless of the specific actions she chooses, she needs a programmatic way to demonstrate her good accountability.

Accountability is a concept that many of us have a common-sense understanding of: the idea that actions have consequences or that someone will have to answer for why they chose to take any given course. Like its sibling privacy principles, that idea may be less intuitive to understand from an action-oriented perspective. When you break accountability down into its constituent parts, it becomes a road map not only for how to respect privacy, but also for how to structure a successful, ethical program:

  • When many organisations access data, which one is in charge of what happens to the data?
  • Who within an organisation ultimately makes decisions about what is done? Who executes those decisions?
  • Who answers to the public? Who would the subject of that data call or email if they had questions?
  • How does an organisation make these decisions? How does it ensure its staff or partners follow standards or receive the training they need?
  • How does an organisation show its work, both to those who trusted it with their data and to the supervisory entities responsible for monitoring its performance?

Luckily for us all, regulators and policy-makers have been posing these questions for about as long as the field of data protection has existed. The Bermuda Report on Information Accountability surveys the history of accountability from its origins and from (almost literally) the four corners of the globe. It describes the evolution and formalisation of accountability as a core privacy principle, essential to the success of private organisations as well as their regulatory environments.

For all those people sitting at desks with pieces of paper in front of them, the Report provides tangible examples of both “building block” and ongoing steps to ensure a successful privacy program. Organisations engaged in cutting-edge, advanced data processing through machine learning or artificial intelligence should pay special attention to the “Enhanced Data Stewardship Accountability Elements,” which provide a framework for building and maintaining strong ethical standards for decision-making even in environments where the processing is unthinkably quick or comprehensive.

I offer my thanks to the team of the Information Accountability Foundation, particularly lead writer Lynn Goldstein, and look forward to continuing this vital conversation.

Alexander McD White
Privacy Commissioner

Demonstrable Accountability and People Beneficial Data Use

Data driven societies and economies must create a means for data that pertains to people to be used in a productive and protected manner. Those methods include processing so complex that people need specialized knowledge beyond many people’s ability in order to effectively govern that processing through consent. If consent is beyond a person’s capabilities…

Knowledge Discovery Alone Is Not a Similarly Significant Effect

New knowledge drives mankind forward. Sometimes the knowledge is used wisely; sometimes it is not. Sometimes inappropriate uses have negative impact on individuals. Data, much of it relating to individuals, is key to the generation of knowledge. However, it is important to separate out the distinct functions of data driven knowledge creation, knowledge discovery, and…

IAF Releases Model Legislation Summary

The California Consumer Privacy Protection Act went into effect on January 1, and a ballot initiative to update that law is slated for November. State privacy legislation has been reintroduced in Washington state, and Nevada is following. Privacy Shield may be overturned by the European Court of Justice, and more countries are adopting legislation that…

Digital Activities go Beyond Privacy and Data Protection

Sunday, November 10, the New York Times ran a story on the ability of bad persons to hide and distribute child pornography on the Internet. Tuesday, November 12, the New York Times ran a story on a unit of Google assisting Ascension, the second largest U.S. health organization, to mine data on millions of patients…

IAF Releases “Advanced Data Analytic Processing – 2019 Update”

Central to the work of the Information Accountability Foundation is the concept that using data to discover new insights about people raises a different set of risks than using data to make decisions about people. That foundational idea was first explored in a paper published by the Centre for Information Policy Leadership entitled “Big Data…

Christopher Docksey – Keynote on Accountability At the 41st Conference of Data Protection and Privacy Commissioners 24 October 2019 in Tirana, Albania

Good morning. I would like to thank the International Conference and Commissioner Besnik Dervishi and his staff for inviting me here today and for their excellent welcome. 10 years ago, on 6 November 2009, this Conference embraced accountability in the Madrid Resolution on International Standards for the Protection of Privacy. This marked the culmination of a series…

The Fair Information Policy Development Vacuum

Over the past decade, policy development in the data protection field has been very robust, with some good and bad results and some results that are a muddle. Yet, with all this activity, there still seems to be a sense that there is a policy vacuum that cries to be filled. In the simplest terms,…

Hard Law Must Mesh With Contextual Based Fair Use

The 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) will take place in late October in Tirana, Albania. The ICDPPC is a conclave of enforcement agencies seeking the means to create commonalities in a world where data flows ubiquitously. ICDPPC will explore a key dilemma that challenges the growing community of data protection…

Look to Baseball for an Example of Accountability Oversight

One of the ways to enhance the trustworthiness of accountability processes is for there to be oversight of the accountability process. Sometimes this oversight concept is difficult to understand or is misunderstood because organizations worry that what is meant is second guessing of the results of the accountability process. One of the requirements of accountability…