The concept of accountability can be used to describe a wide array of phenomena. Within organisations, accountability can describe attitudes, behaviours, and mechanisms at various levels within the organisation. A definition proposed by Hall et al. states:
“Accountability refers to a real or perceived likelihood that the actions, decision, or behaviours of an individual, group, or organisation will be evaluated by some salient audience, and that there exists the potential for the individual, group, or organisation to receive either rewards or sanctions based on this expected evaluation.”
Information privacy and security are interrelated information management responsibilities and disciplines. They both need to be optimised and are most successful when their respective planning systems are integrated.
In relation to customer privacy, accountability would be considered to be the acceptance of responsibility for personal information protection. An accountable organisation must have appropriate policies and procedures in place that promote good practices that constitute a privacy management program.
Accountability in the context of Outsourcing
Verified security and privacy practices have the potential to enhance the brand of a product. In an increasingly competitive market, companies will leverage trusted information management to attract and keep customers who have entrusted their personal data to them. Assuring that service providers responsibly use and safeguard personal data is becoming an increasingly important factor in outsourcing.
One of the most important factors in creating a strong information management system in the context of outsourcing is the ability and willingness of service operators to demonstrate commitment and competence to operate within an accountability framework that requires them to meet obligations that originate from multiple industries, companies and national systems.
It is difficult to govern cross-border data flows under any one country’s laws or legal frameworks. Attempting to apply potentially conflicting privacy obligations from various countries can impede the sharing of information and consequently interrupt business operations and communications.
A practical and effective business accountability framework will encourage privacy and information management provisions to be explicit in sourcing contracts. Clear contractual requirements will communicate the data protection responsibilities of clients that are relayed to service providers. It is suggested that following the factors below will ensure that sourcing contracts reflect the required accountability:
- The outsourcing contracts must reflect the obligations that accompany the data being outsourced.
- These contracts may be drafted to reflect any legal obligations emanating from the originating country for the particular data. The contracts may also be drafted to include privacy promises made to a consumer by the organisation that collected the personal data for a particular purpose, where that data may also be shared with a service provider.
- The obligations that come with the data being shared should reflect the details of the information being shared, rather than generic references to applicable laws. This may require clients to better identify the data being shared with service providers, its sources and the obligations attendant to the data, including limitations on use.
It is important to document and communicate what the accountability structure is for information management. As such, organisations will want to ensure their accountability structure includes:
- Clear accountability statements for the management of information within the organisation.
- A mechanism for coordinating information management within the organisation and ensuring that information management is integrated within the organisation.
- Clear identification and education around roles and responsibilities in specific business contexts.
Although accountability should extend to all sections of an organisation, it is important for organisations to develop a formal model of information management to provide leadership, expertise, and a focal point for the management of information assets. A means of achieving this model would be to create an official role to oversee the establishment of this model, best described as the Information Director, who is accountable for:
- Supporting other managers in identifying and meeting information management needs.
- Developing information management plans for the organisation.
- Leading and monitoring progress in implementing the Information Management Framework within the organisation.
- Facilitating a coordinated approach to information management in the organisation to ensure all sectors of the organisation are working on the same targets.
- Developing information management policies, standards and guidelines related to collection, creation, storage, access, retention, and disposal of information.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Information management – accountability (I.C.e.)