Policy and Institutional Issues
The principle of accountability requires that agencies be responsible for ensuring they adhere with data privacy principles. Written rules and procedures should define internal policies governing the use and disclosure of PII data. Internal policies should be consistent with local privacy and data protection laws and should be reviewed periodically to keep up with evolving regulations. Agencies should also hold their employees accountable for upholding privacy principles. Agencies are required to adhere to certain principles, like destroying data after a given time period, under a state law. Such legal requirements, coupled with regular reporting or auditing, can also create accountability in the system. An agency is accountable when there is an entity responsible for checking to see if they comply with the rules; this is often a third party auditor. Tolling agencies, for example, commonly comply with PCI Security Standards that create a variety of requirements on an entity collecting payment through credit cards. The PCI Data Security Standards are a set of requirements instituted and regulated by the PCI Security Standards Council. The Security Standards Council is a consortium of major card brands including VISA, MasterCard, American Express, DiscoverCard, and JCB International Credit Card Company. All organizations that process, store, or transmit payment card data must comply with PCI security requirements or be fined and/or risk losing their ability to process credit card payments. According to the PCI SCC website, penalties are not openly discussed nor widely publicized. These standards provide an additional level of accountability: if an agency does not comply with these standards, it can lose its ability to process credit card payments.
- Does your organization collect information on individuals or commercial firms: sensitive, PII, or otherwise?
- Does your agency have defined internal policies governing the collection of data and the use and disclosure of PII?
- Are your agency staff aware of those rules and trained in how to implement the procedures?
Answering these questions can help your agency understand if the principle of accountability applies to your data collection and use activity, and identify possible actions or tools to aid implementation. If answers to these any of these questions are “yes”, then the principle of accountability could apply to your agency.