The accountability principle is articulated in Clause 7 of the Bill as follows:
The responsible party must ensure that the principles set out in this Chapter and all the measures that give effect to the principles are complied with.
The “responsible party” is the entity that determines the purpose and the means for processing the personal information, i.e. the organisation that processes the information or on whose behalf the information is being processed.
In terms of clause 48 of the Bill, it will be the responsibility of the Information Protection Officer (IPO) to encourage and support the organisation’s overall compliance with the legislation. Depending on the size of the organisation, the IPO could be a person whose responsibilities are dedicated exclusively to managing compliance with the Bill or could form part of the daily responsibilities of an existing function within the organisation, for exampleHead of Compliance, Chief Information Officer or CEO. Irrespective of how the responsibility is allocated, the individual will have to be registered as an IPO with the Information Protection Regulator (IPR) as soon as the body has been established.
The responsibilities of the IPO will include monitoring of the organisation’s compliance with the legislation and submitting of reports to the Regulator. In order to assist with the embedding of data privacy compliance within the organisation’s governance and business processes, the IPO will be responsible for developing a high level data protection policy setting out its overall approach to personal data processing. This must be supplemented by clear, accessible documentation containing procedures for specific high-risk processing activities (for example access to records containing medical information) which allows all employees to understand their duties in respect of personal data processing as well as the consequences of non-compliance.
Ultimately, the ability of the organisation to substantively comply with its data processing responsibilities will depend on how deeply an appreciation for the information protection principles is embedded within the culture of the organisation. This in turn will depend largely on the ability of the IPO to successfully motivate and encourage overall compliance with the Bill through strongly worded policy and procedure documents, regular monitoring programmes and pragmatic training and awareness initiatives.
Applying Principle 1 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 1:
- Does your organisation currently have an individual who is accountable for overall information security compliance?
- Does your organisation currently designate specific individuals to monitor compliance with information security standards within each business area?
- Does your organisation currently have an information security policy?
- Does your organisation currently have document retention and access to information policies?
- If yes, are these policies readily accessible to all members of staff, eg on the intranet?
- Has your organisation undertaken a classification exercise to determine the various categories of information that it processes, including the purposes for the processing?
How often does your organisation conduct training or awareness sessions for employees on information security?
Are you aware of any information security breaches that occurred within your organisation during the past year?
Are you able to rate the level of information security awareness within your organisation on a scale of 1 to 5 (1 = none, 2 = poor, 3 = fair, 4 = good, 5 = excellent)?