Accountability has been a globally recognized principle of privacy and data protection for more than three decades. But in the past few years, an important effort has been under way to clearly delineate what accountability—and the related concept of responsibility—means for organizations that collect, store and process information.
To help advance this critical conversation, today we are publishing an accountability-based analysis of Microsoft’s privacy program. We are releasing the paper to coincide with this week’s meetings of the Accountability Project at the European Parliament in Brussels, co-hosted by the Centre for Information Policy Leadership and the European Data Protection Supervisor as part of a global Accountability Project.
Briefly, accountability, together with a clear outline of its specific components, is an approach to privacy that supports the requirement that companies and organizations bear the primary burden for data protection and responsible data use, rather than placing the onus on individuals to make appropriate privacy choices every time they interact with a product or service.
Microsoft is a long-time participant in and supporter of the Accountability Project. We have partnered with national data commissioners, policymakers, business leaders and privacy advocates to clarify what it means for an organization to be accountable in its data protection policies and practices, and to demonstrate how accountability can ease the burden on consumers to police their own data, foster compliance with data protection regimes, and complement the work of privacy regulators.
We have also examined the pivotal issue of measuring accountability: How can an organization demonstrate that it has an accountable privacy program in place, and that it is fulfilling its data protection promises and obligations?
Because the concept of accountability can be broadly interpreted, we believe organizations need clear guidance on how to demonstrate accountability, and that regulators need consistent means of measuring accountability.
The aim of today’s paper is to offer an example of how an organization – in this case Microsoft – might validate its accountability claims. Our starting point is the five essential elements of accountability, which were defined in 2009 by the Accountability Project. The paper describes specific components of Microsoft’s privacy program that we believe reflect both the literal and philosophical goals of each essential element, such as “Mechanisms to Put Privacy Policies Into Effect” and “Mechanisms for Individual Participation.”
Our hope is that this exercise will contribute to the creation of accountability guidelines for organizations and help regulators establish criteria for identifying, quantifying and critiquing accountability in privacy programs. We are excited to be participating in this week’s meetings of the Accountability Project and look forward to continuing to work with regulators and policymakers around the world to help make accountability an effective and compelling component of their privacy regimes.