Ongoing APEC CBPR requirements for Accountability Agents
The ongoing requirements
for Accountability Agents are specified in the CBPR Program Requirements. The
text provided here is only intended to highlight some of the responsibilities
and obligations. In the event of any inconsistency, the APEC CBPR system documents
If you are an
Accountability Agent, it is your responsibility to ensure that you are in
compliance with the APEC CBPR system requirements as set out in the Accountability Agent APEC Recognition Application and CBPR Program Requirements.
No actual or potential conflict of interest
An Accountability Agent must have no actual or potential conflict
of interest. Your organisation must not act as an Accountability Agent for a
related entity or where there is a risk that your organisation's professional
judgement, integrity and/or objectivity could be influenced by the relationship
with that entity.
Where your organisation considers that it can
continue to act where a potential conflict of interest has arisen (e.g. due to
internal safeguards), your organisation must promptly notify the Joint Oversight Panel of the potential conflict of interest
and explain how the organisation will ensure that the circumstances will not
compromise your organisation's ability to make a fair decision.
Examples of situations where notification is
of the applicant entity serve on your organisation's board of directors in
a voting capacity (and vice versa);
- officers of the entity that your organisation has
certified serve on your organisation's board of directors in a voting
capacity (and vice versa);
- there is a commercial relationship between your organisation
and the entity applying for certification or the entity that has been
certified by your organisation;
- your organisation has entered into a significant monetary
arrangement with the entity applying for certification or the entity that
has been certified by your organisation.
Please note: If the Joint Oversight Panel is not satisfied that the potential
conflict of interest can be averted, it will ask your organisation to withdraw
from the engagement.
No outside financial or other benefit
An Accountability Agent must refrain from providing other services
to entities that it has certified under the APEC CBPR system and/or to entities
that have applied for certification unless those services are not related to
the CBPR system AND the Accountability Agent has notified the Joint Oversight Panel of the proposed engagement and explained
how it has ensured that it will remain free of actual or potential conflicts of
Please note: If the Joint Oversight Panel is not satisfied that there is no actual
or potential conflict of interest, it will ask your organisation to withdraw
from the engagement.
Ongoing monitoring and compliance review
An Accountability Agent must continue to monitor
an entity's compliance with its APEC CBPR system approved certification
standards throughout the period of certification. Additionally, where there are
reasonable grounds for your organisation to believe that a certified entity has
engaged in a practice that may constitute a breach of the APEC CBPR program requirements,
your organisation must immediately investigate whether any non-compliance has
occurred. If your organisation discovers non-compliance, your organisation must
instruct the entity as to what steps need to be undertaken to rectify the
non-compliance and the reasonable time frame in which they must be completed.
Your organisation must also verify that the required steps have been taken
within the stated time frame.
Re-certification and annual attestation
An Accountability Agent must require certified
entities to annually attest to continued compliance with the APEC CBPR program
requirements. Your organisation must also review certified entities' policies
and practices before re-certification. Additionally, where a certified entity
makes a material change to its privacy policies, your organisation must
immediately review its policies and practices to ensure continued compliance
with the APEC CBPR program requirements.
Enforcing CBPRs requirements
Where a certified entity has not complied with
the APEC CBPR program requirements and has failed to remedy the non-compliance
within a specified time period, your organisation should take such action as is
proportional to the harm or potential harm resulting from the non-compliance.
Such measures could include:
- terminating the entity's certification under the APEC
- temporarily suspending the entity's right to display
your organisation's certification seal
- publicising the entity's non-compliance
- referring the non-compliance to the relevant Privacy Enforcement
- monetary penalties
Where your organisation has a reasonable belief
that a certified entity's failure to comply with the APEC CBPR program
requirements constitutes a contravention of applicable law(s) and the non-compliance
has not been remedied within a reasonable time period, your organisation must
refer the matter to the relevant Privacy Enforcement Authority.
Additional publication and reporting
Your organisation must publish its certification standards.
Your organisation must also promptly report to
the relevant Privacy Enforcement Authority or Authorities and the CBPR
Secretariat, any newly certified entities, any renewed certified entities, and
any suspended or terminated certified entities.
Accountability Agents are also required to
provide complaint statistics and case notes. For more information see:
- Complaint Statistics FAQs
- Complaint Statistics Template
- Case Note FAQs
- Case Note Template
Cooperation with law enforcement
Where possible, your organisation will respond
to requests from enforcement authorities in APEC economies that reasonably
relate to the requesting economy and your APEC CBPR system activities.