Certification

A process through which an organisation is certified by an Accountability Agent as CBPR-Compliant. 

Compliance Directory

A directory of organisations certified as CBPR-Compliant published by APEC economies and listed on the CBPR system website, at www.CBPRs.org.

Contact Point Directory

A list maintained by the Administrator of the main point of contact of any body, whether or not Privacy Enforcement Authority or Participant, having a role to play in the protection of privacy.

* Note: The directory is not made publicly available but is available to privacy enforcement authorities on the CPEA website. The directory is maintained pursuant to CPEA, clauses 5.3, 5.4, 11 and Annex B.

Cooperation Arrangement

APEC Cooperation Arrangement for Cross-border Privacy Enforcement

* Note: definition taken from CPEA, clause 4.1.

* Note: see fuller definition under "Cross-border Privacy Enforcement Arrangement".

CPEA

Abbreviation for Cross-border Privacy Enforcement Arrangement

Cross-border Privacy Enforcement Arrangement

A practical multilateral mechanism which enables Privacy Enforcement Authorities to cooperate in cross-border privacy enforcement by creating a framework under which authorities may share information and request and render assistance in certain ways.

* Note: The CPEA's formal title is "APEC Cooperation Arrangement for Cross-border Privacy Enforcement". The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010. 

* Note: Definition derived from CPEA, clause 2.1.

Cross-Border Privacy Rules

The privacy policies and practices adopted by a CBPR-Compliant organisation for all Personal Information collected or received by it that is subject to cross border transfers.

Cross-Border Privacy Rules System

A voluntary, multilateral privacy and data protection program governing cross border transfers of information by organisations operating in APEC member economies.

DPS

Abbreviation for Data Privacy Subgroup.

Data Privacy Subgroup

The subgroup of the ECSG primarily responsible for the APEC Privacy Framework, the APEC Cross Border Privacy Rules System, and APEC Privacy Recognition for Processors System.

ECSG

Abbreviation for Electronic Commerce Steering Group.

Electronic Commerce Steering Group

A forum under the Committee on Trade and Investment that promotes the development and use of electronic commerce and the digital economy in the APEC region.

* Note: The ECSG seeks to create legal, regulatory and policy environments that are predictable, transparent and consistent. It performs a coordinating role for APEC's e-commerce activities based on principles in the 1998 APEC Blueprint for Action on Electronic Commerce and its mandate has been updated and guided by direction from APEC actions and priorities.

Information Privacy Principles

The principles set out in Part III of the APEC Privacy Framework.

* Note: The principles include: (1) Preventing Harm; (2) Notice; (3) Collection Limitation; (4) Uses of Personal Information; (5) Choice; (6) Integrity of Personal Information; (7) Security Safeguards; (8) Access and Correction; and (9) Accountability.

Intake Questionnaire

A detailed self-assessment questionnaire based on the Information Privacy Principles for use by an organisation seeking to participate in the CBPR system, which will be reviewed and confirmed by an approved Accountability Agent. 

Joint Oversight Panel

A three-member panel that assists the ECSG with the implementation of the CBPR System. For more information, see the "CBPR System Documents" page on this website.

* Note: This panel consists of nominated representatives from three APEC economies appointed by the ECSG. The current JOP consists of the Republic of Korea, Japan and the United States.   

JOP

Abbreviation for Joint Oversight Panel.

Participant

A Privacy Enforcement Authority in an APEC member economy that participates in the CPEA.

* Note: Definition taken from CPEA, clause 4.1.

Personal Information

Any information about an identified or identifiable individual.

Personal Information Controller

A person or organisation who controls the collection, holding, processing, use, disclosure or transfer of personal information. It includes a person or organisation who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf, but excludes a person or organisation who performs such functions as instructed by another person or organisation. It also excludes an individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

* Note: Definition taken from APEC Privacy Framework, clause 10.

Personal Information Processor

An organisation that, at the instruction of a Personal Information Controller, collects, holds, processes, uses, transfers or discloses Personal Information on the controller's behalf.

Privacy Enforcement Authority

Any public body that is responsible for enforcing Privacy Law and that has powers to conduct investigations and/or pursue enforcement proceedings.

* Note: Definition taken from CPEA, clause 4.1.

Privacy Law

Laws and regulations of an APEC member economy, the enforcement of which have the effect of protecting Personal Information consistent with the APEC Privacy Framework.

* Note: Definition taken from CPEA, clause 4.1.

Privacy Policies

Those operational rules and procedures adopted by an organisation to guide decisions made by it and its employees related to the ongoing protection of Personal Information collected, stored, used, transferred or disclosed by them.

Privacy Practices

Actions regarding the protection of Personal Information that are taken by an organisation and its employees pursuant to that organisation's privacy policies.

Privacy Statement

A public declaration of an organisation's Privacy Policies and Privacy Practices.

* Note: A privacy statement is required under the CBPR program requirements. It should be clear and accessible.

Program Requirements

A set of baseline program requirements based on the nine Information Privacy Principles against which an APEC-recognised Accountability Agent will assess an organization's completed Intake Questionnaire.  

Program Requirements Map

A template which provides the baseline program requirements of the CBPR System in order to guide an APEC economy to explain how each CBPR System requirement may be enforced in that economy.

* Note: Annex B to the Template Notice of Intent to Participate in the APEC Cross Border Privacy Rules system.

Publicly Available Information

Personal Information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from government records that are available to the public, journalistic reports, or information required by law to be made available to the public.

* Note: definition taken from APEC Privacy Framework, clause 11.

Re-attestation

A process through which an Accountability Agent is recognized by APEC Economies to have met the Accountability Agent Recognition Criteria. After an initial one-year review period, Accountability Agents undergo this process every two years.

* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details

Receiving Authority

A CPEA Participant that has received a "Request for Assistance" from another Participant.

* Note: Definition taken from CPEA, clause 4.1.

Re-certification

An annual process through which an organisation is re-certified by an Accountability Agent as being CBPR-Compliant.

Request for Assistance

Includes, but is not limited to, a referral of a matter related to the enforcement of Privacy Law, a request for cooperation on the enforcement of Privacy Law, a request for cooperation on the investigation of an alleged breach of Privacy Law, and a transfer of a privacy complaint.

* Note: Definition taken from CPEA, clause 4.1.

Requesting Authority

A CPEA Participant that has made a Request for Assistance of another Participant.