
Glossary for the APEC CBPR system

 

Accountability Agent

An entity that certifies an organisation's eligibility for participation in the Cross Border Privacy Rules (CBPR) system.

* Note: An Accountability Agent may be a public or private sector entity. The certification process involves a review and verification of the applicant's privacy policies and practices by reviewing the applicant's responses to the CBPR Intake Questionnaire and by undertaking additional appropriate steps to assess the applicant's eligibility. In connection with its CBPR program, an Accountability Agent may either itself provide dispute resolution services or may delegate that function to an appropriate third-party dispute resolution provider.

 

Accountability Agent Recognition Criteria

The eligibility requirements that must be met by an Accountability Agent in order to be recognised by APEC economies.

* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.

 

Administrator

The body designated by the ECSG to perform the functions of the CPEA Administrator.

* Note: Cross Border Privacy Enforcement Arrangement (CPEA), clause 5.1, provides that the ECSG may designate the APEC Secretariat or a Participant, or the Secretariat and a Participant jointly, as the Administrator. CPEA, clauses 5.3 and 5.4, sets out the Administrator's core and additional functions.

* Note: Definition derived from CPEA, clause 4.1.

* Note: The inaugural Administrator comprised the APEC Secretariat jointly with participants from Australia, New Zealand and the USA.

 

Annual Attestation

The declaration required to be made by an organisation participating in the CBPR system to an Accountability Agent each year confirming the organisation's continuing adherence to the Program Requirements. 

* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.

 

APEC-Recognised Accountability Agent

An Accountability Agent that has been recognised by APEC economies to have met the Accountability Agent Recognition Criteria.

* Note: A list of current APEC-recognised Accountability Agents is maintained on the CBPR system website at www.CPBRs.org.

 

APEC Privacy Framework

A framework for protecting personal information privacy adopted by APEC in 2005.

* Note: The Framework is a principles-based document intended to promote a flexible approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows. The Framework includes 9 information privacy principles and guidance for domestic and international implementation of the principles. 

 

CBPR

Abbreviation for Cross Border Privacy Rules

 

CBPR-Compliant

A description that an organisation fully complies with the CBPR Program Requirements and is certified by an Accountability Agent as such.

 

CBPR Participating Economy

An economy recognised by the ECSG as having met the requirements for participation in the CBPR system. 

* Note: An economy commences the process to participate by submitting a letter indicating its intention to participate in the CBPR system with all required information. This information must include confirmation that at least one Privacy Enforcement Authority in that economy is a Participant in the Cross Border Privacy Enforcement Arrangement (CPEA) and that the economy intends to make use of at least one APEC-recognised Accountability Agent. The economy must also provide a narrative description of the relevant domestic laws and regulations and administrative measures which may apply to any CBPR certification-related activities of an Accountability Agent operating within the economy's jurisdiction and the enforcement authority associated with these laws and regulations and administrative measures. The economy must also submit a completed CBPR System Program Requirements Enforcement Map. The JOP will notify the ECSG Chair when these requirements have been met, at which point the economy will be considered a CBPR system participant. Participating Economies will be listed on the CBPR system website, at www.CBPRs.org.

 

Certification

A process through which an organisation is certified by an Accountability Agent as CBPR-Compliant. 

 

Compliance Directory

A directory of organisations certified as CBPR-Compliant published by APEC economies and listed on the CBPR system website, at www.CBPRs.org.

 

Contact Point Directory

A list maintained by the Administrator of the main point of contact of any body, whether or not a Privacy Enforcement Authority or Participant, having a role to play in the protection of privacy.

* Note: The directory is not made publicly available but is available to privacy enforcement authorities on the CPEA website. The directory is maintained pursuant to CPEA, clauses 5.3, 5.4, 11 and Annex B.

 

Cooperation Arrangement

APEC Cooperation Arrangement for Cross-border Privacy Enforcement

* Note: Definition taken from CPEA, clause 4.1.

* Note: See fuller definition under "Cross-border Privacy Enforcement Arrangement".

 

CPEA

Abbreviation for Cross-border Privacy Enforcement Arrangement

 

Cross-border Privacy Enforcement Arrangement

A practical multilateral mechanism which enables Privacy Enforcement Authorities to cooperate in cross-border privacy enforcement by creating a framework under which authorities may, on a voluntary basis, share information and request and render assistance in certain ways.

* Note: The CPEA's formal title is "APEC Cooperation Arrangement for Cross-border Privacy Enforcement". The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010. 

* Note: Definition derived from CPEA, clause 2.1.

 

Cross Border Privacy Rules

The privacy policies and practices adopted by a CBPR-Compliant organisation for all Personal Information collected or received by it that is subject to cross border transfer to other participating APEC economies.


Cross Border Privacy Rules System

A voluntary, multilateral privacy and data security program governing cross border transfers of Personal Information by organisations operating in APEC member economies.

* Note: Organisations that choose to participate in the CBPR system should implement privacy policies and practices consistently with the CBPR Program Requirements for all personal information that they have collected or received that is subject to cross border transfer to other participating APEC economies. These privacy policies and practices should be evaluated by an APEC-recognised Accountability Agent for compliance with the CBPR Program Requirements. Once an organisation has been certified for participation in the CBPR system, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate authority, such as a regulator, to ensure compliance with the CBPR Program Requirements.


DPS

Abbreviation for Data Privacy Subgroup

 

Data Privacy Subgroup

A subgroup of the ECSG.

 

ECSG

Abbreviation for Electronic Commerce Steering Group

 

Electronic Commerce Steering Group

A forum under the Committee on Trade and Investment that promotes the development and use of electronic commerce in the APEC region.

* Note: The ECSG seeks to create legal, regulatory and policy environments that are predictable, transparent and consistent. It performs a coordinating role for APEC's e-commerce activities based on principles in the 1998 APEC Blueprint for Action on Electronic Commerce.

 

Information Privacy Principles

The principles set out in Part III of the APEC Privacy Framework.

* Note: The principles include: (1) Preventing Harm; (2) Notice; (3) Collection Limitation; (4) Uses of Personal Information; (5) Choice; (6) Integrity of Personal Information; (7) Security Safeguards; (8) Access and Correction; and (9) Accountability.

 

Intake Questionnaire

A detailed self-assessment questionnaire based on the Information Privacy Principles for use by an organisation seeking to participate in the CBPR system. 

 

Joint Oversight Panel

A three-member panel that assists the ECSG with the implementation of the CBPR system and that performs the functions set out in paragraph 6.2 of the Charter of the CBPR system.

* Note: This panel consists of nominated representatives from three APEC economies appointed by the ECSG.     

 

JOP

Abbreviation for Joint Oversight Panel

 

Participant

A Privacy Enforcement Authority in an APEC member economy that participates in the CPEA.

* Note: Definition taken from CPEA, clause 4.1.

 

Personal Information

Any information about an identified or identifiable individual.

* Note: Definition taken from APEC Privacy Framework, clause 9.

 

Personal Information Controller

A person or organisation who controls the collection, holding, processing or use of Personal Information. It includes a person or organisation who instructs another person or organisation to collect, hold, process, use, transfer or disclose Personal Information on his or her behalf, but excludes a person or organisation that performs such functions as instructed by another person or organisation. It also excludes an individual who collects, holds, processes or uses Personal Information in connection with the individual's personal, family or household affairs.

* Note: Definition taken from APEC Privacy Framework, clause 10.

 

Personal Information Processor

An organisation that, at the instruction of a Personal Information Controller, collects, holds, processes, uses, transfers or discloses Personal Information on the controller's behalf.

 

Privacy Enforcement Authority

Any public body that is responsible for enforcing Privacy Law and that has powers to conduct investigations and/or pursue enforcement proceedings.

* Note: Definition taken from CPEA, clause 4.1.

 

Privacy Law

Laws and regulations of an APEC member economy, the enforcement of which has the effect of protecting Personal Information consistent with the APEC Privacy Framework.

* Note: Definition taken from CPEA, clause 4.1.

 

Privacy Policies

Those operational rules and procedures adopted by an organisation to guide decisions made by it and its employees related to the ongoing protection of Personal Information collected, stored, used or disclosed by them.

Privacy Practices

Actions regarding the protection of Personal Information that are taken by an organisation and its employees pursuant to that organisation's privacy policies.

Privacy Statement

A public declaration of an organisation's Privacy Policies and Privacy Practices.

* Note: A privacy statement is required under the CBPR program requirements. It should be clear and accessible.

 

Program Requirements

A set of baseline program requirements based on the nine Information Privacy Principles against which an APEC-recognised Accountability Agent will assess an organisation's completed Intake Questionnaire.

 

Program Requirements Map

A template which provides the baseline program requirements of the CBPR system in order to guide an APEC member economy to explain how each requirement may be enforced in that economy.

* Note: Annex B to the Template Notice of Intent to Participate in the APEC Cross Border Privacy Rules system.

 

Publicly Available Information

Personal Information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from government records that are available to the public, journalistic reports, or information required by law to be made available to the public.

* Note: Definition taken from APEC Privacy Framework, clause 11.

 

Re-attestation

An annual process through which an Accountability Agent is recognised by APEC Economies to have met the Accountability Agent Recognition Criteria.

* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.

 

Receiving Authority

A CPEA Participant that has received a "Request for Assistance" from another Participant.

* Note: Definition taken from CPEA, clause 4.1.

 

Re-certification

An annual process through which an organisation is re-certified by an Accountability Agent as being CBPR-Compliant.

 

Request for Assistance

Includes, but is not limited to, a referral of a matter related to the enforcement of Privacy Law, a request for cooperation on the enforcement of Privacy Law, a request for cooperation on the investigation of an alleged breach of Privacy Law, and a transfer of a privacy complaint.

* Note: Definition taken from CPEA, clause 4.1.


Requesting Authority

A CPEA Participant that has made a Request for Assistance of another Participant.

* Note: Definition taken from CPEA, clause 4.1.

Security Safeguards

The physical, technical and administrative measures implemented and maintained by an organisation in order to protect against risks, such as loss or unauthorised access to Personal Information, or unauthorised destruction, use, modification or disclosure of Personal Information or other misuses.


Security Policies

Those rules and procedures adopted by an organisation related to the implementation and maintenance of measures to protect against risks, such as loss or unauthorised access to Personal Information, or unauthorised destruction, use, modification or disclosure of Personal Information or other misuses.