英国 データ保護委員会 アカウンタビリティ フレームワーク

こんにちは、丸山満彦です。

英国のデータ保護委員会（Information Commissioner's Office : ICO）がアカウントビリティー フレームワークを公表していますね。大作です！

● UK-ICO

・2020.09.10 Blog: Accountability Framework: demonstrating your compliance

Ian Hulme, Director of Regulatory Assurance discusses the launch of our new Accountability Framework and how organisations can take part in the next stage of its development. 

・Accountability Framework

• Introduction to the Accountability Framework
  
  
• 01. Leadership and oversight
  • Organisational structure
  • Whether to appoint a DPO
  • Appropriate reporting
  • Operational roles
  • Oversight groups
  • Operational group meetings
    
    
• 02. Policies and procedures
  • Direction and support
  • Review and approval
  • Staff awareness
  • Data protection by design and by default
    
    
• 03. Training and awareness
  • All-staff training programme
  • Induction and refresher training
  • Specialised roles
  • Monitoring
  • Awareness raising
    
    
• 04. Individuals’ rights
  • Informing individuals and identifying requests
  • Resources
  • Logging and tracking requests
  • Timely responses
  • Monitoring and evaluating performance
  • Inaccurate or incomplete information
  • Erasure
  • Restriction
  • Data portability
  • Rights related to automated decision-making and profiling
  • Individual complaints
    
    
• 05. Transparency
  • Privacy notice content
  • Timely privacy information
  • Effective privacy information
  • Automated decision-making and profiling
  • Staff awareness
  • Privacy information review
  • Tools supporting transparency and control
    
    
• 06. Records of processing and lawful basis
  • Data mapping
  • Record of processing activities (ROPA)
  • ROPA requirements
  • Good practice for ROPAs
  • Documenting your lawful basis
  • Lawful basis transparency
  • Consent requirements
  • Reviewing consent
  • Risk-based age checks and parental or guardian consent
  • Legitimate interest assessment (LIA)
    
    
• 07. Contracts and data sharing
  • Data sharing policies and procedures
  • Data sharing agreements
  • Restricted transfers
  • Processors
  • Controller-processor contract requirements
  • Processor due diligence checks
  • Processor compliance reviews
  • Third-party products and services
  • Purpose limitation
    
    
• 08. Risks and data protection impact assessments (DPIAs)
  • Identifying, recording and managing risks
  • Data protection by design and by default
  • DPIA policy and procedures
  • DPIA content
  • DPIA risk mitigation and review
    
    
• 09. Records management and security
  • Creating, locating and retrieving records
  • Security for transfers
  • Data quality
  • Retention schedule
  • Destruction
  • Information asset register
  • Rules for acceptable software use
  • Access control
  • Unauthorised access
  • Mobile devices, home or remote working and removable media
  • Secure areas
  • Business continuity, disaster recovery and back-ups
    
    
• 10. Breach response and monitoring
  • Detecting, managing and recording incidents and breaches
  • Assessing and reporting breaches
  • Notifying individuals
  • Reviewing and monitoring
  • External audit or compliance check
  • Internal audit programme
  • Performance and compliance information
  • Use of management information

---