TRUSTe APEC Privacy Framework Report


TRUSTe Report (July 11, 2009)

US APEC Privacy Pathfinder Testing, Projects 1 and 3

INTRODUCTION

The United States Delegation, led by the Department of Commerce, volunteered to participate in Pathfinder Projects 1 and 3, including testing the usefulness of documents produced to understand how they might work in a cross-border privacy accountability process. During the period of May 13, 2009 through June 10, 2009, the US Delegation tested the utility of the Company Self-Assessment Questionnaire (Project 1 Document) in determining whether participating companies’ privacy policies and representations of their practices implemented the APEC Information Privacy Principles (Principles). Second, the test considered the usefulness of the Project 3 guidance document, which outlined for Accountability Agents how to interpret the Principles and map a company’s responses to the Project 1 Questionnaire with adherence to the Principles.

US PARTICIPATION

Participating Companies:

• Experian (Cheetah Mail)

• Microsoft

• Google (Gmail)

• Oracle

• Hewlett Packard

• Proctor & Gamble

• IBM

Accountability Agent: TRUSTe

TRUSTe is serving as the Accountability Agent for companies headquartered in the United States that are participating in the APEC Privacy Framework Pathfinder Testing. By promoting and elevating best practices for privacy and business accountability, TRUSTe helps companies build trustworthy relationships with consumers around the world. TRUSTe certifies the privacy policies and practices of businesses that have an online presence. Current programs and services of TRUSTe include its Web Privacy Seal, EU Safe Harbor Seal, Children’s Privacy Seal, E-mail Privacy Seal, a Trusted Download Program, and Trusted Site Services (small business offerings currently in beta). Service features of many TRUSTe programs include capacity building for businesses to implement best practices, certification of business practices and awarding seals, monitoring and scanning of websites, compliance and enforcement oversight, and providing consumer complaint intake and dispute resolution services through our Watchdog Program.

BRIEF CONCLUSIONS

• It was possible to use the Project 1 Company Self-Assessment Document and the guidance of the Project 3 Document to assess whether participating companies have privacy policies and representations of their practices that are consistent with the APEC Privacy Principles.

• However, from an Accountability Agent perspective, TRUSTe determined that the exercise was insufficient to verify actual practices and their consistency with a company’s privacy promises and representations. The Project 3 Document has limited utility. The current state of the Project 3 Document does not provide for measurable requirements or verification steps for an enforceable accountability program.

• In order to set a baseline for APEC Privacy Framework accountability programs, there should be measurable requirements against which actual practices of companies can be measured and verified (See Recommendations Section of this Report and TRUSTe Report Appendix A).

THE TESTING EXERCISE

Coordination of Testing

As the US Accountability Agent for the Pathfinder testing of Projects 1 and 3, TRUSTe coordinated testing with the seven US Participant Companies. Through e-mail and group conference calls, we explained testing parameters, entered into non-disclosure agreements with the individual companies, and established a testing schedule that ran from May 13 through July 10.

Companies Respond to the Project 1 Questionnaire


Each of the Participant Companies submitted responses to the Project 1 Document on or after May 29. Some also included additional supporting documents.

TRUSTe Review

TRUSTe independently reviewed Participant Company submissions, supporting materials provided, and their privacy policies. TRUSTe also visually reviewed the companies’ websites. TRUSTe followed up with companies with additional questions and also took company comments about the documents and testing process via e-mail, through company responses to the Project 1 Questionnaire, and verbally through phone contacts and meetings. At the conclusion of the testing, TRUSTe hosted conference calls with Participant Companies as a group and shared its evaluation of the exercise and provided opportunities for Participant reflections on the process. Working collaboratively with financial services sectors, TRUSTe included BITS, part of the Financial Services Roundtable in the US, in TRUSTe-led industry calls at the initiation and conclusion of testing. BITS is participating in a parallel, independent testing of the Project 1 and 3 documents (with the Federal Deposit Insurance Corporation (FDIC) designated as the likely public sector accountability agent for BITS bank members that are subject to regulation).

TRUSTe Report on the Testing Exercise: Accomplishments, Gaps, Challenges, and Recommendations

This report reflects TRUSTe’s analysis from the perspective of an Accountability Agent. It also comprehensively reports all comments by Participant Companies regarding the documents and test experience that were shared with TRUSTe (See TRUSTe Report Appendices B and C).

ACCOMPLISHMENTS

• The primary accomplishment of the APEC Pilot was that TRUSTe could effectively assess whether the Participating Companies have privacy policies and represented practices that are consistent with the Principles. We could affirm this conclusion with respect to each Participating Company. The analysis, per the scope of the exercise, was limited to a review of their written responses to the Project 1 Questionnaire, their privacy policies, and a visual review of company websites.


• This accomplishment is positive for it indicates that each Participating Company is implementing the APEC Information Privacy Principles in their corporate approach to privacy and information use.

• The exercise itself, however, was limited in scope. The activities of the companies, including their cross-border data transfers, were not verified against specific measurable criteria or requirements. This would generally be necessary for certification of a company’s practices to their privacy promises.

• Whether an APEC Accountability Agent oversees seal programs or compliance oversight through other mechanisms and authority, verification of company practices against enforceable criteria/contracts will be key in protecting consumer privacy, including when consumer complaints are lodged. The exercise and current state of the Project 1 and 3 Documents did not provide for measurable requirements or verification steps.

• In addition to the absence of accountability program requirements, some key differences in the exercise from compliance activities in a TRUSTe certification process include:

• No established interview process in conjunction with or following up on a company’s self-assessment process (although written questions were sent to participants);

• Absence of a more detailed review of websites in conjunction with internal dialogues with an applicant company;

• No review of site functionality;

• Absence of verification of company practices, such as technological scanning for pii collection methods or of passive pii collection without consumer consent, for active links to the privacy notice, for evidence of the functionality and presence of security features, or for the presence of malicious content;

• Absence of verification methods that place the Accountability Agent in circumstances where they test a company’s practices as a consumer would experience interactions with the company’s online (and offline) practices; and

• Lack of a mechanism for providing a report with a gap analysis to a company and requirements for capacity building / improvements required prior to certification or other verification of their practices.


Positive Discussion Points

• The Project 1 and 3 Documents were a good starting point, to the extent that they clearly mapped company representations and privacy policies to cover all of the Principles.

• It was helpful to see that we could assess the uptake of the principles by different business sectors and by companies that provide products or services.

• The exercise also was useful in understanding operational issues in responding to the Questionnaire from various perspectives.

• For instance, many companies found it difficult to navigate how to respond based upon whether their role was a processor, rather than a controller of data. They wondered whether, and if so, to what extent, the Principles and APEC Privacy Framework apply to a processor.

• In general, from an Accountability Agent perspective, it appeared to be easier for companies to answer the Project 1 Document whose business models included a Business-to-Consumer (B2C) relationship and product sales, rather than provision of services. It was also noteworthy that difficulties arose where companies had multiple roles B2C and Business-to-Business (B2B).

GAPS IN THE EXERCISE

We identified and reiterate certain gaps in the Pilot Exercise. They include:

• The lack of an assessment relative to baseline practice requirements for implementing the Principles and APEC Framework, including cross-border data transfers.

• The absence of verification of company practices against promises and representations that reflect the Principles.

• No verification of practices for consistency with pertinent aspects of local law (TRUSTe generally sets up program requirements that are consistent with key aspects of privacy regulations and laws).

• Questions continue to be raised about the application of the Framework and local law (i.e. national law) in the APEC process and testing.

• These included continuing questions about the extent to which a private sector Accountability Agent will be asked to assess compliance with collection limitation or other aspects of national laws (headquarters jurisdictions, other jurisdictions, how and to what extent).


• Further, questions and concerns were raised about the application of the Principles as a substitute for local law, setting a different (higher/lower) standard (for example, relating to the secondary use of information, transfers of data to joint marketing partners, proscriptions around normal business practices for access and correction).

• The Project 1 Questionnaire does not address offline data collection and use practices, although the Principles reference both online and offline.

CHALLENGES

• Complaints received by Participants on the Questionnaire – duplicative questions, unnecessarily granular questions that did not foresee the full scope of business practices, unnecessary questions. (See TRUSTe Report Appendix B and C)

• The majority of the challenges noted by Company Participants included high degrees of frustration with the Project 1 Questionnaire, including complaints about duplicative questions and duplicative requests for references to specific provisions within their privacy notices or other policies and practices documents.

• In connection with the theme of Questionnaire fatigue, Company Participants commented strongly that they felt that many questions were unnecessarily granular. In certain cases Participants felt that questions did not reflect or recognize the full scope of business practices and the need for flexibility in certain areas, rather than a one size fits all approach – one example included questions treating an entity’s information security oversight practices.

• Participants and TRUSTe did not see the need for certain questions, particularly those specifically detailing where data would be transferred. It appeared to many Company Participants to be more akin to a registration-type of requirement. The answer could change depending on business priorities. From an Accountability Agent standpoint, such information is most pertinent when a consumer files a complaint about data handling and the Accountability Agent investigates the facts.

• Absence of clarity in the application of the self-assessment to various roles of a company (processor vs. controller), or ability to segment answers by type of data or relationships (B2B, B2C, Employer HR Data vs. Consumer Data)

• Lack of defined terms – third parties (affiliate or a vendor)

• Approach not scalable – a very human intensive review is required by an Accountability Agent, heightened more because of the duplicative nature of the questions. Participant Companies also found the Project 1 Questionnaire to be time consuming to answer. They articulated inefficiencies in the process and a lack of clarity with respect to its application in varying and changing roles and due to differences arising with the treatment of varying data types.

CONCLUSIONS AND RECOMMENDATIONS

• It was possible to use the Project 1 Company Self-Assessment Questionnaire and the guidance of the Project 3 Document to assess whether participating companies have privacy policies and representations of their practices that are consistent with the APEC Privacy Principles. This positively demonstrated that Participating Companies affirmatively are taking steps to reflect the APEC Information Privacy Principles in their corporate approach to privacy and information use.

• From an Accountability Agent perspective, TRUSTe determined that the exercise and use of the current Project 1 and 3 documents was insufficient to verify the consistency of actual practices with a company’s privacy promises and representations.

• The Project 3 Document has limited utility. It does not provide a framework for an enforceable accountability program.

• In order to set a baseline for APEC Privacy Framework accountability programs, there should be measurable requirements against which actual practices of companies can be measured and verified. Measurable requirements will provide clarity and guidance to companies. Their development will also further assist accountability agents in understanding the scope of their compliance and oversight role.

• As next steps, baseline program requirements should be developed for accountability with the APEC Privacy Framework, including specifically for cross-border transfers and that clarify application and means for demonstrating understanding of local law requirements. (See TRUSTe Report Appendix A - Examples of Program Requirements Consistent with the APEC Privacy Framework (Notice, Choice)).

• Baseline requirements should be a starting point for private sector accountability agents to use when they develop and further refine their own APEC accountability programs.

• We recognize and wish to elevate the concern of companies that there is an equal need for clarity and development of public sector accountability agent roles and programs in parallel with the Project 1 and 3 private sector accountability development and testing.


• The Project 1 Company Self-Assessment Questionnaire should be streamlined, consistent with comments noted in this report, as well as reflecting information that is needed in order to measure compliance with an accountability program (See TRUSTe Report Appendices B and C – TRUSTe Analysis of the Use of the Project 1 Questionnaire, Comments on Project 1 Questionnaire by Participating Companies, respectively).


TRUSTe Report Appendices

Appendix A: Examples of Program Requirements consistent with the APEC Privacy Framework (Notice, Choice)

Appendix B: TRUSTe Analysis of the Use of the Project 1 Questionnaire

Appendix C: Comments on Project 1 Questionnaire by Participating Companies


TRUSTe Report Appendix A

Examples of Program Requirements Consistent with the APEC Privacy Framework

(Notice, Choice)

These proposed requirements, focusing on the Notice and Choice principles of the APEC Privacy Framework, are designed to be an illustrative example of how an accountability agent may draft requirements for their specific programs supporting the Framework. Accountability Agents may have requirements due to regulatory or legal obligations in addition to the ones presented here. At a minimum, an accountability agent would require the following around Notice and Choice.

Notice

Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include:

a) the fact that personal information is being collected;
b) the purposes for which personal information is collected;
c) the types of persons or organizations to whom personal information might be disclosed;
d) the identity and location of the personal information controller, including information on how to contact them about their practices and handling of personal information;
e) the fact that PII may be transferred, accessed, and stored globally;
f) the choices and means the personal information controller offers individuals for limiting the use and disclosure of, and for accessing and correcting, their personal information.

All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information. Otherwise, such notice should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information.

1. Existence of Notice: Personal Information Controllers must provide notice on its website regarding its practices and policies with respect to personal information by

(a) placing a privacy statement on its website¹; or
(b) proactively informing individuals about its privacy practices and policies via other mechanisms besides the World Wide Web.

2. Clarity of notice: Personal Information Controllers must provide notice that is clear and easily understandable, by making its privacy statement available and understandable for general Internet users/ average consumers in the primarily targeted economy.

3. Accessibility of notice: Personal Information Controllers must make the notice on their website prominent and accessible by

(a) displaying its privacy statement conspicuously in a convenient location, and be easy to find and access; or
(b) prominently and appropriately labeling its privacy statement and be no less readable than other print or links on web page.

4. Provision of notice: Personal Information Controller must take all reasonably practical steps to ensure that notice is provided either before or at the time of collection of personal information, or as soon after as is practicable, by

(a) placing its privacy statement, or a link to the statement, on every page of its website, or at all entry points of its website; or
(b) placing its privacy statement, or a link to the statement, at every point on its website where personal information is actively collected; or
(c) providing its privacy statement, or a link to the statement, before personal information may be actively collected.

Choice

Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.²

¹ Such as text on web page, link from URL, attached document (e.g. PDF), pop-up window, inclusion in frequently-asked questions (FAQs) section, or other.

² The Choice Principle recognizes, through the introductory words “where appropriate,” that there are certain situations where consent may be clearly implied or where it would not be necessary to provide a mechanism to exercise choice (e.g., when collecting personal information from a public record or newspaper). In addition, in some cases, use of information may be required or authorized by law.


Personal Information Controller must provide notice, consistent with the Notice requirements listed above, as to the circumstances under which affirmative consent, and/or implied consent, is sought.

1. Choice regarding information collection: Personal Information Controller must provide mechanisms that give an individual choice regarding the collection of personal information about him/her through either affirmative or implied consent.

2. Choice regarding information use: Personal Information Controller must provide mechanisms that give an individual either opt-in or opt-out choice regarding the use of personal information held about him/her.

3. Choice regarding information disclosure: Personal Information Controller must provide mechanisms that give an individual either opt-in or opt-out choice regarding which, if any, personal information about him/her is disclosed to third parties³.

4. Clarity and understandability of choice: Personal Information Controller must provide choice mechanism(s) that clearly and factually indicates the true choices individuals have about the collection, use, and disclosure of their personal information by making its choice mechanism available and understandable for general Internet users/ average consumers in the primarily targeted economy. Choices may not be misrepresented or false.

5. Accessibility of choice: Personal Information Controller must provide choice mechanism(s) that are prominent and accessible, by

(a) clearly and conspicuously⁴ displaying it in an easy to find and convenient location; or
(b) providing choice mechanism(s) when individuals are first asked to provide personal information; or
(c) providing choice mechanism(s) before personal information may be actively collected.

6. Affordability of choice: Personal Information Controller’s provision of choice is affordable to individuals. Charging the individual to inform Personal Information Controller of his/her privacy preferences is prohibited.

³ Third parties could be a Participant’s affiliate or non-affiliate (such as agent or service provider), for purposes such as order fulfillment, payment processing, marketing, etc.

⁴ The FTC has a good definition of “clear and conspicuous” relating to size of font, contrasting color of background and text, placement of text relative to other text or points of collection, etc.


TRUSTe Report Appendix B

TRUSTe Analysis of the Use of the Project 1 Questionnaire

Questions that require a copy of a supporting document(s)

*Note that most of the additional documents required are found in connection with the Notice provision.

Question 1: Clear and accessible statements re privacy policies and practices before or at time of collection of PII?
- Obtain a copy of the Privacy Statement.

Question 2: Notice that PII is being collected?
- Obtain a copy of the applicable notice.

Question 3: Indicate purposes for which PII is collected?
- Obtain a copy of the applicable notice.

Question 4: Before making PII available to 3rd parties, notice of sharing?
- Obtain a copy of the applicable notice.

Question 5: Inform individuals that PII may be subject to international transfer?
- Obtain a copy of the applicable notice.

Question 7: Does privacy policy provide choices for limiting use and disclosure of PII?
- Obtain a copy of the applicable notice.

Question 8: Does privacy policy provide info on how to access and correct PII?
- Obtain a copy of the applicable notice.

Question 9: Are choices in Q7 re limiting use and disclosure provided in a clear and conspicuous manner?
- Obtain a copy of the applicable notice.

Question 10: Notices of above practices (Q 1-9) in addition to notice of privacy policy? How?
- Obtain a copy of the applicable notice.


Question 65: If Applicant discloses PII to other PII controllers in situations where due diligence and mechanisms to ensure compliance with their APEC CBPRs by the recipient as described above is impractical or impossible, describe disclosures and consent…

- Obtain a copy of the applicable consent.

Questions that request, but do not require, a copy of a supporting document

Question 32: Mechanisms in place so choices are honored in effective and expeditious manner.
- Applicant to provide description herein or in an attachment.

Question 34: Mechanism for correcting inaccurate, incomplete, or out-dated PII?
- Applicant to provide description herein or in an attachment.

Questions that are unclear or where clarifying examples may be helpful

Question 51 (c): Provide examples of or clarify “corporate resolution by members of a group.”

Question 61 (c): Provide examples of or clarify “corporate resolution by members of a group.”

Questions that are Repetitive / Duplicative

Question 3: Indicate purposes for which PII is collected?
- Same as 13
- Linked to 20

Question 7: Does privacy policy provide choices for limiting use and disclosure of PII?
- Same as 27, 28

Question 8: Does privacy policy provide info on how to access and correct PII?
- Same as 34, 50
- Linked to 49

Question 9: Are choices in Q7 re limiting use and disclosure provided in a clear and conspicuous manner?

- Same as 29


Question 14: Mechanism to exercise choice offered in relation to collection of PII?

- Same as 26
- Linked to 21(a), 16(a)

Question 15: Limit collection of PII to relevant purposes?
- Same as 20
- Linked to 26

Question 16: If NO to Q15, is used based on express consent of individual or compelled or expressly authorized by law?
- Same as 21
- Linked to 27

Question 17: When 3rd Parties collect PII on your behalf, limit collection to info relevant to fulfillment purposes for which it is collected?
- Linked to 59, 60

Question 19: Do you require 3rd Party collecting PII on your behalf to do so by fair and lawful means consistent with requirements of jurisdiction governing collection of PII?
- Linked to 59, 60

Question 21: If NO to Q20, collection of PII based on express consent of individual or compelled or expressly authorized by applicable laws?
- Linked to 27

Question 25: If NO to Q24, is disclosure based on express consent of individual, necessary to provide requested product / service, compelled or expressly authorized by law?
- Linked to 28, 64

Question 28: Is there a mechanism for individuals to exercise choice re disclosure of PII?
- Same as 25(a)

Question 34: Do you have a mechanism for correcting incomplete and out-dated PII?
- Same as 50

Documents to obtain from Applicant

Required:

- Obtain a copy of the Applicant’s Privacy Statement;


o See Questions 1-10 and Question 65 (above) – it is preferable that Applicant highlights the applicable provisions in the Privacy Statement or, in the least, specifically refers to the provisions within the questionnaire.

- Obtain screenshots of Notice Provisions referred to above;
- Obtain screenshot of applicable consent form requirement in Question 65.

Recommended:

- Security / Data Protection Policies / Plans;
- Employee Privacy Policies;
- Investigation Procedures / Incident Response Reports;
- Vendor / Third Party Privacy Policies / Clauses


TRUSTe Report Appendix C

Comments on Project 1 Questionnaire by Participating Companies

Question Number: Comments or Proposed Wording Changes

General

- Need definition for data transfer.

ii

- Is this intended to only cover legal entities of the organization – or should it also cover vendor processors? Should make this clear.

iv

- Should be “place of incorporation of parent entity” as opposed to “place of incorporation” as every sub is incorporated somewhere.

vi – vii

- Questions hard to answer and have an impact on jurisdictional issues due to the nature of our product. Do we need certification where the data is stored or where the data is collected? Conceivably, we have users in all of these economies.

- The intent of questions vi and vii is unclear. Is it to (1) allow accountability agents to determine whether an organization can apply for certification in the first place since it collects and transfers information within the APEC region? Or is the intent rather to (2) limit the scope of an organization’s CBPRs to the countries of collection/transfer identified at the time of certification?

o If (1), it may be preferable to replace existing question vi and vii with: “Do you collect personal information in APEC member economies?” and “Do you transfer such personal information within APEC member economies?”

o If (2), we may want to rethink the approach. Indeed, it may not be unreasonable to require that an organization’s CBPRs apply across all APEC economies, regardless of whether the collection from/transfer to any given APEC economies were foreseen at the time of certification. In other words, where information is collected in any given APEC economy, and where this information is transferred to any other APEC economy, the CBPRs would come into play. This would preclude organizations, accountability agents and regulators from having to consider whether any given collection or transfer across member economies was contemplated at the time of certification.

- Don’t need to ask Questions vi and vii. This is more information than the EU SH requires. Not sure why these questions are being asked.

vi - All of our technology is currently in the US. IS THERE ANY CHANCE WE COULD TRANSFER APEC DATA ANYWHERE OUTSIDE THE U.S.?

- This narrative seems redundant with prior questions. We are answering as if redundant with question II, V, VI


- We transfer FROM all of these countries, but not TO all. Is the question only intended for TO?

viii - Very broad question.

- This question is redundant and should be eliminated.

Notice (Questions 1-11)

- Instead of Yes/No answer format – provide open text boxes to allow companies to effectively describe their privacy practices as it relates to each question.

- See proposed revised commentary and questions at the end of this appendix

1 - Comment: I assume I can answer this in the context of our B2B relations, not our clients B2C relations. I also assume a hyperlink is OK, but we’ll attach the real version as well.

- Comment: It would be hard for us to supply a copy of all privacy statements (there are so many). I would suggest a sample or templates.

- Wording Change: Do you provide clear and easily accessible statements about your practices and policies that govern the personal information described above before or at the time of collection (e.g., a privacy policy or privacy statement)? Where YES describe and provide copy or URL of applicable statement notice below. Cite all applicable qualifications listed in part II of this section in the space provided and describe.

- Comment: The qualifications below are really meant to serve as exceptions to provide “just in time” notice, not as exceptions to the need to have a general privacy statement.

2 - Comment: Awkward to jump ahead to part II at this point. If we are providing copies of privacy statements above, what additional is being asked for here? Do we need to provide the section that covers collection of data to be cut & pasted into the form?

- Wording Change: Does your privacy policy statement provide insight into how your organization collects notice that personal information is being collected? Where YES describe and provide copy of applicable notice below. Cite all applicable qualifications listed in part II of this section that apply to your notice of information collection in the space provided and describe.

- Comments:

o (1) The qualifications below are really meant to serve as exceptions to provide “just in time” notice, not as exceptions to the need to have a general privacy statement.

o (2) The question is confusing. Privacy policies will provide a list of instances where personal information may be collected. It will not provide “notice that personal information is being collected” in a particular instance however, which is why we believe that re-wording the question is warranted.

o (3) In addition, since our privacy statement’s URL is referenced in our answer to question 1, there is no need to “describe”.

3 - Comment: Awkward to jump ahead to part II at this point. If we are providing copies of privacy statements above, what additional is being asked for here? Do we need to provide the section that covers collection of data to be cut & pasted into the form?

- Wording Change: Does your privacy statement policy provide insight into the indicate the purpose(s) for which personal information is being collected? Where YES describe and provide copy of applicable notice below. Cite all applicable qualifications listed in part II of this section that apply to your purpose specification in the space provided and describe. (refer to COLLECTION LIMITATION question 13; USES OF PERSONAL INFORMATION, question 20]

- Comments:

o (1) The qualifications below are really meant to serve as exceptions to provide “just in time” notice, not as exceptions to the need to have a general privacy statement.

o (2) The question is confusing. Privacy policies will provide a list of general purposes for which personal information is usually collected. It will not provide the exact purpose for which personal information is collected in a specific instance—a “just in time” notice will be used for that purpose.

o (3) In addition, since our privacy statement’s URL is referenced in our answer to question 1, there is no need to “describe”.

4 - Comment: Recommend breaking this out into a series of questions listing different types of third parties.

- Wording Change: Does your privacy statement provide insight into your sharing practices with third parties? Before making personal information available to third parties, do you notify individuals that their personal information may be shared with such third parties? Where YES describe the form in which this notice is provided, when it is provided, and provide copy of applicable notice below. Cite all applicable qualifications listed in part II of this section that apply to disclosures of information sharing with third parties in the space provided and describe.

5 - Comment: Need to clarify the difference between a privacy policy & a privacy statement - one being an internal document, the other external facing. Same comment as earlier questions – should I cut and paste the section here or just rely on the PS that has been shared.

- Wording Change: Does your privacy statement policy inform individuals that their personal information may be subject to an international transfer? Where YES describe and provide copy of applicable notice below. Where NO, please cite the applicable qualification listed in part II of this section in the space provided and describe.

6 Wording Change: change “policy” to “statement”

7 - Wording Change: Does your privacy policy statement provide choices and means information to individuals for limiting the use and disclosure of their personal information? Where YES describe and provide copy of applicable notice below.

- Comment: The privacy policy cannot provide choices. It is a general statement regarding an organization’s practices, and at best, it will provide individuals with information relating to how to contact an organization with any requests. “Just in time” notice statements however will provide individuals with the opportunity to limit the use and/or disclosure of personal information.

8 Wording Change: change “policy” to “statement”

9 - Comment: #9 and #13 seem to be asking the same thing.

- Comment: Impossible to provide copies of all of these disclosures. What about providing a copy of the internal requirements?

- Wording Change: When choices are provided to the individual offering the ability to limit the collection, use and/or disclosure of their personal information, are they Are those notices presented in a clear and conspicuous manner? Where YES describe and provide copy of applicable notice below. [refer to CHOICE question 29]

- Comment: [REVERSE QUESTIONS 9 AND 10; 10 SHOULD COME FIRST]

10 - Comment: It is impossible to provide copies of all these notices – and new ones are being produced on a regular basis. Again I would suggest providing copies of the internal requirements and samples.

- Wording Change: change “policy” to “statement”

- Comments:

o (1) Existing question 10 should precede question 9.

o (2) Question 10 is really the place where we should be talking about Qualifications/Exceptions as it is the only question, along with question 9 and 11, where the use of “just in time” notices is contemplated, i.e. short statement made right at the time of collection which indicates to individuals the purpose of the collection, how it’s going to be used and with whom it’s going to be shared, with a reference to the privacy policy to find out more information.

o (3) Furthermore, on the topic of “qualifications”(this comment applies to this entire document): qualifications should be available in all cases, without the need to cite/describe them as they are commonly understood and self-explanatory, and most if not all organizations will want to avail themselves of them from time to time (e.g. ‘action in the event of an emergency”) as the APEC Framework itself recognizes their legitimacy. Most organizations will simply copy and paste the qualifications in each one of their answers – why wouldn’t they—so we question the usefulness of requiring organizations to cite/describe them.

11 Qualifications to the Provision of Notice

- Comment in re iii: Third Party Receipt- So the entire context for this is just B2B customers/prospects? I THINK SO

- Comment in re iv: Where collection, use or disclosure is obvious - In many instances, organizations will not provide “just in time” notice or even refer the individual from whom they are collecting personal information to their privacy policy because the purpose of the collection, use and/or disclosure of their personal information is obvious. An individual who uses their credit card for example to buy a sweater would not expect the retailer to provide them with a “just in time” notice that their credit card information is being collected, of the reason why it is being collected, and that their information will be shared with the retailer, the credit card company, and the IT service provider who manages their payment systems. They may not even refer them to their privacy policy, which may provide some information regarding the use of service providers and other entities to help them fulfill the “order”. They would rely in this case on the fact that the customer knowingly provided their credit card to buy the sweater, and that it was obvious that sharing of data would occur between some organizations in order to fulfill the individual’s request. The same could be said of an individual calling into a call centre to have a request fulfilled. The CBPRs scheme needs to recognize, as some member economies’ laws do, that it is reasonable in some circumstances to rely on this “obvious collection, use or disclosure” qualification.

Collection Limitation (Questions 12–19)

12 - Comment regarding answer choice: From third parties with whom you have no ongoing relationship ______

o Unclear what kind of parties you’re referring to. Does this relate to sub contractors or a third party that we do have a relationship with?

- Comment: The term “ongoing relationship”, although used in the Framework, is unclear. Are we trying to differentiate between cases where information is provided by a personal information controller (e.g. a data broker) versus cases where information is provided by a personal information processor (e.g. a service provider who conducts customer satisfaction survey on behalf of the controller)? It is difficult to see how having an ongoing relationship/not having an ongoing relationship is material to what an organization is required to do under APEC.

o Also, it is unclear how this question relates to other questions under this Principle, as none of them refer to this ‘ongoing relationship vs. non-ongoing relationship ‘ dichotomy. Considering this, we should consider eliminating this question entirely.

- Comment: The last answer choice “From third parties with whom you have no ongoing relationship” should be re-worded to read “From third parties with whom you have a previous relationship”.

13 - Comment: Not sure how this differs from earlier question.

- Comment: This question is about “notice” and “accountability”, not collection limitation. It should be deleted as it is already covered under “notice” and “accountability”.

- Comment: This question needs clarification. Identify the purposes to whom? Third parties? Data Subject? Across organization?

14 - Comment: Very confusing question. Suggest getting more granular and describing scenarios. Typically the choice over whether the data is collected is made by the user when they sign up for a service and provide the information. Scenarios might make it clearer what the real issue they are trying to get at is.

- Comment: This question isn’t relevant to the Collection Limitation principle- it is already covered under “Choices”. Suggest deleting it.

15

16 This question belongs in the Use section, not Collection Limitation.

17 - Comment: We are assuming that “third parties” does not mean subsidiaries. Need a N/A box here.

- Is this question not a subset of question 15 and as such, already covered and redundant?

- Give an example of an organization that collects data “on behalf” of the Data Controller. What does this mean?

18 - Comment: How do you describe this?

- Comment: Don’t see the usefulness of asking this question. Are we expecting organizations to say that they don’t comply with applicable laws?

- Comment: Combine Questions 18 & 19.

19 We are assuming that “third parties” does not mean subsidiaries. Need a N/A box here.

Uses of Personal Information (Questions 20–25)

20

21 (a) and (b) should be available in all instances; they are not mutually exclusive of the fact that an organization may limit their use generally. We suggest creating “qualifications” for this section as well.

22 - Comment: We are taking a broad definition of “personal information controllers” to include subsidiaries.

- Comment: Provide descriptive fields instead of Yes/No answer choice

23 - Comment: We are taking an expansive view of the definition of “personal information processor” to include subsidiaries.

- Comment: Provide descriptive fields instead of Yes/No answer choice

24

25 - Comment: It seems like the answers would require the individual’s consent (i.e., Y in Q 24). So these answers are not relevant.

- Wording Change: If you answered NO to question 24, or if otherwise appropriate, do the disclosure and/or transfer take place under one of the following circumstances?

- Comment: (a), (b) and (c) are not mutually exclusive of the answer provided in question 24. Add under “qualifications”.

- Comment: 25(c) needs to be clarified. “Compelled or expressly authorized by applicable law” – this is a permitted use.

Choice (Questions 26-32)

26 - Comment: There is an issue in this instance once again with the “applicable qualifications”, as organizations will be required or permitted to use the qualifications, despite the fact that generally, they do offer choice. Again, qualifications should always be available to all.

- Comment: Qualify this question that this applies to secondary marketing communications.

27 - Comment: How is this different than Q 14?

- Comment: Same comment as Question 26

- Comment: Questions 27 – 32 are very similar. Splitting hairs.

28

29 Notice questions answer this.

30 - Comment: It is difficult to “describe” how one makes choices clearly worded and easily understandable—it’s all in the eye of the beholder. Is there any value in asking this?

- Comment: Notice questions answer this.

31 This question combines all the topics of the previous questions. Not needed.

32 - Comment: Is there a need to provide documentation of the processes used to ensure preferences are respected? That would be difficult.

- Descriptive answer format better than Yes/No format.

Qualifications vii The use of implied consent is recognized as an acceptable practice in the preamble to this section, so it is difficult to see why it is not recognized in the “qualifications” section.

Integrity of Personal Information (Questions 33-37)

33 - Comment: How do we define “the purposes of use”? The purpose is not generally affected by whether personal information is accurate or not. A preferable test would be to ask whether inaccurate personal information will affect the individual in a negative way.

- Comment: The words “and ensure” should be deleted since it is nearly impossible for an organization to ensure that the information they hold is accurate, as it largely depends on the level of responsiveness and the accuracy of the response provided by the individual affected.

34 Is this question not duplicative with the ones under “Access and Corrections”?

35 - Comment: The terms “third parties”, “personal information processors”, “agents” and “service providers” are used throughout interchangeably. It is confusing and we would recommend the following: (1) do not use “third parties”; (2) use the term “personal information controllers” to refer to organization which controls the collection, use and disclosure, (3) use the term “personal information processors” to refer to agents/service providers and (4) create a Glossary with a definition of those terms.

- Wording change: replace “disclosure” with “transfer”

- Comment: Difficult to answer. B2B companies less relevant than B2C. Allow for more description.

36 - Wording change: replace “disclosure” with “transfer”

- Comment: The Framework does not require controllers to communicate to other controllers any corrections. Data brokers for example, who are controllers in their own right, would not typically communicate to other controllers, i.e. their clients, any inaccuracies they become aware of (e.g. change of address). The “Accountability” principle requires controllers to be responsible for the data they control, including data that is processed by a processor on their behalf. It does not require controllers to be responsible for data that is NOT under their control.

37 Need an N/A box here.

Security Safeguards (Questions 38-47)

38

39 How about providing a copy of the relevant documents? Otherwise need a checklist of what things are included in the policy.

40 - What is a proportional response?

- What are they looking for here?

41

42 - How is this different from Question 40?

- Question unclear

43

44

45 Wording change: Do you regularly have process to test the effectiveness of the safeguards referred to above in questions 40? Describe below.

46 - Comment: Blend into Question 42.

- Wording change: Do you have anHow do you usey third-party certifications or other risk assessments based upon your risk profile? (either internal or external)? If so, how often are they performed and by whom? Describe below.

47 - Comment: Question 47(a) – define what is meant by “same level of protection”.

- Wording Change Question 47(a): Implementing an information security program that provides the same level of protection that is complimentary to the needs of the information and services provided? as your information security program?

- Wording Change Question 47(b) - Notifying you promptly when they become aware of an occurrence of breach of the privacy or security of your organization’s personal information?

Access and Correction (Questions 48-50)

48

49 Wording Change: Upon request, do you provide individuals information about the PII you held about them access to the personal information that you hold about them? Where YES, answer questions 49(a) – (e) and describe your organization's policies/procedures for receiving and handling access requests below. Where NO, cite the applicable qualification listed in part II of this section in the space provided and proceed to question 50.

50 - Comment Question 50(a): This question is redundant, and covered under Notice.

- Wording Change Question 50(a): Are your practices and policies access and collection mechanisms presented in a clear and conspicuous manner? Provide a description in the space below or in an attachment if necessary.

Accountability (Questions 51-65)

This framing language is extremely confusing. The terms “disclosure” and “transfer” are used interchangeably, and the mention of the “ongoing relationship” factor simply adds to the confusion. When personal information is disclosed to another controller, consent (implied or express) should be sought. When personal information is transferred to a processor, due diligence should be performed.

51 - Comment: Three companies submitted similar comments around the answer choice “Corporate resolution by members of group”: The phrase “corporate resolution by members of group” is unclear – which group?…, “unilateral undertaking” phrase is also unclear.… ?

- Wording Change on answer choice: Unilateral undertaking of compliance with a privacy program that agreeing to compliesy with the APEC Information Privacy Principles

52 Seems to be a repeat of 41

53 Wording Change: Has your organization appointed someone to be responsible for your organization’s overall compliance with the Privacy Principles?

54

55

56 Need more room to explain, text box more effective than Yes/No answer format because the nature of the complaint may impact how the question is answered.

57 See comment for Question 56.

58

59 This exercise does not only cover consumers’ data, but others’ as well.

60

61 - Comment: As this is a test of the APEC CBPRs, this question is prospective in nature

- Comment: Same issue as 51 (two companies had this comment)

- Wording Change: How do you ensure that your personal information processors, agents, contractors or other service providers will handle your personal information in accordance with your CBPR obligations? follow your CBPRs? Please check all that apply and describe below

62 Questions 62 and 63 should be merged. The outcome this process should be seeking is that accountable organizations find ways to obtain reassurance as needed that the data it has entrusted to others for processing is being adequately handled. The process should not dictate to organizations the series of steps it must take to achieve this goal. We suggest merging questions 62 and 63, and rewording as follows: “Do you take steps to verify that personal information processors to whom you transfer personal information handle this data as per your instructions? Please describe.” Organizations should be permitted to use any methods they deem fit to satisfy this criteria.

63

64 Not clear what this question is asking - under what scenario would an entity share without due diligence?

65 - Wording Change: If YES, please describe the disclosures and state whether you use other means, such as obtaining the individual’s consent prior to the disclosure, to assure that the information is being protected consistently with the APEC information privacy principles? [refer to CHOICE question 28; USES OF PERSONAL INFORMATION question 25(a)] Where applicable, describe the form in which the consent is obtained from individuals, when it is obtained, the mechanism used to seek the individual’s consent and honor the individual’s choice, and provide copy of the applicable consent below.

- Comment: No personal information controller can require that another controller which is not a member of the same corporate family abide by the APEC Framework.

- The Accountability principle recognizes this reality by stating that “the personal information controller should obtain (1) the consent of the individual OR (2) exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.”

- (1) and (2) are mutually exclusive, which means that by obtaining consent, an organization does not have to assure that the information is being protected consistently with the APEC principles.

- This distinction was clearly created to accommodate between cases where a controller retains control despite the fact that the information is being handled by an agent or a service provider, and cases where a controller is no longer in control, such as when the information is shared with another controller for that controller’s own use.


Proposed Revised Notice Questions and Revised Commentary

Notice (Questions 1-11)

The questions in this section are directed towards ensuring that individuals are able to know what information is collected about them and for what purpose it is to be used. By providing notice, personal information controllers may enable an individual to make a more informed decision about interacting with the organization. One common method of compliance with this Principle is for personal information controllers to post notices on their Web sites. In other situations, placement of notices on intranet sites or in employee handbooks, for example, may be appropriate. At the same time, the Principle also recognizes that there are circumstances in which it would not be practicable to give notice at or before the time of collection, as well as situations where it would not be necessary to provide notice. These situations are detailed in part II of this section.

A notice that is consistent with the APEC Framework should provide sufficient information to allow individuals to understand what information is being collected and how it will be used. The Notice principle works in conjunction with a number of other principles, most importantly collection limitation and choice. In order to avoid duplication of answers, where the answer in the notice provision would also duplicate information provided in answer to another principle, please indicate in your notice answer that the matter is addressed in your notice, provide the notice language and cross reference the question where supplemental information is provided.

The questions below reflect a compendium of best practices for privacy notice that would be consistent with the APEC Framework. The questions may break the topic into elements that are combined or otherwise not easy to address individually depending on your implementation. Please use the text field at the end of the section to address those types of issues as well as any applicable qualifications. Please also provide a copy of the notice provision in your privacy policy. (Cut and paste in a text box or can they just give you a copy of the policy?) Section II addresses qualifications to notice; please indicate which of these may be applicable to your notice. You may do so in the context of the questions related to the principles or in the supplemental section following Section II.

The elements of notice are broken out below into separate questions, with short descriptive fields. This presentation is hoped to help organize your answer and make it more easily comparable to the principle, but feel free to link answers to the questions, where needed for completeness. As was highlighted above, in some cases the notice language itself may provide a complete answer to the question.


1. How does your notice provide clear and easily accessible statements about your practices and policies that govern the personal information described above before or at the time of collection (e.g., a privacy policy or privacy statement)?

2. How does your notice describe that personal information is being collected?

3. How does your notice indicate the purpose(s) for which personal information is being collected?

4. How does your notice inform the individual about sharing of personal information?

5. How does your notice address the possibility of International Transfer of PII?

6. How does your notice identify your organization and what kind of contact information/process is available?


7. What choices are offered in your notice related to use and disclosure of information?

8. What information/ process does your notice provide/specify related to access and correction?

9. Is there any instrument or information provided that is not included in, or supplemental to the privacy policy?

II. Qualifications to the Provision of Notice

The following are situations in which the APEC Notice Principle may not be necessary or practical.

i. Collection of Publicly Available Information: Personal information controllers do not need to provide notice regarding the collection and use of publicly available information.

ii. Technological Impracticability: Personal Information controllers do not need to provide notice at or before the time of collection in those cases where electronic technology automatically collects information when a prospective customer initiates contact [e.g. through the use of cookies]. However, the notice should be provided to the individuals as soon after as is practicable.

iii. Third-Party Receipt: Where personal information is received from a third party, the recipient personal information controller does not need to provide notice to the individuals at or before the time of collection of the information.


iv. Disclosure to a government institution which has made a request for the information with lawful authority: Personal information controllers do not need to provide notice of disclosure to law enforcement agencies pursuant to warrants or subpoenas.

v. For legitimate investigation purposes: When providing notice would compromise the availability or accuracy of the information and the collection, use and disclosure are reasonable for purposes relating to investigating a violation of a code of conduct, breach of contract or a contravention of domestic law.

vi. Action in the event of an emergency: Personal Information controllers do not need to provide notice in emergency situations that threaten the life, health or security of an individual.

Please provide any supplemental information on how these qualifications apply to your development of notice provisions.