Ongoing APEC CBPR and PRP Systems requirements
for Accountability Agents
The ongoing requirements for Accountability Agents are specified in the CBPR and PRP Program Requirements. The text provided here is only intended to highlight some of the responsibilities and obligations. In the event of any inconsistency, the APEC CBPR and PRP Systems documents will prevail.
If you are an Accountability Agent for the APEC CBPR System, it is your responsibility to ensure that you are in compliance with the APEC CBPR System requirements as set out in the Accountability Agent APEC Recognition Application and CBPR Program Requirements.
If you are an Accountability Agent APEC PRP System, it is your responsibility to ensure that you are in compliance with the APEC PRP system requirements as set out in the Accountability Agent APEC Recognition Application and PRP Program Requirements.
No actual potential conflict of interest
An Accountability Agent must have no actual or potential conflict of interest. Your organisation must not act as an Accountability Agent for a related entity or where there is a risk that your organisation’s professional judgement, integrity and/or objectivity could be influenced by the relationship with that entity.
Where your organisation considers that it can continue to act where a potential conflict of interest has arisen (e.g. due to internal safeguards), your organisation must promptly notify the Joint Oversight Panel of the potential conflict of interest and explain how the organisation will ensure that the circumstances will not compromise your organisation’s ability to make a fair decision.
Examples of situations where notification is required:
- officers of the applicant entity serve on your organisation’s board of directors in a voting capacity (and vice versa);
- officers of the entity that your organisation has certified serve on your organisation’s board of directors in a voting capacity (and vice versa);
- there is a commercial relationship between your organisation and the entity applying for certification or the entity that has been certified by your organisation;
- your organisation has entered into significant monetary arrangement with the entity applying for certification or the entity that has been certified by your organisation.
Please note: If the Joint Oversight Panel is not satisfied that the potential conflict of interest can be averted, it will ask your organisation to withdraw from the engagement.
No outside financial or other benefit
An Accountability Agent must refrain from providing other services to entities that it has certified under the APEC CBPR or PRP Systems and/or to entities that have applied for certification unless those services are not related to the CBPR or PRP Systems AND the Accountability Agent has notified the Joint Oversight Panel of the proposed engagement and explained how it has ensured that it will remain free of actual or potential conflicts of interest.
Please note: If the Joint Oversight Panel is not satisfied that there is no actual or potential conflict of interest, it will ask your organisation to withdraw from the engagement.
Ongoing monitoring and compliance review
An Accountability Agent must continue to monitor an entity’s compliance with its APEC CBPR or PRP Systems approved certification standards throughout the period of certification. Additionally, where there are reasonable grounds for your organisation to believe that a certified entity has engaged in a practice that may constitute a breach of the APEC CBPR or PRP program requirements, your organisation must immediately investigate whether any non-compliance has occurred. If your organisation discovers non-compliance, your organisation must instruct the entity as to what steps need to be undertaken to rectify the non-compliance and the reasonable time frame in which they must be completed. Your organisation must also verify that the required steps have been taken within the stated time frame.
Re-certification and annual attestation
An Accountability Agent must require certified entities to annually attest to continued compliance with the APEC CBPR program requirements. Your organisation must also review certified entities’ policies and practices before re-certification. Additionally, where a certified entity makes a material change to its privacy policies, your organisation must immediately review its policies and practices to ensure continued compliance with the APEC CBPR program requirements.
Enforcing CBPR and PRPs requirements
Where a certified entity has not complied with the APEC CBPR or PRP program requirements and has failed to remedy the compliance within a specified time period, your organisation should take such action as is proportional to the harm or potential harm resulting from the non-compliance. Such measures could include:
- terminating the entity’s certification under the APEC CBPR or PRP System
- temporarily suspending the entity’s right to display your organisation’s certification seal
- publicising the entity’s non-compliance
- referring the non-compliance to the relevant Privacy Enforcement Authority
- monetary penalties
Reporting non-compliance
Where your organisation has a reasonable belief that a certified entity’s failure to comply with the APEC CBPR or PRP program requirements constitutes a contravention of applicable law(s) and the non-compliance has not been remedied within a reasonable time period, your organisation must refer the matter to the relevant Privacy Enforcement Authority.
Additional publication and reporting requirements
Your organisation must publish its certification standards.
Your organisation must also promptly report to the relevant Privacy Enforcement Authority or Authorities and the CBPR Secretariat, any newly certified entities, any renewed certified entities, and any suspended or terminated certified entities.
Accountability Agents are also required to provide complaint statistics and case notes. For more information see:
Cooperation with law enforcement
Where possible, your organisation will respond to requests from enforcement authorities in APEC economies that reasonably relate to the requesting economy and your APEC CBPR or PRP System activities.