Glossary for the APEC CBPR system

An entity, regulated by APEC economies, that certifies an organisation’s eligibility for participation in the Cross Border Privacy Rules (CBPR) system.

* Note: An Accountability Agent may be a public or private sector entity. The certification process involves a review and verification of the applicant’s privacy policies and practices by reviewing the applicant’s responses to the CBPR Intake Questionnaire and by undertaking additional appropriate steps to assess the applicant’s eligibility and ability to offer high-level privacy protections for consumers. In connection with its CBPR System, an Accountability Agent may either itself provide dispute resolution services or may delegate that function to an appropriate third-party dispute resolution provider.

The eligibility requirements that must be met by an Accountability Agent in order to be recognised by APEC economies.

* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details.

The body designated by the ECSG to perform the functions of the CPEA Administrator.

* Note: Cross-Border Privacy Enforcement Arrangement (CPEA), clause 5.1, provides that the ECSG may designate the APEC Secretariat or a Participant, or the Secretariat and a Participant jointly, as the Administrator. CPEA, clauses 5.3 and 5.4, sets out the Administrator’s core and additional functions.

* Note: Definition derived from CPEA, clause 4.1.

* Note: The inaugural Administrator comprised the APEC Secretariat jointly with participants from Australia, New Zealand and the USA.

The declaration required to be made by an organisation participating in the CBPR System to an Accountability Agent each year confirming the organisation’s continuing adherence to the Program Requirements.

* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details.

An Accountability Agent that has been recognised by APEC economies to have met the Accountability Agent Recognition Criteria.

* Note: A list of current APEC-recognised Accountability Agents is maintained on the CBPR system website at www.CBPRs.org.

A framework for protecting personal information privacy adopted by APEC in 2005 and updated in 2016.

* Note: The Framework is a principles-based document intended to promote a high-standard approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows. The Framework includes 9 information privacy principles and guidance for domestic and international implementation of the principles, including the adoption and use of the APEC CBPR System.

Abbreviation for Cross-Border Privacy Rules.

A description that an organisation fully complies with the CBPR Program Requirements, utilizes high-standard privacy practices, and is certified by an Accountability Agent as such to transfer and process information in line with CBPR system requirements.

An economy recognised by APEC as having met the requirements for participation in the CBPR system.

* Note: An economy commences the process to participate by submitting a letter indicating its intention to participate in the CBPR system with all required information outlining domestic privacy laws in compliance with CBPR System guidelines. This information must include confirmation that at least one Privacy Enforcement Authority in that economy is a Participant in the Cross-border Privacy Enforcement Arrangement (CPEA) and that the economy intends to make use of at least one APEC-recognised Accountability Agent. The economy must also provide a narrative description of the relevant domestic laws and regulations and administrative measures which may apply to any CBPR certification-related activities of an Accountability Agent operating within the economy’s jurisdiction and the enforcement authority associated with these laws and regulations and administrative measures. The economy must also submit a completed CBPR System Program Requirements Enforcement Map outlining its enforcement procedure, law or regulation for each CBPR System requirement. The JOP, after conducting a thorough review and consultation, will notify the ECSG Chair when these requirements have been met, at which point the economy will be considered a CBPR System participant. Participating Economies will be listed on the CBPR system website, at www.CBPRs.org.

A process through which an organisation is certified by an Accountability Agent as CBPR-Compliant.

A directory of organisations certified as CBPR-Compliant published by APEC economies and listed on the CBPR system website, at www.CBPRs.org.

A list maintained by the Administrator of the main point of contact of any body, whether or not a Privacy Enforcement Authority or Participant, having a role to play in the protection of privacy.

* Note: The directory is not made publicly available but is available to privacy enforcement authorities on the CPEA website. The directory is maintained pursuant to CPEA, clauses 5.3, 5.4, 11 and Annex B.

APEC Cooperation Arrangement for Cross-border Privacy Enforcement.

* Note: Definition taken from CPEA, clause 4.1.

* Note: See fuller definition under “Cross-border Privacy Enforcement Arrangement”.

Abbreviation for Cross-border Privacy Enforcement Arrangement.

A practical multilateral mechanism which enables Privacy Enforcement Authorities to cooperate in cross-border privacy enforcement by creating a framework under which authorities may share information and request and render assistance in certain ways.

* Note: The CPEA’s formal title is “APEC Cooperation Arrangement for Cross-border Privacy Enforcement”. The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010.

The privacy policies and practices adopted by a CBPR-Compliant organisation for all Personal Information collected or received by it that is subject to cross border transfers.

A voluntary, multilateral privacy and data protection program governing cross border transfers of information by organisations operating in APEC member economies.

* Note: Organisations that choose to participate in the CBPR system should implement privacy policies and practices consistently with the CBPR Program Requirements for all personal information that they have collected or received that is subject to cross border transfers from participating APEC economies. These privacy policies and practices should be evaluated by an APEC-recognised Accountability Agent for compliance with the CBPR Program Requirements. Once an organisation has been certified for participation in the CBPR System, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate authority to ensure compliance with the CBPR Program Requirements.

Abbreviation for Data Privacy Subgroup.

The subgroup of the ECSG primarily responsible for the APEC Privacy Framework, the APEC Cross Border Privacy Rules System, and APEC Privacy Recognition for Processors System.

Abbreviation for Electronic Commerce Steering Group.

A forum under the Committee on Trade and Investment that promotes the development and use of electronic commerce and the digital economy in the APEC region.

* Note: The ECSG seeks to create legal, regulatory and policy environments that are predictable, transparent and consistent. It performs a coordinating role for APEC’s e-commerce activities based on principles in the 1998 APEC Blueprint for Action on Electronic Commerce and its mandate has been updated and guided by direction from APEC actions and priorities.

The principles set out in Part III of the APEC Privacy Framework.

* Note: The principles include: (1) Preventing Harm; (2) Notice; (3) Collection Limitation; (4) Uses of Personal Information; (5) Choice; (6) Integrity of Personal Information; (7) Security Safeguards; (8) Access and Correction; and (9) Accountability.

A detailed self-assessment questionnaire based on the Information Privacy Principles for use by an organisation seeking to participate in the CBPR system, which will be reviewed and confirmed by an approved Accountability Agent.

A three-member panel that assists the ECSG with the implementation of the CBPR System. For more information, see the “CBPR System Documents” page on this website.

* Note: This panel consists of nominated representatives from three APEC economies appointed by the ECSG. The current JOP consists of the Republic of Korea, Japan and the United States.

Abbreviation for Joint Oversight Panel.

A Privacy Enforcement Authority in an APEC member economy that participates in the CPEA.

* Note: Definition taken from CPEA, clause 4.1.

Any information about an identified or identifiable individual.

A person or organisation who controls the collection, holding, processing, use, disclosure or transfer of personal information. It includes a person or organisation who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf, but excludes a person or organisation who performs such functions as instructed by another person or organisation. It also excludes an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

* Note: Definition taken from APEC Privacy Framework, clause 10.

An organisation that, at the instruction of a Personal Information Controller, collects, holds, processes, uses, transfers or discloses Personal Information on the controller’s behalf.

Any public body that is responsible for enforcing Privacy Law and that has powers to conduct investigations and/or pursue enforcement proceedings.

* Note: Definition taken from CPEA, clause 4.1.

Laws and regulations of an APEC member economy, the enforcement of which has the effect of protecting Personal Information consistent with the APEC Privacy Framework.

* Note: Definition taken from CPEA, clause 4.1.

Those operational rules and procedures adopted by an organisation to guide decisions made by it and its employees related to the ongoing protection of Personal Information collected, stored, used, transferred or disclosed by them.

Actions regarding the protection of Personal Information that are taken by an organisation and its employees pursuant to that organisation’s privacy policies.

A public declaration of an organisation’s Privacy Policies and Privacy Practices.

* Note: A privacy statement is required under the CBPR program requirements. It should be clear and accessible.

A set of baseline program requirements based on the nine Information Privacy Principles against which an APEC-recognised Accountability Agent will assess an organization’s completed Intake Questionnaire.

A template which provides the baseline program requirements of the CBPR System in order to guide an APEC economy to explain how each CBPR System requirement may be enforced in that economy.

* Note: Annex B to the Template Notice of Intent to Participate in the APEC Cross Border Privacy Rules system.

Personal Information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from government records that are available to the public, journalistic reports, or information required by law to be made available to the public.

* Note: Definition taken from APEC Privacy Framework, clause 11.

A process through which an Accountability Agent is recognized by APEC Economies to have met the Accountability Agent Recognition Criteria. After an initial one-year review period, Accountability Agents undergo this process every two years.

* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details.

A CPEA Participant that has received a “Request for Assistance” from another Participant.

* Note: Definition taken from CPEA, clause 4.1.

An annual process through which an organisation is re-certified by an Accountability Agent as being CBPR-Compliant.

Includes, but is not limited to, a referral of a matter related to the enforcement of Privacy Law, a request for cooperation on the enforcement of Privacy Law, a request for cooperation on the investigation of an alleged breach of Privacy Law, and a transfer of a privacy complaint.

* Note: Definition taken from CPEA, clause 4.1.

A CPEA Participant that has made a Request for Assistance of another Participant.

* Note: Definition taken from CPEA, clause 4.1.

The physical, technical and administrative measures implemented and maintained by an organisation in order to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.

Those rules and procedures adopted by an organisation related to the implementation and maintenance of measures to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.