APEC Cross Border Privacy Rules (CBPR)

Certification Process and Minimum Requirements

Audit and Certification Process

Schellman provides audit and certification services in full accordance with all relevant standards. Our audit and certification process is provided to prospective clients and addresses each major stage of the audit and certification processes. Prospective clients are also informe

APEC Certification Overview

The Asia-Pacific member economies developed a privacy framework as a volunteer system that outlines standards relating to personal information protection as the data moves across borders. Controllers that volunteer in the program are assessed by an Accountability Agent against the Cross Border Privacy Rules (CBPR) and if compliant, receive a certification. Processors are assessed against the Privacy Recognition for Processors and would also receive a certification if compliant with the program.

Program Requirements

As an APEC Accountability Agent, Schellman’s APEC Privacy Certification program evaluates a United States based organization’s privacy practices against the certification minimum requirements included below. These certification standards follow the APEC’s Cross Border Privacy Rules (CBPR) Program Requirements.

The Schellman certification seal is a service mark of Schellman. The Schellman certification seal may not be used in connection with any product or service that was not within the scope of the CBPR certification review, or in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Schellman. The certification seal should be used only upon the granting or extending of a CBPR certification.

Certification Process

Below is the process for the APEC Cross Border Privacy Rules (CBPR)

Initial Certification Assessment

Planning

Fieldwork Process

Ongoing Monitoring and Compliance Review

Re-Certification and Annual Attestation

In order for clients to maintain their certification, recertification must take place every year following the date of initial certification. The recertification process will include:

An updated and completed CBPR Intake Questionnaire provided by the client. Schellman will review the completed form looking for any changes since the initial certification.
If there has been a material change, reasonably determined by the Accountability Agent, Schellman will perform a review process that will be similar to the initial certification fieldwork process as outlined above.
An audit report will be provided to the Participant outlining the Accountability Agent’s findings regarding the Participant’s level of compliance with the program requirements. The report will include any areas of non-compliance and corrections the Participant needs to make to correct areas and the time-frame within which the corrections must be completed for purposes of obtaining re-certification.
If non-compliance areas were found during the re-certification process, Schellman will review documentation provided by the Participant to verify that correction has been completed and is compliant, prior to obtaining re-certification.
Upon verification that the requirements are in compliance, a final report will be provided to the Participant as notice of compliance with the program requirements and that the Participant has been re-certified.

Certification shall be suspended in cases when, for example:
- The client was found to be in breach of the program’s requirements and the findings have not been resolved within the required time-frames, which shall not exceed a period of six (6) months or upon the due date of annual recertification;
- The certified client does not allow re-certification audits to be conducted at the required frequencies;
- Where there are reasonable grounds to believe that a Participant has engaged in a practice that may constitute a breach of the program requirements; or
- The certified client has voluntarily requested a suspension.

Schellman will communicate to the client the suspension status along with the remediation requirements. Under suspension, the client's certification is temporarily invalid. Included within the JAL are the enforceable arrangements regarding the suspension of the certification, including additional agreed upon fees for the additional compliance review, to help ensure, that in case of suspension, the client refrains from further promotion of its certification and use of the Schellman certification seal. Schellman is required to make publicly accessible, on the company website, the suspended status of the certification.

The certificate is suspended until the Participant has provided sufficient evidence of the remediation within the required timeframe, which shall not exceed a period of six (6) months or upon the due date of the annual recertification. Upon receipt of sufficient evidence of remediation within the required timeframe, Schellman will perform a review of the evidence to determine if the certificate should be reinstated. The results are communicated to the client via an audit report. Failure to resolve the issues that have resulted in the suspension in the time established by Schellman will result in withdrawal or reduction of the scope of certification, if applicable.

A reduction in the scope of the certification may be applicable and would exclude the parts not meeting the requirements, when the client has persistently or seriously failed to meet the program requirements for those parts of the scope of certification.

Certification Minimum Requirements

Clients must meet the following minimum certification requirements before certification is granted.

Notice

The privacy notice or statement must provide clear and easily accessible statements about your practices and policies that govern personal information and must include the following:

Outline the services covered by the notice or statement;
Be available on the client’s Website, such as text on a Web page, link from URL, attached document, pop-up windows, or included in frequently asked questions (FAQs);
Be easy to find and be accessible;
Include an effective date;
Name of the organization and location;
Include information on how to contact the organization about the practices and handling of personal information upon collection;
Apply to all personal information, whether collected online or offline;
Describe the collection practices and policies applied to all covered personal information collected by the client (i.e., how your organization collects personal information);
Indicate what types of personal information, whether collected directly or through a third party or agent, are collected;
Report the categories or specific sources of all categories of personal information collected;
Describe the purpose(s) for which personal information is collected;
Inform individuals as to whether information is shared with third parties and for what purpose you make personal information available to third parties including the identification of the categories or specific third parties;
Include information regarding the use and disclosure of an individual’s personal information;
Include information regarding whether and how an individual can access and correct their personal information including the following:
1. The process through which the individual may access his or her personal information (including electronic or traditional non-electronic means);
2. The process that an individual must follow in order to correct his or her personal information;
Provide notice to the individual at the time of collection of personal information, whether directly or through the use of third parties acting on your behalf, that such information is being collected*;
Indicate the purpose(s) for which personal information is being collected at the time of collection of personal information, whether directly or through the use of third parties acting on your behalf*(the communication must be in writing, for example on the Applicant’s website, such as text on a website link from URL, attached documents, pop-up window, or other);
Provide notice to the individual at the time of collection of personal information, that their personal information may be shared with third parties.*

* The following are situations in which the application at the time of collection of the APEC Notice Principle may not be necessary or practical. Justification for any of the following will be required.

Obviousness: Personal Information controllers do not need to provide notice of the collection, use or third-party sharing of personal information in those circumstances where consent by the individual can be inferred from the provision of the individual’s information (e.g. if an individual gives his or her business card to another individual in the context of a business relationship, the individual would not expect that notice would be provided regarding the collection and normal use of that information).

Collection of Publicly-Available Information: Personal information controllers do not need to provide notice regarding the collection and use of publicly available information.

Technological Impracticability: Personal Information controllers do not need to provide notice at or before the time of collection in those cases where electronic technology automatically collects information when a prospective customer initiates contact (e.g. through the use of cookies). However, the notice should be provided to the individuals as soon after as is practicable.

Disclosure to a government institution which has made a request for the information with lawful authority: Personal information controllers do not need to provide notice of disclosure to law enforcement agencies for investigation purposes where the provision of such notice to the individual will likely prejudice the investigation.

Disclosure to a third party pursuant to a lawful form of process: Personal information controllers do not need to provide notice of disclosure to a third party when such disclosure was requested pursuant to a lawful form of process such as a discovery request made in the course of civil litigation.

Third-Party Receipt: Where personal information is received from a third party, the recipient personal information controller does not need to provide notice to the individuals at or before the time of collection of the information.
For legitimate investigation purposes: When providing notice would compromise the availability or accuracy of the information and the collection, use and disclosure are reasonable for purposes relating to an internal or external investigation of a violation of a code of conduct, breach of contract or a contravention of domestic law.

Action in the event of an emergency: Personal Information controllers do not need to provide notice in emergency situations that threaten the life, health or security of an individual.

Collection

The collection of personal information must be limited to information that is relevant to the purposes of collection, consistent with the requirements of the jurisdiction where data was collected, and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned.
Identify the type of data collected, the economies where data is collected, the source (i.e., the individual or a third party) and the corresponding purposes and use of collection for each type of data.

Use

Personal information collected must be used only to fulfill the purposes of collection and other compatible or related purposes as identified in the privacy statement and/or in the notice provided at the time of collection except for one of the following:
1. With the consent of the individual whose personal information is collected;
  1. Consent must be a documented description or documentation that consent was obtained
2. When necessary to provide a service or product requested by the individual; or
  1. A description must be documented of how the disclosure and/or transfer of collected personal information is necessary to provide a service or product requested by the individual
3. By the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
  1. A description must be documented of how collected information shared, used or disclosed as compelled by law including the legal requirements under which it is compelled to share the personal information, unless the client is bound by confidentiality requirements for the purposes of this Principle, uses of personal information include the transfer or disclosure of personal information.
If personal information is disclosed to other personal information controllers or transferred to processors, such disclosure and/or transfer must be undertaken to fulfill the original purpose of collection or another compatible or related purpose, unless based upon the express consent of the individual necessary to provide a service or product requested by the individual or compelled by law.
1. Identify the type of data disclosed or transferred, the economies where data was transferred, the corresponding purpose of collection for each type of disclosed data, and the manner in which the disclosure fulfills the identified purpose (e.g. order fulfillment etc.).

Choice

A mechanism* must be provided for individuals to exercise choice in relation to the collection of their personal information.
A mechanism* must be provided for individuals to exercise choice in relation to the use of their personal information. Subject to the qualifications* outlined below, the opportunity to exercise choice should be provided to the individual at the time of collection, for subsequent uses of personal information. The opportunity to exercise choice may be provided to the individual after collection, but before:
1. Being able to make use of the personal information, when the purposes of such use is not related or compatible to the purpose for which the information was collected, and
2. Personal information may be disclosed or distributed to third parties, other than Service Providers.
A mechanism* must be provided for individuals to exercise choice in relation to the disclosure of their personal information. Subject to the qualifications outlined below, the opportunity to exercise choice should be provided to the individual at the time of collection, for subsequent disclosures of personal information. The opportunity to exercise choice may be provided to the individual after collection, but before:
1. Disclosing the personal information to third parties, other than Service Providers.
Choices must be displayed or provided in a clear and conspicuous manner, clearly worded and easily understandable, and easily accessible and affordable.

*The following are situations in which the application of the APEC Choice Principle may not be necessary or practical. Justification for any of the following will be required.

Obviousness: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in the collection, use or third-party sharing of personal information in those circumstances where consent by the individual can be inferred from the provision of the individual’s information.

Collection of Publicly-Available Information: Personal information controllers do not need to provide a mechanism for individuals to exercise choice in relation to the collection and use of publicly available information.

Technological Impracticability: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in relation to those cases where electronic technology automatically collects information when a prospective customer initiates contact [e.g. use of cookies]. However, a mechanism to exercise choice as to use and disclosure should be provided after collection of the information.

Third-Party Receipt: Where personal information is received from a third party, the recipient personal information controller does not need to provide a mechanism for individuals to exercise choice in relation to the collection of the information. However, if the personal information controller engages a third party to collect personal information on its behalf, the personal information controller should instruct the collector to provide such choice when collecting the personal information.
Disclosure to a government institution which has made a request for the information with lawful authority: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in relation to disclosure to law enforcement agencies for investigation purposes where the provision of such mechanism to the individual will likely prejudice the investigation.

Disclosure to a third party pursuant to a lawful form of process: Personal information controllers do not need to provide a mechanism for individuals to exercise choice in relation to the disclosure to a third party when such disclosure was requested pursuant to a lawful form of process such as a discovery request made in the course of civil litigation.
For legitimate investigation purposes: When providing a mechanism for individuals to exercise choice would compromise the availability or accuracy of the personal information and its collection, use and disclosure are reasonable for purposes relating to an internal or external investigation of a violation of a code of conduct, breach of contract or a contravention of domestic law.
Action in the event of an emergency: Personal Information controllers do not need to provide a mechanism for individuals to exercise choice in emergency situations that threaten the life, health or security of an individual.

Integrity of Personal Information

Personal information must be accurate, complete and kept up-to date to the extent necessary for the purposes of use.
Provide individuals the ability to challenge the accuracy of their personal information and to have it rectified, completed, amended and/or deleted and ensure procedures are in place to complete the request including communication and confirmation of the request to processors, agent, or other service providers to whom the personal information was transferred. Access and correction mechanisms must be presented in a clear and conspicuous manner. The request should be completed within a reasonable time frame following the request and a confirmation should be provided that the request has been completed.
If correction is denied, an explanation should be provided, together with contact information for further inquiries about the denial of access or correction
Require processors, agents, or other service providers acting on your behalf to inform you when they become aware of information that is inaccurate, incomplete, or out-of-date and ensure procedures are in place to complete the correction.

Security Safeguards

Maintain a written information security policy.
Implement physical, technical and administrative safeguards to protect personal information against risks such as loss or unauthorized access, destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
Communicate to employees their obligations and the importance of maintaining the security of personal information.
Require information processors, agents, contractors, or other service providers to whom personal information is transferred to protect against leakage, loss or unauthorized access, destruction, use, modification or disclosure or other misuses of the information. Such requirement should include:
1. Implementing an information security program that is proportionate to the sensitivity of the information and services provided
2. Notifying you promptly when they become aware of an occurrence of breach of the privacy or security of the personal information
3. Taking immediate steps to correct/address the security failure which caused the privacy or security breach
Maintain a policy for secure disposal of personal information.
Implement procedures to detect, prevent, and respond to attacks, intrusions, or other security failures.
Perform tests on a periodic basis on the effectiveness of the implemented physical, technical and administrative safeguards.
Perform risk assessments or third-party validations on a periodic basis that include the implemented physical, technical and administrative safeguards and review the results of the assessment or third-party validation for remediation.

Access*

Provide individuals the ability to obtain confirmation of whether or not personal information is held about the requesting individual.
If requested, provide individuals access to their personal information. Prior to providing access, confirm the identity of the individual requesting access. Provide access within a reasonable time frame following the request and communicate the information in a reasonable manner that is generally understandable, in a legible format and compatible with the regular form of interaction with the individual.
If a fee is charged for providing access, the fees should not be excessive.
If the individual is denied access, an explanation must be provided as to why access was denied and provide the appropriate contact information for challenging the denial of access where appropriate.

*Although organizations should always make good faith efforts to provide access, there are some situations, described below, in which it may be necessary for organizations to deny access requests. Justification for any of the following will be required.

Disproportionate Burden: Personal information controllers do not need to provide access and correction where the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual's privacy in the case in question, as for example when claims for access are repetitious or vexatious by nature.

Protection of Confidential Information: Personal information controllers do not need to provide access and correction where the information cannot be disclosed due to legal or security reasons or to protect confidential commercial information (i.e. information that you have taken steps to protect from disclosure, where such disclosure would facilitate a competitor in the market to use or exploit the information against your business interest causing significant financial loss). Where confidential commercial information can be readily separated from other information subject to an access request, the personal information controller should redact the confidential commercial information and make available the non-confidential commercial information to the extent that such information constitutes personal information of the individual concerned. Other situations would include those where disclosure of information would benefit a competitor in the market place, such as a particular computer or modeling program. Furthermore, a denial of access may also be considered acceptable in situations where, for example providing the information would constitute a violation of laws or would compromise security.

Third Party Risk: Personal information controllers do not need to provide access and correction where the information privacy of persons other than the individual would be violated. In those instances where a third party’s personal information can be severed from the information requested for access or correction, the personal information controller must release the information after redaction of the third party’s personal information.

Accountability

Implement measures to ensure compliance the APEC Information Privacy Principles.
Appoint an individual(s) to be responsible for overall compliance with the Privacy Principles.
Implement procedures to receive, investigate, and respond to privacy-related complaints as well as an explanation of any remedial action where applicable. The procedures should include:
1. A description of how individuals may submit complaints,
2. A designated employee(s) to handle complaints related to the Applicant’s compliance with the APEC Privacy Framework and/or requests from individuals for access to personal information, and
3. A formal complaint-resolution process.
Procedures should ensure individuals receive a timely response to their complaints.
Complete formal training with employees that are responsible for carrying out the privacy-related complaints as well as responding to judicial or other government subpoenas, warrants or orders.
Implement procedures for responding to judicial or other government subpoenas, warrants or orders, including those that require the disclosure of personal information.

Accountability when Personal Information is Transferred

Implement mechanisms with processors, agents, contractors, or other service providers pertaining to personal information they process on your behalf, to ensure that obligations to the individual will be met. The mechanisms should require the following:
1. Abide by the APEC-compliant privacy policies and practices as stated in the Privacy Notice or Statement,
2. Implement privacy practices that are substantially similar to your policies or privacy practices as stated in the Privacy Notice or Statement,
3. Follow instructions provided relating to the manner in which personal information must be handled,
4. Impose restrictions on subcontracting unless with your consent,
5. CBPRs should be certified by an APEC accountability agent in their jurisdiction,
6. Provide self-assessments to ensure compliance with your instructions and/or agreements/contracts.
Perform regular spot checking or monitoring the processors, agents, contractors or other service providers to ensure compliance with your instructions and/or agreements/contracts.

Take the first step in untangling your compliance.

Our team of practice leaders, not sales, are ready to talk and help determine your best next steps.

Build your Compliance Roadmap Contact a Specialist