[Gnso-epdp-team] Accreditation principles from SSAC

Greg Aaron greg at illumintel.com
Thu Sep 26 13:27:54 UTC 2019

These are general principles; we decided not to get too down into the


1.	Accreditation is required for a party to participate in the access
system (SSAD).  Unaccredited parties can make data requests outside the
2.	Accreditation provides safeguards, with the goal of making the
exchange of data as routine and as swift as possible within the law.
3.	Accreditation emphasizes the responsibilities of the data requestor
(recipient), who is responsible for complying with the law.
4.	Accreditation will focus on the requirements of the law, such as
requirements regarding data retention length, secure storage, organizational
data controls, and breach notifications.   
5.	Therefore the accreditation guidelines should be the same across all
accrediting bodies (if there is more than one).  A common and standardized
set of practices and language is highly desirable to manage the
accreditation and operational processes, extending to common legal
documents.  There is not yet a demonstrated need for accreditation
requirements to vary from one industry sector to another.  Some data
requestors may participate in more than one industry sector and may make
queries with different purposes (for example, cybercrime versus intellectual
property disputes).  What matters more is the legitimate bases for the
queries they make rather than what kind of organization they are.  
6.	Accreditation is granted to an organization (not specific
individuals within an organization).  
7.	Accredited parties are authorized to participate in the SSAD system
and receive the necessary access/authentication credentials from a central
8.	Accreditation does not guarantee disclosure of the data. 
9.	Accreditation is for a period and must be renewed occasionally.
10.	Any auditing of the activities of accredited parties must be
performed by a neutral third party auditor.  
11.	Log data is confidential. 
12.	Accreditation may be revoked by the accrediting body. 
13.	Parties that violate the law are responsible to the state
authorities responsible for enforcing the law.
14.	The cost of becoming accredited must not be onerous on parties that
have a demonstrated need for the data but have limited means.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190926/9daaab12/attachment.html>

More information about the Gnso-epdp-team mailing list