These are general principles; we decided not to get too far down into the details.
- Accreditation is required for a party to participate in the access system (SSAD). Unaccredited parties can make data requests outside the system.
- Accreditation provides safeguards, with the goal of making the exchange of data as routine and as swift as possible within the law.
- Accreditation emphasizes the responsibilities of the data requestor (recipient), who is responsible for complying with the law.
- Accreditation will focus on the requirements of the law, such as requirements regarding data retention length, secure storage, organizational data controls, and breach notifications.
- Therefore, the accreditation guidelines should be the same across all accrediting bodies (if there is more than one). A common and standardized set of practices and language is highly desirable to manage the accreditation and operational processes, extending to common legal documents. There is not yet a demonstrated need for accreditation requirements to vary from one industry sector to another. Some data requestors may participate in more than one industry sector and may make queries with different purposes (for example, cybercrime versus intellectual property disputes). What matters more are the legitimate bases for the queries they make, rather than what kind of organization they are.
- Accreditation is granted to an organization (not specific individuals within an organization).
- Accredited parties are authorized to participate in the SSAD system and receive the necessary access/authentication credentials from a central authority.
- Accreditation does not guarantee disclosure of the data.
- Accreditation is for a period and must be renewed occasionally.
- Any auditing of the activities of accredited parties must be performed by a neutral third-party auditor.
- Log data is confidential.
- Accreditation may be revoked by the accrediting body.
- Parties that violate the law are answerable to the state authorities responsible for enforcing it.
- The cost of becoming accredited must not be onerous for parties that have a demonstrated need for the data but have limited means.