During 2011 and the early part of 2012 the first independent assessments of GNI’s three founding companies were carried out. The purpose was to determine whether the companies had the systems, policies and procedures in place to support the implementation of the Principles within their organizations. Information about the assessments can be found in GNI’s 2011 annual report.
Three core documents guided the assessment process:
1. Independence and Competency Criteria for the Assessors
2. An Assessment template
3. A Reporting framework
These documents are summarized below:
1. Independence and Competency Criteria for the Assessors
Given the complexity and rapidly changing nature of the Information Communications Technology (ICT) industry, a variety of skill sets were required from the organizations carrying out the independent assessments. They were split into a number of categories.
a) Subject Matter Expertise and Skills
Knowledge, expertise and experience in relevant legal, human rights standards, compliance practices and auditing techniques. Examples included the implementation of compliance structures in organizations, familiarity with law enforcement processes such as subpoenas and court orders and international human rights standards such as the Universal Declaration of Human Rights, the International Covenant on Economic, Social and Cultural Rights and the International Covenant on Civil and Political Rights. Knowledge of the ICT sector itself was also required, for example global business processes such as operations, product development cycles, IT privacy, security standards and data retention systems.
b) Expertise in Compliance and Auditing
Assessors were to have experience in standard sampling, quantitative data analysis and compliance assessment within organizations.
c) Ability to handle confidential information
Assessors were required to demonstrate the measures they had in place to protect the confidentiality of information
d) Independence Criteria
Details of expectations on gifts, compensation, disclosure and limitations on repeat assessments were included in the independence section of the criteria for assessors. Disqualifying factors and factors requiring further consideration were covered for conflicts of interest including for example any appointment as a director or officer of the company being assessed .
2. Assessment template
The Assessment template was developed from the foundational documents of GNI, the Principles, Implementation Guidelines and our Governance, Accountability and Learning framework.
This template guided both the company and assessor preparation for the Phase II assessment process. It covered the following areas:
• Relevant to the GNI Principles, information including the scope of business and how it is organized, key suppliers partners and distributors and mergers and acquisitions was requested.
Responsible Company Decision-Making
• Board oversight and leadership – questions focused on the visibility of freedom of expression and privacy at Board level
• Human rights impact assessments – A series of questions were designed to understand the company approach to carrying out human rights impact assessments including when they were used, how they were updated overtime and how the results of the assessments were used
• Partners, suppliers and distributors – questions in this section were designed to understand how the company determined whether the particular supplier partner or distributor had a material effect on freedom of expression and privacy and what steps the company was taking both where the company does and does not have operational control
Integration into business operations
• Structure – a description of the approach the company was taking to implement the Principles was requested
• Integration into business operations – procedures – this section was directed towards the written policies the company had in place, the maintenance of records and means of remediation
• Employees – communication and training of employees were the focus of this section including whether periodic reviews of effectiveness were in place
• Complaints and Assistance – questions in this section focused on whistleblowing procedures and escalation procedures for employees
Freedom of expression
• Government Demands, Laws and Regulations – A series of questions in this section of the template sought information on how the company handles government requests including the parts of the company involved in the decision-making process, company actions to minimize the impact on freedom of expression, engagement with governments and how they work with other organizations when faced with potential inconsistencies between domestic law and international standards
• Communication with users – questions here looked at the steps the company is taking to communicate clearly and transparently with users on its policies and procedures and when access has been removed or blocked because of government restrictions
• Data collection – This section focused on the way in which the company evaluates risk associated with the collection, storage and retention of personal data.
• Privacy – Government Demands, Laws and Regulations – Similar to the section relating to freedom of expression, this part of the assessment template sought to understand the policies, processes and procedures the company had in place to protect the rights of users when addressing government demands for data. Examples include how the company determines if a request is overbroad, which parts of the company are involved in the decision-making process, how the company asks for requests for personal information to be in writing and when they would seek clarification from governments if a demand appeared to be overbroad
• Communication with users – this section asked similar questions to the communication with users section relating to freedom of expression
An opportunity was given for any final comments
3. Reporting Framework
The Reporting framework gave specific guidance to the assessors in their preparation of the reports at the end of the assessment process which were distributed to the company and the Executive Director and Independent Chair of GNI. It also guided the preparation of the redacted report for the GNI Board. This framework covered the following areas:
a) Information about the assessor including relevant experience and expertise
b) Information about the company being assessed
c) The scope of the assessment for example, lines of business, business functions and geographic markets.
d) Resources – how the assessment template was applied and feedback on the template. Also an indication if any other resources or standards were used during the assessments
e) Results and conclusions – this was expected to be the largest section of the report covering all aspects of the issues in the assessment template