Version 1, February 2003
[OECD Privacy Principles, with amendments as shown: {-deletion-} {+addition+}]

1. Collection limitation

There should be limits to the collection of personal {-data-} {+information+} [1] and any such {-data-} {+information+} should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of {-the data subject-} {+the person whose information is collected+} [2]

Alternative:

1.1 Organisations should only collect personal information that is necessary for what they do.

1.2 Organisations should only collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the person whose information is collected.

2. {-Data-} Quality {+of collections of personal information+}

{-Personal data-} {+Any collection of personal information+} should be relevant to the purposes for which {-they are-} {+it is+} to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

3.1 Organisations should tell people whose information they collect who they are and what they intend to do with the information collected.

3.2 Personal information should not be used for any purpose which is inconsistent with the purposes for which it has been collected.

4. Use Limitation

Personal {-data-} {+information+} should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with {-Paragraph 9-} {+Principle 3+} except:

a) with the consent of the {-data subject-} {+person whose information is collected+}; or

b) by the authority of law.

5. Security Safeguards

Personal {-data-} {+information+} should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness

There should be a general policy of openness about developments, practices and policies with respect to personal {-data-} {+information+}. Means should be readily available of establishing the existence and nature of personal {-data-} {+information collections+}, and the main purposes of their use, as well as the identity and usual residence of {-the data controller-} {+any person who collects or holds personal information+}.

7. Individual Participation

An individual should have the right:

a) to obtain from {-a data controller, or otherwise,-} {+any other person or organisation+} confirmation of whether or not {-the data controller-} {+that person or organisation+} has {-data-} {+information+} relating to him or her;

b) to have communicated to him or her, {-data-} {+personal information+} relating to him or her
- within a reasonable time;
- at a charge, if any, that is not excessive;
- in a reasonable manner; and
- in a form that is readily intelligible to him or her;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge {-data-} {+the accuracy of records+} relating to him or her and, if the challenge is successful, to have the {-data-} {+records+} erased, rectified, completed or amended.

8. Accountability

A {-data controller-} {+person or organisation who holds or collects personal information+} should be accountable for complying with measures which give effect to the principles stated above.
(Version 1, February 2003)
[Comments are sought on the following options.]
Option 1 - Adherence by economies to statement of principles

The procedure under this option would be for those economies which wished to implement the principles, or considered that they already implemented them, to make this fact known to other member economies. This is the least ambitious option. Other economies would decide unilaterally what significance they would attach to such a declaration. In some cases, domestic law may require some assessment of privacy protection measures in other economies where personal information is to be transferred across national borders.

Option 2 - Self-certification by economies; compliance by business with national laws

Economies would certify by some formal procedure that their law complies with the principles and a record would be kept by the Secretariat of economies which had certified to this effect. A certification would be accepted by other economies as a basis upon which personal information could be transferred across national borders. Companies would continue to be bound by the laws of the economies in which they are resident and in which they do business.

Option 3 - Self-assessment by economies coupled with peer review

Procedures would be developed with reference to those of the Financial Action Task Force but not involving the power to declare that any economy is not in compliance. The relevance of the Financial Action Task Force procedures would be to serve as a basis upon which self-assessment and peer review methodologies might be developed. A description of those procedures can be obtained if required.

Option 4 - Development of internal binding codes by global companies

This approach would enable global companies and multinational groups to develop codes which would be recognised throughout the region, and perhaps globally, as complying with the principles. It would require some assessment procedure involving supervisory authorities. Important contributors to work in this area would be those companies who have been working on global codes of practice.

Option 5 - Development of guidelines for protecting privacy across borders

This approach would be directed towards the development of a framework to facilitate cooperation between supervisory bodies in different economies. It could be adopted in combination with option 4. In this context, it would be useful to develop guidance on how authorities in member economies could co-operate to ensure compliance with codes and thereby give assurance of their effectiveness in a cross-border context.
See also an article discussing this proposal and these options.
URL: http://www.cyberlawcentre.org/appcc/OECD_redraft.htm