The IT Law Wiki
No edit summary
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Citation ==
 
== Citation ==
   
'''OECD, Guidelines on the Protection of Privacy and Transborder Flow of Personal Data''' (Sept. 23, 1980) ([http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html full-text)].
+
[[Organization for Economic Cooperation and Development]], ICCP Subcommittee, '''Guidelines on the Protection of Privacy and Transborder Flow of Personal Data''' (C(80)58/FINAL) (Sept. 23, 1980) ([http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html full-text)].
   
 
== Overview ==
 
== Overview ==
   
In 1980, the [[Organization for Economic Co-operation and Development]] ([[OECD]]) adopted privacy guidelines in response to the growth of [[automatic data processing]], which enabled increased transfers of [[personal data]] across national borders. These guidelines contain a revised version of the [[Fair Information Practices]] developed by the U.S. Department of Health, Education & Welfare in its 1973 report entitled "[[Records, Computers and the Rights of Citizens]]: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems" (1973).
+
In 1980, the [[Organization for Economic Co-operation and Development]] ([[OECD]]) adopted privacy guidelines in response to the growth of [[automatic data processing]], which enabled increased transfers of [[personal data]] across national borders. These guidelines contain a revised version of the [[Fair Information Practices]] developed by the U.S. Department of Health, Education & Welfare in its 1973 report entitled "[[Records, Computers and the Rights of Citizens]]: Report of the Secretary’s [[Advisory Committee on Automated Personal Data Systems]]" (1973).
   
 
The guidelines provide a framework of principles at the policy and operational levels to foster consistent domestic approaches to addressing [[information security]] risks in a globally interconnected society. More broadly, the Guidelines reflect a shared ambition to develop a culture of [[security]] across society, so that [[security]] becomes an integral part of the daily routine of individuals, businesses and governments in their use of [[Information and Communication Technologies]] ([[ICT]]s) and in conducting [[online]] activities.
 
The guidelines provide a framework of principles at the policy and operational levels to foster consistent domestic approaches to addressing [[information security]] risks in a globally interconnected society. More broadly, the Guidelines reflect a shared ambition to develop a culture of [[security]] across society, so that [[security]] becomes an integral part of the daily routine of individuals, businesses and governments in their use of [[Information and Communication Technologies]] ([[ICT]]s) and in conducting [[online]] activities.
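Review bot: In the revised Citation line the external link still ends "full-text)].", which puts the closing parenthesis inside the link label; write it as "full-text])", the form the revised footnote in the Fair Information Practices section uses. The same line links [[Organization for Economic Cooperation and Development]] while the Overview links [[Organization for Economic Co-operation and Development]]; use one spelling for the link target so both point at the same article.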
Line 11: Line 11:
 
== Fair Information Practices ==
 
== Fair Information Practices ==
   
The OECD version of the [[Fair Information Practices]] was reaffirmed by OECD ministers in a 1998 declaration and further endorsed in a 2006 OECD report.<ref>[[OECD, Making Privacy Notices Simple (2006)|OECD, Making Privacy Notices Simple: An OECD Report and Recommendations]] (July 24, 2006).[http://www.olis.oecd.org/olis/2006doc.nsf/LinkTo/NT00003A7E/$FILE/JT03212212.PDF]</ref> The OECD version of the principles states:
+
The OECD version of the [[Fair Information Practices]] was reaffirmed by OECD ministers in a 1998 declaration and further endorsed in a 2006 OECD report.<ref>[[OECD, Making Privacy Notices Simple (2006)|OECD, Making Privacy Notices Simple: An OECD Report and Recommendations]] (July 24, 2006) ([http://www.olis.oecd.org/olis/2006doc.nsf/LinkTo/NT00003A7E/$FILE/JT03212212.PDF full-text])</ref> The OECD version of the principles states:
   
  +
[[File:OECDFIP.png|670px]]
* '''Collection limitation.''' The collection of [[personal information]] should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.
 
* '''Data quality.''' [[Personal information]] should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.
 
* '''Purpose specification.''' The purposes for the collection of [[personal information]] should be [[disclose]]d before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.
 
* '''Use limitation.''' [[Personal information]] should not be [[disclose]]d or otherwise used for other than a specified purpose without consent of the individual or legal authority.
 
* '''Security safeguards.''' [[Personal information]] should be protected with reasonable [[security]] safeguards against risks such as loss or [[unauthorized access]], destruction, use, modification, or [[disclosure]].
 
* '''Openness.''' The public should be informed about [[privacy policies]] and practices, and individuals should have ready means of learning about the use of [[personal information]].
 
* '''Individual participation.''' Individuals should have the following rights: to know about the collection of [[personal information]], to [[access]] that [[information]], to request correction, and to challenge the denial of those rights.
 
* '''Accountability.''' Individuals controlling the collection or use of [[personal information]] should be accountable for taking steps to ensure the implementation of these principles.
 
   
 
== Influence on national privacy law ==
 
== Influence on national privacy law ==
   
The [[Fair Information Practices]] are, with some variation, the basis of [[privacy]] laws and related policies in many countries, including the United States, Canada,<ref>Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (2008) ('''PIPEDA''') ([http://laws.justice.gc.ca/en/p-8.6/93196.html full-text]).</ref> Germany, Sweden, Australia, and New Zealand, as well as the European Union.<ref>[[European Union Directive on the Protection of Personal Data]] (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data”) (1995). </ref> They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the Department of Commerce in 1981,<ref>“Report on OECD Guidelines Program, Memorandum from Bernard Wunder, Jr., Assistant Secretary for Communications and Information, Department of Commerce (Oct. 30, 1981).</ref> and including policy statements from DHS, DOJ, and the Department of Housing and Urban Development.<ref>U.S. Department of Homeland Security, Privacy Office Mission Statement, “Privacy Policy Development Guide"; U.S. Department of Justice, Global Information Sharing Initiative[www.it.ojp.gov/global] (Sept. 2005); U.S. Department of Housing and Urban Development, “Homeless Management Information Systems, 69 Fed. Reg. 45888 (July 30, 2004). ''See also'' Information Policy Committee of the National Information Infrastructure Task Force, Office of Information and Regulatory Affairs, Office of Management and Budget, “Options for Promoting Privacy on the National Information Infrastructure" (Apr. 1997).</ref>
+
The [[Fair Information Practices]] are, with some variation, the basis of [[privacy]] laws and related policies in many countries, including the United States, Canada,<ref>Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (2008) ('''PIPEDA''') ([http://laws.justice.gc.ca/en/p-8.6/93196.html full-text]).</ref> Germany, Sweden, Australia, and New Zealand, as well as the European Union.<ref>[[European Union Directive on the Protection of Personal Data]] (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data”) (1995).</ref> They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the [[Department of Commerce]] in 1981,<ref>“Report on OECD Guidelines Program, Memorandum from Bernard Wunder, Jr., Assistant Secretary for Communications and Information, Department of Commerce (Oct. 30, 1981).</ref> and including policy statements from [[DHS]], [[DOJ]], and the Department of Housing and Urban Development.<ref>U.S. Department of Homeland Security, Privacy Office Mission Statement, “Privacy Policy Development Guide"; U.S. Department of Justice, Global Information Sharing Initiative[www.it.ojp.gov/global] (Sept. 2005); U.S. Department of Housing and Urban Development, “Homeless Management Information Systems, 69 Fed. Reg. 45888 (July 30, 2004). ''See also'' Information Policy Committee of the National Information Infrastructure Task Force, Office of Information and Regulatory Affairs, Office of Management and Budget, “Options for Promoting Privacy on the National Information Infrastructure" (Apr. 1997).</ref>
   
In 2003 and 2005, the [[OECD]] monitored efforts by governments to implement national policy frameworks consistent with the Guidelines, including measures to combat [[cybercrime]], develop [[Computer Security Incident Response Team]]s ([[CSIRT]]s), raise awareness, and foster education as well as other topics.<ref>''See'' DSTI/ICCP/REG(2005)1/FINAL.</ref> In 2006 and 2007, the [[OECD]] focused on the development of policies to protect [[critical information infrastructure]]s.<ref>''See'' DSTI/ICCP.REG(2006)15/FINAL and DSTI/ICCP/REG(2007)16/FINAL.</ref>
+
In 2003 and 2005, the [[OECD]] monitored efforts by governments to implement national policy frameworks consistent with the Guidelines, including measures to combat [[cybercrime]], develop [[Computer Security Incident Response Team]]s ([[CSIRT]]s), raise awareness, and foster education as well as other topics.<ref>''See'' [[OECD]], [[Working Party on Information Security and Privacy]], [[The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries]] (DSTI/ICCP/REG(2005)1/FINAL) (2005) ([http://www.oecd.org/dataoecd/16/27/35884541.pdf full-text]).</ref> In 2006 and 2007, the [[OECD]] focused on the development of policies to protect [[critical information infrastructure]]s.<ref>''See'' DSTI/ICCP.REG(2006)15/FINAL and DSTI/ICCP/REG(2007)16/FINAL.</ref>
   
 
In 2004, the U.S. [[Chief Information Officers Council]] issued a coordinating draft of its Security and Privacy Profile for the [[Federal Enterprise Architecture]] that links [[privacy protection]] with a set of acceptable [[privacy principles]] corresponding to the [[OECD]]’s version of the [[Fair Information Practices]].
 
In 2004, the U.S. [[Chief Information Officers Council]] issued a coordinating draft of its Security and Privacy Profile for the [[Federal Enterprise Architecture]] that links [[privacy protection]] with a set of acceptable [[privacy principles]] corresponding to the [[OECD]]’s version of the [[Fair Information Practices]].
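Review bot: Replacing the eight bulleted principles with [[File:OECDFIP.png|670px]] leaves "The OECD version of the principles states:" followed only by an image, so the principles are no longer available as text for search, copying or screen readers, and the wikilinks the bullets carried ([[personal information]], [[unauthorized access]], [[privacy policies]]) are lost. Keep the bulleted list alongside the image, or give the file a caption or alt text that lists the principles. Separately, in the last footnote of the first paragraph under Influence on national privacy law, "[www.it.ojp.gov/global]" has no protocol prefix and no label, so it does not render as an external link.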
Line 34: Line 27:
 
[[Category:Privacy]]
 
[[Category:Privacy]]
 
[[Category:Publication]]
 
[[Category:Publication]]
  +
[[Category:International law]]
  +
[[Category:OECD]]
  +
[[Category:1980]]

Latest revision as of 06:06, 20 August 2014

Citation

Organization for Economic Cooperation and Development, ICCP Subcommittee, Guidelines on the Protection of Privacy and Transborder Flow of Personal Data (C(80)58/FINAL) (Sept. 23, 1980) (full-text).

Overview

In 1980, the Organization for Economic Co-operation and Development (OECD) adopted privacy guidelines in response to the growth of automatic data processing, which enabled increased transfers of personal data across national borders. These guidelines contain a revised version of the Fair Information Practices developed by the U.S. Department of Health, Education & Welfare in its 1973 report entitled "Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems" (1973).

The guidelines provide a framework of principles at the policy and operational levels to foster consistent domestic approaches to addressing information security risks in a globally interconnected society. More broadly, the Guidelines reflect a shared ambition to develop a culture of security across society, so that security becomes an integral part of the daily routine of individuals, businesses and governments in their use of Information and Communication Technologies (ICTs) and in conducting online activities.

Fair Information Practices

The OECD version of the Fair Information Practices was reaffirmed by OECD ministers in a 1998 declaration and further endorsed in a 2006 OECD report.[1] The OECD version of the principles states:

[Image: OECDFIP.png, the OECD version of the principles]

Influence on national privacy law

The Fair Information Practices are, with some variation, the basis of privacy laws and related policies in many countries, including the United States, Canada,[2] Germany, Sweden, Australia, and New Zealand, as well as the European Union.[3] They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the Department of Commerce in 1981,[4] and including policy statements from DHS, DOJ, and the Department of Housing and Urban Development.[5]

In 2003 and 2005, the OECD monitored efforts by governments to implement national policy frameworks consistent with the Guidelines, including measures to combat cybercrime, develop Computer Security Incident Response Teams (CSIRTs), raise awareness, and foster education as well as other topics.[6] In 2006 and 2007, the OECD focused on the development of policies to protect critical information infrastructures.[7]

In 2004, the U.S. Chief Information Officers Council issued a coordinating draft of its Security and Privacy Profile for the Federal Enterprise Architecture that links privacy protection with a set of acceptable privacy principles corresponding to the OECD’s version of the Fair Information Practices.

References

  1. OECD, Making Privacy Notices Simple: An OECD Report and Recommendations (July 24, 2006) (full-text).
  2. Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (2008) (PIPEDA) (full-text).
  3. European Union Directive on the Protection of Personal Data (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data”) (1995).
  4. “Report on OECD Guidelines Program,” Memorandum from Bernard Wunder, Jr., Assistant Secretary for Communications and Information, Department of Commerce (Oct. 30, 1981).
  5. U.S. Department of Homeland Security, Privacy Office Mission Statement, “Privacy Policy Development Guide”; U.S. Department of Justice, Global Information Sharing Initiative (www.it.ojp.gov/global) (Sept. 2005); U.S. Department of Housing and Urban Development, “Homeless Management Information Systems,” 69 Fed. Reg. 45888 (July 30, 2004). See also Information Policy Committee of the National Information Infrastructure Task Force, Office of Information and Regulatory Affairs, Office of Management and Budget, “Options for Promoting Privacy on the National Information Infrastructure” (Apr. 1997).
  6. See OECD, Working Party on Information Security and Privacy, The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries (DSTI/ICCP/REG(2005)1/FINAL) (2005) (full-text).
  7. See DSTI/ICCP.REG(2006)15/FINAL and DSTI/ICCP/REG(2007)16/FINAL.