The IT Law Wiki

Citation: OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sept. 23, 1980)


The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data contain a revised version of the Fair Information Practices developed by the U.S. Department of Health, Education & Welfare in its 1973 report titled Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems (1973).

The OECD version of the Fair Information Practices was reaffirmed by OECD ministers in a 1998 declaration and further endorsed in a 2006 OECD report.[1] The OECD version of the principles states:

  • Collection limitation. The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.
  • Data quality. Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.
  • Purpose specification. The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.
  • Use limitation. Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.
  • Individual participation. Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights.
  • Accountability. Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.

The Fair Information Practices are, with some variation, the basis of privacy laws and related policies in many countries, including the United States, Germany, Sweden, Australia, and New Zealand, as well as the European Union.[2] They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the Department of Commerce in 1981,[3] and including policy statements from DHS, DOJ, and the Department of Housing and Urban Development.[4]

In 2004, the Chief Information Officers Council issued a coordinating draft of its Security and Privacy Profile for the Federal Enterprise Architecture that links privacy protection with a set of acceptable privacy principles corresponding to the OECD’s version of the Fair Information Practices.

References

  1. OECD, Making Privacy Notices Simple: An OECD Report and Recommendations (July 24, 2006).
  2. European Union Directive on the Protection of Personal Data (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data”) (1995).
  3. “Report on OECD Guidelines Program,” Memorandum from Bernard Wunder, Jr., Assistant Secretary for Communications and Information, Department of Commerce (Oct. 30, 1981).
  4. U.S. Department of Homeland Security, Privacy Office Mission Statement, “Privacy Policy Development Guide”; U.S. Department of Justice, Global Information Sharing Initiative (www.it.ojp.gov/global) (Sept. 2005); U.S. Department of Housing and Urban Development, “Homeless Management Information Systems,” 69 Fed. Reg. 45888 (July 30, 2004). See also Information Policy Committee of the National Information Infrastructure Task Force, Office of Information and Regulatory Affairs, Office of Management and Budget, “Options for Promoting Privacy on the National Information Infrastructure” (Apr. 1997).