OECD Privacy Principles

Introduction

Privacy frameworks may be used as tools to help us think about and frame discussions about privacy, and understand privacy requirements.

Internationally, the OECD Privacy Principles provide the most commonly used privacy framework, they are reflected in existing and emerging privacy and data protection laws, and serve as the basis for the creation of leading practice privacy programs and additional principles.

The OECD Privacy Principles tie closely to European Union (EU) member nations' data protection legislation (and cultural expectations), which implement the European Commission (EC) Data Protection Directive (Directive 95/46/EC), and other "EU-style" national privacy legislation. (The European Commission is the executive body of the European Union.)

(For information about privacy principles utilized by United States government entities, see FairInformation.org)

The OECD Privacy Principles are part of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was developed in the late 1970s and adopted in 1980.

The Organisation for Economic Co-operation and Development (OECD) is a forum for "countries committed to democracy and the market economy."
"The Organisation provides a setting where governments compare policy experiences, seek answers to common problems, identify good practice and coordinate domestic and international policies."

The Privacy Principles

Numbered 1 thorough 8 below, these principles are found in Part Two, paragraphs 7 though 14 of Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing The Protection of Privacy and Transborder Flows of Personal Data.
Further discussion of the principles is in the accompanying Explanatory Memorandum, under section II, part B, paragraphs 50 through 62.

1. Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

a) with the consent of the data subject; or

b) by the authority of law.

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle

An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him, data relating to him

i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

News

OECD Privacy Resources

Other Privacy Frameworks

APEC Privacy Framework

The Asia-Pacific Economic Cooperation (APEC) Privacy Framework overlaps with other frameworks; however, it concentrates on actual or potential harm as a result of disclosing information, rather than individuals' rights pertaining to their information. While the OECD Privacy Principles enjoy support amongst EU and other governments' legal regimes, the APEC Privacy Framework is not supported by law. The APEC Privacy Framework's major supporters have been certain global corporations.

The Asia-Pacific Economic Cooperation (APEC) is a forum for facilitating economic growth, cooperation, trade and investment in the Asia-Pacific region.

See APECprivacy.org for more information.

United States Department of Commerce Safe Harbor Privacy Principles

The United States Department of Commerce developed the Safe Harbor self certifying legal framework to allow US organizations to comply with the EC Data Protection Directive. Because of the purpose, the framework's principles follow closely with OECD's.

Safe Harbor is one of several cross-border data transfer options for organizations in the US that conduct business in the EU. For an organization to employ Safe Harbor as a compliance mechanism, the organization must be subject to the Federal Trade Commission's (FTC) or Department of Transportation's (DoT) authority. Safe Harbor is a very popular option, particularly for handling customer data. Its use continues to grow, often serving as a starting point for many US organizations expanding their operations into the EU.

See export.gov/safeharbor for more information.

Other cross-border data transfer options can be applied for jurisdictions that do not meet the EU adequacy standard for privacy protection. These include Express Consent, Model Contracts and Binding Corporate Rules. The use of Express Consent is decreasing due to "drop out" rates (the number of individuals that will not consent) along with data protect authorities recognizing that the imbalance of power between employers and employees negates a consent being "freely given." However, Express Consent remains useful for some relatively simple transfers, such as those necessary to complete business-to-consumer on-line transactions. Model Contracts, while lacking the flexibility often required for data transfers that are part of normal business operations, remain a staple for incidental data transfer (e.g., transferring expatriates' human resource records). There is a notable trend, for multinational companies with mature privacy programs, toward utilizing Binding Corporate Rules. In October 2008 a mutual recognition agreement went into effect among several EU nations' data protection authorities that allows for easier implementation of Binding Corporate Rules.

Over the last ten years, the EC has found Safe Harbor to be ineffective due to lack of enforcement and organizations' failure to comply with Safe Harbor requirements while continuing to self certify. Despite this, the EC has remained committed to Safe Harbor.

The ineffectiveness of Safe Harbor has been raised to the forefront again recently. As the tenth anniversary of Safe Harbor approached, the Data Protection Authority of the German State of Schleswig-Holstein (the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein or ULD) has called for the immediate termination of and/or revisions to Safe Harbor.

Generally Accepted Privacy Principles (GAPP)

The Generally Accepted Privacy Principles (GAPP) were developed by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Introduced in 2003 and updated in 2006 and 2009, they are similar to the OECD Privacy Principles, with a focus toward implementation.

According to the AICPA, "they are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices."

The GAPP are popular among Canadian privacy practitioners.

See www.cica.ca/privacy and www.aicpa.org/privacy for more information.

About This Site

The purpose of this site is to serve as a quickly and easily accessible reference on the OECD Privacy Principles.

I frequently refer to these principles in presentations, lectures, workshops and discussions and found that it would be useful to have an easy to reference and consume web page about the OECD Privacy Principles. I hope you find this resource useful as well.

Contact

The author and publisher of this site, Ben Gerber, can be contacted via privacy.us/contact. Additional contact information is available at privacy.tel.

This web site, OECDprivacy.org, is © Ben Gerber 2009, 2010 and is licensed under a Creative Commons Attribution 3.0 Unported License. Creative Commons License

Excerpts from Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing The Protection of Privacy and Transborder Flows of Personal Data are © OECD 1980.

Version

Version 1.0 2010/07/20: publication on OECDprivacy.org
Version 1.1 2010/08/09: minor edits; added ULD's comment regarding Safe Harbor