InfoDev e-Government: eGov Toolkit, Theme IV: Challenges in eGovernment, Chapter 15: Privacy and Security
Fair Information Practices

A set of principles, sometimes referred to as “fair information practices,” has been developed by international bodies to define and implement the right to privacy in the context of information systems. These principles were embodied in two highly influential instruments: the Council of Europe (COE) Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data.

Both instruments articulate a similar set of guidelines regarding the responsible handling of personal data. These guidelines form the foundation of many national privacy laws and regional data protection frameworks, including the EU Data Protection Directive and the APEC Privacy Framework.

While the core principles have been described in somewhat different forms, the international consensus can be characterized as follows:

  • Purpose Specification. Personal data should be collected only for purposes that are concrete, clear, and legally determined. The subsequent use of data should be limited to those purposes, unless the data subject consents to other uses.
  • Notice. The data subject should be informed of the identity of the data controller and the purpose for which data is collected, as well as the rights of access and correction.
  • Collection Limitation. Personal data should be collected only if it is appropriate, relevant, and not excessive in relation to the purpose for which it is collected. No more data may be collected than is necessary to accomplish the stated purpose.
  • Data Quality. Data must be accurate, complete, and up to date, taking into account the purposes for which it was collected. Upon request of the data subject, and upon its own initiative, the data controller should supplement, amend, or delete incorrect, incomplete, or out-of-date information.
  • Retention Limit. Data should be stored in a form that allows identification of the data subject for no longer than is necessary to fulfill the purposes for which the data was collected.
  • Use Limitation. Data should not be disclosed or used except for purposes specified when it was collected, unless the data subject consents, subject to specified exceptions.
  • Access. The data subject should have the right to access data about himself or herself. This right is crucial to exercising the right to data quality.
  • Security. Anyone holding personal data about others is obliged to maintain the security of the data, applying adequate technical and organizational measures.
  • Openness. There should be a means by which entities holding data publicly disclose what they are collecting and how they are using it.
  • Accountability and Enforcement. Entities holding personal data should be accountable for complying with the foregoing principles, and there should be processes created for data subjects to enforce their rights.

Based on these principles, a growing number of countries have adopted national data protection laws. Such laws may apply to data about individuals collected by the government, to personal data in the hands of private sector businesses, or to both. While details vary, it is clear that there is a deep worldwide trend toward establishment of legal protections for personal data in both commercial and governmental systems. A privacy framework developed by the government of Australia provides guidance to government agencies on how to implement privacy policies.
