APEC PRIVACY PRINCIPLES

CHAIR'S DRAFT (CONSULTATION TEXT)

Version 3 - July 2003

SECTION 1 - DRAFT APEC PRIVACY FRAMEWORK

Part I. Preamble

APEC economies recognize the importance of protecting privacy and maintaining cross-border information flows among economies in the Asia Pacific region. As APEC Ministers acknowledged in endorsing the 1998 Blueprint for Action on Electronic Commerce, the potential of electronic commerce cannot be realized without government and business cooperation “to develop and implement technologies and policies, which build trust and confidence in safe, secure and reliable communication, information and delivery systems, and which address issues including privacy...” APEC economies realize that a key part of these efforts must be cooperation to balance and promote both effective privacy protection and the free flow of information in the Asia Pacific region.

The Internet and information and communications technologies, including mobile technologies, have made it possible to store, collect and access information from anywhere in the world. This represents a tremendous opportunity for business, individuals and governments. However, while these make the collection and use of personal information easier, cheaper and less centralized, they also often make these activities undetectable to individuals. As a result, individuals have become concerned about the harmful consequences that may arise from the misuse of their information. Therefore, there is a need to promote ethical and trustworthy information practices in on- and off-line contexts to affirm businesses’ and individuals’ confidence.

APEC economies endorse the principles-based APEC Privacy Framework as an important tool in encouraging the development of appropriate privacy protections and ensuring the free flow of information in the Asia Pacific region. This Framework is consistent with the core values of the OECD's 1980 Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines)^[1], but specifically addresses these foundation concepts as well as issues of particular relevance to APEC member economies. Finally, this Framework was developed in recognition of the importance of:

• Developing appropriate protections for personal information, particularly from the harmful consequences of unwanted intrusions and the misuse of personal information.
  
• Recognizing the free flow of information as being essential for both developed and developing market economies to sustain economic and social growth.
  
• Promoting international mechanisms to promote privacy and the continuity of cross-border information flows among APEC economies and with other trading partners.

Part II. Scope

Definitions

'data controller' means a party who, according to domestic law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf;

[alternative: 'organization' means.........]

'personal data' means any information relating to an identified or identifiable individual (data subject).

[alternative: 'personal information' means any information relating to an identified or identifiable individual but does not include personal information that is publicly available or........]

(Note: query whether a definition is also required for an APEC version of the OECD's 'transborder flows of personal data', this term is considered by some to be outdated in an internet environment).

Question: are definitions required for other terms (eg 'data subject' or an alternative term)? Note that above definitions are the only ones in OECD Guidelines.

Application

In view of the differences in social, cultural and economic backgrounds of each member economy, there may be exemptions and exceptions to these principles in their domestic implementation. (Note: adapted from draft APT Guidelines.)

Exceptions to the Principles contained in Part Three of these Guidelines, including those relating to national sovereignty, national security and public policy should be:

a) as few as possible, and

b) made known to the public.

(Chair's note: adapted from OECD Guidelines)

Part III. APEC Privacy Principles

(possible amendments in italics)

1. Collection limitation

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Question: should we revert to 'information' in preference to 'data'? ^[2]

2. Data Quality

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Alternative:

2. Ensuring the Quality of Personal Information

Any personal information held by organizations should be relevant to the purposes for which it is to be used, and to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

Alternative:

3. Purpose specification

3.1 The purposes for which personal data are collected should be specified to the data subject no later than the time of the collection.

3.2 The subsequent use of personal data should be limited to the fulfilment of:

a. those purposes; or

b. a purpose which is directly related to the purposes for which the data were collected.

4. Use Limitation

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:

a) with the consent of the data subject; or

b) by the authority of law: or

c) with legitimate cause to avoid immediate danger to the life, body, freedom or property of the person.

5. Security Safeguards

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data or other misuse.

Alternative:

5. Safeguarding Personal Information

Organizations should take reasonable steps to safeguard personal information that could harm individuals in the event of unauthorized access, accidental or deliberate loss, misuse, alteration, destruction or harmful disclosure. Such steps should be proportional to the likelihood and severity of the harm threatened and subject to periodic review and reassessment.

6. Openness

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller. Data controllers should take reasonable steps to make data subjects aware of their rights to obtain access to data and to challenge a denial of access or inaccurate data.

7. Individual Participation

An individual should have the right:

a) to obtain from a data controller confirmation of whether or not the data controller has data relating to him or her;

b) to have communicated to him or her, data relating to him or her

• within a reasonable time;

• at a charge, if any, that is not excessive;

• in a reasonable manner; and

• in a form that is [readily intelligible] generally understandable (NZ text) to him or her;

c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge the accuracy of data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed or amended; and

e) to refuse to provide his or her information except where required by law.

Alternative:

7. Accessing Personal Information

Individuals should have reasonable access to the personal information about them that an organization holds. Such access should include the ability to have the organization correct, amend, or if necessary, delete such information when it is inaccurate. Individuals should have such access except where the burden or expense to the organization of providing it would be disproportionate to the risk of harm to the requesting individual, or where the rights of another person would be violated."

8. Accountability

A data controller should be accountable for complying with measures which give effect to the principles stated above.

Part IV. Implementation Mechanisms

[TO BE DISCUSSED]

Note: Parts D and E of the APT draft Guidelines should be considered in this context.

SECTION 2 - PROPOSALS FOR CHANGES

The following proposals need to be further discussed before being included in the draft.

Proposal 1. Include a new principle:

Limited Retention Principle

When data no longer serve a purpose as specified in Principle 3 - Purpose specification, or are needed for use as allowed for in Principle 4 - Use limitation Principle, they should no longer be retained. Where practicable, they shall should no longer be retained. Where practicable, they should be destroyed or given an anonymous form.

Proposal 2. (Australia): Include a new principle:

Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Proposal 3. Include an exception relating to national security.

Question: does the language in Part II of the draft, under 'Application' satisfactorily deal with this issue?

Proposal 4.

text to be drafted but basic concept is to anchor APEC privacy protections to alleviating harm to individuals. Privacy protections, including self-regulatory efforts, education and awareness campaigns, laws, regulations and enforcement, should be designed to prevent harm to individuals from misuse of their personal information.

Proposal 5.

text to be drafted but basic concept is, as reflected in preamble, that personal information protections should reflect the benefits to participants of both protecting individual privacy and ensuring free cross-border flows of information.

Proposal 6. Add a principle concerning unique identifiers

Unique identifiers

1.1 A data controller should not adopt as its own identifier of an individual, an identifier that has been assigned by a government body unless it is authorised to do so by law.

1.2 A data controller should not require an individual to disclose any identifier assigned to that individual by a government body unless the disclosure is one of the purposes for which the identifier was assigned.

1.3 "Identifier" means a number used to uniquely identify an individual ^[3]

Footnotes

1. The 1980 OECD Guidelines were drafted at a high level that make them still relevant today. In many ways, the OECD Guidelines represent the international consensus on what constitutes honest and trustworthy treatment of personal information.
2. In Version 2, the term 'data' was used instead of information' for two reasons - it was easier to work with when terms such as 'data subject' were employed and it appeared, at that stage, to be more generally accepted by the group. My personal preference, as indicated by Version 1, is for 'information'. If we revert to 'information' however, we need to address the issues raised in comments on Version 1.
3. A more sophisticated definition of "identifier" (or it could be termed "unique identifier", "personal identifier" or "government identifier") may be required.

[ APPCC home page]

[back to Cyberlaw Centre home page]