APEC redraft of OECD privacy principles, version 2 May 2003

I have tried to identify major issues for the group’s consideration and these are set out immediately following the text of version 2.
The next section sets out proposals for change which have either been expressly put forward or seem to me to be implicit in comments received. I think these need to be addressed by the group.

Peter Ford
Chair
Privacy Sub Group, ECSG

Principles

Note: The following text builds on the language of version 1 by taking account of comments received up until 20 May 2003

1. Collection limitation

There should be limits to the collection of personal data^[1] and any such information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification

3.1 Organisations should tell people whose data they collect what they intend to do with the data collected not later than at the time they collect the data.

3.2 Personal data shall not, without the consent of the data subject, be used for any purpose other than -

(a) the purpose for which the data were to be used at the time of collection of the data; or

(b) a purpose directly related to the purpose referred to in paragraph (a).

4. Use Limitation

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:

a) with the consent of the person whose information is collected; or

b) by the authority of law.

5. Security Safeguards

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation

An individual should have the right:

a) to obtain from a data controller confirmation of whether or not the data controller has data relating to him or her;

b) to have communicated to him or her, data relating to him or her

within a reasonable time;

at a charge, if any, that is not excessive;

in a reasonable manner; and

in a form that is readily intelligible to him or her;

c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge the accuracy of records relating to him or her and, if the challenge is successful, to have the records erased, rectified, completed or amended.

8. Accountability

A data controller should be accountable for complying with measures which give effect to the principles stated above

Major Issues

Do we agree to use this version as the basis for further comments and discussion?
Should the principles be limited to electronic data?
Do we wish to deal with definitions now? If so, can delegates please put forward drafts for circulation see also proposals 1 and 2.

2. Proposals for changes

The following proposals need to be discussed before further drafting is undertaken.

Proposal 1. Include an equivalent to Part One of the OECD Privacy Guidelines but delete clause 3 (c) of the OECD Guidelines which reads:

‘These Guidelines should not be interpreted as preventing:

...

(c) the application of the Guidelines only to automatic processing of personal data’

Reason: See attachment for justification of proposal.

Proposal 2. (Chair): Defer any consideration of the question whether an equivalent is required to Part One of the OECD Privacy Guidelines until agreement is reached on a text.

Reason: Part One contains definitions and a statement of scope. Definitions can be considered once decisions are taken on the issues outlined above and agreement is reached on text.

Proposal 3. Include an equivalent to Part Three of the OECD Privacy Guidelines: Basic Principles of International Application: Free flow and legitimate restrictions.

Reason: Transborder data flows and international co-operation

We consider that parts 3 and 5 of the OECD Guidelines are very important, as they deal with principles of international application (principles which are chiefly concerned with transborder data flows and relationships between Member countries) and matters of mutual assistance between Member countries, chiefly through the exchange of information and by avoiding incompatible national procedures for the protection of personal data.

We therefore suggest that the following text be inserted. We have made some minor changes to the OECD text to make it more appropriate to APEC:

BASIC PRINCIPLES OF INTERNATIONAL APPLICATION:
FREE FLOW AND LEGITIMATE RESTRICTIONS

Member economies should take into consideration the implications for other Member economies of domestic processing and re-export of personal [data/information]

Member economies should take all reasonable and appropriate steps to ensure that transborder flows of personal [data/information], including transit through a Member economy, are uninterrupted and secure.

A Member economy should refrain from restricting transborder flows of personal data between itself and another Member economy except where the latter does not substantially observe these principles or where the re-export of such [data/information] would circumvent its domestic privacy legislation. A Member economy may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of [those data/that information] and for which the other Member economy provides no equivalent protection.

Member economies should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal [data/information] that would exceed requirements for such protection.

INTERNATIONAL CO-OPERATION

Member economies should, where requested, make known to other Member economies details of the observance of these principles. Member economies should also ensure that procedures for transborder flows of personal [data/information] and for the protection of privacy and individual liberties are simple and compatible with those of other Member economies which comply with these principles.

Member economies should establish procedures to facilitate:

information exchange related to these principles, and

mutual assistance in the procedural and investigative matters involved.

Member economies should work towards the development of principles, domestic and international, to govern the applicable law in the case of transborder flows of personal data.

Proposal 4. (Chair): Include an equivalent to Part Three of the OECD Privacy Guidelines based on whatever implementation option is favoured.

Reason: The OECD Guidelines are not entirely satisfactory on this point. Although I have no objection to Part Three, I think APEC can do better.

Proposal 5. Include an equivalent to Part Four of the OECD Privacy Guidelines: National Implementation.

Reason: We also note that part 4 of the OECD Guidelines contains a very principled high level statement about what Member countries should do to adopt the principles. We think inclusion of something quite like part 4 will make an excellent starting point for a framework for implementation mechanisms.

There are some ideas in part 4 that should not be lost sight of. Specifically, we note that:

Member countries should provide for reasonable means for individuals to exercise their rights; and

Member countries economies should provide for adequate sanctions and remedies in case of failures to comply with measures implementing the principles.

We suggest that these provisions are essential to creating principles that will make a difference for consumers, and are therefore essential to building consumer confidence in the effectiveness of data protection within the region. We would, therefore, like the working group to consider drafting a principle or mechanism that would encompass these provisions.

Proposal 6. (Chair): Include an equivalent to Part Four of the OECD Privacy Guidelines but redraft it to avoid prescriptive language on means of national implementation.

Reason: The means of national implementation is a domestic issue. This section could, however address the kind of issues that I understand will be covered in the APT Guidelines.

flexibility and specificity

the roles of government

the responsibilities of businesses and business associations; and

remedies

Proposal 7. (Chair): Include an equivalent to Part Five of the OECD Privacy Guidelines: International Co-operation.

Proposal 8. Include a new principle:

‘Limited Retention Principle

When data no longer serve a purpose as specified in Principle 3 - Purpose specification, or are needed for use as allowed for in Principle 4 - Use limitation Principle, they shall be destroyed or given an anonymous form’.

Reason: This would give a clear statement that data should not be retained unduly long, having regard to purpose for which it is held, given the risks attendant upon such retention. This is only implicit in the OECD Guidelines.

We suggest that this principle could follow the use limitation principle, as it is associated with the concepts of data quality, purpose specification and use.

In this context, we note that the OECD Guidelines clearly anticipate limited retention to be an outcome of the Guidelines but leave the matter as a matter of inference from the purpose specification principle. We suggest that it is better to be explicit.

Most international data privacy instruments have explicit data retention principles. Examples include: Council of Europe Convention (1981), article 5; UN Guidelines (1990), article 3; EU Directive, article 6; ILO Code on Workers Data, article 8. The approach is roughly the same in each. None is prescriptive as to periods but relates retention to the needs of the primary and permitted secondary uses. Many national laws which have implemented the OECD Guidelines have a retention principle (e.g. principle 9 of the NZ Privacy Act)

Proposed Creation of another Principle on the Retention of Personal Data

The concept of control over retention of personal data is contained in the Explanatory Memorandum of the OECD Guidelines. In explaining the Purpose Specification Principle, it states, amongst others, that when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form.

It is not necessary to go into details the security risk involved in the on-line world in retaining data that are no longer required. We recommend that the APEC Privacy Principles should contain specific provisions over retention of personal data.

For consideration by the Chair, the relevant requirements under the Hong Kong data privacy law dealing with retention of personal data provides that:-

"Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used.”

Proposal 9. (Australia): Include a new principle:

‘Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’.

Reason: This has been suggested by the Australian Privacy Commissioner during consultations within Australia. In an increasingly inter-connected world, anonymity becomes more important.

Proposal 10. The exceptions to the restrictions imposed by Principle 4 – Use Limitation, on the use of data for non-specified purposes, should be broadened to include the following:

‘with legitimate cause to avoid immediate danger to the life, body, freedom or property of the person’

Proposal 11. (Chair): Consider implementation options in the context of proposals 3 and 4.

Reason: On one view, implementation options cannot be considered until the text is settled. I think this is incorrect. Whatever language is employed, we will, I expect, settle on a statement that is consistent with both the OECD Principles and the yet to be released APT Privacy Guidelines and it is the implementation options which require detailed discussion.

^[1] The term ‘data’ has been used instead of information’ for two reasons – it is easier to work with when terms such as ‘data subject’ are employed and it appears to be more generally accepted in an international context. It will require definition (see Issues).

APEC Privacy Principles

Chair’s draft