APEC Draft Privacy Principles
based on OECD Principles

(APEC ECSG Privacy Sub Group Chair's draft)


Version 1, February 2003
[OECD Privacy Principles, with amendments as shown: deletion addition ]

1. Collection limitation

There should be limits to the collection of personal data information [1] and any such data information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject person whose information is collected [2]

1.1 Organisations should only collect personal information that is necessary for what they do.

1.2 Organisations should only collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the person whose information is collected.

2. Data Quality of collections of personal information

Personal data Any collection of personal information should be relevant to the purposes for which they are it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

3.1 Organisations should tell people whose information they collect who they are and what they intend to do with the information collected.

3.2  Personal information should not be used for any purpose which is inconsistent with the purposes for which it has been collected.

4. Use Limitation

Personal data information should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 Principle 3 except:

a) with the consent of the data subject person whose information is collected; or

b) by the authority of law.

5. Security Safeguards

Personal data information should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness

There should be a general policy of openness about developments, practices and policies with respect to personal data information. Means should be readily available of establishing the existence and nature of personal data information collections, and the main purposes of their their use, as well as the identity and usual residence of the data controller any person who collects or holds personal information.
7. Individual Participation

An individual should have the right:

a) to obtain from a data controller, or otherwise, any other person or organisation confirmation of whether or not the data controller that person or organisation has data information relating to him or her;

b) to have communicated to him or her, data personal information relating to him or her

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data the accuracy of records relating to him or her and, if the challenge is successful to have the data records erased, rectified, completed or amended.

8. Accountability

A data controller person or organisation who holds or collects personal information should be accountable for complying with measures which give effect to the principles stated above.

[1] I have preferred the term 'personal information' to 'personal data' and have also substituted other terms for 'data subject' and 'data controller' which seem inappropriate in the context of the Internet.
[2]This term refers to the person to whom the information relates.



(Version 1, February 2003)
[Comments are sought on the following options.]

Option 1 - Adherence by economies to statement of principles

The procedure under this option would be for those economies which wished to implement the principles, or considered that they already implemented them, to make this fact known to other member economies. This is the least ambitious option.  Other economies would decide unilaterally what significance they would attach to such a declaration.  In some cases, domestic law may require some assessment of privacy protection measures in other economies where personal information is to be transferred across national borders.

Option 2 - Self-certification by economies; compliance by business with national laws
Economies would certify by some formal procedure that their law complies with the principles and a record would be kept by the Secretariat of economies which had certified to this effect. A certification would be accepted by other economies as a basis upon which personal information could be transferred across national borders. Companies would continue to be bound by the laws of the economies in which they are resident and in which they do business.

Option 3 - Self-assessment by economies coupled with peer review

Procedures would be developed with reference to those of the Financial Action Task Force but not involving the power to declare that any economy is not in compliance. The relevance of the Financial Action Task Force procedures would be to serve as a basis upon which self-assessment and peer review methodologies might be developed. A description of those procedures can be obtained if required.
Option 4 - Development of internal binding codes by global companies
This approach would enable global companies and multinational groups to develop codes which would be recognised throughout the region, and perhaps globally, as complying with the principles. It would require some assessment procedure involving supervisory authorities. Important contributors to work in this area would be those companies who have been working on global codes of practice.
Option 5 - Development of guidelines for protecting privacy across borders
This approach would be directed towards the development of a framework to facilitate cooperation between supervisory bodies in different economies. It could be adopted in combination with option 4. In this context, it would be useful to develop guidance on how authorities in member economies could co-operate to ensure compliance with codes and thereby give assurance of their effectiveness in a cross-border context.

[any other options?]

See also an article discussing this proposal and these options.

[ APPCC home page]

[Baker Cyberlaw Centre home page]

URL: http://www.cyberlawcentre.org/appcc/OECD_redraft.htm