CIPP/A - Modern Privacy Principles Questions and Answers Rated A+

OECD (Privacy Reg)
The Organisation for Economic Co-operation and Development "Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data" (1980).

OECD: Legally...
> Not legally binding; no DPA or other supervisory body.

OECD Proposed minimum standards for...
Protection of privacy and individual liberty. (Generally viewed as the minimum principles common to all four international frameworks: EU, CoE, OECD, APEC.)
*Collection limitation* - limited, lawful, fair means; with consent or knowledge.
*Data quality* - relevant, accurate, up-to-date.
*Purpose specification* - at time of collection.
*Use limitation* - limited to purposes specified or compatible.
*Security safeguards* - reasonable.
*Openness* - concerning data practices.
*Individual participation* - right of access and correction.
*Accountability* - data controllers accountable for implementation.

OECD FREE FLOW AND LEGITIMATE RESTRICTIONS
> Members consider the *implications for other member countries* of domestic processing and re-export of personal data.
> Members take all reasonable steps to ensure that trans-border flows of personal data (including transit through a member) are *uninterrupted and secure*.
> Members *refrain from restricting* trans-border flows of personal data between themselves and another member, *except where* the latter does not substantially observe the guidelines or where re-export would circumvent its domestic privacy legislation.
> Members do not develop laws, policies or practices in the name of privacy and individual liberties that *create obstacles* to trans-border flows exceeding the requirements for protection.

OECD Basic Principles of National Application
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

OECD Collection Limitation Principle
There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

OECD Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

OECD Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

OECD Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
a) with the consent of the data subject; or
b) by the authority of law.

OECD Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

OECD Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

OECD Individual Participation Principle
An individual should have the right:
a) to *obtain* from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have *communicated* to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
c) to be given *reasons* if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to *challenge* data relating to him and, if the challenge is successful, to have the data *erased, rectified, completed or amended*.

OECD Accountability Principle
A data controller should be accountable for complying with measures which give effect to the principles stated above.

APEC Generally
Includes 21 separate economies, including Singapore and Hong Kong.
> Nine from East Asia; 12 from the Pacific Rim (incl. U.S., Canada).
> 1/3 of the world's population, ½ of the world's GDP, about ½ of world trade.

APEC PRIVACY PRINCIPLES
1. Preventing Harm
2. Notice
3. Collection Limitation
4. Uses of PI (only used for...)
5. Choice
6. Integrity of PI
7. Security Safeguards
8. Access and Correction
9. Accountability (and data export limitations)

APEC Preventing Harm
Remedies should prevent misuse of information and be proportionate to the likelihood and severity of harm.

APEC Notice
Fact of collection, purposes, to whom disclosed, ID and location of controller, choices for limiting, access, and correction.

APEC Collection Limitation
Limited to information relevant to the purpose; obtained by lawful and fair means with notice/consent where appropriate.

APEC Uses of PI
Only used to fulfil the purposes of collection and compatible/related purposes except:
> With consent of the PI data subject.
> When necessary to provide a service or product requested by the individual.
> By authority of law.

APEC Choice
Requires consent and prominent, effective and affordable mechanisms for choice and review.

APEC Integrity of PI
PI should be accurate, complete and kept up-to-date within the scope of the purpose of use.

APEC Security Safeguards
Safeguards against risk should be proportional to the likelihood and severity of harm.

APEC Access and Correction
> Individuals should be able to obtain PI and challenge its accuracy (with correction/deletion), all at reasonable cost and within reasonable time.
> Except where the burden or expense would be unreasonable or disproportionate to the risks to the individual's privacy, where legal issues arise, or where it would violate the privacy of others.

APEC Accountability (and data export limitations) - DOMESTIC
The data controller should be accountable for security measures; no requirement for further obligations on the processor.
>> *Transfer to a third party* requires consent of the data subject and that the discloser exercise due diligence. Once due diligence is exercised, no further liability attaches to the controller.

APEC FAIR INFORMATION PRIVACY PRACTICES
Efficiency Principle
Surveillance Principle
Finality Principle

APEC FIPP Efficiency Principle
Helps make information systems operate more fairly in the interests of both data controllers and data subjects.

APEC FIPP Surveillance Principle
Limits the surveillance capacity of information systems in ways that are not necessarily in the commercial or administrative interests of data controllers. Four conditions for acceptable surveillance:
1. Personal data is kept accurate, complete, and up to date;
2. Openly promulgated rules of due process govern the working of data systems, including decision making;
3. Organizations collect and use data for legitimate goals only;
4. Persons described in the data have the right to attest adherence to these principles.

APEC FIPP Finality Principle
The OECD Guidelines, CoE Convention 108 and almost all of the national laws passed have added the requirement that organizations may only use or disclose the personal information they collect for the purpose for which they collected it.

Universal Declaration of Human Rights (1948)
Article 12 - No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. Similar to International Covenant on Civil and Political

APEC Accountability (and data export limitations) - EXPORT ACCOUNTABILITY
Recipient Overseas:
1. If data is exported to a jurisdiction without applicable privacy laws, there is no right of action for the data subject against the exporter and importer, unless some other enforceable mechanism exists.
>> *Contractual clauses* requiring APEC compliance will not provide a remedy unless the importer is in a jurisdiction where the consumer can enforce such clauses benefiting third parties.
2. Allows exports, requiring only that the exporter exercise due diligence and take reasonable steps to ensure that the recipient will protect the information consistently with the Principles.
>> *If diligence is exercised*, no further liability on the exporter.
3. APEC's Cross-Border Privacy Rules
Document information: uploaded on December 18, 2023; 9 pages; written in 2023/2024; type: exam (elaborations); contains questions & answers.