The OECD Data Protection Guidelines:
A Template for Evaluating Information Privacy Law
and Proposals for Information Privacy Law

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Working Version of April 1989

© Xamax Consultancy Pty Ltd, 1987, 1988, 1989

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperOECD.html


Abstract

In 1980, the Organisation for Economic Cooperation and Development (OECD) issued a set of Guidelines for data protection. These drew on the experiences of many countries which had already implemented privacy and data protection laws, some of them as long ago as 1973. The express intention of the OECD Guidelines was to facilitate trans-border data flows, by providing a means of coordination between the laws of various countries.

This paper provides a structured interpretation of the OECD Guidelines, whose purpose is to assist researchers in assessing the extent to which laws and proposals for law comply. It has been used to assess a variety of laws and proposals, including the successive Australian Privacy Bills, the Australian Privacy Act 1988, the proposed guidelines of the Western Australian public service, the Berner Kantonaler Datenschutzgesetz 1987 in Switzerland and the U.S. Computer Matching Act 1988.


CONTENTS

  1. INTRODUCTION
  2. THE OECD GUIDELINES
    1. Background
    2. Description
  3. FACTORS AFFECTING NATIONAL IMPLEMENTATION
  4. GLOBAL ASPECTS
    1. Who Is To Be Regulated
      • The 'Data Controller'
      • Public versus Private Sector Organisations
    2. Whose Data Is Protected
      • Natural Persons
      • Legal Persons
    3. The Object of the Regulatory Scheme
      • Documents, Files, Records, Data or Information
      • Computerised Versus Manual Systems
      • Restrictions Based on Recording Media
      • Identifiability of Individuals
      • Sensitive Data
    4. Exemptions
    5. Reasons for Adverse Decisions
    6. Conflict of Laws
  5. THE PRINCIPLES
    1. Collection Limitation Principle
      1. What is Collected
      2. The Means of Collection
      3. From Whom The Data Is Collected
      4. Knowledge or Consent of the Data Subject
      5. Scope of the Collection Limitation Principle
    2. Data Quality
    3. Purpose Specification
    4. Use Limitation
      1. Control Against Original Purposes
      2. Exceptions
      3. The Mechanism of Disclosure
    5. Security Safeguards
    6. Openness
    7. Individual Participation
      1. The Right of Subject Knowledge of the Existence of Data
      2. The Right of Subject Access to Data
      3. The Mechanism of Subject Access
      4. The Right of Challenge, and Provision of Reasons for Refusal
      5. Subject Challenge to Data
    8. Accountability
  6. CONTROLS OVER SYSTEM PURPOSES
  7. ENFORCEMENT AND REGULATION MECHANISMS
  8. CONCLUSIONS

1. INTRODUCTION

Concern about unfair information practices developed quickly during the latter half of the 1960's. This was stimulated by growth in the power of computers, and the extent of their use, although many problems either pre-existed computers, or were associated also with other forms of information system automation, such as photocopying, microfilm and telecommunications. Concern about the social impact of computers resulted in a significantly improved appreciation of the impact of information technology generally.

In many countries it was felt that the emergence of the various information technologies represented a challenge that existing legal protections were unable to cope with. As a result, during the decade of the 1970's, many of the 'advanced western nations' acted to provide legislative and/or administrative protections.

Important early activity in the United States included studies by Westin (Westin 1967, 1974) and an Advisory Committee to the then Department of Health Education and Welfare (HEW 1973). Congress passed the Privacy Act in 1974 regulating federal government agencies. A report on early experiences is to be found in the Report of the Privacy Protection Study Commission (PPSC 1977). Legislation in Europe had begun even earlier, with the West German Land of Hesse passing the very first Data Protection Act in 1970, and Sweden's Data Act of 1973 being the first comprehensive legislation at national level. In the United Kingdom, Private Members' Bills were introduced in the late 1960's, and the Younger Committee reported in 1972.

Since the early 1970's, most of the advanced western nations have legislated. In addition, many of the states of the U.S.A., provinces of Canada and Länder of West Germany have also passed laws. Some of these apply to all personal data systems, while others are restricted, e.g. to the public sector, or to automated or computerised systems. In an endeavour to achieve some amount of consistency in the highly varied approaches, the European Economic Community adopted a Convention in 1980 (EEC 1980).

The United Kingdom ignored the recommendations of successive Government Committees (Younger 1972 and Lindop 1978), but finally responded to commercial pressure to ensure that British companies were not disadvantaged against their European competitors, and passed the Data Protection Act in 1984.


2. THE OECD GUIDELINES
2.1 Background

The membership of the Organisation for Economic Co-operation and Development (OECD) comprises the nineteen major Western European countries, plus the United States, Japan, Canada, Australia and New Zealand. By 1980, many of the OECD's Member countries had legislation of some kind in force (ALRC 1983 Vol.3 provides a summary). By 1978 it was apparent that "these laws have tended to assume different forms in different countries", and "the disparities in legislation may create obstacles to the free flow of information between countries" (OECD, 1980, p.15).

An Expert Group, chaired by Justice Michael Kirby, then Chairman of the Australian Law Reform Commission, was established in 1978 "in order to facilitate the harmonisation of national legislation" (p.15). Its instructions were "to develop guidelines on basic rules governing transborder flow and the protection of personal data and privacy, in order to facilitate a harmonisation of national legislations ..." (p.18). It was expressly not an attempt to flesh out more general documents concerning human rights, such as ICCPR (1966).

The prime concern was to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD, 1980, p.7), and the concern to ensure that member-countries had a clear statement of international expectations regarding privacy protection was quite secondary. However, "The Guidelines attempt to balance the two values against one another; while accepting certain restrictions to free transborder flows of personal data, they seek to reduce the need for such restrictions and thereby strengthen the notion of free information flows between countries" (p.22-23).

The Guidelines are contained in OECD (1980), and comprise a 1-page Council Recommendation, 4 pages of Guidelines and a 22-page Explanatory Memorandum. The document provides " ... a general framework for concerted action by Member countries: objectives ... may be pursued in different ways" (p.23). It does not represent a binding International Convention.

2.2 Description

The OECD Guidelines comprise eight 'Basic Principles of National Application' (pp.10-11), definitions of terms and of scope, and discussion of a number of matters of international concern. This paper concentrates on the national, to the virtual exclusion of the international, matters. References to paragraph-numbers in the Guidelines are prefaced with 'G', and those in the Explanatory Memorandum with 'EM'.

The Guidelines make clear that they "do not constitute a set of general privacy protection principles"; they relate only to that sub-set of privacy concerns referred to as 'information privacy' (EM 38). Although the term 'privacy' is used, the guidelines are predominantly concerned with 'data protection' with consideration of some broader matters such as relevance, reasons for refusal and public participation.

The OECD's 'Basic Principles of National Application' are reproduced in Exhibit 1. In this paper the OECD Principles are numbered sequentially from 1, rather than in accordance with their paragraph numbers in the Guidelines (which run from 7 to 14).

Exhibit 1: The OECD Principles

Collection Limitation Principle

1. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

2. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

3. The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

4. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] except:

(a) with the consent of the data subject; or

(b) by the authority of law.

Security Safeguards Principle

5. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

6. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

7. An individual should have the right:-

  1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  2. to have communicated to him, data relating to him
    1. within a reasonable time;
    2. at a charge, if any, that is not excessive;
    3. in a reasonable manner; and
    4. in a form that is readily intelligible to him;
  3. to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and
  4. to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability Principle

8. A data controller should be accountable for complying with measures which give effect to the principles stated above.

The first five Principles relate to the collection, storage, use, and dissemination of personal data. Three further principles relate to a 'policy of openness' regarding data systems, the ability of individuals to participate in certain aspects of data systems, and accountability for compliance. The structure reflects that of previous national laws: "Generally speaking, statutes ... attempt to cover the successive stages of the cycle, beginning with the initial collection of data and ending with erasure or similar measures, and to ensure ... individual awareness, participation and control" (EM5).

They are also clearly, and fairly explicitly (e.g. EM 4, 51), a result of negotiation among common law and codified law countries, and between 'data protection' and 'privacy' oriented countries. This exercise in international diplomacy produced some fairly broad qualifications: "The framework ... permits Member countries to exercise their discretion with respect to the degree of stringency with which the Guidelines are to be implemented ... generally speaking, the Guidelines do not presuppose their uniform implementation by Member countries with respect to details" (EM45). It is also envisaged that some countries will undertake "the regulation of ['particular'] types of data or activities as compared to regulation of a general nature ("omnibus approach")" (EM46). Subject access and correction rights in particular are to be implemented pragmatically (the liberally-worded Principle in G13 is heavily qualified by EM58-61). Similarly the means whereby a Member country complies with the Guidelines is at its own discretion, as are the mechanisms of action and appeal (G19, EM69-70).

Nonetheless, the OECD Guidelines are an explicit attempt to work toward international harmonisation, and therefore represent an independent standpoint from which the laws, and proposals for laws, of particular jurisdictions can be assessed. However, in doing so, it is necessary to identify important considerations which result in differences among the national implementations of the various OECD members. The next section canvasses some of these issues, and those following then present and discuss the OECD Guidelines.


3. FACTORS AFFECTING NATIONAL IMPLEMENTATION

Significant differences exist among OECD member countries, ranging from conceptions of data protection and privacy, through approaches to regulation, to the nature of legal procedures. Some of the important factors involved are:

Some relevant aspects of society are identified below, with examples given of factors which are relevant to the Australian context.

Geographic, Economic and Cultural Factors

This is a very broad cluster of characteristics, which have a major influence on the flavour of data protection and information privacy laws.

Some factors of particular relevance in the Australian context are that it is a widely dispersed country, with a population of 16 million spread over an area the size of the contiguous U.S.A. and larger than Europe excluding Russia. Perth is as far from Canberra as London is from Tel Aviv, and Jakarta and Singapore are closer. The population is mainly urban (40% in the two largest cities, 55% in the five largest), but provincial and country populations are very widely spread. It is a relatively well-off country, with the mining industry having grown quickly during the last twenty years to supplement the long-established agricultural and pastoral industries. Per capita disposable income is noticeably less than in the U.S.A., but of the same order as in West Germany, and greater than in the United Kingdom and Italy. It is certainly sufficient that an appreciable proportion of the population is concerned not only about 'standard of living' but also about 'quality of life' issues, including privacy.

'Culture' is a vague yet very important consideration. In some countries religion will be the central determinant. In Australia's case, national and ethnic origins of the population would appear to be dominant. About 20% of the population was born outside the country, and since the last war the previously very strongly Anglo-Celtic population has been leavened with many 'New Australians' of other ethnic groups, particularly Italians and Greeks. Earlier policies of 'assimilation' have given way to an acceptance that ethnic groups will remain visible long after their arrival in the country, an approach currently referred to as 'multi-culturalism'. These ethnic groups have included numbers of many different refugee groups, including European Jews and White Russians (1930's and 1940's), Hungarians (1956), Czechs (1968) and Vietnamese (mid 1970's). The attitudes of Australians to information privacy, and the degree of trust they have in record-keepers, are accordingly highly varied.

Attitudes to Individual Freedoms and Social Control

Legal and political traditions are vital to an understanding of domestic privacy laws. For example, Australians have a long-standing ambivalence toward authority. They were fervent supporters of the British Empire into the 1950's, and since the Second World War most have regarded their country as a staunch ally of the United States. During recent decades they have pioneered compulsory seat-belts and random breath-testing with little protest. Yet attitudes of distrust of central authority, a cynical dislike for politics, and a love for both anarchic and republican symbols (such as the colony's convict origins, bushrangers, the Eureka Stockade flag and frequent use of the right to strike) have persisted. Despite living in one of the most strongly urbanised of all countries, Australians enjoy the 'boy from the bush' getting the better of the 'city slicker' - an image successfully and profitably projected by the recent film 'Crocodile Dundee'.

Despite the significant heterogeneity in Australian society, there have been few periods of real social unrest since the Second World War, with the Vietnam War having been the most socially divisive issue in that time. Unlike some countries, including some in its reference group, Australia has no restrictions on location of residence or employment, no system of identity cards, and no comprehensive register of people's addresses and occupations. A multitude of identity documents are used in transactions, and a recent attempt to introduce a national identification scheme foundered in the face of strong community opposition. Police have no general powers to require that a person prove his or her identity. For the most part, therefore, individual freedoms have dominated social control.

Degree of Computerisation

The sophistication of company management and public administration is clearly a factor of relevance. Australian organisations have been early adopters of new information technology products, and are sophisticated users. For example, the banking sector comprises a small number of institutions which are large by world standards, and which introduced electronic banking at a very early stage. There have been a number of innovative computing applications in the public sector, including Medicare, administered by the Health Insurance Commission, and the Department of Social Security's system. As in other countries making advanced use of information technology, there are shortages of trained staff, but standards remain high.

Constitutional Factors

The nature of the nation-state determines the framework within which each country creates new laws. Australia's federal structure provides the Commonwealth Government with specific powers, but leaves the States with considerable residual powers and responsibilities. However, the Commonwealth's powers are certainly sufficient to enable regulation of its own agencies, and are adequate to enable it to at least significantly influence practices in the private sector and in agencies of the State governments. The current Commonwealth Government certainly believed it had sufficient powers to enforce a national identification scheme irrespective of the attitudes of the States.

Common Law versus Codified Law

The nature of the legal system is also relevant. Australian law was inherited from the United Kingdom, with prior cases defining some areas of law, and being crucial to the interpretation of others. A similar line of development has been followed to that of British law, and only very recently was the last possibility of final appeal to the United Kingdom Privy Council removed. Although foreign case-law is generally no longer binding on Australian courts, decisions by courts from other common law jurisdictions are of persuasive value. Judicial decisions in other common law countries are particularly relevant to Australian cases where the legislation is based on similar sources, such as the pioneering statute of some other country, or an international instrument.

Legal and Administrative Mechanisms

The nature of courts and court procedures, and the extent to which quasi-judicial processes are used in the determination and application of administrative law, are also relevant. In common with many other common law countries, Australia has experimented with methods of dispute resolution alternative to the traditional courts. A variety of bodies and tribunals have been established since the mid-1970's to deal with administrative law, including, at the federal level, an Ombudsman, an Administrative Appeals Tribunal, and a Human Rights and Equal Opportunities Commission. Various States have Ombudsmen, Anti-Discrimination Boards, and Administrative Appeals Tribunals.

Existing Data Protection Laws

The laws of some countries had developed in such a way as to recognise some form of privacy rights. Many countries, and many states, provinces and Länder created data protection or information privacy law before the OECD Expert Group considered the matter. The extent to which such legal development has already taken place is an important factor in the consideration of law and proposals for new law.

Little Australian data protection law existed until 1988. There is no constitutional right of privacy as in the United States. A number of incidental protections for 'information privacy' potentially exist in the general law (common law and equity), in such areas as breach of confidence, negligent advice and defamation, but they have received little development by the Courts. The Commonwealth Freedom of Information Act 1982 and the Victorian and New South Wales (State) Freedom of Information Acts of 1982 and 1989 both provide individuals with a right of access to, and correction of, records held on them by the Commonwealth and Victorian Governments respectively. In New South Wales, a Privacy Committee of twelve people representing various community interests is empowered under the Privacy Committee Act 1975 as a 'privacy ombudsman' to investigate complaints of invasion of privacy against both public and private sector bodies and make recommendations. In Queensland, South Australia and Victoria there is ineffective legislation providing individuals with rights of access and correction to credit bureau files. These matters are reviewed in ALRC (1983). In late 1988, the Federal Government passed the Privacy Act, regulating the Commonwealth public sector. That Act also provided a limited control regime over private sector organisations and state government agencies, and the Government has announced its intention to extend that regime to the consumer credit reporting industry.

The Law Reform Process

When considering proposals for new or amended law, it is necessary to appreciate the mechanisms traditionally used in their development. For example, Australian courts generally avoid changing the law for policy reasons, asserting not just the primacy of Parliaments in law reform, but their exclusive responsibility for it. Given that Parliaments are better financed, and have less fettered access to know-how, this conservatism does not seem unreasonable. However, Australian Parliaments look less like sober law-making institutions than gladiatorial arenas, and tend to undertake major change in the law only sporadically. Difficult issues are referred to Law Reform Commissions, whose report is delivered years later, in a different social and political climate, often to a new Minister, and not infrequently to a subsequent Government of a different persuasion. Unsurprisingly, most of their recommendations are generally ignored.

For these various reasons, the conception of an effective framework for application in many countries is fraught with difficulties. Nonetheless, the OECD Guidelines represent a serious attempt to provide general statements at a greater level of detail, and less formally, than expressions of basic human rights.

The remainder of this paper presents the OECD Guidelines in a structured manner intended to assist in the analysis of specific laws and proposals for law. The structure comprises three parts:


4. GLOBAL ASPECTS

This section deals with aspects of the OECD Guidelines which apply generally, across all of the Principles.

4.1 Who Is To Be Regulated
The 'Data Controller'

The OECD Guidelines use the notion of a 'data controller' (G1,14, EM40,62), who "should carry ultimate responsibility for activities concerned with the processing of personal data" (EM40), and is defined as "any person who, according to domestic law, is competent to decide about the contents and use of personal data" (G1). The definition is intended to exclude service bureaux and telecommunications carriers (who are mere agents), and also 'dependent users' who have little control over any aspect other than data use. It assumes that a single natural or legal person can reasonably be held responsible for all aspects of practices relating to a given piece of information; and also that that person is the one concerned with the data's processing. This is quite unrealistic. However, "nothing in the Guidelines prevents service bureaux personnel, 'dependent users' ... and others from being held accountable" (EM62). The term is used only in the Accountability Principle.

Since it contains a compound criterion and could result in many data collections having no data controller, it is to be assumed that the explanation was intended for guidance, rather than as a serious attempt at authoritative definition. The drafters of many laws have encountered great difficulty in creating operational definitions to sheet home the responsibilities, and many attempts to define terms such as 'data controller', 'data keeper', 'record-keeper' and 'data collector' have left large loopholes.

The resolution of the problem is that each of the various principles should be complied with by the relevant organisation (e.g. collection principles should apply to anyone who collects any personal data, whether as principal or agent; and security principles should apply to any data-keeper, again whether the data is held as principal or agent). In addition, any organisation which has 'control' of personal data, in such senses as ownership rights, or power to use, disclose or dispose, also has responsibility to comply with the relevant principles, and to ensure that its agents also comply. It is strange that mechanisms which have existed in law for centuries have not been readily applied in this area of law.

Public versus Private Sector Organisations

The OECD considered restricting the scope of the Guidelines to only the public or only the private sector, but decided to cover both (G2,G5,EM44). The reason is not discussed, but it was presumably on the grounds that threats arise in both areas, and that, although somewhat different regulation may be required, the Guidelines are at a sufficient level of generalisation for the same general statement to apply to both.

4.2 Whose Data Is Protected
Natural Persons

Some national legislation restricts the scope of protection depending on the status of the data subject, in many cases seemingly accidentally. In particular:

The OECD Guidelines define 'data subject' as "an identified or identifiable individual" (implicitly only, see G1b), and other references (e.g. at EM33 and 41) are to 'individual' and 'physical persons' in an unqualified manner. It would appear therefore that the Guidelines avoid creating any unnecessary difficulties of this kind.

Legal Persons

The OECD considered whether data protection should apply not only to natural persons, but also to groups or classes of natural persons including associations, and to legal personæ such as companies and trusts (EM19c, 31-33). This was decided in favour of natural persons only, on the basis that " ... individual integrity and privacy are in many respects particular and should not be treated in the same way as the integrity of a group of persons, or corporate security and confidentiality" (EM33).

4.3 The Object of the Regulatory Scheme

The OECD considered whether there should be restrictions on the scope of coverage of data (EM19g, 41). Considerable difficulty appears to have been encountered in reaching consensus as to what types of data should be covered.

Documents, Files, Records, Data or Information

A central issue is whether the scheme deals with personal information, personal data, records of personal data, documents containing personal data, or personal data systems. Three issues require consideration:

The OECD Guidelines use a framework based on 'personal data', defined as "any information relating to an identified or identifiable individual (data subject)" (G1b). This is much less restrictive than the approach traditionally taken in Freedom Of Information statutes, which are generally restricted to 'documents'. The OECD Guidelines fail to make the conventional distinction between data and information.

Computerised Versus Manual Systems

The OECD considered restricting the scope of the Guidelines depending on whether they were (at least partly) automatic rather than entirely manual systems (G2,G3c,EM19b,34-38,41-43,45). They concluded that, "Above all, ... the principles are valid for the processing of data in general, irrespective of the particular technology employed" (EM37) and " ... the OECD Guidelines apply ... irrespective of the methods and machinery used in [the data] handling" (EM20).

The reasons canvassed for common treatment were that distinguishing between them is difficult; that many systems are partly automated and partly manual; that ongoing technological change means that many private systems are becoming automated in some sense; and that definitional problems would inevitably lead to excessively literal interpretation and the accidental creation of loopholes (EM35). The intuitively obvious explanation (that the unfair information practices from which people need protection are as much characteristic of manual as of automated systems) is not discussed.

However, making the Guidelines generally applicable would have created difficulties for countries such as France, Luxembourg and Austria (and subsequently the United Kingdom) which apply data protection only to data maintained in computer-based systems. The OECD therefore allowed that "some countries may find it appropriate to restrict the application of the Guidelines to ... automatic processing" (EM45). The Council of Europe went further, by restricting its Convention to 'any set of personal data processed in whole or in part by automatic means' (EEC, 1980, Arts.2,3).

Restrictions Based on Recording Media

The OECD considered specifying restrictions based on the nature of the recording medium, but decided against them. Unnecessary confusion can be created by referring to 'computer-readable' media. Greater difficulties still may arise from an open-ended, technology-dependent definition like "information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose" (U.K. Data Protection Act 1984 s.2, my emphasis).

Identifiability of Individuals

Privacy risks only arise where the person to whom the data relates can be identified. Data protection is needed not only where the data contains some clear identifier (such as name, supplemented in large databases by date of birth), but also where the person's identity can be established indirectly (such as by looking up an index of employee or client numbers). To cater for both of these situations, the OECD Guidelines are intended to apply to data which is relatable to 'identified or identifiable individuals' (G1b,EM41).

Sensitive Data

The OECD Guidelines apply to data which poses a danger to privacy and individual liberties (whether that danger is inherent in the data, or arises from the manner of its processing or the context in which it is used). This test is intended to exclude "data collections of an obviously innocent nature (e.g. personal notebooks)" (EM43). The term 'obvious', and the presumption that personal notebooks are necessarily innocent, seem rather naive. Perhaps it was the likely limited circulation that justified the example, and the desire for consensus that justified the general comment.

Consideration was also given to distinguishing sensitive and non-sensitive personal data (G3b,EM19a,50-51). The European approach tends to recognise some items of data as being by their very nature sensitive, whereas the U.S. privacy legislation reflects the view that sensitivity is dependent on context and use. The OECD concluded that "it is probably not possible to identify a set of data which are universally regarded as being sensitive" (EM19a).

4.4 Exemptions

The OECD considered the question of exceptions to the Principles, and concluded that they "should be as few as possible, and ... made known to the public" (G4,EM19g,EM46-7). This applies even to those relating to national sovereignty (e.g. relationships with foreign governments), national security (e.g. espionage and counter-espionage organisations) and 'ordre public', a very French phrase usually translated into English as 'public policy' (arguably as a polite euphemism for 'law and order').

The Explanatory Memorandum also contemplates additional heads, such as financial interests of the State. The extent to which international diplomacy can lead to empty statements is demonstrated by the wonderful remark that "To summarise, the Expert Group has assumed that exceptions will be limited to those which are necessary in a democratic society" (EM47).

Data protection laws in some jurisdictions contain additional exemptions which were not contemplated by the OECD, such as:

In addition, some data protection laws create extra-parliamentary mechanisms whereby additional exemptions may be created. This was also not contemplated by the OECD Guidelines.

4.5 Reasons for Adverse Decisions

The right to be given reasons for adverse decisions was a matter of difficulty for the OECD (G13,EM60). Principle 7(c) makes clear that "an individual should have the right to be given reasons if a request [for access or correction] is denied". In a particularly bold move, "broadening of this right to include reasons for adverse decisions in general, based on the use of personal data, met with sympathy by the Expert Group. However, on final consideration a right of this kind was thought to be too broad for insertion in the privacy framework constituted by the Guidelines".

4.6 Conflict of Laws

On the questions of choice of jurisdiction and of law, the OECD reached no conclusions as to the basis whereby these issues might be resolved (EM19f,74). On the surface this is a remarkable failure for an international organisation. On the other hand, the OECD's efforts were directed at defusing a potential restraint of international flow of communications, and conflict avoidance was a higher priority than conflict resolution.


5. THE PRINCIPLES

This section considers each of the OECD Principles in turn, within the context set by the previous section on global aspects.

5.1 Collection Limitation Principle
(a) What is Collected

Exhibit 5.1(a): Collection Limitation Principle - Content

OECD - Collection Limitation (and Data Quality) Principles

1. There should be limits to the collection of personal data ...

2. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

The OECD recognised that "there should be limits to the collection of personal data", but did not specify what they were. Presumably the Data Quality Principle considerations of relevance, accuracy, completeness and up-to-dateness (see section 5.2 below) were intended to be applied.

(b) The Means of Collection

Exhibit 5.1(b): Collection Limitation Principle - Means

OECD - Collection Limitation Principle

1. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means ...

(c) From Whom The Data Is Collected

Exhibit 5.1(c): Collection Limitation - Source

OECD - OMITTED

Some data protection legislation and guidelines explicitly state the preference that data be collected from the data subject except where there is a justification for collection from another source. The OECD Guidelines contain no such provision.

(d) Knowledge or Consent of the Data Subject

Exhibit 5.1(d): Collection Limitation Principle - Knowledge or Consent

OECD - Collection Limitation Principle

1. There should be limits to the collection of personal data and any such data should be obtained ... where appropriate, with the knowledge or consent of the data subject.

Although the OECD Guidelines fail to reflect the interest which an individual has in restraining the flow of data about himself, they do require that the collection be undertaken with the 'knowledge or consent of the data subject', with an open-ended and undiscussed qualification "where appropriate".

(e) Scope of the Collection Limitation Principle

Exhibit 5.1(e): Collection Limitation Principle - Scope

OECD - Collection Limitation (and Data Quality) Principles

1. There should be limits to the collection of personal data and any such data...

2. Personal data should be ...

There are no limitations on the applicability of this Principle. For example, restrictions in the Australian Act to data "collected for inclusion in a record or in a generally available publication" find no correspondence in the OECD Guidelines.

5.2 Data Quality

Exhibit 5.2: Data Quality

OECD - Data Quality Principle

2. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Rather than the more conventional term 'data integrity', the OECD refers to 'data quality'. Reasonable though that expression is, the use of a term which bears an uncertain relationship to the underlying discipline risks difficulties in using expert knowledge of information technology to interpret and apply the requirements.

The main elements of data quality or integrity are:

Data quality is a factor throughout the cycle of data collection, processing, storage, processing, internal use, external disclosure and on into further data systems. Data quality is not an absolute concept, but is relative to the particular use to which it is to be put. Data quality is also not a static concept, because data can decay in storage, as it becomes outdated, and loses its context. Organisations therefore need to take positive measures at all stages of data processing, to ensure the quality of their data. Their primary motivation for this is not to serve the privacy interests of the people concerned, but to ensure that their own decision-making is based on data of adequate quality. There are, however, many circumstances in which the two interests coincide quite closely.

The OECD Data Quality Principle is not constrained in time, but requires data quality to be maintained throughout the cycle of collection, storage, use and dissemination. It explicitly refers to relevance, accuracy, completeness and up-to-dateness as the heads of data quality. Although the OECD Principle contains no mention of destruction, the matter is discussed in the Explanatory Memorandum: " ... when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form. The reason is that control over data may be lost when data are no longer of interest; this may lead to risks of theft, unauthorised copying or the like" (EM54).

5.3 Purpose Specification

Exhibit 5.3: Purpose Specification

OECD - Purpose Specification Principle

3. The purposes for which personal data are collected should be specified not later than at the time of collection {and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose}.

OECD Principles 3 and 4 contain a clumsy piece of drafting. For OECD 3 to correspond to its title, the second half, commencing "and the subsequent use limited ..." should have been moved into OECD 4. This paper treats OECD 3 and 4 as if they were worded that way.

It is probable that the OECD intended only that the purposes be 'specified in writing' (such that they could be communicated on any future occasion when they became an issue) rather than being necessarily 'specified to the data subject' (EM54). The impact of this excessive requirement is then mitigated by the clause "unless that purpose is obvious". Such 'obvious' (and therefore unspecified) purposes represent a loophole of the same kind, if not the same magnitude, as the infamous 'routine uses' provision of the U.S. Privacy Act 1974.

The principle applies to all data collected, whether from the data-subject himself or otherwise.

5.4 Use Limitation

This section treats OECD Principle 4 as though it included the second part of OECD Principle 3.

(a) Control Against Original Purposes

Exhibit 5.4(a): Use Limitation - Control Against Purpose

OECD - Use Limitation Principle

4. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] {or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose} ...

The basic uses the OECD Guidelines envisage are for the purposes specified, including related purposes and subsequently specified purposes which are 'not incompatible with' the original purposes.

(b) Exceptions

Exhibit 5.4(b): Use Limitation - Exceptions

OECD - Use Limitation Principle

4. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] {or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose} except:

The OECD envisages exceptional use of data being restricted to two circumstances:

A variety of additional exceptions are to be found in legislation in a variety of jurisdictions, including:

(c) The Mechanism of Disclosure

Exhibit 5.4(c): Use Limitation - Mechanism

OECD - OMITTED

In practice, procedures need to be specified in such a way as to ensure:

The OECD Guidelines do not specify such matters, nor even mention the need for care in the processes of disclosure.

5.5 Security Safeguards

Exhibit 5.5: Security Safeguards

OECD - Security Safeguards Principle

5. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

The OECD provides an explicit list of dangers against which personal data is to be safeguarded.

5.6 Openness

Exhibit 5.6: Openness

OECD - Openness Principle

6. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

The Openness, or Public Participation, Principle was considered by the OECD "as a prerequisite for the Individual Participation Principle" (EM57). Its function is to provide information to both existing and potential data-subjects of record systems such that, if they consider features of them to be undesirable or dangerous, they can seek, through the appropriate legal or (more likely) political channels, to have controls imposed. The OECD Principle requires openness about the existence and nature of data, and the manner in which it is processed and used. It contains a surprising (and perhaps accidental) qualification whereby only the 'main' purposes need to be disclosed.

5.7 Individual Participation
(a) The Right of Subject Knowledge of the Existence of Data

Exhibit 5.7a: Individual Participation - Knowledge

OECD - Individual Participation Principle

7. An individual should have the right:-
(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him ...

This Guideline recognises that the data subject needs to know whether data exists, even if he has no access to it. This is important because otherwise his ability to exercise his appeal rights would be negated.

(b) The Right of Subject Access to Data

Exhibit 5.7b: Individual Participation - Access

OECD - Individual Participation Principle

7. An individual should have the right:-

"The right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard. ... [T]he Expert Group ... has chosen to express it in clear and fairly specific language" (EM58).

(c) The Mechanism of Subject Access

Exhibit 5.7c: Individual Participation - Mechanism of Access

OECD - Individual Participation Principle

7. An individual should have the right:-
...

(b) to have communicated to him, data relating to him
(i) within a reasonable time;
(ii) at a charge, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is readily intelligible to him; ...

The OECD identifies areas in which standards must be set as to the manner in which access is to be provided.

(d) The Right of Challenge, and Provision of Reasons for Refusal

Exhibit 5.7d: Individual Participation - Rights Concerning Refusal

OECD - Individual Participation Principle

7. An individual should have the right:-
...

(c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; .....

The OECD states the clear requirement that some form of appeal is to exist against a refusal to allow access, and, to facilitate that appeal, that reasons for the refusal are to be given.

(e) Subject Challenge to Data

Exhibit 5.7e: Individual Participation - Challenge to Data

OECD - Individual Participation Principle

7. An individual should have the right:-
.....
(d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

OECD Principle 7 expressly provides for challenge by the individual of the data held, but leaves open the basis whereby a challenge would be judged.

It can be argued that this Guideline uses unnecessarily confrontationist language, such as 'challenge', 'erasure', 'rectification' and 'correction', and that non-judgmental terms such as 'request for change' and 'alteration' would be preferable, since many disputes are at heart matters of opinion rather than fact.

5.8 Accountability

Exhibit 5.8: Accountability

OECD - Accountability Principle

8. A data controller should be accountable for complying with measures which give effect to the principles stated above.

This 'Principle' is procedural, representing an exhortation to law reformers to sheet home responsibilities to identifiable individuals. It is arguably deficient, since some responsibilities are logically the direct responsibility of a data-collector or data-keeper, and hence, depending on the circumstances, it is more sensible for a data-controller's responsibility to be limited to that of a principal exercising appropriate control over his agent.


6. CONTROLS OVER SYSTEM PURPOSES

There is one respect in which the OECD Guidelines do not provide effective protection for information privacy. Rule et al (1980) claim that the 'official response' of Governments to the public demand for data protection regulation has been dominated by what they call the 'efficiency criterion':

In [the conventional] view, the drawbacks of surveillance systems are not inherent in their nature, but lie in their failure to work 'correctly'. And 'correctly' in this context means 'efficiently' from the standpoint of the long-term interests of the organisation. (p. 69)

By this ['efficiency'] criterion, surveillance is considered acceptable provided that four conditions are met:

By these criteria, organisations can claim to protect the privacy of those with whom they deal, even as they demand more and more data from them and accumulate ever more power over their lives. From the standpoint of surveillance organisations, this is a most opportune interpretation of 'privacy protection' (p. 71, my emphasis).

The effectiveness of data protection principles is heavily dependent on the purposes for which the personal data are maintained. If data protection is to be effective, these purposes need to be decided taking into account not just the interests of the data-keeper, but also those of the individual, and society as a whole. This means that, in addition to internal, 'efficiency' criteria, external or 'political' criteria are needed.

Yet the OECD Guidelines provide neither for oversight of the purposes of personal data systems, nor for disallowance of purposes. Indeed, as Rule observes, such a provision is uncommon (see, however, NSWPC 1977, whose Guidelines are not legally enforceable, and, with qualifications, the Swedish Data Act 1973). As a result of this lack of oversight, organisations can define for themselves their 'functions or activities', and the purposes of their data, subject only to the very remote constraint of not acting outside the law or ultra vires (Greenleaf and Clarke 1986). Much of the failure of the U.S. Privacy Act can be traced back to the token nature of control over uses.

There is nothing to prevent so broad a definition of purpose that virtually any data is 'relevant'. For example, the creation of one central bureau for the purpose of gaining a complete picture of a person's socio-economic history and status, e.g. by pooling financial, tenancy, employment, education, medical, insurance and criminal data, is not contrary to the Principles. As a result, data protection legislation represents no protection whatsoever against the brisk development of data surveillance (Clarke 1988).

The OECD Guidelines require a 'general policy of openness' about various matters including the purposes of personal data, and thereby provide the possibility for informed debate. However, they are seriously undermined by the assumption that the purposes to which organisations put personal data are not an information privacy issue.


7. ENFORCEMENT AND REGULATION MECHANISMS

The OECD left the approach to regulation and enforcement almost entirely at the discretion of each Member country, although it did suggest that self-regulation may be appropriate in common law countries (G19,EM5,19d-e,69-70). Matters considered included:


8. CONCLUSIONS

The language of the OECD Guidelines is intentionally general, in order to cope with the distinctly different legal systems and cultural values of the Organisation's members. A further difficulty with them is that they contain one major and several minor deficiencies, and hence the framework for data protection laws or information privacy regulation which they provide is not quite complete.

This paper has analysed and slightly deepened and extended the framework of the OECD Guidelines, in order to deal with these difficulties. The resulting framework has been used as a template against which a number of distinctly different statutes and guidelines have been assessed (Clarke 1987, 1989). On the basis of these assessments, it is tentatively concluded that this template is suitable as a basis for the analysis of substantive law and proposals for law in particular jurisdictions, and for the comparison of the laws of different jurisdictions.


Bibliography

ALRC 'Report No.22: Privacy' Australian Law Reform Commission, Elizabeth St, Sydney NSW 2000, 1983 (3 vols.)

Clarke R.A. 'The Impact on Practitioners of the A.L.R.C.'s Information Privacy Proposals' Aust. Comp. J. 17,2 (May 1985)

________ 'Just Another Piece of Plastic for Your Wallet: The Australia Card Scheme' Prometheus 5,1 (June 1987) 29-45

________ 'Assessment of the Berner Kantonaler Datenschutzgesetz' Working Paper (12 pp.), December 1987, available from the author

________ 'Information Technology and Dataveillance' Commun. ACM 31,5 (May, 1988)

________ 'The Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines' Working Paper (69 pp.), June 1989, available from the author

EEC 'Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data' Brussels 1980

Greenleaf G.W. & Clarke R.A. 'Database Retrieval Technology and Subject Access Principles' Aust. Comp. J. 16,1 (Feb 1984)

________ 'Aspects of the Australian Law Reform Commission's Information Privacy Proposals' J. of Law & Info. Sc. 2,1 (August 1986)

HEW 'Records, Computers and the Rights of Citizens' Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Dept. of Health, Education and Welfare (now Health and Human Services), MIT Press, 1973

ICCPR 'International Covenant on Civil and Political Rights' United Nations, 1966

Lindop N. 'Report of the Committee on Data Protection' U.K. Cmnd 7341 H.M.S.O. London 1978

Morison W.L. 'Report on the Law of Privacy' Govt. Printer, Sydney 1973

NSWPC 'Guidelines for the Operation of Personal Data Systems' New South Wales Privacy Committee, Sydney, 1977

OECD 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' OECD, Paris, 1980

OTA 'Federal Government Information Technology: Electronic Record Systems and Individual Privacy' Office of Technology Assessment, U.S. Congress, OTA-CIT-296 (June 1986)

PPSC 'Personal Privacy in an Information Society' Privacy Protection Study Commission, U.S. Govt. Printing Office, Washington D.C., 1977

Rule J.B., McAdam D., Stearns L. & Uglow D. 'The Politics of Privacy' New American Library 1980

Westin A.F. 'Privacy and Freedom' Atheneum 1967

Westin A.F. & Baker M.A. 'Databanks in a Free Society: Computers, Record-Keeping and Privacy' Quadrangle 1974

Younger K. 'Report, Committee on Privacy' U.K. Cmnd 5012 London 1972


Major National Legislation

Australia

Constitution

Freedom of Information Act 1982

Privacy Act 1988

Austria

Data Protection Act 1978

Canada

Access to Information Act 1982, Privacy Act 1982

Denmark

Private Registers, Etc., Act 1978, Public Authorities Registers Act 1978

France

Act 78-17 of 6/1/78 on Data Processing, Data Files and Individual Liberties

Iceland

Act 63/1981 respecting Systematic Recording of Personal Data

Israel

Protection of Privacy Law 1981

Luxembourg

Act of 31/3/79 regulating the use of Nominal Data in Computer Processing

New Zealand

Wanganui Computer Centre Act 1976

Official Information Act 1982

Norway

Act of 9/6/78 relating to Personal Data Registers

Sweden

Data Act 1973

United Kingdom

Data Protection Act 1984

United States

Constitution and First, Fourth and Fifth Amendments

Freedom of Information Act 1972

Privacy Act 1974


Acknowledgements

The assistance of my colleague Graham Greenleaf, of the Law Faculty at the University of N.S.W. in Sydney was very important in the preparation of this paper. The research was partly funded by the Faculties Research Fund of the Australian National University.


Last Amended: 28 August 1997
