Australia's 'APEC Privacy Initiative'

The two following documents are first drafts by Mr Peter Ford, First Assistant Secretary of the Information and Security Law Division, Federal Attorney General's Department, Australia
They were presented to an APEC working group in March 2003, and are available here only for the purposes of private work and study, and should not be disseminated - Graham Greenleaf

    Version 1


    [OECD Privacy Principles with amendments as shown - THIS VERSION ONLY SHOWS THE AMENDMENTS, NOT THE 'STRUCK THROUGH TEXT]

    1. Collection limitation

    There should be limits to the collection of personal information[1] and any such information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the person whose information is collected[2].

    Alternative: 1.1 Organisations should only collect personal information that is necessary for what they do.

    1.2 Organisations should only collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the person whose information is collected.

    2. Quality of collections of personal information

    Any collection of personal information should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

    3. Purpose Specification

    3.1 Organisations should tell people whose information they collect who they are and what they intend to do with the information collected.

     3.2 Personal information should not be used for any purpose which is inconsistent with the purposes for which it has been collected.

    4. Use Limitation

    Personal information should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:

     a) with the consent of the person whose information is collected; or

     b) by the authority of law.

    5. Security Safeguards

    Personal information should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

    6. Openness

    There should be a general policy of openness about developments, practices and policies with respect to personal information. Means should be readily available of establishing the existence and nature of personal information collections, and the main purposes of their use, as well as the identity and usual residence of any person who collects or holds personal information.

    7. Individual Participation

    An individual should have the right:

     a) to obtain from any other person or organisation confirmation of whether or not that person or organisation has information relating to him or her;

     b) to have communicated to him or her, personal information relating to him or her

  •  within a reasonable time;
  •  at a charge, if any, that is not excessive;
  •  in a reasonable manner; and
  •  in a form that is readily intelligible to him or her;

  • c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
    d) to challenge the accuracy of records relating to him or her and, if the challenge is successful to have the records erased, rectified, completed or amended.

    8 Accountability

    A person or organisation who holds or collects personal information should be accountable for complying with measures which give effect to the principles stated above.


    (Version 1)

    [Comments are sought on the following options.]


    Option 1 - Adherence by economies to statement of principles
    The procedure under this option would be for those economies which wished to implement the principles, or considered that they already implemented them, to make this fact known to other member economies. This is the least ambitious option. Other economies would decide unilaterally what significance they would attach to such a declaration. In some cases, domestic law may require some assessment of privacy protection measures in other economies where personal information is to be transferred across national borders.

    Option 2 - Self-certification by economies; compliance by business with national laws
    Economies would certify by some formal procedure that their law complies with the principles and a record would be kept by the Secretariat of economies which had certified to this effect. A certification would be accepted by other economies as a basis upon which personal information could be transferred across national borders. Companies would continue to be bound by the laws of the economies in which they are resident and in which they do business.

    Option 3 - Self-assessment by economies coupled with peer review
    Procedures would be developed with reference to those of the Financial Action Task Force but not involving the power to declare that any economy is not in compliance. The relevance of the Financial Action Task Force procedures would be to serve as a basis upon which self-assessment and peer review methodologies might be developed. A description of those procedures can be obtained if required.

    Option 4 - Development of internal binding codes by global companies
    This approach would enable global companies and multinational groups to develop codes which would be recognised throughout the region, and perhaps globally, as complying with the principles. It would require some assessment procedure involving supervisory authorities. Important contributors to work in this area would be those companies who have been working on global codes of practice.

    Option 5 - Development of guidelines for protecting privacy across borders
    This approach would be directed towards the development of a framework to facilitate cooperation between supervisory bodies in different economies. It could be adopted in combination with option 4. In this context, it would be useful to develop guidance on how authorities in member economies could co-operate to ensure compliance with codes and thereby give assurance of their effectiveness in a cross-border context.

    [any other options?]

    [1] I have preferred the term 'personal information' to 'personal data' and have also substituted other terms for 'data subject' and 'data controller' which seem inappropriate in the context of the Internet.

    [2] This term refers to the person to whom the information relates.