The Organization for European Economic Cooperation was originally formed in 1948 to oversee aid for reconstructing Europe. It was later reconstituted as the Organization for Economic Cooperation and Development (OECD) in 1960. The convention signed in Paris became effective on Sep 30, 1961. This international intergovernmental organization has experience of over 60 years of collaborating with citizens, stakeholders, and policy-makers to establish standards and solve environmental & social problems. OECD has 38 member countries, including the United States, Canada, Mexico, United Kingdom, Germany, France, Italy, Spain, New Zealand, and Japan, with the latest addition being Costa Rica in 2021. It collaborates with the governments of these countries to contribute to sustainable economic growth, economic expansion in member & non-member countries, and development of world trade, among several other causes. It functions with the support of the monetary contributions of the member countries.
The OECD decision-making body, known as the Council, has representatives (usually ambassadors) from the EU and all the member countries. On September 23, 1980, on the recommendation of the OECD Council, the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the Privacy Guidelines) were adopted; they were later amended on July 11, 2013.
Purpose & Scope
These guidelines are the first internationally accepted data protection principles that enable the protection of personal data in the digital age as information technology integrates more rapidly into social and economic life and computerized data becomes more significant than ever before. These guidelines demonstrate the commitment of the member countries to protect individuals’ data during the transborder flow of information, focusing on data quality, security, and accountability.
Applicable to businesses of member countries in the private and public sectors processing personal data, these guidelines serve as the minimum standards aimed at protecting privacy and individual liberties. However, federal countries are not obligated to comply with these guidelines beyond constitutional competence. These are divided into five (I-V) parts that specify the guidelines’ purpose, define the relevant terms, and explain the principles of national & international application, means of implementation of these principles, and matters of mutual assistance among member countries.
Like most privacy laws, the OECD guidelines define ‘personal data’ as information relating to an individual (a physical person) who is directly or indirectly identifiable. The ‘data controller’ is defined as the party carrying the ultimate responsibility for the processing of personal data, irrespective of who collects, stores, shares, or processes it. It could be an agency, a public authority, a legal or natural person, or any other body. The entities excluded from the definition of data controller, as listed in the OECD guidelines (Section B. Detailed Comments, Paragraph 1, Definitions), include:
- Data processing service bureau
- Telecommunications authorities and similar entities
- Licensing authorities that have no power to decide the activities and purposes of the data processing they license
- Dependent users who have access to data but no authorization to make decisions about it, such as selecting who may use the data
Part II of the OECD privacy guidelines, Basic Principles of National Application, outlines the fundamental principles that member countries should adopt to regulate and protect the processing of personal data from the collection stage through to disposal. The principles are:
- Collection Limitation Principle: The collection of personal data should be fair and lawful and, wherever appropriate, done with the consent of the data subject (individual). Consent is not necessary for situations like criminal investigations or routine updates of mailing lists. This principle also applies to data subjects who are minors, mentally disabled, or in similar cases and are represented by a third party.
- Data Quality Principle: Personal data should be complete, accurate, and kept up to date. It should also be necessary for and relevant to the purposes for which it is collected. Historical data may be collected or retained for archival activities and for social and historical research.
- Purpose Specification Principle: The purpose of data collection should be specified no later than at the time of collection and again whenever that purpose changes. The use of the data should be compatible with the purpose for which it was collected. Because retained data is exposed to unauthorized duplication, theft, and similar risks, data that is no longer of interest or no longer serves its purpose should be erased, destroyed, or anonymized. For data minimization, the use of software like BitRaser File Eraser is recommended to destroy unnecessary redundant, obsolete, and trivial (ROT) data while maintaining proof of data destruction. Certificates of destruction serve as an audit trail and help in achieving compliance with the OECD data privacy guidelines.
- Use Limitation Principle: Unless given consent by the data subject or authorization by the law, the personal data should not be used, disclosed, or made available for unspecified purposes.
- Security Safeguards Principle: Reasonable security safeguards should be applied to protect personal data against loss and against unauthorized access, destruction, use, modification, or disclosure. The safeguards include physical measures, like ID cards; organizational measures, like access privileges; and informational measures, like enciphering.
- Openness Principle: A general policy of openness about developments and practices relating to personal data should be established. Along with the identity and usual residence of the data controller, means should be made available to establish the existence and nature of personal data and the purposes for which it is used.
- Individual Participation Principle: An individual should have the right:
  - to obtain confirmation of whether the data controller, or some other entity, holds data relating to them;
  - to have that data communicated to them in an intelligible form, within a reasonable time, and at a reasonable charge;
  - to be given reasons if a request under the above is denied, and to challenge such a denial;
  - to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
Note: Organizations looking to comply with the OECD privacy guidelines can use the BitRaser File Eraser Network edition to permanently erase the personal data of individuals on request from the company network with a single click.
- Accountability Principle: Compliance with the principles above is the responsibility of the data controller, even if the processing is carried out by a third party.
The OECD Basic Principles of International Application: Free Flow and Legitimate Restrictions are covered under Part III. These principles promote the exchange of personal data across borders among member countries, subject to certain restrictions in the public interest. The key points are:
- The member countries should take into account the consequences of domestic processing and re-export of personal data on other member countries.
- The member countries should take all the appropriate and reasonable steps to ensure secure and uninterrupted transborder flows of personal data, including transit through a member country.
- A member country should not restrict transborder flows of personal data to another member country unless the latter does not yet substantially observe these guidelines or the re-export of the data would circumvent its domestic privacy legislation. A member country may also impose restrictions on certain categories of personal data for which its domestic privacy legislation includes specific regulations owing to the nature of that data, where the other member country does not provide equivalent protection.
- The member countries should avoid developing laws, policies, and practices in the name of protecting privacy and individual liberties that would hinder the transborder flow of personal data beyond what such protection requires.
Part IV of the OECD privacy guidelines, National Implementation, states that member countries should establish legal, administrative, or other procedures or institutions to protect privacy and individual liberties, in order to implement the principles set forth in Parts II and III. The member countries should aim to:
- Adopt suitable domestic legislation.
- Support and encourage self-regulation with the help of a code of conduct or other forms.
- Provide reasonable means of exercising rights to individuals.
- Provide adequate sanctions and remedies in cases of non-compliance with the principles in Parts II and III.
- Avoid any unfair discrimination against individuals or data subjects.
Part V of the OECD privacy guidelines, International Cooperation, covers mutual assistance among member countries through information exchange and through refraining from national procedures that are incompatible with those of other member countries, in order to protect personal data. The following points sum up the significance of this part:
- On request, member countries should make known to other member countries the details of their observance of the principles set forth in these guidelines. Member countries should also ensure that their procedures for protecting privacy and individual liberties and for transborder flows of personal data are simple and compatible with those of other member countries that comply with these guidelines.
- Procedures should be established by member countries to enable information exchange pertaining to these guidelines, and mutual assistance should be provided in procedural and investigative matters.
- The member countries should contribute to the development of domestic and international principles.
Conclusion
The OECD member countries unite on the principles of open market economies, pluralistic democracy, and respect for human rights. The guidelines on privacy and personal data protection recommend that businesses collect only limited data, in a fair and lawful manner, and only what is necessary for the purpose of processing. Unless permitted by law, or where the data is required for purposes like historical research, data controllers in member countries are obligated to inform data subjects about the collection of their data. Businesses should retain personal data only for as long as it serves its purpose, and should then destroy or erase it using professional data wiping tools.