
OECD Principles

The OECD principles outline rights and obligations for individuals and organizations regarding automated processing of personal data. Established in 1980, the principles include collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. While non-binding, they form the basis of many privacy laws and are aimed at protecting privacy and liberties with advances in information technology. India currently lacks comprehensive data protection legislation, though the government recognizes the need to establish rules aligned with European standards to facilitate international data transfers and outsourcing.

Uploaded by

Sami

OECD Principles-Privacy

Basic ideas about privacy protection emerged in the 1970s, dating back to the advent
of the "Information Society" and the introduction of computers into various areas of
economic and social activity. During this time period, there was a growing public
perception that the greater need for information, and the proliferation of computerized
systems, would result in a reduction in the power of individuals to control the personal
information collected and stored about them. Computers were seen as a technology
for processing large amounts of data quickly and cheaply and as a technology which
concentrated enormous power in the hands of computer specialists and data
processing managers. The combination of computer technology and
telecommunications was already holding out the prospect of complex information and
communications networks at the national and international level.

In the 1970s the Member Countries of the OECD reached a consensus on issues
related to the protection of privacy to promote the free flow of information across
their borders and to prevent legal issues related to the protection of privacy from
creating obstacles to the development of their economic and social relations. To this
end, the OECD Council on September 23, 1980, adopted the Privacy Guidelines. The
Guidelines were intended to form the basis of legislation in the organization's
Member States.

At the core of the Guidelines is a set of eight principles to be applied to both the
public and private sectors: (1) the collection limitation principle, (2) the data quality
principle, (3) the purpose specification principle, (4) the use limitation principle, (5)
the security safeguards principle, (6) the openness principle, (7) the individual
participation principle and (8) the accountability principle. The OECD Guidelines are
not legally binding on Member States. However, the Guidelines have been widely
accepted and form the cornerstone of fair information practices designed to protect
personal information around the world. The Canadian Federal Government affirmed
its commitment to the OECD Guidelines in 1984. Rather than pass legislation
applying these guidelines to the federally regulated public sector, the Federal
Government committed itself to encouraging private sector corporations to develop
and adopt voluntary privacy protection codes based upon the OECD Guidelines.

The OECD principles identified in the Guidelines outline the rights and obligations of
individuals in the context of automated processing of personal data, and the rights and
obligations of those who engage in such processing. The Guidelines apply to personal
data, whether in the public or private sectors, which pose a danger to privacy and
individual liberties because of the manner in which they are processed, or because of
their nature or the context in which they are used. The core OECD privacy principles
are as follows:

Collection Limitation Principle: There should be limits to the collection of
personal data and any such data should be obtained by lawful and fair means
and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle: Personal data should be relevant to the purposes for
which they are to be used, and, to the extent necessary for those purposes,
should be accurate, complete and kept up-to-date.

Purpose Specification Principle: The purposes for which personal data are
collected should be specified not later than at the time of data collection and the
subsequent use limited to the fulfilment of those purposes or such others as are
not incompatible with those purposes and as are specified on each occasion of
change of purpose.

Use Limitation Principle: Personal data should not be disclosed, made available
or otherwise used for purposes other than those specified in accordance with
[the Purpose Specification Principle] except: (a) with the consent of the data
subject; or (b) by the authority of law.

Security Safeguards Principle: Personal data should be protected by reasonable
security safeguards against such risks as loss or unauthorised access,
destruction, use, modification or disclosure of data.

Openness Principle: There should be a general policy of openness about
developments, practices and policies with respect to personal data. Means
should be readily available of establishing the existence and nature of personal
data, and the main purposes of their use, as well as the identity and usual
residence of the data controller.

Individual Participation Principle: An individual should have the right: a) to
obtain from a data controller, or otherwise, confirmation of whether or not the
data controller has data relating to him; b) to have communicated to him, data
relating to him within a reasonable time; at a charge, if any, that is not
excessive; in a reasonable manner; and in a form that is readily intelligible to
him; c) to be given reasons if a request made under subparagraphs (a) and (b) is
denied, and to be able to challenge such denial; and d) to challenge data
relating to him and, if the challenge is successful to have the data erased,
rectified, completed or amended.

Accountability Principle: A data controller should be accountable for
complying with measures which give effect to the principles stated above.

DATA PROTECTION POSITION IN INDIA

There is no separate data protection legislation in our country. The National Task Force on
Information Technology and Software Development had submitted an ‘Information
Technology Action Plan’ to the Government in July 1998.

In May 2000, the Information Technology Act of 2000 was passed by the Legislature
providing for a comprehensive regulatory environment for e-commerce.

Section 2(1)(o) of the IT Act defines ‘data’ as a ‘representation of information,
knowledge, facts, concepts or instructions which are being prepared or have been
prepared in a formalised manner, and is intended to be processed, is being processed or
has been processed in a computer system or computer network, and may be in any form
(including computer printouts magnetic or optical storage media, punched cards, punched
tapes) or stored internally in the memory of the computer’.

Section 43 Explanation (ii) defines ‘computer database’ as ‘a representation of
information, knowledge, facts, concepts or instructions in text, image, audio, video that
are being prepared or have been prepared in a formalised manner or have been produced
by a computer, computer system or computer network and are intended for use in a
computer, computer system or computer network’.

The IT Act also provides for civil and criminal liabilities for violation of data protection
couched in the term ‘cyber contravention’ as section 43 carries an exhaustive list of
penalty for damage to computer, computer system etc. Sub-section (b) stipulates that if any
person downloads, copies or extracts any data, computer database or information from
such computer, computer system or computer network including information or data held
or stored in any removable storage medium. Section 72 deals with the issue of breach of
confidentiality and privacy. It provides that a person who has access to confidential
information under the powers conferred on him under the Act and discloses such
information can be punished with imprisonment for up to two years or a fine of Rs. 1 lakh
or both. The scope of the section is limited as interception of confidential information has
been left untouched.

The Indian government is well aware of this issue and, in an attempt to overcome the
problem, the Indian Department of Information Technology announced in June 2003 its
plans to pass a Data Protection Act in line with the EU requirements. A bill is being
drafted jointly by the Department of Information Technology and the National
Association for Software Service Companies (NASSCOM), which is India’s main trade
association for the IT industry.

The aim is to allow India to be officially designated by the European Commission as a
country that can be assumed to ensure an adequate level of protection. This would clear
the path for any data processing operations involving personal data originated in the EU
to be carried out by India-established companies, as they would have to meet the same
requirements as EU-based companies. However, the procedure to determine whether a
third country is safe from a data protection perspective is rather cumbersome and
bureaucratic.

EU law in particular restricts businesses transferring data to countries with weak privacy
protection, and with Indian IT wage costs rising – albeit still far behind those in the US
and Europe – India wants to eliminate reasons for potential customers to outsource
elsewhere. European firms are severely restricted in terms of the Data Protection
Directive of 1995 as to what data can be transferred or stored in countries without
equivalent rules and enforcement procedures. At present, India has no such regulations,
and relies on individual contracts negotiated between the main company and the Indian
outsourcing contractor to address the data protection issues.
