navi navi navi navi
 
 
Main Menu
 Home
 About
 e-Biz Concepts
 Publications
 Database
 Experts
 News
 Contact

spacer
 
european flag - link to EC website
  The e-Business [email protected] is an initiative of the
European Commission
Enterprise Directorate General
E-business, ICT industries and services.

spacer
 
Logo_e-bsn.org
  The European e-business policies portal - a one-stop-shop, on-line environment for all European e-business initiatives.

spacer
 
Logo_ebusinesslex.net
  The eBusiness legal portal offers information on all legal aspects of e-business, in particular for small and medium-sized enterprises (SMEs).

spacer
 
Logo_emarketservices.com
  eMarket Services: a guide to B2B e-markets, co-funded by the the EC / DG Enterprise.

spacer
 

Technical Administration of the Web Site    

Help for using the OECD Privacy Generator

 

Technical notes on using the Generator 

The OECD Privacy Generator is a questionnaire that is a tool to help you to advertise your privacy policy on the Web site(s) of your organisation by generating a Web page (in HTML format). This Web page can be downloaded when you complete the Generator questionnaire and reflects the answers you provide. After appropriate modifications, the Web page can be included on your organisation's Web site(s).

The questionnaire begins by a Login page, permitting you to indicate which task you want to achieve:

  • Create a new Statement, for which you will be given a Statement ID and asked for a Password.
  • Modify an existing Statement by giving its Statement ID and Password.
  • Delete an existing Statement by giving its Statement ID and Password.

During Statement creation or modification, you will be asked a series of questions that you should answer based on your own organisationís practices in relation to privacy. These questions are grouped into 11 sections which you can access through the Back and Next button available at the bottom of each page.

The Next button also saves the current page. For this reason, it is important to click the Next button to ensure that the contents of the current page will not be lost.

A Help button is provided at the beginning of each section. It provides a link to full and detailed guidance on the questions in the section. Each Help Section is in two parts; the first provides an explanation of the relevant OECD Principle, and the second provides further guidance through hyperlinks on specific terms in the questions. Reading the relevant Help section before attempting to answer the questions of a given section will ensure that you understand the question correctly and are able to answer in a way that accurately reflects your privacy practices.

The Generator keeps the answers you have given to questions in any page of the questionnaire permanently, thereby making it possible to modify or delete them later or at any time. To do so, you simply have to keep the Statement ID and the Password you gave when creating the Policy. Ensure that you only use the Next and Back buttons located at the end of each page of the Generator to navigate between questionnaire pages, as the Generator validates and stores the answers during these steps.

Note: Unless you delete it, the information you provide and the answers you give will be kept on the OECD server to allow you to return to and modify your draft statement. However, the OECD will not access or use such information and answers for any purpose.

At the end of most pages of the questionnaire a Preview button appears. Clicking on this button will enable you to view the draft privacy statement generated from the responses that you have given. The privacy statement will appear in a new window. After viewing the Preview page you should close the window to return to the questionnaire.

Note: The draft privacy statement generated by the preview function will not include the responses from the current page, unless the contents of the page have been saved by clicking the Next button.

At the end of the questionnaire, you will be able to download your Draft Privacy Statement produced by the Generator by clicking on the "Download Statement" button :

  • Choose the Save As option in the download option windows of your browser.
  • Change the name of the page as an appropriate HTML page (with .htm or .html suffix).
  • Choose a location to save the Statement file.
  • Click on the OK button.

Additional notes

If the Generator is left inactive for a period of four hours, you will have to re-enter your login details in order to access the answers you have entered, and all unvalidated answers will be lost.

The Generator uses session (also called temporary) cookies to maintain the link between the user and the OECD server during the use of the Generator. This cookie is not permanently stored on your computer and is not used to store any information related to the user. Be sure that your Internet browser is configured to accept (at least temporary) cookies.

When creating a new Statement, the Generator asks you for a password so that other users cannot access your information. Be sure not to leave a blank password, which would allow other users to access your statements. The OECD server does not use a secure connection for the Generator. Network traffic between the user and the OECD server is not encrypted.  

During 2001/2002, the OECD would like to undertake research into the use of Generator in order to identify any difficulties that users have experienced when using this tool. If you would like to participate in that research, would you please e-mail your contact details to: mailto:[email protected].

Credits and Acknowledgements

The OECD would like to thank those who sponsored the technical development of the OECD Privacy Policy Statement Generator: the Chief Data Protection Officer of DaimlerChrysler AG, Microsoft Consulting Services (MCS) France, Microsoft bCentral and Microsoft Europe.

Thanks also to the OECD's Business and Industry Advisory Committee (BIAC) for contributing to the development of the project and for recruiting companies to test the Generator.

The OECD is grateful to Data Protection Commissioners (particularly those of Canada, Hong Kong, China, New Zealand and the United Kingdom), and consumer groups and consumer protection experts, particularly Canada's Public Interest Advocacy Centre and Denmark's Consumer Council for their advice and input.

The OECD also acknowledges the assistance, in the initial stage of producing the Generator, of the privacy wizards being developed by TRUSTe, AT&T and the DMA.

The Privacy Principles of the OECD Privacy OECD Privacy Guidelines

To access the full text and explanatory memorandum, please click here

Collection Limitation Principle

"There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject". [Please see paragraph 7 of the OECD Privacy Guidelines and paragraphs 50 - 52 of the Explanatory Memorandum].

Data Quality Principle

"Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date".   [Please see paragraph 8 of the OECD Privacy Guidelines and paragraph 53 of the Explanatory Memorandum].

Purpose Specification Principle

"The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose".   [Please see paragraph 9 of the OECD Privacy Guidelines and paragraph 54 of the Explanatory Memorandum].

Use Limitation Principle

"Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 [Purpose Specification Principle] of the OECD Privacy Guidelines except:
a) with the consent of the data subject; or b) by the authority of law".  [Please see paragraph 10 of the OECD Privacy Guidelines and paragraph 55 of the Explanatory Memorandum].

Security Safeguards Principle

"Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data".  [Please see paragraph 11 of the OECD Privacy Guidelines and paragraph 56 of the Explanatory Memorandum].

Openness Principle

"There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the Data Controller".   [Please see paragraph 12 of the OECD Privacy Guidelines and paragraph 57 of the Explanatory Memorandum].

Individual Participation Principle

"An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended".

[Please see paragraph l3 of the OECD Privacy Guidelines and paragraphs 58-61 of the Explanatory Memorandum].

Accountability Principle

"A Data Controller should be accountable for complying with measures which give effect to the principles stated above".  [Please see paragraph 14 of the OECD Privacy Guidelines and paragraph 62 of the Explanatory Memorandum].

Personal Data
"Personal data" under the OECD Privacy Guidelines is a very broad expression, which means " any information relating to an identified or an identifiable individual (data subject) ". It would include any kind of information once linked with an individual.

Openness
According to the OECD Privacy Guidelines "openness" means that "there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the Data Controller".

Information about your Organisation and your Web Site

Providing visitors to your Web site with information about your organisation, and in particular about the legal entity which controls the processing of personal data, is consistent with the Openness Principle in the OECD Privacy Guidelines. Therefore the information that you provide in this section will be disclosed in your privacy statement so that visitors to your Web sites will know who you are.

The
Openness Principle may be viewed as a prerequisite for the Individual Participation Principle); please note that for the latter principle to be effective, it must be possible in practice to acquire information about who collects stores or uses personal data.

Name of the Data Controller
An indication of the name of the data controller is required by the OECD Privacy Guidelines. According to the OECD Privacy Guidelines, " the Data Controller means a party who, according to domestic law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf". Therefore the "data controller" may be a legal or natural person, for example, a public authority, an organisation, a department within an organisation, a board of directors, or an individual.

Providing Visitors with Anonymous Access

Providing visitors with anonymous access is not a requirement of the OECD Privacy Guidelines. However, you may wish to make it clear that visitors to your Web site can browse without disclosing personal data except that data which is required for system administration such as HTTP log information.

Browsing the Site
"Browsing the site" does not include carrying out specific transactions such as purchasing goods and/or services. If you provide free access to services in exchange for personalised registration details, you should answer "no" to this question. However, you may choose to edit the statement to make this trade-off clear, and to provide a positive image of the site(s).

Linkage Characteristics of Your Web Site

Depending on the service links of your Web site, personal data on visitors to your Web site may be collected by other visitors or by third partiesí Web servers. Visitors to your Web site may not be aware of such collection of data, and you may wish to make this clear. Though it is not an express requirement of the OECD Privacy Guidelines, providing information to your visitors on the linkage characteristics of your Web site, where those links allow another legal entity to collect your visitors' personal data, is a fair practice, consistent with the
Collection Limitation and Openness Principles in the OECD Privacy Guidelines. Furthermore, you may wish to add a link to the privacy policy statement of any third party Web service provider which you may use.

Communicate or Post
Visitors may be unaware that when they post messages to a bulletin board, communicate with the site via e-mail, or make postings to chat areas, their personal data (such as e-mail address) can be captured by the Web site and/or other visitors.

Use of Third Party Web Service Provider
Visitors may be unaware that their data may be collected by a third party Web service provider. Telling your visitors that their personal data may be collected by a third party, is consistent with the OECD Collection Limitation Principle which requires that personal data be collected with the knowledge of the data subject.

Company that collects personal data to distribute advertising
Companies that collect personal data to distribute advertisements are also called "advertising or content aggregators".  They collect data on visitors to a Web site and re-send them to other recipients.  They can also deposit a cookie in the visitor's cookie directory in order to follow the visitor's activity on the Web site.  The data is stored as a profile in the company's data base and used to determine which ads he/she will see when visiting the company's Network Affiliate sites.  They may combine information from many sources - categories of information are sometimes called channels.

A number of competitors exist today and advertising on the Web continues to evolve. Each manages a network of sites and advertisers.  A few ad services, and provide reciprocal exchange of advertising between participating sites, basically a barter system.  Merchants and advertisers may push into the business of running the servers that place ads, for better control and gathering of visitors'  personal data. (Source: http;//www.scils.rutgers.edu/ecommerce/ken/case1.htm).

Automatic Collection of Information

Information automatically collected, via cookies or other means such as programming, may not be linked to an individual. However, if you link the information that you capture automatically, via cookies or other programming means, with personal data about a specific individual, your visitors should be made aware of this. Telling your visitors that you use cookies, or similar automatic logging means, in such a way is consistent with the OECD Openness Principle as well as the OECD Collection Limitation Principle.   The latter Principle deals with the "requirements concerning data collection methods" . These requirements are "directed against practices which involve, for instance, the use of hidden data registration devices such as tape recorders, or deceiving data subjects to make them supply information. The knowledge or consent of the data subject is as a rule essential, knowledge being the minimum requirement" - see Paragraph 52 of the Explanatory Memorandum.

Cookies
Cookies associate a unique code with a particular IP address. They cannot pass on private information such as an email address without the user's intervention in the first place. However, it is possible to link the information stored in a cookie, or otherwise automatically logged, to personal data about individual visitors. Cookies may be used for a number of reasons such as registration and password storing, or for creating logs of visitor interests and preferences. Cookies may also be used to ensure the security of a visitor's information during a session and link personal data to the correct visitor. Cookies can either be temporary or persistent -  for example a temporary cookie may be used by a Web site during a visitor's session in order to link a visitor to a "shopping bag" so that the visitor can purchase a number of items rather than having to purchase each item separately. An example of a persistent cookie might be one that a Web site attaches to a specific visitor so that when the visitor returns to the Web site, the visitor does not need to complete the logging-in process.

Your visitors may find it helpful if you make a link to a Web site such as: http://www.cookiecentral.com which provides information on what cookies are.

Non-personal Information
eg: IP address, preferred language, session (number, key), duration, or other information such as advertisements viewed, Web pages visited - where this information is not related to a specific visitor.

Data Collection and Purpose Specification

The OECD Collection Limitation Principle, the OECD Purpose Specification Principle and the OECD Data Quality Principle are interrelated. 

For the Collection Limitation Principle, the focus in this section is on the requirement that there must be limits to the collection of data, which are regarded as sensitive either because of the manner in which they are to be processed, their nature, the context in which they are to be used or other circumstances.

The Purpose Specification Principle implies "that before, and in any case not later than at the time of data collection, it should be possible to identify the purposes for which these data are to be used, and that later changes should likewise be specified". 

The Data Quality Principle implies that data should be related to the purpose for which they are to be used.  For instance, data concerning opinions may easily be misleading if they are used for purposes to which they bear no relation, and the same is true of evaluative data.  


Personal data Volunteered
This question refers to the categories of personal data that an individual knowingly provides when interacting or corresponding with your organisation.  Collection of personal data from individuals may also be carried out both on-line, for example by storing an individual's e-mail address, and off-line, for example by recording the information that individuals may provide in correspondence with an organisation. Personal data may be collected both on and off-line on from order forms, application forms for registration or competitions, questionnaires or surveys.

Other Sources
This question refers to categories of personal data that you may collect from sources such as public records and publications, public bodies or authorities, or private organisations. It is implicit that the personal data from these other sources would include personal data relating to your visitors, whether you match or merge personal data from these sources with personal data which your visitors have volunteered or which you have logged automatically from your visitors.

Technical Administration of the Web Site
Parts of the data are used for the technical support of the Web site and computer system. This would include processing computer account information, and information used in the course of securing and maintaining the site. Typically, certain information automatically logged including IP addresses and domain names are automatically used for the technical support of the Web site and computer system; tracking down problems with the server, improving security of a visitor's information during a session etc.

Research, Development and Statistics
Parts of the data are used to enhance, evaluate, or otherwise review the Web site, service, product, or market. For instance, IP addresses are used to gather broad demographic data (such as buying habits or interests in a specific geographic location). Note that this does not include personal data used to tailor or modify the content to the specific individual or data used to evaluate, target, profile or contact the individual.

Customer Administration
Part of the data are used for the provision of information, communications, or transaction services, for example to return the results from a Web search, to forward email, to place an order, or to make deliveries to the visitor. In particular, financial data are used to check visitors registration qualifications, credit card, or to bill consumers for a service or product, and IP addresses are used to help identify visitors and their shopping carts. The data might also be used to contact visitors when necessary.

Marketing
Parts of the data are used to contact visitors for sending information or promotional material, products or services. This includes notifying visitors about updates to the Web site, tailoring the content or design of the site or the page to the particular individual. More generally these data are used for direct mail, prospects lists, profiling, analysis and marketing. The intention may be to disclose to third parties in the future.

Trading in Personal Data
Parts of the data are collected and processed with the intention of selling them to other organisations.

Other Purposes
The data can also be used for other purposes, such as automatic scoring (e.g. for solvency, creditability) or the data may be required by law (e.g. identification details if transactions have certain characteristics, or age verification requirements on certain adult services). 

Primary Data/ Business Information
Please check each relevant box, for this category of personal data, to explain how you obtain that data.

Personal Details
Such as nickname, date of birth/age, place of birth, nationality.

Physical Description
Such as height, weight, distinguishing characteristics.

Family Characteristics
Such as, marriage, partnership, dependants.

Education and Skills
Such as academic records, professional interests.

Life Style or Personal Tastes
Such as details of consumption of goods or services, leisure activities and sport, personal or family behaviour, smoking, drinking, favourite colour, food.

Financial Resources
Such as salary/income, property.

On-line Identifiers
Such as Web site passwords, cookies OR visitor's identity certificate, PUID (pairwise or site ID), TUID (temporary or site ID)...

Financial Identifiers
Such as credit card number, bank account number.

Identifiers Assigned by Public Bodies
Such as Social Security number, Identity number. According to the OECD
Data Quality Principle, personal data should be relevant to the purposes for which they are to be used. In many countries, these personal data are regarded as sensitive and their use restricted.  If you collect and use personal data which fall into this category, you should consult the Privacy Resource and make further enquiries into whether there are any regulations which affect your processing of these categories of personal data.

Biometric Identifiers
Such as DNA, Iris recognition, fingerprints. According to the OECD
Data Quality Principle, personal data should be relevant to the purposes for which they are to be used. In many countries, these personal data are regarded as sensitive and their use restricted. For example, European Directive 95/46/EC requires additional criteria to be met if a data controller wishes to process personal data in these categories. If you collect and use personal data which fall into this category, you should consult the Privacy Resource (see, for example, Convention 108 of the Council of Europe, European Directive 95/46/EC and the UN Guidelines for the Regulation of Computerised Personal Data Files).

Specific Data
According to the OECD
Data Quality Principle, personal data should be relevant to the purposes for which they are to be used. In many countries, the personal data listed below are regarded as sensitive and their use restricted. If you collect and use personal data which fall into this category, you should consult the Privacy Resource (for example, the following instruments: Convention 108 of the Council of Europe, European Directive 95/46/EC and the UN Guidelines for the Regulation of Computerised Personal Data Files):

Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Health/Medical data, Sex life, Police/Justice data such as civil/criminal actions brought by or against the visitor.

Consent
Seeking consent from visitors for disclosure of their personal data for new purposes accords with both the Purpose Specification Principle and the Use Limitation Principle.   The Purpose Specification Principle provides that the purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.  The Use Limitation Principle develops this further by stating that personal data should not be disclosed, made available or otherwise used for purposes other than those specified.  However, if you wish to use or disclose your visitors' personal data for an incompatible and unspecified purpose, you may do so provided that you have obtained consent of your visitors' before proceeding with the new use or disclosure.  

Opt in
An "Opt in" means providing the individual with the opportunity to give positive consent ie an individual's personal data can only be disclosed to a third party where the individual has indicated that they agree to that type of disclosure - without that indication the individual's personal data should not be disclosed to third parties.

Opt-out
An "Opt out" means providing the individual with the opportunity to object.  This means that an individual may receive information such as promotional or advertising information unless or until they have indicated that they do not wish to receive such material.  It may also mean that their personal data may be disclosed to third parties unless and until they have indicated their objection to that disclosure.

Children's Privacy

The OECD Privacy Guidelines do not require specific protection for children's personal data, but in some countries there may be restrictions on the collection and use of this category of personal data. For example, in the US the Children's Online Privacy Protection Act (COPPA) and related regulations, which took effect on 21 April 2000 governs the online collection of personal information from children under l3 by Web site operators as well as the use of such information. Below is a brief summary of the essential requirements of the COPPA, but you are encouraged to examine more specific information on the obligations imposed, at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm.

Organisations who are not subject to the COPPA may still have specific privacy policies in relation to children which can be reflected in the privacy policy statement through this section of the questionnaire.

Knowingly
For operators of commercial sites or online service directed toward children under 13 that collect personal information from children, the US Children's Online Privacy Protection Act may apply. To determine whether a website is directed toward children, several factors are considered, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the website is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features.

For general audience sites (sites not directed toward children) the Children's Online Privacy Protection Act explicitly covers operators who have "actual knowledge" that they are collecting personal information from children. For example, the operator of a general audience chat site who has actual knowledge that a child is posting personal information on the site must provide notice and obtain verifiable parental consent if the child is to continue to post such information in that site's chat room. In most cases, if site visitors register and the registration process asks for age or date of birth, the operator likely will have the requisite Knowledge (i.e., "actual knowledge") under the Act. However, where visitors register on a website and the operator monitors the chat room, if the operator strips any posting of individually identifiable information before it is made public (and deletes it from the operator's records), that operator will not be deemed to have collected the child's personal information. Further guidance on this issue can be obtained from the FTC Web site as indicated above.

Verifiable Parental Consent
Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child's parent.   Until April 2002, the Federal Trade Commission will use a sliding scale approach to parental consent in which the required method of consent will vary based on how the operator uses the child's personal information.  That is, if the operator uses the information for internal purposes, a less rigorous method of consent is required, such as seeking confirmation of parental consent by e-mail, letter or phone call.  If the operator discloses the information to others, the situation presents greater dangers to children, and a more reliable method of consent is required.  This may involve obtaining a signed form from a parent via the post or fax, or accepting and verifying a credit card number.  Further guidance on this issue can be obtained from the FTC Web site as indicated above.

Information Practices
Organisations who may be subject to the jurisdiction of the COPPA should note that the FTC final regulations on Children's Online Privacy Protection Act provide clear guidance on where notifications of information practices in relation to personal data knowingly collected from children, should be placed. Organisations will have a choice - they may either post, at the appropriate places, their whole privacy policy statement, or they may wish to extract those statements relevant to children's privacy from their privacy policy statement and post that extract at the appropriate places. Further guidance on this issue can be obtained from the FTC Web site as indicated above.

Disclosure and Visitor's Choice

Providing visitors to your Web site with information about the purposes for which personal data are collected and to whom that data may be disclosed is consistent with the Purpose Specification Principle and the Use Limitation Principle in the OECD Privacy OECD Privacy Guidelines. "Use" of data occurs any time data about an identifiable individual are handled within the organisation. "Disclosure" of data involves revealing or transferring the data outside the organisation. 

According to the OECD Purpose Specification Principle, the purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

This Principle implies that before, and in any case not later than at the time data collection it should be possible to identify the purposes for which these data are to be used, and that later changes of purposes should likewise be specified. Such specification of purposes can be made in a number of alternative or complementary ways, e.g. by public declarations, information to data subjects, legislation, administrative decrees, and licences provided by supervisory bodies. According to this Principle and the Use Limitation Principle, new purposes should not be introduced arbitrarily; freedom to make changes should imply compatibility with the original purposes.

The Use Limitation Principle deals with uses of different kinds, including disclosure, which involve deviations from specified purposes. As a rule the initially or subsequently specified purposes should be decisive for the uses to which data can be put. The Use Limitation Principle foresees two general exceptions to this principle: the consent of the data subject and the authority of law (including, for example, licences granted by supervisory bodies). It may be provided that data that have been collected for purposes of administrative decision-making may be made available for research, statistics and social planning.

Disclosure
Where you wish to disclose your visitors' personal data for the same purposes which you have indicated previously in your answers to this questionnaire, you do not always need to seek their consent to disclosure.   However, you should note that Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, requires special criteria to be met with regard to the use and disclosure of your visitors' personal data for marketing and promotional purposes.  If your organisation is subject to this regulatory instrument, you may wish to use the Privacy Resource to determine whether there are any regulations which apply to your use or disclosure of personal data for these purposes. In some sectors, such as direct marketing, industry standard codes of practice may contain special criteria in relation to the use of personal data for such purposes.  Again you may wish to use the Privacy Resource to make further enquiries.

The Use Limitation Principle implies that where you wish to disclose your visitors' personal data for purposes other than those which you have previously specified, you will need to seek the consent of your visitors before making the disclosure unless the disclosure is required by authority of the law.

Confidentiality/Security

Establishing a security policy that protects personal data under your control is consistent with the
Security Safeguards Principle of the OECD Privacy Guidelines.

The Security Safeguards Principle implies that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. The 2002 OECD Security Guidelines also recommend that "security should be implemented in a manner consistent with the values recognized by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency" under the Democracy Principles.

Security safeguards are intended to reinforce limitations on data use and disclosure. Such safeguards include physical measures (locked doors and identification cards, for instance), organisational measures (such as authority levels with regard to access to data) and, particularly in computer systems, informational measures (such as enciphering and threat monitoring of unusual activities and responses to them). It should be emphasised that the category of organisational measures includes obligations for data processing personnel to maintain confidentiality.

Secure Transmission Method
For example if you use an industry standard encryption technology for transferring and receiving personal data on your Web site(s).

Unauthorised Access
For example, steps should be taken to ensure that only authorised staff have access to the data.

Improper Use or Disclosure
For example, steps should be taken to ensure that the data are only used or disclosed for those purposes which were indicated to the visitor at or before the time of collection. Steps may also be taken to confirm the identity of individuals before providing a copy of their personal data to avoid the improper disclosure of one individual's personal data to another individual. 

Unauthorised Modification or Alteration
"Modified" should be construed to cover unauthorised input of data. Steps should be taken to ensure that the data are only altered/modified by authorised staff, and are not altered in such a way as would make the data inaccurate.

Unlawful Destruction or Accidental Loss
"Loss" of data encompasses such cases as accidental erasure of data, destruction of data storage media (and thus destruction of data) and theft of data storage medium. Steps should be taken to ensure that adequate security procedures are in place to prevent any person from either unlawfully (i.e. not in accordance with the data controllerís instructions) or accidentally destroying and losing the data.

Data Processors
Data Processors are third parties that process data on behalf of a
Data Controller only for the completion of stated purposes, and who do nothing further with the data.

Confidentiality
According to paragraph 56 of the Explanatory Memorandum, the Security Safeguards Principle includes physical, organisational and informational measures. "It should be emphasised that the category of organisational measures includes obligations for data processing personnel to maintain confidentiality".

Individual Participation/Access

According to the OECD Individual Participation Principle, an individual should have the right:

a) to obtain from a Data Controller, or otherwise, confirmation of whether or not the Data Controller has data relating to him;

b) to have communicated to him, data relating to him

  • within a reasonable time;
  • at a charge, if any, that is not excessive;
  • in a reasonable manner; and
  • in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

According to the OECD Explanatory Memorandum, as a rule, the right to access should be simple to exercise. This may mean, among other things, that it should be part of the day-to-day activities of the Data Controller or his representative and should not involve any legal process or similar measures. In some cases it may be appropriate to provide for intermediate access to data; for example, in the medical area a medical practitioner can serve as a go-between. In some countries supervisory organs, such as data inspection authorities, may provide similar services. The requirement that data be communicated within reasonable time may be satisfied in different ways. For instance, a Data Controller who provides information to data subjects at regular intervals may be exempted from obligations to respond at once to individual requests. Normally, the time is to be counted from the receipt of a request. Its length may vary to some extent from one situation to another, depending on circumstances such as the nature of the data processing activity. Communication of such data "in a reasonable manner" means, among other things, that problems of geographical distance should be given due attention. Moreover, if intervals are prescribed between the times when requests for access must be met, such intervals should be reasonable. The extent to which data subjects should be able to obtain copies of data relating to them is a matter of implementation which must be left to the decision of each Member country.

The right to reasons is narrow in the sense that it is limited to situations where requests for information have been refused.

The right to challenge is broad in scope and includes first instance challenges to Data Controllers as well as subsequent challenges in courts, administrative bodies, professional organs or other institutions according to domestic rules of procedure. The right to challenge does not imply that the data subject can decide what remedy or relief is available (rectification, annotation that data are in dispute, etc.): domestic law and legal procedures will decide such matters.

Intelligible copy
This means in a form which is readily intelligible - this may include providing an explanation for any coded information which is contained in the personal data.

Specific Charge
The charge, if any, must not be excessive -- see paragraph 13(b)(ii) of the 1980 OECD Privacy Guidelines: "An individual should have the right to have communicated to him, data relating to him at a charge, if any, that is not excessive". In some countries, charges are either forbidden or restricted by law.

Challenge
The right to challenge the personal data (paragraph 6l of the l980 OECD Privacy OECD Privacy Guidelines and the Explanatory Memorandum) means that you allow individuals to challenge the personal data that you hold about them  This means that you provide individuals with the opportunity to dispute the personal data which you hold. For example the individual might believe that the personal data has been incorrectly attributed to them, or that it is inaccurate - you may allow them to provide evidence to support their claims and amend or delete the personal data (where appropriate) if you are satisfied that the individual has a legitimate concern.

Erased
Delete/remove a recording.

Rectified or Amended
Correct/put right a recording or an error.

Completed
Add any missing data in order to make an entry complete.

Right to Refuse
There can be proper grounds for refusing access to information e.g. the defence of your legal rights or the protection of the rights and freedoms of others.

Reasons for Refusing to Provide Information
Paragraph 13(c) of the Individual Participation Principle requires that an individual should have the right to be given reasons if a request [for confirmation of whether or not the data controller has data relating to him] is denied, and to be able to challenge such denial. As Paragraph 60 of the Explanatory Memorandum explains, the right to reasons in Paragraph 13(c) is narrow in the sense that it is limited to situations where requests for information have been refused. A broadening of this right to include reasons for adverse decisions in general, based on the use of personal data, met with sympathy in the OECD. However, on final consideration a right of this kind was thought to be too broad for insertion in the privacy framework constituted by the OECD Privacy Guidelines. This is not to say that a right to reasons for adverse decisions may not be appropriate, e.g. in order to inform and alert a subject to his rights so that he can exercise them effectively.

Paragraph 13(c) of the Individual Participation Principle requires that an individual should have the right to be given reasons if a request [for confirmation of whether or not the data controller has data relating to him] is denied, and to be able to challenge such denial. As Paragraph 60 of the Explanatory Memorandum explains, the right to reasons in Paragraph 13(c) is narrow in the sense that it is limited to situations where requests for information have been refused. A broadening of this right to include reasons for adverse decisions in general, based on the use of personal data, met with sympathy in the OECD. However, on final consideration a right of this kind was thought to be too broad for insertion in the privacy framework constituted by the OECD Privacy Guidelines. This is not to say that a right to reasons for adverse decisions may not be appropriate, e.g. in order to inform and alert a subject to his rights so that he can exercise them effectively.

Proof of Identity
If you require proof of identity before providing an individual with information about the personal data you hold, or providing a copy of the personal data held, you may wish to indicate the proof you require in your privacy policy statement - for example, a password, confirmation of date of birth etc.

Privacy Compliance

According to the OECD Accountability Principle, a Data Controller should be accountable for complying with measures which give effect to the other OECD Privacy principles. As stated in the Explanatory Memorandum at Paragraph 69, the detailed implementation of the Principles and the Guidelines is left to Member countries in order that different legal systems and traditions may be respected. The OECD Privacy Guidelines are therefore flexible and envisage that a range of approaches might be taken by countries, such as the creation of special supervisory bodies, reliance on existing control facilities such as the courts, or self-regulation where non-legislative implementation of the Guidelines would complement legislative action. If there are no legislative or self-regulatory mechanisms, then the OECD Guidelines provide a common reference point and may be incorporated into a contractual solution to provide privacy protection.

National Privacy Laws
More than thirty countries worldwide have adopted privacy legislation; applicable, depending on the country, to the public and private sectors or to the public sector alone. For further information on national laws, see the OECD Privacy Inventory (as of March 1999). For electronic links to national data protection and privacy authorities, please see the Privacy Resource. Please note that this resource is provided for your convenience and is not definitive.

National Self-Regulation Instruments
In countries that do not have special privacy legislation, regulations that apply to specific industry sectors are nevertheless applicable as well as a number of industry-driven provisions. General principles or standards have also been established to serve as a reference in both the public and private sectors. Codes of good conduct have been adopted in many business communities as well as proactive privacy commitments. For further information on self-regulation see the OECD Privacy Inventory (as of March 1999). For electronic links to FTC and private sector organisations with expertise in this area, please see the Privacy Resource.   Please note that this resource is provided for your convenience and is not definitive.

Main Privacy Instruments
We suggest that, in your privacy policy statement, you later add an hyperlink to the instrument(s) you are compliant with.

Global Regulatory  Instruments
E.g.  OECD Privacy Guidelines on the Protection Of Privacy and Transborder Flows of Personal Data Guidelines, UN Guidelines for the Regulation of Computerized Personal Data Files Adopted by General Assembly resolution 45/95 of 14 December 1990 etc. For further information, see the OECD Privacy Inventory (as of March 1999).  The Privacy Resource provides electronic links to some of these global regulatory privacy instruments. Please note that this resource is provided for your convenience and is not definitive.

Regional Regulatory  Instruments
E.g. Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. For further information, see the OECD Privacy Inventory.  The Privacy Resource provides electronic links to some of these regional regulatory instruments.  Please note that this resource is provided for your convenience and is not definitive.

Self-Regulatory Privacy Instruments
E.g. International Chamber of Commerce codes of conduct - see the Privacy Resource for an electronic link.  Please note that this resource is provided for your convenience and is not definitive.

To demonstrate
In order to demonstrate that your privacy policy statement accords with applicable regulation, you may voluntarily commit your organisation to a self-assessment process, a certification process administered by a third party, or you may be subject to supervision by a government agency or relevant data protection authority. We suggest that you later add an hyperlink to the relevant person/service/organisation/party or Authority - see Privacy Resource for private sector organisations with expertise in this field.  Please note that this resource is provided for your convenience and is not definitive.

Self-Assessment Procedure
Although your organisation may not be subject to external assessment of its privacy practices (either by a relevant government department, a data protection authority or third party organisation providing certification), your organisation may undertake a regular internal privacy audit of your policies and your compliance with your policies.

Third Party Organisation Certification
E.g. TRUSTe, BBB Online - see
Privacy Resource for electronic links. Japan Information Processing Development Council (JIPDEC) has a privacy mark system. Japan Data Communications Association has a Personal Information Protection Registration Centre.

Government Agency Supervision
E.g. in the USA, the Federal Trade Commission -
see Privacy Resource for electronic links.  Please note that this resource is provided for your convenience and is not definitive.

Data Protection Authority
Eg Data Protection Commissioners in Europe, New Zealand or Hong Kong - see Privacy Resource for electronic links.  Please note that this resource is provided for your convenience and is not definitive.

Privacy Support

Providing visitors with information about how you address your visitors' concerns, is in accordance with both the Openness and Accountability Principles. It also accords with Part 4 of the Guidelines on National Implementation which requires that there are "adequate sanctions and remedies in case of failures to comply with measures which implement" the OECD Privacy Principles.

Contact Details
You may provide visitors to your Web site with details of several persons or services to contact.

Third Party Dispute Resolution Mechanisms
Such mechanisms may include conciliation, mediation, and arbitration.

Conciliation is a hybrid of a number of other alternative dispute resolution mechanisms such as mediation and arbitration (see below). The exact structure and operation of a conciliation process will vary depending on the model chosen, which should reflect the particular type of dispute. The conciliator has the powers of both a mediator and an arbiter. However, this process is distinct from processes such as mediation (see below) which can be escalated to arbitration.

Mediation involves a third party, a mediator, helping the disputants to find common ground.   A mediator does not have the power to decide a dispute, but only to assist the disputing parties to identify options for, and negotiate, resolution.  Mediators facilitate communication between disputants, helping them to recognise each other's interests and to discover mutual interests, and helping to  change perceptions of the costs of failing to settle as an inducement to settle.

Arbitration is private adjudication, in which a non-governmental neutral party hears presentations by the disputants and makes a decision that is legally binding on them.  Traditionally, arbitrators are designated by the disputants.  However, court-annexed arbitration is growing in popularity.  In such cases an arbitrator derives authority from a court order or rule. It is possible for disputants to declare in advance a willingness to arbitrate a class of disputes that may arise in the future.  Arbitration agreements may also be entered into after a particular dispute has arisen, and apply only to that dispute. 

 
 
spacer
 
spacer
 
Search Mail Policy
 
  Legal notice - The information on this site is subject to a disclaimer and a copyright notice
The e-Business [email protected] is being implemented and operated by empirica Gesellschaft fŁr Kommunikations- und Technologieforschung mbH (Bonn)
in co-operation with DIW Berlin - German Institute for Economic Research and Databank Consulting spa (Milan), Berlecon Research,
IDATE, PLS RAMBōLL Management, and Saatchi & Saatchi Business Communications