HOW TO DEVELOP A PRIVACY POLICY
STEP 1. To ensure that you answer the questions contained in the Generator accurately, you need to know what your personal data practices are. Therefore, before completing the questionnaire, it is essential to carry out an extensive internal review of your current personal data practices. For example:
- Do you collect personal data?
- What kinds of personal data do you collect?
- How are they collected? From individuals, from third parties, from public bodies or authorities? Are individuals aware that their personal data are being collected?
- Who in your organisation is responsible for deciding what personal data are collected and how?
- Why do you collect personal data?
- How are they used?
- Who controls personal data once they are collected?
- Are personal data disclosed to third parties, and if so, why?
- How and where are they stored?
- Do you have standards, guidelines and regulations which apply to your collection and use of personal data?
- Do you allow visitors access to the personal data you have about them?
- What happens if a visitor has a query about their personal data? What if they are not satisfied with how you deal with their query?
Further guidance on carrying out an internal review can be found on the Web sites of SIIA, USCIB, or CSA Model Code CAN/CSA-Q830.
You may also wish to consult:
www.jipdec.or.jp/security/privacy/index-e.html
www.research.att.com/projects/p3p/propgen
www.the-dma.org
www.truste.org/businesses/how_to_sign_up.php
STEP 2. Once you have reviewed your current personal data practices:
USING THE GENERATOR TO CREATE A PRIVACY POLICY STATEMENT
STEP 3. Once you have determined your current personal data practices and reviewed those practices against relevant regulatory requirements, you are in a position to complete the Generator questions. The Help Section provides explanations of terms used, guidance on what is consistent with the OECD Privacy Guidelines, and, where appropriate, additional information on other national, regional or international instruments. It is important to read the technical notes before answering the questions.
After you have completed the questionnaire as accurately as possible, a draft privacy policy statement is automatically generated. It proposes pre-formatted sentences based on your answers/choices.
ASSESSING THE DRAFT PRIVACY POLICY STATEMENT
STEP 4. Next, you should make sure:
- That the draft privacy statement accurately reflects your organisation’s personal data practices.
- That the draft privacy statement complies with applicable national, regional and international laws or (self) regulatory schemes.
- That errors are corrected and that the privacy statement reads smoothly.
PLACING YOUR PRIVACY POLICY STATEMENT ON YOUR WEB SITE
STEP 5. Once you are satisfied that your privacy policy statement accurately reflects your personal data practices and complies with applicable regulations, you need to consider how to make your statement publicly available. Regulations to which you may be subject may require a specific location for such a statement, such as your homepage, or at the point(s) where personal data are collected. In the absence of specific regulatory requirements, you may wish to consider creating a link between your homepage and your privacy statement, or between pages where you collect personal data and your privacy statement. The OECD Privacy Guidelines recommend that individuals should be able to gain access to information about personal data practices without unreasonable effort as to time, knowledge and expense. You may also wish to create links to relevant Web sites to make visitors aware of any relevant regulations.
REMEMBER: Once your privacy statement is publicly posted, you may be legally liable if you fail to abide by your privacy policy statement or if that statement does not comply with local laws.
By following the above steps, you can help ensure that your policy statement will not misrepresent your privacy practices or fail to comply with applicable regulations.
EXAMPLE PRIVACY POLICY STATEMENT
The OECD online privacy policy statement was revised using the OECD Generator. This example is not intended to be a "model" statement. It is intended only to provide an indication of what you can expect your final privacy statement to look like.
© 2000 OECD & Microsoft Corporation. All Rights Reserved