Tiny URL for this page: oe.cd/privacy
Other projects have examined privacy notices and considered privacy in the context of horizontal issues such as radio frequency indentification (RFID), digital identity management, and looked at metrics to inform policy making in these areas. The important role of privacy is also addressed in the OECD Recommendation on Principles for Internet Policy Making (2011) and the Seoul Ministerial Declaration on the Future of the Internet Economy (2008).
Current work is examining privacy-related issues raised by large-scale data use and analytics. It is part of a broader project on the data-driven innovation and growth, which already produced a preliminary report identifying key issues.
The 2013 OECD Privacy Guidelines
The revisions agreed in 2013 include:
- The Recommendation of the OECD Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (July 2013); and
- A new explanatory memorandum providing context and rationale for the July 2013 revisions.
[Download the updated Guidelines and memorandum]
These new Guidelines constitute the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles.
Two themes run through the updated Guidelines. First is a focus on the practical implementation of privacy protection through an approach grounded in risk management. Second is the need for greater efforts to address the global dimension of privacy through improved interoperability. A number of new concepts are introduced, including:
Download the full OECD privacy framework booklet including the 2013 Privacy Guidelines
- National privacy strategies. While effective laws are essential, the strategic importance of privacy today also requires a multifaceted national strategy co-ordinated at the highest levels of government.
- Privacy management programmes. These serve as the core operational mechanism through which organisations implement privacy protection.
- Data security breach notification. This provision covers both notice to an authority and notice to an individual affected by a security breach affecting personal data.
Other revisions modernise the OECD approach to transborder data flows, detail the key elements of what it means to be an accountable organisation, and strengthen privacy enforcement. As a step in a continuing process, this revision leaves intact the original “Basic Principles” of the Guidelines. On-going work by the OECD on privacy protection in a data-driven economy will provide further opportunities to ensure that its privacy framework is well adapted to current challenges.
The process to revise the Guidelines was led by the OECD’s Working Party on Information Security and Privacy (WPISP) working from terms of reference released at an OECD conference on global interoperability in Mexico City in November 2011. Preparatory work for the 2013 revision was conducted in the context of the 30th anniversary of the original Guidelines, marked by a series of conferences and papers.
In accordance with the terms of reference, the WPISP convened a multi-stakeholder group of experts from governments, privacy enforcement authorities, academia, business, civil society and the Internet technical community. This expert group was chaired by Jennifer Stoddart, Privacy Commissioner of Canada. Omer Tene, consultant to the OECD, served as rapporteur. On the basis of the work by the expert group, proposed revisions were developed by the WPISP and approved by the Committee for Information, Computer and Communications Policy (ICCP), before final adoption by the OECD Council.
The expert group also produced a report on its work. The document identifies a number of issues that were raised but not fully addressed as part of the review process and which could be considered as candidates for possible future study.
Back to information security and privacy