
Privacy Laws and Business International Report


International Safe Harbor Privacy Principles [1999] PLBIRp 9; (1999) 47 Privacy Laws and Business International Report 15

The Safe Harbor Principles

The International Safe Harbor Principles, released last year by the US Department of Commerce for US companies' voluntary adoption, are summarised here. The full text is available on the Internet at http://www.ita.doc.gov/ecom/menu.htm. Read more about Safe Harbor on p.16.

1. NOTICE: An organisation must inform individuals about the types of personal information which it collects about them, how and for which purposes it collects that information, to whom it discloses the information and the choices and means it offers individuals for limiting its use and disclosure. Access to this notice should be clear and immediately available on request when individuals are first asked to provide personal information.

2. CHOICE: An organisation must give individuals the opportunity to choose whether and how personal information they provide is used (where such use is unrelated to the uses for which they originally disclosed it). Mechanisms to exercise this option must be clear, affordable and readily available. For certain kinds of sensitive information (e.g. medical), organisations must offer individuals an opt-in choice.

3. ONWARD TRANSFER: Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal information they provide, when such use is unrelated to the uses for which the individual originally disclosed it.

4. SECURITY: Organisations creating, maintaining, using or disseminating records of personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, or destruction.

5. DATA INTEGRITY: An organisation must keep only personal data that is relevant to the purposes for which it has been gathered, consistent with the principles of notice and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current.

6. ACCESS: Individuals must have reasonable access to information about them derived from non-public records that an organisation holds, and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses. For instance, access must be provided to an individual where the information in question is sensitive or is used for substantive decision-making purposes that affect that individual.

7. ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and consequences for the organisation when the principles are not followed. At a minimum, such mechanisms must include:

(a) Readily available and affordable independent recourse mechanisms by which individuals' complaints and disputes can be resolved;

(b) Systems for verifying that the attestations and assertions businesses make about their privacy practices are true and privacy practices have been implemented as presented; and

(c) Obligations to remedy problems arising out of and consequences for organisations announcing adoption of these principles and failing to comply with the principles. Sanctions must be sufficient to ensure compliance by organisations and must provide individuals the means for enforcement.

Note: Organisations may satisfy the requirements set forth in principle 7: (a) through compliance with private sector developed privacy programs that include effective enforcement of the type described in Principle 7; or (b) through compliance with legal or regulatory supervisory authorities; or (c) by committing to cooperate with Data Protection Authorities located in the European Community.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/9.html