It is with great concern that Privacy First has taken note of the Dutch draft bill on COVID-19 test certificates. Under this bill, a negative COVID-19 test certificate will become mandatory for access to sporting and youth activities, all sorts of events and public places including bars and restaurants and cultural and higher education institutions, Those who have no such certificates risk getting high fines. This will put pressure on everyone's right to privacy. 

Serious violation of fundamental rights

The draft bill severely infringes numerous fundamental and human rights, including the right to privacy, physical integrity and freedom of movement in combination with other relevant human rights such as the right to participate in cultural life, the right to education and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. However, the current draft bill fails to demonstrate this, while the required necessity in the public interest is simply assumed. More privacy-friendly alternatives to reopen and normalize society do not seem to have been considered. For these reasons alone, the proposal cannot pass the human rights test and should therefore be withdrawn.

Social exclusion

The proposal also violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts pressure on social life and may lead to large-scale inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to or will not be able to get tested (for various reasons). During the recent Dutch National Privacy Conference organized by Privacy First and the Platform for the Information Society (ECP), it already became clear that the introduction of a mandatory ‘corona passport’ could have a socially disruptive effect.[1] On that occasion the Dutch Data Protection Authority, among others, took a strong stand against it. Such social risks apply all the more strongly to the indirect vaccination obligation that follows on from the corona test certificate. In this regard, Privacy First wants to recall that recently both the Dutch House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the draft bill under consideration will have the potential to set precedents for other medical conditions and other sectors of society, putting pressure on a much broader range of socio-economic rights. For all of these reasons, Privacy First strongly recommends that the Dutch government withdraw this draft bill.

Multiple privacy violations

Moreover, from the perspective of the right to privacy, a number of specific objections and questions apply. First of all, the draft bill introduces a mandatory ‘proof of healthiness’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Also, the draft bill introduces an identification requirement at the entrance of public places, in violation of the right to anonymity in public spaces. The bill also results in the inconsistent application of existing legislation to the same act, namely testing, with far-reaching consequences on the one hand for a precious achievement like medical confidentiality and the trust of citizens in that confidentiality, and on the other hand for the practical implementation of retention periods while the processing of the test result does not change. After all, it is not the result of the test that should determine whether the file falls under the Dutch Medical Treatment Contracts Act (WGBO, which has a medical secrecy requirement and a retention period of 20 years) or under the Public Health Act (with a retention period of five years), but the act of testing itself. Moreover, it is unclear why the current draft bill seeks to connect to the Public Health Act and/or WGBO if it only concerns obtaining a test certificate for the purpose of participating in society (and therefore no medical treatment or public health task for that purpose). Here, the only possibility for processing and for breaching medical confidentiality should be the basis of consent. In this case, however, there cannot be the legally required freely given consent, since testing will be a compelling condition for participation in society.

Privacy requires clarity

Many other issues are still unclear: which data will be stored, where, by whom, and which data may possibly be exchanged? To what extent will there be personal localization and identification as opposed to occasional verification and authentication? Why may test results be kept for an unnecessarily long time (five or even 20 years)? How great are the risks of hacking, data breaches, fraud and forgery? To what extent will there be decentralized, privacy-friendly technology, privacy by design, open source software, data minimization and anonymization? Will test certificates remain free of charge and to what extent will privacy-friendly diversity and choice in testing applications be possible? Is work already underway to introduce an ‘alternative digital carrier’ in place of the Dutch CoronaCheck app, namely a chip, with all the risks that entails? How will function creep and profiling be prevented and are there any arrangements when it comes to data protection supervision? Will non-digital, paper alternatives always remain available? What will happen to the test material taken, i.e. everyone’s DNA? And when will the corona test certificates be abolished?

As long as such concerns and questions remain unanswered, submission of this bill makes no sense at all and the corona test certificate will only lead to the destruction of social capital. Privacy First therefore reiterates its request that the current proposal be withdrawn and not submitted to Parliament. Failing this, Privacy First will reserve the right to have the matter reviewed by the courts and declared unlawful.

[1] See the Dutch National Privacy Conference, 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: “Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.” See also, for example, Dutch House of Representatives, Motion by Member Azarkan on No Corona Vaccination Obligation (28 October 2020), Parliamentary Document 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: "The House (...) pronounces that there should never be a direct or indirect coronavirus vaccination obligation in the future"; Motion by Member Azarkan on Access to Public Benefits for All Regardless of Vaccination or Testing Status (5 January 2021), Parliamentary Document 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House (...) requests the government to enable access to public services for all regardless of vaccination or testing status.’

Published in Law & Politics

In the fight against the coronavirus, the Dutch government this week made clear that the introduction of a curfew is imminent. Because of this, Privacy First today has sent the following appeal to the Dutch House of Representatives:

Dear Members of Parliament,

This week the Netherlands finds itself at a historical human rights crossroads: is a nation-wide curfew going to be introduced for the first time since World War II? For Privacy First such a far-reaching, generic measure would be disproportionate and far from necessary in virtually every situation. Moreover, in the fight against the coronavirus the effectiveness of such a measure remains unknown to this date. For that alone, there can be no legally required social necessity of a curfew. A curfew could in fact also be counterproductive, as it would harm the mental and (therefore also) physical health of large groups in society. Besides, a curfew in the Netherlands is yet another step towards a surveillance society. The use of lighter, targeted and more effective measures is always preferable. Should a curfew nonetheless be introduced, Privacy First would consider it a massive violation of the right to privacy and freedom of movement. Privacy First therefore calls on you to not let this happen and to thwart the introduction of a curfew.

Yours faithfully,

The Privacy First Foundation


Update 17 February 2021: this week, in summary proceedings, the district court of The Hague handed down a ground-breaking ruling that says that the curfew was wrongly introduced under the Dutch Extraordinary Powers Act. The current Dutch curfew is therefore unlawful. Moreover, the court found that there are "major question marks regarding the factual substantiation by the State of the necessity of the curfew. (...) Before a far-reaching restriction such as a curfew is introduced, it must be clear that no other, less far-reaching measures are available and that the introduction of the curfew will actually have a substantial effect", stated the court, without the conviction that this was the case. In addition, the court raised the question of why an urgent (but voluntary) curfew advice had not been chosen. The court also noted that "the Dutch Outbreak Management Team, according to the team itself, has no evidence that the curfew will make a substantial contribution to reducing the spread of the virus." All this "makes the State's assertion that a curfew is inevitable at least debatable and without convincing justification", the court concluded. (See judgment (in Dutch), paragraphs 4.12-4.14.)

The judgment of the district court of The Hague is in line with Privacy First’s earlier position. Privacy First hopes that this will be confirmed on appeal by the Hague Court of Appeal and that it will also lead to the rejection of the curfew by both the Dutch House of Representatives and the Senate.

Published in Mobility

The world is hit exceptionally hard by the coronavirus. This pandemic is not only a health hazard, but can also lead to a human rights crisis, endangering privacy among other rights.

The right to privacy includes the protection of everyone’s private life, personal data, confidential communication, home inviolability and physical integrity. Privacy First was founded to protect and promote these rights. Not only in times of peace and prosperity, but also in times of crisis.

Now more than ever, it is vital to stand up for our social freedom and privacy. Fear should not play a role in this. However, various countries have introduced draconian laws, measures and infrastructures. Much is at stake here, namely preserving everyone’s freedom, autonomy and human dignity.

Privacy First monitors these developments and reacts proactively as soon as governments are about to take measures that are not strictly necessary and proportionate. In this respect, Privacy First holds that the following measures are in essence illegitimate:
- Mass surveillance
- Forced inspections in the home
- Abolition of anonymous or cash payments
- Secret use of camera surveillance and biometrics
- Every form of infringement on medical confidentiality.

Privacy First will see to it that justified measures will only apply temporarily and will be lifted as soon as the Corona crisis is over. It should be ensured that no new, structural and permanent emergency legislation is introduced. While the measures are in place, effective legal means should remain available and privacy supervisory bodies should remain critical.

Moreover, in order to control the coronavirus effectively, we should rely on the individual responsibility of citizens. Much is possible on the basis of voluntariness and individual, fully informed, specific and prior consent.

As always, Privacy First is prepared to assist in the development of privacy-friendly policies and any solutions based on privacy by design, preferably in collaboration with relevant organizations and experts. Especially in these times, the Netherlands (and the European Union) can become an international point of reference when it comes to fighting a pandemic while preserving democratic values and the right to privacy. This is the only way that the Corona crisis will not be able to weaken our world lastingly, and instead, we will emerge stronger together.

Published in Law & Politics
Saturday, 28 March 2020 18:14

Health and common sense

Column

The coronavirus has plunged the whole world into a deep crisis and governments do their utmost to control the dissemination. As I wrote in my previous column, it is important especially now to keep our heads cool and to protect our civil rights and privacy. A short and temporary infringement of our privacy in the general interest may be legitimate. The western model should imply a partial, temporary lockdown, lasting at most twice the incubation period so as to control the spread of the virus based on increased testing, and to facilitate the healthcare system, augmenting the number of critical care beds.

Moreover, this should be a participatory lockdown, based on voluntary participation and citizens’ individual responsibility. This is only logical, as trust is the cornerstone of our democratic society, even though at times there is a lack of it. This concerns trust in fellow citizens, the government and first of all, oneself. At this point in time I have a lot of confidence in the Dutch approach, which is a combination of common sense and relying on healthcare experts. Ultimately, we will have to learn to live with this virus and control potential outbreaks.

To measure is to know and therefore it is essential to scale up the number of tests with the right test equipment without delay. There are tests which can indicate quickly whether someone is infected. It is interesting to note that in Germany, where practically everyone with symptoms is being tested, the percentages of gravely ill and deceased people are considerably lower than in countries where testing is very limited. For policy makers and politicians it is thus very important to take the right decisions on the basis of facts.

If not, there will be a long-standing and emotionally-driven struggle, the encroachment on our freedom will not be short and temporary and power will shift disproportionately into the hands of the State. Such a scenario will see us move towards a forced surveillance society (see the current situation Israel is in, the newly introduced legislation in the UK as well as EU proposals with regard to telecom location data), characterised by the abolishment of anonymous (cash) payments (see the current guidelines in the Dutch retail sector), the dissolution of medical confidentiality and physical integrity in the context of potential virus infections (compulsory vaccinations and apps) and censorship of any alternative or undesired sources of information that counter the prevailing narrative. Besides, commercial interests of IT and pharmaceutical companies would come to dominate even more.

In the best case scenario, both society and the economy will soon be able to revive on the basis of individual and aggregate test results, with this lesson to bear in mind: let’s not lose the importance of our freedom, health and individual responsibility out of sight. All of a sudden, citizens have been left to their own devices and this experience will make them realize that life is not malleable and our society is not a mere paper exercise. This situation could lead to increased civic participation and less government, i.e. greater focus on critical functions. When we take a look around now, we see positive-minded, well-informed and responsible citizens and there is no need to keep focusing on a handful of exceptions. That is, as long as the measures in place are comprehensible, measurable and very temporary, and are not packaged into structural legislation, thereby misusing the crisis in order to grant certain organizations and sectors greater influence and power.

Finally, it’s worth realizing that all entrepreneurial Dutchmen without whom we would not be able to pay our fine public services, also deserve a round of applause. And perhaps the idea of a basic income for every citizen could be reviewed once more. In other words: let’s aim for more individual decisions in a freer society that is supported by technology and common sense!

Here’s to a free 2020!

Bas Filippini,
Privacy First chairman
(in personal capacity)

Published in Columns

Column

Many questions have been raised about Privacy First’s point of view in relation to the protection of privacy in crisis situations, such as the one we’re currently experiencing as a result of the coronavirus. As indicated previously, I support the precautionary principle, i.e., we don’t know what we don’t know and what in fact is effective. A strict, western-style approach on the basis of a temporary (partial) lockdown for a (very) short period of time will drastically flatten the coronavirus curve and will make sure the healthcare system does not collapse. This also allows us to gain time to find a vaccine or medicine. We still don’t know exactly what kind of virus we’re dealing with, how it came into existence and how to control it.

Our society is built on trust. In a crisis situation like we’re in now, authorities will have to take temporary crisis measures which allow citizens to do the right thing voluntarily and on the basis of trust. This may temporarily restrict privacy, such as freedom of movement and/or physical integrity (think of being in quarantine). The government can choose to have a full or partial lockdown. Making this choice, it is essential that we rely on the norms and values of our free, democratic society, and that there is trust both in the citizenry and in the means and measures that may be employed. Ideally, this would result in a participatory lockdown based on everyone’s freedom and sense of responsibility.

Past experience shows that when there is open and honest communication, citizens act responsibly and in the general interest. This implies that draconian and structural legislative measures that restrict freedom can be kept at bay, much to the benefit of the people and the economy. In this respect, it is significant that practically all companies, institutions and organizations currently comply with the protocols, and even do more than what is required. After a period of inaction, the Dutch government has decided to act and take responsibility, which is most welcome. After all, this concerns a potentially great number of very sick patients and fatalities, including many elderly and vulnerable people.

Our government has opted for a democratic instead of a dictatorial approach, and that is to be applauded. So let’s use this moment to keep our head cool instead of infringing upon everyone’s freedom and right to privacy, freedom of movement, bodily integrity and cash payments. I see there is a bitter wind sweeping through Denmark, where a coronavirus emergency law has been rushed through, allowing the authorities to force people to be vaccinated (even though there is no vaccine yet), and in France too, where permanent crisis measures seem to have been implemented. All this is incompatible with a decent society and creates misplaced precedents. Let’s act in the general interest on the basis of trust and everyone’s own responsibility. For that, we need neither to be locked up, nor do we want to see the army in the streets, or any other draconian measures or laws to be put in place.

Let’s strive for a free and trustworthy Netherlands and Europe.

Bas Filippini,
Privacy First chairman
(in personal capacity)

Published in Columns

This week an important policy debate took place in the Dutch Senate with the Minister of the Interior and Kingdom Relations Piet Hein Donner (of the Christian-democratic party CDA) and the State Secretary for Security and Justice Fred Teeven (of the liberal party VVD) about ‘the role of the government in digital data processing’. In the week following up to the debate Privacy First had expressed its views to the Senate. We are pleased to see that many of our views have been accepted (and even literally copied by some parties) throughout the Senate and that even government members Donner and Teeven proved not to be insensitive to them. This goes for both classic rights and principles that need to be reconfirmed as well as some new starting points:

- the right to express, prior and fully informed consent of citizens in the use of their personal data, both by the government and corporations;

- strict purpose limitation and necessity when using personal data;

- the right of citizens to access, correction and deletion of their personal data;

- privacy, freedom of choice, transparency and effectiveness as leading principles in the drafting of new legislation;

- the importance of evaluation and sunset clauses in (new) legislation;

- public cost-benefit analyses;

- public disclosure of departmental feasibility studies, pilot projects and research reports;

- introduction of privacy impact assessments (PIAs) and privacy by design;

- support of the legislative process by means of expert meetings and external advice.

However, the statement by minister Donner that destroying the fingerprints which are stored by Dutch municipalities would still take months is a great disappointment. The same goes for the fact that there is still no ‘fingerprint-free’ ID card; this too could have been implemented a long time ago. Recently Privacy First urged the minister to execute this process as quickly as possible (be it through modifying relevant legislation or through technical modifications).

A draft report of the Parliamentary debate can be found HERE. Our own audio recordings of the debate can be downloaded HERE. A great number of interesting passages from the debate (both by Members of Parliament as well as members of the government) can be found HERE (in Dutch).

Published in Law & Politics

For the benefit of the policy debate in the Dutch Senate on 17 May 2011 about digital data processing the Privacy First Foundation today has sent the following focal points to Senate members. Privacy First hopes that these focal points will take on a guiding role in the debate between the members of the Senate and members of the Dutch government.

Privacy’s First motto is ‘‘your choice in a free society’’ For citizens, this translates into:

- the right to express, prior and fully informed consent of citizens in the use of their personal data, both by the government and corporations;

- any use of personal data is to be strictly necessary and purpose bound;

- citizens have the right to access, correction and deletion of their personal data at all times;

- relevant legislation needs to be known and to be accessible to citizens;

- no new legislation without prior democratic (public) debate.

For the government and Parliament, this translates into:

- privacy, freedom of choice, transparency and efficiency as guiding principles in the drafting of new legislation;

- a preference for formal laws instead of Orders in Council and ministerial regulations;

- no so-called ‘gold-plating’ (add-ons) in the implementation of European legislation;

- mandatory evaluation and sunset clauses;

- an integral approach by considering every new law in conjunction with other, already existing laws and treaties;

- an integral approach by considering all new technical applications in conjunction with other, already existing technical applications;

- public cost-benefit analyses;

- public disclosure of relevant official feasibility studies, pilot projects and research reports;

- making privacy impact assessments (PIAs), privacy by design and privacy enhancing technologies (PET) compulsory;

- support of the legislative process by means of expert meetings and external advice.

For further information or questions regarding the above Privacy First is available at all times.

Published in Law & Politics
Sunday, 17 April 2011 19:17

Be smart: choose for opt-in!

In February 2011, the Dutch Senate adopted a revised, more privacy-friendly legislative proposal on the introduction of 'smart energy meters'. But does this really enhance the protection of citizens' privacy? Dr. Jaap-Henk Hoepman of the Radboud University Nijmegen puts this in doubt and advocates for opt-in instead of opt-out
[translated by Privacy First from the original article in Dutch]

‘‘In the legislative act, the following things have changed: smart meters are no longer compulsory and refusing a smart meter is no longer an economic crime. Monitoring energy consumption continuously is no longer allowed. This is only allowed when making an invoice, in the event of relocation or where technical management is due. When moving to a house where a smart meter is already installed, you can request to have the meter turned off ‘administratively’. The distribution network operator is obliged to accept this request. Basically an administratively disabled meter behaves like a traditional, ‘dumb’ meter. This sounds hopeful.  

However, the extent to which ‘administratively turned off’ in practice truly does mean ‘turned off’ still depends on further requirements that will be imposed on smart meters. Of course there’s a big difference between a meter that never passes on information and a meter that does so every once in a while even though the information is then being ignored by the distribution network operator. Administratively turned off could also mean that the operator promises not to make a request for information to the meter. But what if someone else does this instead? And what if operators are required by law enforcement agencies to make a request for information to the meter after all? Would the meter simply respond to it? A ‘dumb’ meter would never do such a thing...

In my view a greater objection is the opt-out character of the law. A consumer is allowed to request for the smart meter to be disabled. It would have been better to make that into an opt-in rule. When a smart meter is delivered and whenever a relocation takes place the meter is automatically turned off. Consumers can then request for the smart meter to be administratively turned on.  

Citizens are not in a position to choose not to use systems such as smart meters, an electronic toll system or the Electronic Health Record which have been introduced by the government. Therefore a great deal of responsibility to protect citizens against abuse lies with the government. The default state should therefore be a good protection of privacy. And opt-in should be the norm. Be smart: choose for opt-in!’’  

Dutch source: Jaap-Henk Hoepman's blog, 'Opt-in, da's pas slim', http://blog.xot.nl/2011/04/11/opt-in-das-pas-slim/, 11 April 2011.

Published in Smart Grids
Friday, 08 October 2010 22:17

The Fair Information Principles

The general philosophy of the Fair Information Principles

1. Notice/Awareness

The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below -- choice/consent, access/participation, and enforcement/redress -- are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto.

While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:

  • identification of the entity collecting the data;
  • identification of the uses to which the data will be put;
  • identification of any potential recipients of the data;
  • the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
  • whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
  • the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.

In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.

2. Choice/Consent

The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.

Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.

In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.

3. Access/Participation

Access is the third core principle. It refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.

4. Integrity/Security

The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.

Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.

5. Enforcement/Redress

It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles.

 

 

The Fair Information Principles as put into Canadian Law

Klik hier voor de bron.

These principles are usually referred to as “fair information principles”.

They are included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law, and called "Privacy Principles".

Privacy Principles

Principle 1 — Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Principle 2 — Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 — Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 — Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 — Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 — Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 — Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 — Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 — Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

 

Published in Philosophy

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon