The purpose of Part II of the APEC Privacy Framework is to make
clear the extent of coverage of the Principles.
|
Definitions
|
-
personal information means any information
about an identified or identifiable individual
|
- The Principles have been drafted against a background in which
some economies have well-established privacy laws and/or
practices
while others may be considering the issues. Of those with already
settled policies, not all
treat personal information in exactly
the same way. Some, for example, may draw distinctions between
information that is readily searchable and other information. Despite
these differences, this Framework has been drafted
to promote a
consistent approach among the information privacy regimes of APEC
economies.
This Framework is intended to apply to information about natural
living persons, not legal persons. The APEC Privacy
Framework
applies to personal information, which is information that
can be used to identify
an individual. It also includes information
that would not meet this criteria alone, but when put together
with other information would identify an individual.
|
- personal information controller means
a person or organization who controls the collection, holding,
processing or use of personal information.
It includes a person
or organization who instructs another person or organization to
collect, hold, process,
use, transfer or disclose personal information
on his or her behalf, but excludes a person or organization who
performs such functions as instructed by another person or organization.
It also excludes an individual who
collects, holds, processes or
uses personal information in connection with the individual’s
personal,
family or household affairs.
|
- The APEC Privacy Framework applies to persons
or organizations in the public and private sectors who control
the collection, holding, processing, use, transfer or disclosure
of personal information. Individual economies’
definitions
of personal information controller may vary. However, APEC economies
agree that for the purposes
of this Framework, where a person or
organization instructs another person or organization to collect,
hold, use, process, transfer or disclose personal information on
its behalf, the instructing person or organization
is the personal
information controller and is responsible for ensuring compliance
with the Principles.
Individuals will often collect, hold and use personal information
for personal, family or household purposes.
For example,
they often keep address books and phone lists or prepare
family newsletters.
The Framework is not intended to apply
to such personal, family or household activities.
|
-
publicly available information means personal information
about an individual that the individual knowingly makes or permits
to
be made available to the public, or is legally obtained and
accessed from:
-
government records that are available to the public;
-
journalistic reports; or
-
information required by law to be made available to the
public
|
- The APEC Privacy Framework has limited application
to publicly available information. Notice and choice requirements,
in particular, often are superfluous where the information is already
publicly available, and the personal
information controller does
not collect the information directly from the individual concerned.
Publicly
available information may be contained in government records
that are available to the public, such as registers of
people who
are entitled to vote, or in news items broadcast or published by
the news media.
|
Application
|
- In view of the differences in social, cultural, economic and
legal backgrounds of each member economy, there should
be flexibility
in implementing these Principles.
|
- Although it is not essential for electronic commerce that all
laws and practices within APEC be identical in all respects,
including
the coverage of personal information, compatible approaches to
information privacy protection
among APEC economies will greatly
facilitate international commerce. These Principles recognize that
fact, but also take into account social, cultural and other differences
among economies. They focus on those aspects
of privacy protection
that are of the most importance to international commerce.
|
- Exceptions to these Principles contained in Part III of this
Framework, including those relating to national sovereignty,
national
security, public safety and public policy should be:
a) limited and proportional to meeting the objectives to which
the exceptions relate; and,
b) (i) made known to the public; or,
(ii) in accordance with law.
|
- The Principles contained in Part III of the APEC
Privacy Framework should be interpreted as a whole rather than
individually, as there is a close relationship among them. For
example, the Use Principle is closely related
to both the Notice
and Choice Principles. Economies implementing the Framework at
a domestic level may
adopt suitable exceptions that suit their
particular domestic circumstances.
Although recognizing the importance of governmental respect
for privacy, this Framework is not intended to impede
governmental
activities authorized by law when taken to protect national
security, public
safety, national sovereignty or other public
policy. Nonetheless, Economies should take into consideration
the impact of these activities upon the rights, responsibilities
and legitimate interests of
individuals and organizations.
|
|
|
I. Preventing Harm
|
-
Recognizing the interests of the individual
to legitimate expectations of privacy, personal information protection
should be designed to prevent the misuse of such information. Further,
acknowledging the risk
that harm may result from such misuse of personal
information, specific obligations should take account of such
risk,
and remedial measures should be proportionate to the likelihood and
severity of the harm
threatened by the collection, use and transfer
of personal information.
|
- The Preventing Harm Principle recognizes that
one of the primary objectives of the APEC Privacy Framework is
to prevent misuse of personal information and consequent harm to
individuals. Therefore, privacy protections,
including self-regulatory
efforts, education and awareness campaigns, laws, regulations,
and enforcement
mechanisms, should be designed to prevent harm
to individuals from the wrongful collection and misuse of their
personal information. Hence, remedies for privacy infringements
should be designed to prevent harms
resulting from the wrongful
collection or misuse of personal information, and should be proportionate
to the likelihood and severity of any harm threatened by the collection
or use of personal information.
|
II. Notice
|
-
Personal information controllers should provide clear and
easily accessible statements about their practices
and policies
with respect to personal information that should include:
a) the fact that personal information is being collected;
b) the purposes for which personal information is collected;
c) the types of persons or organizations to whom personal information
might be disclosed;
d) the identity and location of the personal information controller,
including information on how to contact them
about their practices
and handling of personal information;
e) the choices and means the personal information controller offers
individuals for limiting the use and disclosure
of, and for accessing
and correcting, their personal information.
-
All reasonably practicable steps shall be taken to ensure
that such notice is provided either before or at the time
of collection
of personal information. Otherwise, such notice should be provided
as soon after
as is practicable.
-
It may not be appropriate for personal information
controllers to provide notice regarding the collection and use
of
publicly available information.
|
-
–17. The Notice Principle is directed
towards ensuring that individuals are able to know what information
is
collected about
them and for what purpose
it is to be used. By providing
notice, personal information controllers may enable an individual
to make
a more informed decision about interacting with the organization.
One
common method of compliance with this Principle is for personal
information controllers to post notices on their Web sites. In
other situations, placement
of notices on intranet sites or in
employee handbooks, for example, may be appropriate.
The requirement in this Principle relating to when notice should
be provided is based on a consensus
among APEC member economies.
APEC member economies agree that good privacy practice is to inform
relevant individuals at the time of, or before, information is
collected
about them. At the same time, the Principle also recognizes
that there are circumstances in which it
would not be practicable
to give notice at or before the time of collection, such as in
some cases where electronic technology automatically collects information
when a
prospective customer initiates contact, as is often the
case with the use of cookies.
Moreover, where personal information is not
obtained directly from the individual, but from a third party,
it may not be practicable
to give notice at or before the time of collection of the
information. For example, when an insurance company collects employees’ information
from an employer
in order to provide medical insurance services,
it may not be practicable for the insurance company to give notice
at or before the time of collection of the employees’ personal
information.
Additionally, there are situations in which
it would not be necessary to provide notice, such as in the collection
and use of publicly
available information, or of business contact information and
other professional information that identifies an individual in
his or
her professional
capacity in a business context. For example,
if an individual gives his or her business card to another individual
in the context of a business relationship, the individual would
not expect that notice would
be provided regarding the collection
and normal use of that information.
Further, if colleagues who
work for the same
company as the individual,
were to provide the
individual’s
business contact information to potential customers
of that company, the individual would not
have an expectation that
notice would be provided
regarding the transfer or the expected use of that
information.
|
III. Collection Limitation
|
-
The collection of personal information should
be limited to information that is relevant to the purposes of collection
and any such information should be obtained by lawful and fair means,
and where appropriate, with
notice to, or consent of, the individual
concerned.
|
- This Principle limits collection of information
by reference to the purposes for which it is collected. The collection
of the information should be relevant to such purposes, and proportionality
to the fulfillment of such
purposes may be a factor in determining
what is relevant.
This Principle also provides that collection methods must be lawful
and fair. So, for example, obtaining personal
information under
false pretenses (e.g., where an organization uses telemarketing
calls, print
advertising, or email to fraudulently misrepresent
itself as another company in order to deceive consumers and
induce
them to disclose their credit card numbers, bank account information
or other sensitive
personal information) may in many economies
be considered unlawful. Therefore, even in those economies where
there is no explicit law against these specific methods, they may
be considered an unfair means
of collection.
The Principle also recognizes that there are circumstances
where providing notice to, or obtaining consent of, individuals
would
be inappropriate. For example, in a situation where there is an outbreak
of food poisoning,
it would be appropriate for the relevant health
authorities to collect the personal information of patrons from restaurants
without providing notice to or obtaining the consent of individuals
in order to tell them about the
potential health risk.
|
IV.
Uses of Personal Information
|
-
Personal information collected should be used only to fulfill
the purposes of collection and other compatible or
related purposes
except:
a) with the consent of the individual whose personal information
is collected;
b) when necessary to provide a service or product requested by
the individual; or,
c) by the authority of law and other legal instruments,
proclamations and pronouncements of legal effect.
|
- The Use Principle limits the use of personal
information to fulfilling the purposes of collection and other
compatible or related purposes. For the purposes of this Principle, “uses
of personal information”
includes the transfer or disclosure
of personal information.
Application of this Principle requires consideration
of the nature of the information, the context of collection
and the intended use of the information. The fundamental
criterion
in determining
whether a purpose is compatible with or related to the stated
purposes is whether
the extended usage stems from or is in
furtherance of
such purposes. The use of personal information
for “compatible
or related purposes” would extend, for example, to matters
such as
the creation and use of a centralized database to manage
personnel in an effective and efficient manner; the processing
of employee payrolls by a third party; or, the use of information
collected
by an organization for the purpose of granting credit for the
subsequent purpose of collecting debt owed to that
organization.
|
V. Choice
|
-
Where appropriate, individuals should be provided
with clear, prominent, easily understandable, accessible and affordable
mechanisms to exercise choice in relation to the collection, use
and disclosure of their personal
information. It may not be appropriate
for personal information controllers to provide these mechanisms
when collecting publicly available information.
|
- The general purpose of the Choice Principle is
to ensure that individuals are provided with choice in relation
to collection, use, transfer and disclosure of their personal information.
Whether the choice is conveyed
electronically, in writing or by
other means, notice of such choice should be clearly worded and
displayed
clearly and conspicuously. By the same token, the mechanisms
for exercising choice should be accessible and affordable
to individuals.
Ease of access and convenience are factors that should be taken
into account.
Where an organization provides information on available mechanisms
for exercising choice that is specifically tailored
to individuals
in an APEC member
economy or national group, this may require that the information
be conveyed in an “easily understandable” or particular
way appropriate to members
of that group (e.g., in a particular
language). However if the communication is not directed to
any particular economy or national group other than the one
where
the organization is located,
this requirement will not apply.
This Principle
also recognizes, through the introductory words “where appropriate”,
that
there are certain situations where consent may be clearly
implied or where it would not be
necessary
to provide a mechanism to exercise choice.
As is specified in the Principle, APEC member economies agree
that in many situations it would not be necessary
or practicable to provide a mechanism to exercise choice when collecting
publicly available information.
For example, it would not be necessary
to provide a mechanism to exercise choice to individuals when collecting
their name and address from a public record or a newspaper.
In addition to situations involving publicly available information,
APEC member economies also agreed that in specific
and limited
circumstances it would not be necessary
or practicable to provide a mechanism to exercise choice when collecting,
using, transferring
or disclosing other types of information. For
example, when business contact information or other professional
information that identifies an individual in his or her professional
capacity is being exchanged
in a business context it is generally
impractical or unnecessary to provide a mechanism to exercise choice,
as in these circumstances individuals would expect that their information
be used in this way.
Further, in certain situations, it would not be practicable for
employers to be subject to requirements to provide
a mechanism
to exercise choice related to the personal information of their
employees when using
such information for employment purposes.
For example, if an organization has decided to centralize human
resources information, that organization should not be required
to provide a mechanism to exercise choice
to its employees before
engaging in such an activity.
|
VI. Integrity of Personal
Information
|
-
Personal information should be accurate, complete
and kept up-to-date to the extent necessary for the purposes
of use.
|
-
This Principle recognizes that a personal
information controller is obliged to maintain the accuracy and completeness
of records and keep them up to date. Making decisions about individuals
based on inaccurate,
incomplete or out of date information may not
be in the interests of individuals or organizations. This Principle
also recognizes that these obligations are only required to the extent
necessary for the purposes
of use.
|
VII. Security Safeguards
|
-
Personal information controllers should protect
personal information that they hold with appropriate safeguards against
risks, such as loss or unauthorized access to personal information,
or unauthorized destruction,
use, modification or disclosure of information
or other misuses. Such safeguards should be proportional to the likelihood
and severity of the harm threatened, the sensitivity of the information
and the context in which
it is held, and should be subject to periodic
review and reassessment.
|
-
This Principle recognizes that individuals
who entrust their information to another are entitled to expect that
their information be protected with reasonable security safeguards.
|
VIII. Access and Correction
|
-
Individuals should be able to:
-
obtain from the personal information controller confirmation of whether or not the personal information controller holds personal
information about them;
-
have communicated to them, after having provided sufficient proof of their identity,
personal information about them;
i. within a reasonable time;
ii. at a charge, if any, that is not excessive;
iii. in a reasonable manner;
iv. in a form that is generally understandable; an
-
challenge the accuracy of information relating
to them and, if possible and as appropriate, have the information
rectified, completed, amended or deleted.
- Such access and opportunity for correction should be provided
except where:
(i) the burden or expense of doing
so would be unreasonable or disproportionate to the risks
to the
individual’s privacy
in the case in question;
(ii) the information should not be disclosed due to legal or
security reasons or to protect confidential commercial
information;
or
(iii) the information privacy of persons other than the individual
would be violated.
-
If a request under (a) or (b) or a challenge
under (c) is denied, the individual should be provided with reasons
why and be able to challenge such denial.
|
- –25. The ability to access and correct personal
information, while generally regarded as a central aspect of
privacy protection, is not an absolute right. This Principle
includes specific
conditions
for what would be considered reasonable in the provision
of access, including conditions related to timing, fees,
and
the manner and form in which access would be provided. What is
to be
considered
reasonable in each of these areas will vary from one
situation to another depending on circumstances, such as the
nature of the
information processing activity. Access will also be conditioned
by
security requirements that preclude the provision of direct
access to information and will require sufficient proof
of identity
prior
to provision of access.
Access must be provided in a reasonable
manner and form. A reasonable manner should include the normal
methods of interaction between organizations and individuals.
For example,
if a computer
was involved in the transaction or request, and
the individual’s email address is available, email would
be considered “a
reasonable manner” to provide information. Organizations
that have
transacted with an individual may reasonably be expected
to
answer requests in a form that is
similar to what has been
used in prior exchanges with said individual or in the form
that is
used
and available within the organization, but should not be understood
to
require separate language translation or conversion of code
into text.
Both the copy of personal
information supplied by an organization in response to an
access
request and any explanation
of codes used by the organization should be readily comprehensible.
This obligation does not extend to the conversion of computer
language (e.g. machine-readable instructions,
source codes
or object codes)
into text. However, where a code represents a particular meaning,
the personal information controller shall explain the meaning
of that code to the individual.
For example, if the personal
information
held by the organization includes the age range of the
individual,
and that is represented by a particular code (e.g., “1” means
18-25 years
old, “2” means “26–35 years old,
etc.), then when providing the individual with such a
code,
the organization
shall explain to the individual what age range that code represents.
Where individual requests access to his or her information, that
information should be provided in the language
in which it is currently
held. Where information is held in a language different to the
language
of original collection, and if the individual requests
the information be provided in that original language, an
organization
should supply the information in the original language if the individual
pays the cost
of translation.
The details of the procedures by which the ability to access and
correct information is provided may differ depending
on the nature
of the information and other interests. For this reason, in certain
circumstances,
it may be impossible, impracticable or unnecessary
to change, suppress or delete records.
Consistent with the fundamental nature of access, organizations
should always make good faith efforts to provide
access. For example,
where certain information needs to be protected and can be readily
separated
from other information subject to an access request,
the organization should redact the protected information and
make
available the other information. However, in some situations, it
may be necessary for organizations
to deny claims for access and
correction, and this Principle sets out the conditions that must
be met in order for such denials to be considered acceptable, which
include: situations where claims would constitute
an unreasonable
expense or burden on the personal information controller, such
as when claims
for access are repetitious or vexatious by nature;
cases where providing the information would constitute a violation
of laws or would compromise security; or, incidences where it would
be necessary in order to
protect commercial confidential information
that an organization has taken steps to protect from disclosure,
where disclosure would benefit a competitor in the marketplace,
such as a particular computer or modeling
program.
“Confidential commercial information” is information
that an organization has taken steps to protect
from disclosure,
where such disclosure would facilitate a competitor in the market
to use or
exploit the information against the business interest
of the organization causing significant financial loss. The
particular
computer program or business process an organization uses, such
as a modeling program,
or the details of that program or business
process may be confidential commercial information. Where confidential
commercial information can be readily separated from other information
subject to an access request,
the organization should redact the
confidential commercial information and make available the non-confidential
information, to the extent that such information constitutes personal
information of the individual
concerned. Organizations may deny
or limit access to the extent that it is not practicable to separate
the personal information from the confidential commercial information
and where granting access would
reveal the organization’s
own confidential commercial information as defined above, or
where it would reveal the confidential commercial information
of another
organization that is subject
to an obligation of confidentiality.
When an organization denies a request for access, for the reasons
specified above, such an organization should provide
the individual
with an explanation as to why it has made that determination and
information on
how to challenge that denial. An organization would
not be expected to provide an explanation, however, in cases
where
such disclosure would violate a law or judicial order.
|
IX. Accountability
|
-
A personal information controller should
be accountable for complying with measures that give effect to
the Principles
stated above. When personal information is to be transferred
to another person
or organization, whether domestically or internationally,
the personal information controller should obtain the consent
of
the individual or exercise due diligence and take reasonable
steps to ensure that
the recipient person or organization will
protect
the information consistently with these Principles.
|
-
Efficient and cost effective business models
often require information transfers between different types of
organizations in different locations with varying relationships.
When transferring
information,
personal information controllers should be accountable
for ensuring that the recipient will protect the information
consistently with these Principles when not obtaining consent.
Thus, information
controllers should take reasonable steps to ensure the information
is protected, in accordance with these Principles,
after it is
transferred. However, there are certain situations where such
due diligence may
be impractical or impossible, for example, when there is no on-going
relationship between the personal
information controller and
the third party to whom the information is disclosed. In these
types
of circumstances, personal information controllers may choose
to use other means, such as obtaining
consent, to assure that
the information
is being protected consistently with these Principles. However,
incases
where disclosures are required by domestic law, the personal information
controller would be relieved of any due diligence or consent obligations.
|