ICANN/DNSO
DNSO Mailing lists archives

[nc-whois]



[nc-whois] The OECD Privacy Guidelines As a Guide to the WHOIS Task Force's Privacy Issues Report


Dear Co-Members of the WHOIS Task Force:

We had an interesting brainstorming session on the privacy issues report during today’s teleconference.  Ken Stubbs talked about stratified access; Thomas Roessler and Brian Faucet discussed the challenge of complying with a number of local and international laws; Ram Mohan posed questions about the intersection of privacy with accuracy, stability, and security; Kristy McKee talked about a categorization of registrants; Abel Wisman talked about accessibility issues; and Marilyn listed four topics - different needs of different kinds of registrants, implications of different European directives on gTLD WHOIS, the current availability of anonymity services, and how ccTLDs are dealing with privacy, accuracy, and with other related topics.

And as I discussed, the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines provide an already thought-out solution to the questions and problems that were posed during today’s teleconference. 

To give you more information (as promised):
On September 23, 1980, the Organization for Economic Cooperation and Development, a group of leading industrial countries concerned with global economic and democratic development, issued guidelines for privacy protection in the transfer of personal information across national borders.  These are the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  The OECD Privacy Guidelines outline an eight-fold path to privacy.

First is the principle of collection limitation.  This principle states that there should be limits to the collection of personal data; any such data collected should be obtained by lawful means and with the consent of the data subject, where appropriate.  Second is the principle of data quality.  This principle embodies the notion that collected data should be relevant to a specific purpose, and be accurate, complete, and up-to-date.  Third is the principle of purpose specification; that is, the purpose for collecting data should be settled at the outset.  The fourth principle, use limitation, works in tandem with the third.  It states that the use of personal data ought be limited to specified purposes, and that data acquired for one purpose ought not be used for others.  The fifth principle is security:  data must be collected and stored in a way reasonably calculated to prevent its loss, theft, or modification.  The sixth principle is openness.  There should be a general position of transparency with respect to the practices of handling data.  The seventh principle is individual participation:  individuals should have the right to access, confirm, and demand correction of their personal data.  The eighth and last principle is accountability.  Those in charge of handling data should be responsible for complying with the principles of the privacy guidelines....  [see Marc Rotenberg, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments 324-52 (EPIC 2002) (“OECD Privacy Guidelines”)]

For another perspective:
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23 September 1980, continue to represent international consensus on general guidance concerning the collection and management of personal information. By setting out core principles, the Guidelines play a major role in assisting governments, business and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to transborder data flows, both on and off line. The reflection of twenty-one years of expertise and experience shared among representatives of OECD governments, business and industry, and civil society, this publication contains the instruments that serve as the foundation for privacy protection at the global level….  [see http://www.oecd.org/EN/home/0,,EN-home-0-nodirectorate-no-no-no-0,FF.html and do a search for “OECD Privacy Guidelines”]

Note that the OECD Privacy Guidelines reflect an international consensus on privacy, and include guidelines on accuracy, data use limitation, and security.  Therefore, the WHOIS Task Force should carefully read and understand the OECD Privacy Guidelines before engaging in a meaningful discussion on privacy. 

I am happy to lead such a discussion in our Privacy Issues Report.  Please let me know if I can supply further information.

Sincerely,
Ruchika Agrawal
WHOIS Task Force Member
Non-Commercial Constituency

