The table below compares the privacy concepts set out in selected domestic and international privacy regulations, laws, and guidelines against the Generally Accepted Privacy Principles (GAPP). It is for illustrative purposes only and is not meant to be comprehensive. Column 1 lists the 10 GAPP principles. Columns 2 through 9 list the significant principles addressed by each specific law or regulation; a blank cell means the source does not state a corresponding principle explicitly. The "Key to Column and Source" that follows the tables identifies the source for each numbered column.
| (1) Generally Accepted Privacy Principles | (2) Australia Privacy Act | (3) Canada PIPEDA | (4) E.U. Directive | (5) OECD Guidelines |
|---|---|---|---|---|
| Management | | Accountability | Notification | Accountability |
| Notice | Openness | Identifying Purposes, Openness | Information to Be Given to the Data Subject | Purpose Specification, Openness |
| Choice and Consent | Use and Disclosure | Consent | Criteria for Making Data Processing Legitimate, Data Subject's Right to Object | Collection Limitation |
| Collection | Collection, Sensitive Information, Anonymity | Limiting Collection | Principles Relating to Data Quality, Exemptions and Restrictions | Collection (including consent) Limitation |
| Use and Retention | Identifiers, Use and Disclosure | Limiting Use, Disclosure, and Retention | Making Data Processing Legitimate, Special Categories of Processing, Principles Relating to Data Quality, Exemptions and Restrictions, The Data Subject's Right to Object | Use Limitation (including disclosure limitation) |
| Access | Access and Correction | Individual Access | The Data Subject's Right of Access to Data | Individual Participation |
| Disclosure to Third Parties | Use and Disclosure, Transborder Data Flows | Limiting Use, Disclosure, and Retention | Transfer of Personal Data to Third Countries | Use Limitation (including disclosure limitation) |
| Security | Data Security | Safeguards | Confidentiality and Security of Processing | Security Safeguards |
| Quality | Data Quality | Accuracy | Principles Relating to Data Quality | Data Quality |
| Monitoring and Enforcement | Enforcement by the Office of the Privacy Commissioner | Challenging Compliance | Judicial Remedies, Liability and Sanctions, Codes of Conduct, Supervisory Authority and Working Party on the Protection of Individuals with Regard to the Processing of Personal Data | Individual Participation (including challenging compliance) |

| (1) Generally Accepted Privacy Principles | (6) U.S. FTC | (7) U.S. Safe Harbor | (8) U.S. HIPAA | (9) U.S. GLBA |
|---|---|---|---|---|
| Management | | | Administrative Requirements | |
| Notice | Notice | Notice | Notice | Privacy and Opt Out Notices, Exceptions |
| Choice and Consent | Choice | Choice | Consent, Uses and Disclosures | Privacy and Opt Out Notices |
| Collection | | Data Integrity | | |
| Use and Retention | | (Implied but not specified in the principles) | Uses and Disclosures | Limits on Disclosures |
| Access | | Access | Access | |
| Disclosure to Third Parties | | Onward Transfer | Uses and Disclosures, Accounting of Disclosures | Limits on Disclosures |
| Security | Security | Security | Security Rule | Security Guidelines mandated by section 501(b) of GLBA |
| Quality | Integrity | Data Integrity | Amendment | |
| Monitoring and Enforcement | Enforcement | Enforcement | Compliance and Enforcement by the Department of Health and Human Services | Enforcement by financial services industry regulators, the FTC, and the SEC |
Key to Column and Source
- (1) AICPA/CICA Generally Accepted Privacy Principles, May 2006.
- (2) Australia Privacy Act 1988, as amended, effective December 21, 2001.
- (3) Canada Personal Information Protection and Electronic Documents Act (PIPEDA), also referred to as Bill C-6, Second Session, Thirty-sixth Parliament, 48-49 Elizabeth II, 1999-2000, assented to April 13, 2000, effective January 1, 2001.
- (4) EU Directive: European Union (EU) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, October 24, 1995, effective October 25, 1998, as implemented in EU country-specific laws and regulations.
- (5) OECD Guidelines: Organisation for Economic Co-operation and Development (OECD), Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, September 23, 1980.
- (6) U.S. FTC: Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress, United States (U.S.) Federal Trade Commission (FTC), May 2000.
- (7) U.S. Safe Harbor: an agreement between the U.S. Department of Commerce and the European Commission's Internal Market Directorate, approved by the European Commission July 27, 2000, open for use November 1, 2000.
- (8) U.S. HIPAA: United States Health Insurance Portability and Accountability Act of 1996 (HIPAA), Privacy Rule (compliance deadline April 16, 2003) and Security Rule (compliance deadline April 21, 2005).
- (9) U.S. GLBA: Financial Services Modernization Act, also referred to as the Gramm-Leach-Bliley Act (GLBA), Title V – Privacy, Subtitle A, enacted November 12, 1999, effective November 13, 2000, compliance required by July 1, 2001. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (collectively, the Agencies) published final Guidelines establishing standards for safeguarding customer information that implement sections 501 and 505(b) of GLBA.