The IT Law Wiki


Organization for Economic Cooperation and Development, ICCP Subcommittee, Guidelines on the Protection of Privacy and Transborder Flow of Personal Data (C(80)58/FINAL) (Sept. 23, 1980) (full-text).


In 1980, the Organization for Economic Co-operation and Development (OECD) adopted privacy guidelines in response to the growth of automatic data processing, which enabled increased transfers of personal data across national borders. These guidelines contain a revised version of the Fair Information Practices developed by the U.S. Department of Health, Education & Welfare in its 1973 report entitled "Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems" (1973).

The guidelines provide a framework of principles at the policy and operational levels to foster consistent domestic approaches to addressing information security risks in a globally interconnected society. More broadly, the Guidelines reflect a shared ambition to develop a culture of security across society, so that security becomes an integral part of the daily routine of individuals, businesses and governments in their use of Information and Communication Technologies (ICTs) and in conducting online activities.

Fair Information Practices

The OECD version of the Fair Information Practices was reaffirmed by OECD ministers in a 1998 declaration and further endorsed in a 2006 OECD report.[1] The OECD version of the principles states:


Influence on national privacy law

The Fair Information Practices are, with some variation, the basis of privacy laws and related policies in many countries, including the United States, Canada,[2] Germany, Sweden, Australia, and New Zealand, as well as the European Union.[3] They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the Department of Commerce in 1981,[4] and including policy statements from DHS, DOJ, and the Department of Housing and Urban Development.[5]

In 2003 and 2005, the OECD monitored efforts by governments to implement national policy frameworks consistent with the Guidelines, including measures to combat cybercrime, develop Computer Security Incident Response Teams (CSIRTs), raise awareness, and foster education, among other topics.[6] In 2006 and 2007, the OECD focused on the development of policies to protect critical information infrastructures.[7]

In 2004, the U.S. Chief Information Officers Council issued a coordinating draft of its Security and Privacy Profile for the Federal Enterprise Architecture that links privacy protection with a set of acceptable privacy principles corresponding to the OECD’s version of the Fair Information Practices.


  1. OECD, Making Privacy Notices Simple: An OECD Report and Recommendations (July 24, 2006) (full-text).
  2. Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (2008) (PIPEDA) (full-text).
  3. European Union Directive on the Protection of Personal Data (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data”) (1995).
  4. “Report on OECD Guidelines Program,” Memorandum from Bernard Wunder, Jr., Assistant Secretary for Communications and Information, Department of Commerce (Oct. 30, 1981).
  5. U.S. Department of Homeland Security, Privacy Office Mission Statement, “Privacy Policy Development Guide”; U.S. Department of Justice, Global Information Sharing Initiative (Sept. 2005); U.S. Department of Housing and Urban Development, “Homeless Management Information Systems,” 69 Fed. Reg. 45888 (July 30, 2004). See also Information Policy Committee of the National Information Infrastructure Task Force, Office of Information and Regulatory Affairs, Office of Management and Budget, “Options for Promoting Privacy on the National Information Infrastructure” (Apr. 1997).
  6. See OECD, Working Party on Information Security and Privacy, The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries (DSTI/ICCP/REG(2005)1/FINAL) (2005) (full-text).
  7. See DSTI/ICCP.REG(2006)15/FINAL and DSTI/ICCP/REG(2007)16/FINAL.