The Organisation for Economic Co-operation and Development (OECD) recently released a declaration on government access to personal data. The declaration, which was adopted by the OECD Council, outlines principles for the access and use of personal data held by private sector entities for law enforcement and national security purposes.
The declaration states personal data should only be accessed when necessary and proportionate to achieving a legitimate objective. This is designed to promote confidence in cross-border data flows and establish common standards for data retention and security. Moreover, to address concerns of public safety and individual rights, the declaration calls for governments to adopt a risk-based approach to government access to personal data in the private sector. This approach would involve assessing the potential risks and benefits of government access to personal data and taking steps to minimise the risks and maximise the benefits.
The declaration notes seven principles that should be adopted by OECD member parties. These include:
- Government access to personal data should be regulated by a legal framework with clear rules, conditions, and safeguards.
- Government access should only be for legitimate reasons and should not be used to suppress criticism or disadvantage certain groups.
- Government access to personal data should be approved by relevant authorities, with a strict approval process for serious interference with privacy.
- Measures should be taken to protect personal data from unauthorised access and only authorised personnel should have access. Personal data should also be deleted after a certain time period.
- Government frameworks for access should be clear and accessible to the public.
- There should be oversight and monitoring to ensure compliance with the framework.
- Individuals should have access to redress and remedies such as termination of government access, deletion of improperly accessed data and cessation of any unlawful processing.
The declaration is non-binding at an international level and Australia is under no obligation to implement the declaration into domestic law. However, it provides prudent guidance in ensuring that personal data is protected and used responsibly by governments around the world.
For a full reading of the declaration, see here.