Openness Principle

PRINCIPLE (Openness)

DEFINITION AND DESCRIPTION (WITH VARIATIONS)

There shall be no personal-data record-keeping system whose very existence is secret and there shall be a policy of openness about an organization’s personal-data record-keeping policies, practices, and systems.  (The Openness Principle)  (PPSC; 1977)

PPSC: U.S. Privacy Protection Study Commission, “Protecting Privacy in an Information Society” (ch. 13). http://aspe.hhs.gov/datacncl/1977privacy/toc.htm

FRAMEWORKS WHERE THE PRINCIPLE APPEARS

The Open Identity Trust Framework has a well-developed view of the Principle of Openness, which includes: Lawfulness, Open Reporting and Publication, an Ombudsman, Anti-circumvention and Open Disclosure, Non-discrimination, Interoperability, Open Versioning, Participant Involvement, Data Protection, Accountability, Auditability, and Redress (OITF, p. 12).

The first of the 5 original 1973 HEW (U.S. Department of Health, Education and Welfare) Fair Information Practices was openness, followed by disclosure, secondary use, correction, and security.

Frameworks Referenced in the ISTPA

APEC Privacy Framework under “Educating and publicizing domestic privacy protections” (Part IV, Section III)

OECD Privacy Guidelines under “Openness” (Paragraph 12)

EU Data Protection Directive under “Notification” (Section IX)

Japan Personal Information Protection Act under “Public Announcement of Matters Concerning Retained Personal Data” (Article 24)

Australian National Privacy Principles under “Openness” (Sub clause 5.1-5.2)

The Privacy Act of 1974 (US) under “Agency Rules” (Subsection f)

CSA Model Code under “Openness” (Clause 4.8-4.8.3)

CONTROLS ASSOCIATED WITH THE PRINCIPLE

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals should be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

The information made available shall include (a) the name/title and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded; (b) the means of gaining access to personal information held by the organization; (c) a description of the type of personal information held by the organization, including a general account of its use; (d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and (e) what personal information is made available to related organizations (e.g., subsidiaries).

An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number. (CSA, 4.8.1-4.8.3)

INTERACTION WITH OTHER PRINCIPLES

The principle of Openness interacts with the principle of Notice in defining the spirit of open notices and their use. The principle of Openness provides integrity to the provision of consent and facilitates participation between stakeholders. Integrity/Participation (FTC, B.2)

Additional safeguards for the data subject: [Any person shall be enabled:] to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file. (COE; Art. 8.a.)

Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII. (NSTIC)

APPLIES TO INTERNAL OPERATIONS OR TO EXTERNAL PARTICIPANTS?

Applied to both: externally, primarily as a method of information provision, but also internally as Open Versioning, Data Protection, Auditability, and the ability to Redress.

ANALYSIS REFERENCES

Additional References to Discovery

COE: Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1980). http://www.privacy.org/pi/intl_orgs/coe/dp_convention_108.txt

HEW: U.S. Department of Health, Education and Welfare, “Records, Computers and the Rights of Citizens,” issued by the Secretary's Advisory Committee on Automated Personal Data Systems; Elliot Richardson, Secretary of the Department of Health, Education and Welfare (1973).