Privacy Principle 9: Free Flow of Personal Information
Organizations must take into consideration the privacy requirements of all the countries from which they gather personal information, and through which they send or store personal information. Such information must be adequately secured to ensure uninterrupted flow through the countries, and continued business processing. Requirements for such transborder personal data flow should be detailed within contracts with third parties and customers.
Question: Have you identified all the countries through which personal information is collected, stored, and through which personal information flows?
Discussion: Most countries have privacy-related laws, and some, such as the U.S., have multiple laws. In addition, most of the countries with privacy laws have restrictions on how information can flow across country borders. For example, in addition to detailed provisions regarding the collecting and processing of personal information, the EU Data Protection Directive includes limitations on the ability of companies to transfer personal information out of the EU. The Directive requires EU member states to make it illegal for companies to export personal information to countries outside the EU unless the EU has determined that the country's laws provide adequate privacy protections.
As a starting point, an organization must identify, document and keep an up-to-date inventory of all countries from which personal information is collected, where personal information is stored and through which personal information flows.
Different countries consider different types of information to be personal information. Once each country is identified, resources such as the Privacy Management Toolkit and others can be used to help determine the PII definition and requirements for each law. It is important for organizations to identify all such types of personal information and document them to ensure the information does not flow across borders in ways that break the applicable countries' laws. (Chapter 3 of the Privacy Management Toolkit provides organizations with examples and guidance for how to define Personally Identifiable Information (PII) for their organization.)
Performing an analysis of cross-border data flow requires some effort, because many organizations today have existing information technology systems that routinely move personal data across borders without regard to privacy laws. For example, a customer database that contains PII of customers in Spain may get automatically synchronized to a master database within the United States. In 1998 Sweden brought a case against American Airlines that involved the transfer of personal medical information within the Sabre reservations system in violation of the EU Data Protection Directive.
Suggested Policy: Company X must identify, document and keep an up-to-date inventory of all the applicable privacy laws for each of the countries within which personal information is collected, stored, or through which personal information passes.
Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The Privacy Impact Assessment (PIA) within the Toolkit contains a complete assessment against all O.E.C.D. privacy principles.