III. PRINCIPLES FOR DATA PROTECTION
The data protection acts referred to above, whether they apply to the public or private sectors, or to both, embody principles which were adopted by the OECD in 1980 in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Information. These Guidelines were developed to help harmonise national privacy legislation and, at the same time, prevent interruptions in international flows of data (50). Canada formally adhered to the Guidelines in 1984, committing the federal government to the protection of personal privacy in both the public and private sectors. At the centre of the OECD Guidelines are eight principles of fair information practices (see Annex 1). These eight principles are the foundation upon which privacy legislation has been based, whether it is directed at the public or private sectors. To follow up on the commitment it made when it subscribed to the OECD Guidelines, the federal government undertook to encourage private sector corporations to develop and implement voluntary privacy protection codes.
Since there is already privacy legislation embodying the OECD Guidelines in the public sector at the federal level and in most provinces, the area where there is the most need for privacy legislation guidelines is the private sector.
The federal government has been working closely with the Canadian Standards Association (CSA), which has begun to draft a Model Privacy Code that would meet or surpass the OECD Guidelines while balancing trade interests and business needs with the consumer's inherent right to privacy. The CSA has brought together representatives from consumer groups and unions, the transportation, telecommunications, insurance, health and financial services industries, public sector officials and other general interest groups.
The final version of the Model Code should be adopted by the CSA in the fall of 1995, but a draft version has already been circulated for public comment (see Annex 2). It is the most up-to-date set of guidelines on the protection of personal information in the private sector and one of the most useful tools available to establish guidelines for privacy legislation. The Information Highway Advisory Council has called on the federal government to adopt legislation that would require sectors or organizations to meet the standards of fair information practices contained in the CSA model code.
At the core of the Draft Model Code are 10 interrelated principles for the protection of personal information:
1. Organizations are accountable for the personal information they collect.
2. Organizations should identify the reasons for collecting personal information.
3. Individuals are required to consent to the collection, use and disclosure of personal information.
4. Collection of information should be limited.
5. Use, disclosure and retention of information should be limited.
6. The information collected must be accurate.
7. There must be safeguards to protect information.
8. Organizations' policies and practices must be open.
9. Individuals have a right of access to their own information.
10. An individual can challenge an organization for not complying with the above principles.
These principles, which in one form or another should be in any data protection legislation, could be complemented by additional measures in related areas. Following the lead of the United Kingdom, the legislation might provide individuals with a right of action for harm caused by inaccurate personal information, loss of personal information, or unauthorized destruction of personal information (51). In addition, legislation might recognize the central role of technology by requiring assessments of new technologies for privacy implications before they are implemented (52).