Privacy Principles and DPDP Act
- sujosutech
- Apr 7
Privacy principles are fundamental guidelines that organizations and individuals should follow when handling personal information. Some world bodies and associations have formulated and proposed privacy principles that ensure the protection and responsible use of personal information. The privacy legislations of various countries, including India’s DPDP Act, have been formulated considering these basic principles.
In this article, we look at the privacy principles that are universally accepted and analyse how the DPDP Act addresses them.

OECD Privacy Principles
The Organization for Economic Cooperation and Development (OECD) established the first internationally agreed-upon set of privacy principles on September 23, 1980. These are also known as the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”. The principles are as follows:
Collection Limitation Principle – There should be limits to the collection of personal data and it should be obtained by lawful and fair means. Also, personal data should be collected with the knowledge or consent of the data subject, where appropriate.
Data Quality Principle – The collected personal data should be relevant to the purposes for which they are to be used. It should be accurate, complete and kept up-to-date.
Purpose Specification Principle – The purposes for which personal data are collected should be specified before, or at the time of, data collection. The use of personal data should be limited to the fulfilment of those, or other compatible, purposes.
Use Limitation Principle – Personal data should not be disclosed, made available or otherwise used for purposes other than those specified except: a) with the consent of the data subject; or b) by the authority of law.
Security Safeguards Principle – Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle – There should be a general policy of openness about developments, practices and policies with respect to personal data. There should be means for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle – Individuals should have the right: a) to obtain confirmation of whether the data controller has data relating to them; b) to have data (relating to them) communicated to them legibly, in a reasonable manner and time; c) to be given reasons if the above requests are denied; and d) to challenge data relating to them, and have the data erased, rectified, completed or amended.
Accountability Principle – A data controller should be accountable for complying with measures which help implement the above principles.
APEC Privacy Principles
The Asia-Pacific Economic Cooperation (APEC) developed the Privacy Framework in 2003, adopted it in 2004 and finalized it in 2005. The framework aims to improve information privacy protection across APEC countries and facilitate the trans-border flow of personal information. It is consistent with the core values of OECD’s privacy principles. The APEC privacy principles are as follows:
Preventing Harm - Organizations should take reasonable steps to prevent harm to individuals resulting from the processing of their personal information.
Notice - Individuals should be informed about the collection and use of their personal information.
Collection Limitations - Personal information should only be collected for specific, legitimate purposes and in a fair and lawful manner.
Uses of Personal Information - Personal information should only be used for the purposes for which it was collected, or for purposes that are compatible with those purposes.
Choice - Individuals should have the right to choose whether their personal information is collected, used, or disclosed, and to have access to and correct their personal information.
Integrity of Personal Information - Personal information should be accurate, complete, and kept up-to-date.
Security Safeguards - Organizations should implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction.
Access and Correction - Individuals should have the right to access their personal information and to have it corrected if it is inaccurate or incomplete.
Accountability - Organizations are responsible for complying with the principles and for ensuring that their employees and agents also comply.
How DPDP Act addresses Privacy Principles
The Digital Personal Data Protection (DPDP) Act, 2023 was passed by the Parliament of India and came into effect on August 11, 2023. It focuses on protecting digital personal data while recognising the need to process such data for lawful purposes. It applies to the processing of personal data in India, whether collected online or offline; it also applies to processing outside India if it is connected with offering goods or services to people in India.
Analysis of the DPDP Act reveals that it addresses the privacy principles as established by OECD and APEC. Specifically, the Act considers the following:

Lawful & Transparent Use – Data must be processed with clear purpose and consent.
Purpose Limitation – Data should be used only for the specified purpose.
Data Minimization – Only necessary data should be collected.
Accuracy – Data must be kept correct and updated.
Accessibility – Data must be accessible to data principals, who should be able to have it corrected and updated.
Storage Limitation – Data should not be stored longer than required.
Security Safeguards – Organizations must ensure data security and prevent breaches.
Accountability – Organizations are responsible for compliance.
The following table illustrates the mapping of the principles of the DPDP Act with the OECD and APEC privacy principles.
| SL. No. | Principle of DPDP Act | OECD Privacy Principle | APEC Privacy Principle |
|---|---|---|---|
| 1 | Lawful & Transparent Use | Purpose Specification Principle; Openness Principle | Uses of Personal Information; Notice; Choice |
| 2 | Purpose Limitation | Use Limitation Principle | Uses of Personal Information |
| 3 | Data Minimization | Collection Limitation Principle | Collection Limitations |
| 4 | Accuracy | Data Quality Principle | Integrity of Personal Information |
| 5 | Accessibility | Openness Principle; Individual Participation Principle | Access and Correction |
| 6 | Storage Limitation | Use Limitation Principle; Individual Participation Principle | Uses of Personal Information; Access and Correction |
| 7 | Security Safeguards | Security Safeguards Principle | Preventing Harm; Security Safeguards |
| 8 | Accountability | Accountability Principle | Accountability |
How Sujosu Technology Can Help
Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:
Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.
Countermeasures and Solutions: Providing tailored strategies to prevent, detect, and recover from potential attacks.
Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures, and other relevant manuals.
Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.
With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation.
Partner with Sujosu Technology
Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.