SEP 11, 2018 | US
BSA | The Software Alliance Releases Privacy Framework to Support Data Privacy Legislation
- Transparency: Organizations should provide clear and accessible explanations of their practices for handling personal data, including the categories of personal data they collect, the type of third parties with whom they share data, and the description of processes the organization maintains to review, request changes to, request a copy of, or delete personal data.
- Purpose Specification: Personal data should be relevant to the purposes for which it is collected and obtained by lawful means. Organizations should inform consumers of the purpose for which they are collecting personal data and use that data in a manner that is consistent with that explanation, the context of the transaction, or reasonable expectation of the consumer, or in a manner that is otherwise compatible with the original purpose for which the data was collected. Organizations should employ governance systems that seek to ensure that personal data is used and shared in a manner that is compatible with the stated purposes.
- Informed Choice: Organizations should provide consumers with sufficient information to make informed choices and, where practical and appropriate, the ability to opt out of the processing of personal data. BSA recognizes that certain data, such as financial account information or health condition, may be particularly sensitive. If the use of sensitive data implicates heightened privacy risks, organizations should enable consumers from whom they collect sensitive data to provide affirmative express consent. Certain existing US laws, such as COPPA, HIPAA, GLB, and the FCRA, also provide important protections for the processing of sensitive personal data covered by those laws and should therefore remain in place.
- Data Quality: Personal data should be relevant to the purpose for which it is used and, to the extent necessary for those purposes, should be accurate, complete, and current.
- Consumer Control: Consumers should be able to request information about whether organizations have personal data relating to them and the nature of such data. They should be able to request a copy of the data, challenge the accuracy of that data, and, as appropriate, have the data corrected or deleted. Organizations that determine the means and purposes of processing personal data should be primarily responsible for responding to these requests. Organizations may deny such requests where the burden or expense of doing so would be unreasonable or disproportionate to the risks to the consumer’s privacy; to comply with legal requirements; to ensure network security; to otherwise protect confidential commercial information; for research purposes; or to avoid violating the privacy, free speech, or other rights of other consumers.
- Security: Organizations should employ reasonable and appropriate security measures designed to prevent unauthorized access, destruction, use, modification, and disclosure of personal data based on the volume and sensitivity of the data, size and complexity of the business, and cost of available tools.
- Facilitating Data Use for Legitimate Business Interests: Privacy frameworks should facilitate the use of data for legitimate business purposes. Such purposes may include providing services to other business customers or consumers. Where the processing of data poses risks to the privacy of consumers, privacy frameworks should implement a risk-based approach that tailors protections to circumstances that are likely to lead to substantial harm.
- Accountability: Organizations should develop policies and procedures that provide the safeguards outlined in this framework, including designating persons to coordinate programs implementing these safeguards and providing employee training and management; regularly monitor and assess the implementation of those programs; and, where necessary, adjust practices to address issues as they arise.
- Legal Compliance and Enforcement: Organizations that determine the means and purposes of processing personal data should have primary responsibility for satisfying legal privacy and security obligations. Entities that process data on behalf of those organizations should be responsible for following their agreed upon instructions. Any uniform federal privacy law should harmonize requirements in state law. The Federal Trade Commission, which has a strong record of robust enforcement, should have the tools and resources necessary to carry out its mission effectively.
- International Interoperability: Privacy frameworks should enable and encourage global data flows, which underpin the global economy. Where differences exist among varying privacy regimes, governments should create tools to bridge those gaps in ways that both protect privacy and facilitate the free flow of data.
소프트웨어 연합(BSA | The Software Alliance, 이하 BSA)(www.bsa.org)은 각국 정부를 대상으로 세계 시장에서 전 세계 소프트웨어 업계를 대변하고 옹호하는 선도적 연합체입니다. 세계의 가장 혁신적 기업들이 회원사로 참여하며 경제에 활기를 불어 넣고 현대의 생활을 향상시키는 소프트웨어 솔루션을 만들어 내고 있습니다.
워싱턴 DC에 본부를 두고, 30개국이 넘는 국가들에서 운영되는 BSA는, 합법적 소프트웨어 사용을 증진시키고 기술 혁신을 촉진하며 디지털 경제의 성장을 추진하는 공공 정책을 지지하는 준법 프로그램들을 선도합니다.