Data quality -- the forgotten privacy principle

Computerworld -

Nearly every major privacy law requires "data quality," but it’s become the most forgotten of all of the internationally recognized privacy principles. Why? Three reasons: The laws provide few details on what "data quality" means; companies violating this principle don’t make the headlines; and it’s not exactly clear what data quality has to do with privacy, anyhow.

Why is this important? Because companies around the globe are spending more time and resources assessing their internal privacy practices, and they need to know what is "good enough" when it comes to data accuracy.

Back in 1980, while the world’s attention was focused on the U.S. hostages in Iran, bureaucrats in Paris were slipping the data-quality principle into play. It was there that the EU-dominated Organisation for Economic Co-operation and Development (OECD) issued its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which stated:

"Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date."

Even then, delegates debated about whether data quality mattered to privacy. The OECD’s expert group concluded that data quality is relevant to "whether or not harm can be caused to data subjects because of lack of accuracy, completeness and updating."

Fifteen years later, the EU further embedded the data-quality concept by including it within its Directive on Data Protection. The directive states:

"Member states shall provide that personal data must be: collected for specified, explicit and legitimate purposes … adequate, relevant and not excessive in relation to the purposes for which they are collected … accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified … kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected ..."

Under threat of being deemed an inadequate destination for EU data, Canada’s Parliament in 2000 passed the Personal Information Protection and Electronic Documents Act, which parrots the EU tune:

"Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used. The extent to which personal information shall be accurate, complete and up to date will depend upon the use of the information, taking into account the interests of the individual."

But Ottawa went further: