Privacy and data protection

What are illustrative commitments

Illustrative Commitments

  • Introduction

    Privacy is an internationally recognised human right, enshrined in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the constitutions of more than 100 countries across the globe. Privacy is not only an important right in itself, but it is a key element of individual autonomy and dignity, and a strong enabler of political, spiritual, religious and even sexual freedoms. It is central to defining the relationship between a citizen and their government. Concrete expressions of the right to privacy are context specific, and may reflect cultural and societal differences.

    The right to privacy encapsulates a right to protection of personal data: individuals have the right to decide whether to share or exchange their personal information and on what terms. Technologies are rapidly changing the nature and value of information, with huge volumes of personal data rapidly generated, transmitted, shared and collated. It is essential that governments are transparent and accountable in their handling of citizens’ personal information.

    The right to privacy and the right to information – and freedom of expression – are both essential human rights and need to be balanced on a case by case basis. There are occasions when these rights will be in conflict, such as in mandating disclosure of the private interests of politicians. But in most cases these “information rights” are not opposed, and in fact mutually reinforce each other. They work in tandem to hold the powerful to account by establishing the right to know, mainly about the government, but also what information the government and relevant institutions may hold and utilise in decisions about a citizen (Banisar, 2011).

    Transparency efforts that respect privacy will try to correct information asymmetries between the powerful and rest of the population, while minimising intrusion to what is necessary to make the powerful accountable. Privacy should not be used as an excuse to avoid proper scrutiny.

    Open government and transparency programmes place more information in the public domain, and can generate negative reactions if ordinary citizens feel that it is they – and not the powerful – who are exposed. The publication of health records, tax returns or even court transcripts have all proved problematic for individual privacy in different contexts. Technologies used for accountability – for example apps and websites collecting complaints about corruption – can have serious privacy implications. Such technologies involve the collection or storage of large amounts of potentially sensitive data, and as such raise risks of identification by third parties, and unforeseen access to data by governments (Open Rights Group, 2014).

    The rights to privacy and data protection have a bearing on a multitude of government institutions, but are also important in the regulation of the private sector, including NGOs involved in development projects.

    Police and security services are special cases since their responsibilities involve non-consensual intrusion into the private sphere in pursuit of public aims such as criminal justice and the protection of public safety and national security. Privacy issues relate to search and seizure powers, communications surveillance activities, and the establishment of DNA databases. The chapter of this guide on the Police and Security Sector contains specific recommendations.

    The recommendations in this chapter are not prescriptive but examples to be adapted to local circumstances in order to enhance existing protections.


    • Open Rights Group (2014) Open Data and Privacy Primer
    • Banisar, D. (2011) The Right to Information and Privacy: Balancing Rights and Managing Conflicts, Washington DC: World Bank.
  • Expert Organisations


    This topic was developed by Carly Nyst from Privacy International and Javier Ruiz from the Open Rights Group with input from Tim Davies, Fabrizio Scrollini, Sam Smith, Tom Glaisyer, Steve Song, and Toby Mendel.

  • Standards &
  • Examples in Practice

    Privacy Impact Assessments are legally required for e-government programmes in the United States

    In the US, PIAs are required by the E-Government Act of 2002, Section 208, which regulates the management and promotion of Federal electronic government services and processes. The Act defines the required top level components of a PIA, including how the information will be secured.

    The data protection framework of Uruguay has been accredited by the EU as providing adequate protection

    The EU Commission recognised Uruguay’s legal framework as providing ‘adequate protection’ for personal data under the EU Data Protection Directive 95/46/EC. This allows full data transfer with the EU without the need for additional safeguards. To achieve this distinction, Uruguay has had to prove to the competent authorities the appropriate adoption and compliance with the provisions on protection of personal data protection.

    Other countries recognised as providing ‘adequate’ data protection are Argentina, Andorra, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey and the US Safe Harbor.

    The Dominican Republic committed to enact the law on personal data protection as part of its OGP Action Plan

    The Open Government Partnership Action Plan for the Dominican Republic contains a commitment to create a legal framework for the protection of personal data, both in public and in the private domain.

    The UK Government supports the Get Safe Online advice site

    Get Safe Online was created in 2005 as a joint Government-industry partnership in order to provide unbiased, user-friendly advice about online safety for consumers and smaller businesses. It is supported by funding from the Cabinet Office and cooperation from other Government bodies. The Serious Organised Crime Agency (SOCA) provides staff to help with the annual “Get Safe Online Week” which includes conferences, media events and workshops.

    The UK Information Commissioner’s Office has published a booklet about protecting personal information

    The UK’s Information Commissioner’s Office – the independent authority set up to promote access to information and to protect personal information in the UK – has published a booklet on protecting personal information. It contains advice and tips on protecting, accessing and correcting personal information, as well as information on how to reduce unwanted texts, junk mail etc. and how to identify theft and fraud.

    The UK’s Interception of Communications Commissioner publishes limited annual statistics

    The Commissioner’s role includes reviewing interception warrants for real-time surveillance (historically known as “telephone tapping”) and safeguards relating to the use of information. He reports annually to the Prime Minister as to whether the institutions within his oversight mandate are operating in accordance with the law. The Commissioner’s annual report covers the issuing of warrants to MI5, police, Special Branch and other government agencies, but not the Foreign Office or world-wide electronic intelligence-gathering agency GCHQ. It only gives general aggregate figures, and although the amount of data has been increased in recent years, human rights organisations say that this remains inadequate for meaningful oversight, review and accountability of interception and surveillance’

    The USA publishes annual Wiretap reports

    U.S. Courts issue an annual Wiretap report detailing the use of surveillance authorities by law enforcement agencies. The annual report provides comprehensive data on all federal and state wiretap applications, including the types of crimes investigated, as well as the costs involved and whether arrests or convictions resulted. They do not include names, addresses, or phone numbers of subjects under surveillance. However the Foreign Intelligence Surveillance Court annual report provides much less information.