Complete DCPLA DSCI Materials

Under the DSCI Privacy Framework and consistent with global definitions (including GDPR and APEC), a “Data Controller” is the entity that determines the purposes and means of processing personal data. For its own employees, an organization inherently controls how their personal data is collected, used, and stored — making it the data controller by default. This is not necessarily the case for clients or supervisory authorities, whose data processing may be governed by different contractual or legal terms.

==============

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) defined eight core privacy principles:

Collection Limitation

Data Quality

Purpose Specification

Use Limitation

Security Safeguards

Openness

Individual Participation

Accountability

“Data Minimization” was not part of the original 1980 OECD principles. While it is a common privacy principle today and included in modern frameworks like GDPR and DSCI's DPF, it was not part of the original OECD set.

==============

The DPF© outlines that the applicability and implementation of privacy principles depend on several contextual factors including:

The organization's role as data controller or processor (A)

Channels and methods of data inflow (B)

Jurisdictional regulations applicable to the organization's operations (C)

Public commitments, contracts, and stakeholder expectations (D)

Privacy governance is about setting direction and defining roles and responsibilities across the organization for managing personal data. It:

B: Defines strategy and takes decisions on privacy-related matters

C: Enables execution of policies to handle operational privacy incidents

D: Ensures that privacy accountability is not overlooked

Option A is incorrect because governance is not limited to computer resources—it spans all organizational functions involving personal data processing .

==============