Access and privacy legislation is based on two fundamental rights of people in a democratic society:

• the right to access information held by government and other public bodies, including information about oneself, subject only to certain specified exceptions; and,
  
  
• the right to privacy for personal information collected, stored, used and disclosed by public bodies.

The access right is based on the principles of openness and accountability of governments and other public institutions to people. The exceptions to access derive from recognition that certain types of decision making and transactions must be conducted in confidence.

The right to privacy for personal information is based on internationally acknowledged and nationally sanctioned principles of fair information practices. According to these principles, an organization is obligated to:

• identify the reason for collecting, using and disclosing personal information;
  
  
• obtain consent before collecting, using and disclosing personal information;
  
  
• collect the minimum amount of information needed to accomplish its purpose;
  
  
• use and disclose personal information only for the same reasons it was collected (unless consent is obtained);
  
  
• ensure the accuracy of personal information;
  
  
• provide individuals with access to their own information and allow them to make corrections if needed;
  
  
• keep personal information only for as long as it is needed;
  
  
• ensure the security of personal information; and
  
  
• provide a complaint process and an independent review process.