The security of an information system should be weighed against the rights of
users and other individuals affected by the system.
Complexity: It is important that the security of information systems is compatible with the legitimate use and flow of data
and information in the context of the host society. It is appropriate that the nature and amount of data that can
be collected is balanced by the nature and amount of data that should be collected. It is also important that the
accuracy of collected data is assured in accordance with the amount of damage that may occur due to its
corruption. For example, individuals' privacy should be protected against the power of computer matching.
Public and private information should be explicitly identified. Organization policy on monitoring information
systems should be documented to limit organizational liability, to reduce potential for abuse, and to permit
prosecution when abuse is detected. The monitoring of information and individuals should be performed within
a system of internal controls to prevent abuse.
Note: The authority for the following candidate principles has not been established by committee consensus,
nor are they derived from the OECD principles. These principles are submitted for consideration as additional