Fair Information Practice Principles

Introduction
The Fair Information Practice Principles (FIPPs) are a widely accepted framework that is at the core of the Privacy Act of 1974 and is mirrored in the laws of many U.S. states, as well as many foreign nations and international organizations.

The concept of defining principles to be used in the evaluation and consideration of systems, processes, or programs that impact individual privacy is not a new one. In his seminal work, Privacy and Freedom, published in 1967, Professor Emeritus Alan Westin identified a number of “criteria for weighing conflicting interests.”

HEW Report
The FIPPs were first articulated in a comprehensive manner in the U.S. Department of Health, Education and Welfare's seminal 1973 report entitled Records, Computers and the Rights of Citizens (1973) (hereinafter "HEW Report"). The HEW Report was the result of the committee’s look at the impact of computerization of information on privacy and included recommendations on developing policies that would allow the benefits of computerization to go forward, but at the same time provide safeguards for personal privacy.

The backdrop surrounding the HEW report and the Privacy Act of 1974 included several years of intense Congressional hearings examining the surveillance activities of the Nixon and J. Edgar Hoover era and the post-Watergate support for government reform.

In the HEW Report, the Advisory Committee recommended the enactment of legislation establishing a Code of Fair Information Practice for all automated personal data systems and set forth five basic principles to safeguard requirements for automated personal data systems:


 * There must be no personal data record-keeping systems whose very existence is secret. (transparency; openness)


 * There must be a way for an individual to find out what information about him or her is in a record and how it is used. (individual participation)


 * There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without his or her consent. (purpose limitation)


 * There must be a way for an individual to correct or amend a record of identifiable information about him or her.


 * Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data. (data quality and integrity)

The Code of Fair Information Practices predated the Privacy Act of 1974 by over a year, and influenced the enactment of the Privacy Act.

In the years since the HEW Report, a canon of fair information practice principles has been developed by a variety of governmental and inter-governmental agencies.

European Developments
A number of European countries also began to build upon the HEW principles and individually enacted omnibus data protection laws. In 1980, the international Organization of Economic Cooperation and Development (OECD) codified its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In 1995, a variation of these principles became the basis of the EU Directive on the Protection of Personal Data. The FIPPs have also been agreed upon by member countries, including the United States, through a consensus and formal ratification process and form the basis of many modern international privacy agreements and national laws.

As recently as 2004, the FIPPs were championed again by the United States in the development of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.6 The FIPPs principles have also formed the basis of many individual laws in the United States, at the both Federal and state levels, including the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Children’s Online Privacy Protection Act. Many states have incorporated these principles in their own state laws governing public records and in some instances private sector data as well. A number of private and not-for-profit organizations have also incorporated these principles into their privacy policies.

Homeland Security Act of 2002
Section 222 of the Homeland Security Act of 2002, as amended,7 which is the basis for the authorities and responsibilities of the DHS Chief Privacy Officer, also recognizes the significance of the FIPPs. This section calls on the Chief Privacy Officer to “assur[e] that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974” (emphasis added). Pursuant to Section 222, the Privacy Office has used the FIPPs to assess privacy when conducting Privacy Impact Assessments, issuing System of Records Notices, and developing privacy policy for the Department. The FIPPs provide the foundation of all privacy policy development and implementation at the Department and must be considered whenever a DHS program or activity raises privacy concerns or involves the collection of personally identifiable information from individuals, regardless of their status.

Major Reports Setting Forth FIPPS
In addition to the HEW Report, the major reports setting forth the core fair information practice principles are:
 * The Privacy Protection Study Commission, Personal Privacy in an Information Society (1977) [hereinafter "Privacy Protection Study"]
 * Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (hereinafter "OECD Guidelines"). The following table sets for the Fair Information Practice Principles as set forth in the OECD Guidelines:


 * [[Image:FIPPS.jpg]]


 * Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (1995) [hereinafter "IITF Report"].


 * U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) [hereinafter "Commerce Report"].


 * The European Union Directive on the Protection of Personal Data (1995) [hereinafter "EU Directive"]. and


 * The Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996) [hereinafter "CSA Model Code"]..


 * The Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

24, 2006).
 * OECD, Making Privacy Notices Simple: An OECD Report and Recommendations (July

The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.

Core Principles
Common to all of these documents (hereinafter referred to as "fair information practice codes") are five core principles of privacy protection:


 * (1) Notice/Awareness;
 * (2) Choice/Consent;
 * (3) Access/Participation;
 * (4) Integrity/Security; and
 * (5) Enforcement/Redress.

The Fair Information Practices are not precise legal requirements. Rather, they provide a framework of principles for balancing the need for privacy with other public policy interests, such as national security, law enforcement, and administrative efficiency. Striking that balance varies among countries and among types of information (e.g., medical, employment information).

Notice/Awareness
The most fundamental principle is notice.


 * [C]onsumers should be given clear and conspicuous notice of an entity’s information practices before any personal information is collected from them, including: identification of the entity collecting the data, the uses to which the data will be put, and the recipients of the data; the nature of the data collected and the means by which it is collected; whether provision of the requested data is voluntary or required; and the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below &mdash; choice/consent, access/participation, and enforcement/redress &mdash; are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto.

While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:


 * identification of the entity collecting the data;
 * identification of the uses to which the data will be put;
 * identification of any potential recipients of the data;
 * the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
 * whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
 * the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.

In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.

Choice/Consent
The second widely-accepted core principle of fair information practice is consumer choice or consent. Virtually every set of fair information practice principles includes consumer choice or consent as an essential element.


 * Under the choice principle, data collectors must afford consumers an opportunity to consent to secondary uses of their personal information, such as the placement of a consumer’s name on a list for marketing additional products or the transfer of personal information to entities other than the data collector.

Specifically, choice relates to secondary uses of information &mdash; i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.

Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.

In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a website, thus effectively eliminating any need for default rules.

Access/Participation
Access is the third core principle. It refers to an individual's ability both to access data about him or herself &mdash; i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Both are essential to ensuring that data are accurate and complete.

Access is essential to improving the accuracy of data collected, which benefits both data collectors who rely on such data, and consumers who might otherwise be harmed by adverse decisions based on incorrect data. It also make data collectors accountable to consumers for the information they collect and maintain about consumers, and enable consumers to confirm that websites are following their stated practices.

To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.

Integrity/Security
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.

Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.

Security is a process: no one static standard can assure adequate security, as threats, technology and the Internet itself are constantly evolving. Commercial websites should maintain security programs to protect personal data and that data security requirements may vary depending on the nature of the data collected. Each website should maintain a security program that is "appropriate to the circumstances."

Enforcement/Redress
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles. Among the alternative enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory schemes enforceable through civil and criminal sanctions.

Self-Regulation
To be effective, self-regulatory regimes should include both mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (redress). Mechanisms to ensure compliance include making acceptance of and compliance with a code of fair information practices a condition of membership in an industry association; external audits to verify compliance; and certification of entities that have adopted and comply with the code at issue. A self-regulatory regime with many of these principles has recently been adopted by the individual reference services industry.

Appropriate means of individual redress include, at a minimum, institutional mechanisms to ensure that consumers have a simple and effective way to have their concerns addressed. Thus, a self-regulatory system should provide a means to investigate complaints from individual consumers and ensure that consumers are aware of how to access such a system.

If the self-regulatory code has been breached, consumers should have a remedy for the violation. Such a remedy can include both the righting of the wrong (e.g., correction of any misinformation, cessation of unfair practices) and compensation for any harm suffered by the consumer. Monetary sanctions would serve both to compensate the victim of unfair practices and as an incentive for industry compliance. Industry codes can provide for alternative dispute resolution mechanisms to provide appropriate compensation.

Private Remedies
A statutory scheme could create private rights of action for consumers harmed by an entity's unfair information practices. Several of the major information practice codes, including the seminal 1973 HEW Report, call for implementing legislation. The creation of private remedies would help create strong incentives for entities to adopt and implement fair information practices and ensure compensation for individuals harmed by misuse of their personal information. Important questions would need to be addressed in such legislation, e.g., the definition of unfair information practices; the availability of compensatory, liquidated and/or punitive damages; and the elements of any such cause of action.

Government Enforcement
Finally, government enforcement of fair information practices, by means of civil or criminal penalties, is a third means of enforcement. Fair information practice codes have called for some government enforcement, leaving open the question of the scope and extent of such powers. Whether enforcement is civil or criminal likely will depend on the nature of the data at issue and the violation committed.