A Review of the Fair Information Principles: The Foundation of Privacy Public Policy

In 1973 the U.S. Department of Health, Education and Welfare (HEW) convened a task force to look at the impact of computerized record-keeping on personal privacy, including the privacy of medical records. The members wanted to develop policies that would allow the benefits of computerization to go forward while at the same time providing safeguards for personal privacy.

The task force developed a Code of Fair Information Practices consisting of five clauses: openness, disclosure, secondary use, correction, and security (detailed below). At the same time, Sweden enacted a law which codified many of the same fair information principles formulated by HEW.

In the ensuing years, other European countries enacted similar omnibus data protection laws. In 1980, the Organisation for Economic Co-operation and Development (OECD), an international body based in Paris, adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data." At the time, the OECD comprised 24 countries throughout the world, including the U.S. This international privacy code was developed to help "harmonize national privacy legislation and, while upholding such human rights, [to] at the same time prevent interruptions in international flows of data. [The Guidelines] represent a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it."

[from OECD's "Guidelines," 1981, page 5]

The European Union's Directive on the Protection of Personal Data (Directive 95/46/EC), adopted in 1995 and in effect from 1998, carried the OECD Guidelines a step further. The impetus for the EU Directive is to establish a stable regulatory framework that enables the movement of personal data from one member country to another, while at the same time ensuring that privacy protection is "adequate" in any country outside the EU to which the data is sent. If the recipient country has not established a minimum standard of data protection, the transfer of data is expected to be prohibited.

A determination of "adequacy" will be based on "the nature of the data, the purpose and duration of the processing, the legislative provisions, both general and sectoral...and the professional rules which are complied with in that country."

[From Who Knows: Safeguarding Your Privacy in a Networked World, by Ann Cavoukian and Don Tapscott, McGraw-Hill, p.45]

On July 11, 2013, the OECD issued updated guidelines which replaced the original 1980 guidelines. The new guidelines focus on greater accountability and on notification of significant data breaches, but do not amend the eight basic principles of the 1980 Guidelines. Read a summary of the guidelines at http://www.bna.com/revised-oecd-privacy-n17179877087/.

In contrast to other industrialized countries throughout the world, the U.S. has not codified the Fair Information Principles into an omnibus privacy law at the federal level. Instead, the Principles have formed the basis of many individual laws in the U.S., at both the federal and state levels -- the so-called "sectoral approach." Examples are the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, and the Video Privacy Protection Act.

The U.S. does have the Privacy Act of 1974, but this statute only protects personal information held by federal government agencies. About half the states have similar privacy acts concerning state government agencies' handling of personal information. In California, this statute is the Information Practices Act.

In only a handful of states does the state's "privacy act" extend to local government, where, ironically, the lion's share of government-compiled personal information is held (for example, property ownership, court records, voter registration, fictitious business names, vital records, and so on). It is worth noting here that in October 1994 the City Council of San Diego, California, adopted a code of Fair Information Principles as a part of its Telecommunications Policy. (See code below.)

The U.S. has not created an office of Privacy Commissioner as the European countries, Canada, Australia, New Zealand and Hong Kong have. When the European Union Directive takes effect in 1998, there is some question as to whether the U.S. sectoral approach will be considered "adequate" for the transfer of personally identifiable data from any of the EU countries to the U.S.

The value of the Fair Information Principles is not only in providing a framework for privacy laws, as described above. The Principles can also form the foundation of an organization's privacy policy -- whether a private, public or not-for-profit organization. [The nonprofit organization, Privacy and American Business, based in Hackensack, New Jersey, has compiled the privacy codes of many U.S. corporations into a book and has made them available for sale.]

In addition, the Principles can be the basis for an industry's privacy policy. Indeed, several industry groups in the U.S. have formulated their own sets of Fair Information Principles, for example the Direct Marketing Association and the Information Industry Association.

The Federal Trade Commission has encouraged the development of industry codes, although it has stated that if the codes prove to be ineffective, it will recommend a legislative approach to regulation. It is the opinion of the Privacy Rights Clearinghouse that the strongest of the privacy principles, such as "secondary usage," "use limitation," and "individual access" (see below), have not been incorporated into the daily practices of industry members.

A further use of the Fair Information Principles is in the development of formal industry standards. Canada has taken the lead worldwide in the formation of a voluntary, national standard which can be adopted on a company-specific or industry basis. Included below is the code which has been adopted by the independent, not-for-profit Canadian Standards Association. The CSA "Model Code for the Protection of Personal Information" was adopted in 1995.

In Canada, organizations can demonstrate their compliance with the Code by becoming certified by the CSA at one of three tiers of recognition -- Declaration, Verification, or Registration. Depending on the level sought, this involves signing a code of ethics or a statement of their data protection principles, and/or undergoing formal on-site audits.

[Update Feb. 2004: The CSA privacy code has since been codified into law, the Personal Information Protection and Electronic Documents Act. It came into effect in 2001, with the health provisions implemented in 2002, and commercial activities covered as of January 2004. For more information, see www.privcom.gc.ca.]

Industry Canada touts several benefits of the standards approach. [From May 1997 presentation by Stephanie Perrin of Industry Canada at the National Association of Consumer Agency Administrators conference]

  • The broad scope of the CSA Standard ensures the same rules apply to all organizations.
  • Consumers have a standard against which to judge how their personal information is being treated.
  • The Code puts mechanisms in place for challenging compliance.
  • [It] represents a consensus among government, consumers, business, and others.
  • Industry is willing and able to work with rules that are clear, comprehensible, and uniformly applied.
  • [The Code represents] a flexible approach to protecting personal information that meets the needs of consumers and business.

To conclude, four sets of Fair Information Principles are presented below:

Fair Information Practices
U.S. Dept. of Health, Education and Welfare, 1973

[From The Law of Privacy Explained by Robert Ellis Smith, Privacy Journal, 1993, pp. 50-51.]

  1. Openness. There must be no personal data record-keeping systems whose very existence is secret.
  2. Disclosure. There must be a way for an individual to find out what information about him is in a record and how it is used.
  3. Secondary usage. There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
  4. Record correction. There must be a way for an individual to correct or amend a record of identifiable information about him.
  5. Security. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

Privacy Guidelines
Organisation for Economic Co-operation and Development, 1980 (principles carried forward unchanged in the 2013 revision)

[From "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," OECD, 2013.]

  1. Collection limitation principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data quality principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  3. Purpose specification principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use limitation principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 (the purpose specification principle above) except:

    (a) with the consent of the data subject; or

    (b) by the authority of law.

  5. Security safeguards principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
  6. Openness principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  7. Individual participation principle. An individual should have the right:

    (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

    (b) to have communicated to him, data relating to him

    1. within a reasonable time;
    2. at a charge, if any, that is not excessive;
    3. in a reasonable manner; and
    4. in a form that is readily intelligible to him;

    (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

    (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

  8. Accountability principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

City of San Diego Fair Information Principles

[Contained in Telecommunications Policy, No. 900-13, adopted by San Diego City Council, October 1994.]

  1. Consideration of privacy effects. Privacy is recognized explicitly as an issue to be considered by the City in introducing and using information technologies.
  2. Openness. Citizens of San Diego have a right to know what personal information is collected about them by local government entities and how it is used. There must be no personal record-keeping system whose existence is secret.
  3. Collection limitation. Only the personal information necessary for the stated purpose of the agency shall be collected. Whenever possible, such personal information shall be collected directly from the subject of the information.
  4. Information integrity. Each local government agency shall make every reasonable effort to ensure that all records containing personal information are accurate and up-to-date and that procedures are in place to dispose of records once they are of no further use.
  5. Access and correction. Citizens shall have reasonable means to obtain and review, and when necessary, correct and amend information about themselves held by local government entities.
  6. Secondary usage. Personal information will not be made available for secondary uses without providing notice to the subjects of the information and allowing said subjects the means to opt out of such uses. However, consent is not required for secondary uses of personal information to support legitimate government activities such as law enforcement investigations, or for uses that are compatible with the purposes for which the information was first collected.
  7. Security. The City will establish reasonable physical, technical and administrative safeguards to protect personal information against the risk of unauthorized access, collection, use, disclosure or disposal.
  8. Education. The City will make reasonable efforts to educate San Diegans about the existence and use of the broadband network for government services; its education efforts shall include how personal information is obtained, transmitted, used and stored by the City, and citizens' rights as expressed in these privacy principles.
  9. Oversight. A mechanism for oversight and enforcement shall be established to ensure the observance of these principles.
  10. Review. As information technologies advance, privacy considerations are likely to change. The City will review these principles on a regular basis to ensure their adequacy.

CSA Model Code for the Protection of Personal Information
Canadian Standards Association, 1995

[From Who Knows: Safeguarding Your Privacy in a Networked World, Ann Cavoukian and Don Tapscott, McGraw-Hill, 1997, pages 182-183.]

"The need for privacy protection in the absence of privacy laws for the private sector has led the Canadian Standards Association (CSA) to develop a generic privacy code ... which private-sector organizations could use as a model. What is novel about the CSA's approach is that, although the code is voluntary, an attempt has been made to build in an oversight mechanism to address the historic lack of enforcement of voluntary codes.

The CSA privacy code, like most, is modeled on the OECD guidelines, except that it strengthens two components: "consent," by having it stand alone as a completely separate principle, and "challenging compliance," which strengthens a person's right to challenge an organization's compliance with any of the principles, not simply refusals of access or the accuracy of the collected data. As well, accountability was considered to be so fundamental that it was placed first in the list of 10 principles."

  1. Accountability. An organization is responsible for personal information under its control and shall designate a person who is accountable for the organization's compliance with the following principles.
  2. Identifying purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information except where inappropriate.
  4. Limiting collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  5. Limiting use, disclosure and retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
  6. Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  8. Openness. An organization shall make readily available to individuals specific information about its policies and practices relating to its handling of personal information.
  9. Individual access. Upon request, an individual shall be informed of the existence, use and disclosure of personal information about the individual and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging compliance. An individual shall be able to challenge compliance with the above principles with the person who is accountable within the organization.

For an up-to-date history of Fair Information Practices, see Robert Gellman's paper Fair Information Practices: A Basic History.