Fair Information Practices

From lawbrain.com

Fair Information Practices (FIP) are principles that address the privacy of individuals' information. These principles provide a foundation for many international laws specific to privacy and data protection.

Overview

Fair Information Practices (FIP) are a set of principles that govern the collection and use of personal data while also addressing issues of both privacy and accuracy. FIPs are used as a foundation for many privacy and data protection laws. There are a number of variations of the FIPs; however, the main objective is always protecting the privacy of individuals.

History

In 1973, a task force from the U.S. Department of Health, Education and Welfare (HEW) was charged with looking at the impact of computerization on medical record privacy. Members of the task force wanted to develop policies that would allow the benefits of computerization to continue, but also provide safeguards for personal privacy. A Code of Fair Information Practices was developed which consisted of five sections: openness, disclosure, secondary use, correction, and security.

Sweden was the first country to enact a law that codified many of the Fair Information Practice principles created by the HEW.

In 1980, the Organization of Economic Cooperation and Development (OECD), which comprises a number of countries, including those members of the European Union (EU), adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data." This international privacy code was based on fair information practices.

Unlike the EU, the U.S. has not codified the Fair Information Practices principles into an overarching federal privacy law.  Rather, the principles have been used as a basis for many individual laws, both federal and state, that have a privacy factor in them.[1]

Fair Information Practices (FIP) Principles

Fair Information Practices (FIP) principles differ slightly from one another; however, the underlying idea of protecting the privacy of individuals is the goal of them all.

U.S. FIP

HEW Report

The original set of Fair Information Practices[2] as formulated in the HEW Report included:

  • Principle 1: There must be no personal data record-keeping systems whose very existence is secret.
  • Principle 2: There must be a way for a person to find out what information about the person is in a record and how it is used.
  • Principle 3: There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
  • Principle 4: There must be a way for a person to correct or amend a record of identifiable information about the person.
  • Principle 5: Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

Federal Trade Commission (FTC)

The information privacy principles[3] of the FTC include:

  • Principle 1: Notice/Awareness
  • Principle 2: Choice/Consent
  • Principle 3: Access/Participation
  • Principle 4: Integrity/Security
  • Principle 5: Enforcement/Redress
      • 5a: Self-Regulation
      • 5b: Private Remedies
      • 5c: Government Enforcement

The FTC designates children's personal information as a special set of information that must be handled in a separate manner. 

The information privacy principles with regard to children's personal data include:

  • Principle 1: Parental Notice/Awareness and Parental Choice/Consent
  • Principle 2: Access/Participation and Integrity/Security

OECD FIP

The OECD information privacy principles[4] include:

  • Principle 1: Collection Limitation
  • Principle 2: Data Quality
  • Principle 3: Purpose Specification
  • Principle 4: Use Limitation
  • Principle 5: Security Safeguards
  • Principle 6: Openness
  • Principle 7: Individual Participation
  • Principle 8: Accountability

APEC FIP

The Asia-Pacific Economic Cooperation (APEC) information privacy principles[5] include:

  • Principle 1: Preventing Harm
  • Principle 2: Notice
  • Principle 3: Collection Limitations
  • Principle 4: Uses of Personal Information
  • Principle 5: Choice
  • Principle 6: Integrity of Personal Information
  • Principle 7: Security Safeguards
  • Principle 8: Access and Correction
  • Principle 9: Accountability

Canada FIP

The Canadian Standard Association (CSA) information privacy principles[6] include:

  • Principle 1: Accountability
  • Principle 2: Identifying Purposes
  • Principle 3: Consent
  • Principle 4: Limiting Collection
  • Principle 5: Limiting Use, Disclosure, and Retention
  • Principle 6: Accuracy
  • Principle 7: Safeguards
  • Principle 8: Openness
  • Principle 9: Individual Access
  • Principle 10: Challenging Compliance

Australia FIP

There are two sets of privacy principles that Australian privacy laws follow: (1) the National Privacy Principles (NPPs) and (2) the Information Privacy Principles (IPPs).

The National Privacy Principles[7] are standards that regulate personal information held by private sector organizations, including private health service providers. The principles include:

  • Principle 1: Collection
  • Principle 2: Use and disclosure
  • Principle 3: Data quality
  • Principle 4: Data security
  • Principle 5: Openness
  • Principle 6: Access and correction
  • Principle 7: Identifiers
  • Principle 8: Anonymity
  • Principle 9: Transborder data flows
  • Principle 10: Sensitive information

The Information Privacy Principles[8] regulate personal information handled by the government.  The principles include:

  • Principle 1: Manner and purpose of collection of personal information
  • Principle 2: Solicitation of personal information from individual concerned
  • Principle 3: Solicitation of personal information generally
  • Principle 4: Storage and security of personal information
  • Principle 5: Information relating to records kept by record-keeper
  • Principle 6: Access to records containing personal information
  • Principle 7: Alteration of records containing personal information
  • Principle 8: Record-keeper to check accuracy etc of personal information before use
  • Principle 9: Personal information to be used only for relevant purposes
  • Principle 10: Limits on use of personal information
  • Principle 11: Limits on disclosure of personal information

References

  1. http://bobgellman.com/rg-docs/rg-FIPShistory.pdf
  2. http://epic.org/privacy/hew1973report/
  3. http://www.ftc.gov/reports/privacy3/fairinfo.shtm
  4. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html#part2
  5. http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.MedialibDownload.v1.html?url=/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.0001.File.v1.1
  6. http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code
  7. http://www.privacy.gov.au/materials/types/infosheets/view/6583
  8. http://www.privacy.gov.au/materials/types/infosheets/view/6541

Contributors

FindLaw Michelle, FindLaw Nira