Fair Information Practices
By DON CIO Privacy Team - Published, October 15, 2010
The Privacy Act of 1974 is largely based on a set of internationally recognized principles for protecting the privacy and security of personal information known as the Fair Information Practices. A U.S. government advisory committee first proposed the practices in 1973 to address what it termed a poor level of protection afforded to privacy under contemporary law. The Organization for Economic Cooperation and Development (OECD) developed a revised version of the Fair Information Practices in 1980 that has, with some variation, formed the basis of privacy laws and related policies of many countries, including the United States, Australia, New Zealand and the European Union.
These practices are now widely accepted as a standard benchmark for evaluating the adequacy of privacy protections. The eight principles of the Fair Information Practices are listed below.
- Collection Limitation: The collection of personal information should be limited, and the information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.
- Data Quality: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete and current as needed for that purpose.
- Purpose Specification: The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.
- Use Limitation: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.
- Security Safeguards: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure.
- Openness: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.
- Individual Participation: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights.
- Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.
The Fair Information Practices are not precise legal requirements. Rather, they provide a framework of principles for balancing the need for privacy with other public policy interests, such as national security, law enforcement and administrative efficiency. Ways to strike that balance vary among countries and according to the type of information under consideration.