According to the HEW report, the purpose of Fair information principles is to
In 1973 the U.S. Department of Health, Education and Welfare (HEW) appointed a task force to look at the impact of computerization on medical records privacy. The members wanted to develop policies that would allow the benefits of computerization to go forward, but at the same time provide safeguards for personal privacy.
The task force developed a Code of Fair Information Practices, consisting of five clauses: openness, disclosure, secondary use, correction, and security (detailed below). At the same time, Sweden enacted a law which codified many of the same fair information principles formulated by the HEW.
In the ensuing years, other European countries enacted similar omnibus data protection laws. In 1980, the Organisation for Economic Co-operation and Development (OECD), an international body based in Paris, adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data." The OECD comprises 24 countries throughout the world, including the U.S. This international privacy code was developed to help "harmonize national privacy legislation and, while upholding such human rights, [to] at the same time prevent interruptions in international flows of data. [The Guidelines] represent a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it."
A further evolution of the OECD's Guidelines, the European Union's Directive on Protection of Personal Data (approved in June 1995), went into effect in 1998. The purpose of the 12-nation EU Directive is to establish a stable regulatory framework to enable the movement of personal data from one country to another, while at the same time ensuring that privacy protection is "adequate" in the country to which the data is sent. If the recipient country has not established a minimum standard of data protection, it is expected that the transfer of data will be prohibited. A determination of "adequacy" is based on "the nature of the data, the purpose and duration of the processing, the legislative provisions, both general and sectoral...and the professional rules which are complied with in that country."
On July 11, 2013, the OECD issued updated guidelines which replaced the original 1980 guidelines. The new guidelines focus on greater accountability and notification of significant data breaches, but did not amend the eight original basic principles of the 1980 Guidelines. Read a summary of the guidelines at http://www.bna.com/revised-oecd-privacy-n17179877087/.
In contrast to other industrialized countries throughout the world, the U.S. has not codified the Fair Information Principles into an omnibus privacy law at the federal level. Instead, the Principles have formed the basis of many individual laws in the U.S., at both the federal and state levels -- the so-called "sectoral approach." Examples are the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, and the Video Privacy Protection Act. The U.S. does have the Privacy Act of 1974, but this statute only protects personal information held by federal government agencies. About half the states have similar privacy acts concerning state government agencies' handling of personal information. In California, this statute is the Information Practices Act.
In only a handful of states does the state's "privacy act" extend to local government, where, ironically, the lion's share of government-compiled personal information is held (for example, property ownership, court records, voter registration, fictitious business names, vital records, and so on). It is worth noting here that in October 1994 the City Council of San Diego, California, adopted a code of Fair Information Principles as a part of its Telecommunications Policy. (See code below.)
The U.S. has not created an office of Privacy Commissioner as have the European countries, Canada, Australia, New Zealand, Japan and Hong Kong. When the European Union Directive took effect in 1998, there was some question as to whether the U.S. sectoral approach would be considered "adequate" for the transfer of personally identifiable data from any of the EU countries to the U.S.
The value of the Fair Information Principles is not only in providing a framework for privacy laws, as described above. The Principles can also form the foundation of an organization's privacy policy -- whether a private, public or not-for-profit organization. [The nonprofit organization, Privacy and American Business, based in Hackensack, New Jersey, has compiled the privacy codes of many U.S. corporations into a book and has made them available for sale.]
In addition, the Principles can be the basis for an industry's privacy policy. Indeed, several industry groups in the U.S. have formulated their own sets of Fair Information Principles, for example the Direct Marketing Association and the Information Industry Association.
The Federal Trade Commission, for example, has encouraged the development of industry codes, although it has stated that if the codes prove to be ineffective, it will recommend a legislative approach to regulation. It is the opinion of the Privacy Rights Clearinghouse that the strongest of the privacy principles, such as "secondary usage," "use limitation," and "individual access" (see below), have not been incorporated into the daily practices of industry members.
A further use of the Fair Information Principles is in the development of formal industry standards. Canada has taken the lead worldwide in the formation of a voluntary, national standard which can be adopted on a company-specific or industry basis. Included below is the code which has been adopted by the independent, not-for-profit Canadian Standards Association. The CSA "Model Code for the Protection of Personal Information" was adopted in 1995.
In Canada, organizations can demonstrate their compliance with the Code by becoming certified by the CSA at one of three tiers of recognition -- Declaration, Verification, or Registration. Depending on the level sought, this involves signing a code of ethics or a statement of their data protection principles, and/or undergoing formal on-site audits.
[The CSA privacy code has since been codified into law as the Personal Information Protection and Electronic Documents Act (PIPEDA). It came into effect in 2001, with the health provisions implemented in 2002, and all commercial activities covered as of January 2004. For more information, see www.privcom.gc.ca.]
Industry Canada touts several benefits of the standards approach. [From May 1997 presentation by Stephanie Perrin of Industry Canada at the National Association of Consumer Agency Administrators conference]
To conclude, four sets of Fair Information Principles are presented below:
Fair Information Practices