Fair Information Practices

Fair information practices are standards of practice required to ensure that entities that collect and use personal information provide adequate privacy protection for that information. These practices include notice to and awareness of individuals with personal information that such information is being collected, providing them with choices about how their personal information may be used, enabling them to review the data collected about them in a timely and inexpensive way and to contest that data’s accuracy and completeness, taking steps to ensure that their personal information is accurate and secure, and providing them with mechanisms for redress if these principles are violated.

Fair information practices were first articulated in a comprehensive manner in the U.S. Department of Health, Education and Welfare’s 1973 report Records, Computers and the Rights of Citizens.1 This report was the first to introduce the Code of Fair Information Practices, which has proven influential in subsequent years in shaping the information practices of numerous private and governmental institutions and is still well accepted as the gold standard for privacy protection.2

From their origin in 1973, fair information practices “became the dominant U.S. approach to information privacy protection for the next three decades.”3 Their five principles not only became the common thread running through various bits of sectoral regulation developed in the United States, but also they were reproduced, with significant extension, in the guidelines developed by the Organization for Economic Co-operation and Development (OECD). These principles are extended in the OECD guidelines, which govern “the protection of privacy and transborder flows of personal data” and include eight principles that have come to be understood as “minimum standards … fortheprotection of privacy and individual liberties.”4 The OECD guidelines also include a statement about the degree to which data controllers should be accountable for their actions. This generally means that there are costs associated with the failure of a data manager to enable the realization of these principles.


1U.S. Department of Health, Education, and Welfare, Records, Computers and the Rights of Citizens, Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, MIT Press, Cambridge, Mass., 1973.


2Fair information principles are a staple of the privacy literature. See, for example, the extended discussion of these principles in D. Solove, M. Rotenberg, and P. Schwartz, Information Privacy Law, Aspen Publishers, New York N.Y., 2006; A. Westin, “Social and political dimensions of privacy,” Journal of Social Issues 59(2):431-453, 2003; H. Nissenbaum, “Privacy as contextual integrity,” Washington Law Review 79(1):119-158, February 2004; and an extended discussion and critique in R. Clarke, “Beyond the OECD guidelines: Privacy protection for the 21st century,” available at


3A. Westin, “Social and political dimensions of privacy,” Journal of Social Issues 59(2):431-453, 2003, p. 436.


4M. Rotenberg, The Privacy Law Sourcebook 2001, Electronic Privacy Information Center, Washington, D.C., 2001, pp. 270-272.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement