Fair Information Practices
Fair information practices are standards of practice required to ensure that entities that collect and use personal information provide adequate privacy protection for that information. These practices include giving individuals notice that their personal information is being collected and making them aware of it, providing them with choices about how their personal information may be used, enabling them to review the data collected about them in a timely and inexpensive way and to contest that data’s accuracy and completeness, taking steps to ensure that their personal information is accurate and secure, and providing them with mechanisms for redress if these principles are violated.
Fair information practices were first articulated in a comprehensive manner in the U.S. Department of Health, Education and Welfare’s 1973 report Records, Computers and the Rights of Citizens.1 This report was the first to introduce the Code of Fair Information Practices, which has proven influential in subsequent years in shaping the information practices of numerous private and governmental institutions and is still well accepted as the gold standard for privacy protection.2
From their origin in 1973, fair information practices “became the dominant U.S. approach to information privacy protection for the next three decades.”3 Their five principles not only became the common thread running through the various sectoral regulations developed in the United States, but were also reproduced, with significant extension, in the guidelines developed by the Organization for Economic Co-operation and Development (OECD). The OECD guidelines, which govern “the protection of privacy and transborder flows of personal data,” expand the five principles into eight, which have come to be understood as “minimum standards … for the protection of privacy and individual liberties.”4 The OECD guidelines also include a statement about the degree to which data controllers should be accountable for their actions. In practice this means that a data controller bears costs when it fails to give effect to these principles.