1A-3-Fair Information Practices


Common Themes

As these above examples illustrate, there is no one specific way to articulate FIPs. But regardless of how FIPs are specifically articulated, each framework touches upon common themes. Broadly speaking, each theme falls into one of two separate aspects of privacy protection: (1) individual rights that a data subject has with respect to data collected about himself or herself; and (2) how an organization manages the data it collects.

i. Individual Data Subject Rights (Common Themes)

FIPs attempt to protect individual rights through three main mechanisms—notice, consent, and access.

Notice: The concept of Notice refers to providing information to consumers related to how an organization processes personal information. The scope of required notice, whether mandated by law or not, includes not only what information is collected from the data subject, but how the organization uses the data, who is entitled to access it (including third parties), and other similar considerations. Notice serves the larger goals of allowing consumers to make informed decisions and providing organizational accountability.

Consent: The concept of consumer Consent is another way of referring to providing consumers the ability to determine whether and/or how their personal information is collected, used, and retained by an organization. This includes making a determination of whether an organization has the authority to transfer personal information to third parties. Obtaining consumer consent may not be appropriate in every situation, as the 2012 FTC Report recognized. Where the option to consent is provided, however, that option should always be meaningful. Consent may be express or implied, with certain types of data collection requiring express approval. Express, affirmative consent is sometimes referred to as "Opt-in" consent and requires an affirmative indication or act that provides consent to collect or use a person's information. The counterpart to this, "Opt-out" consent, is a passive form of acceptance that is implied by a person's conduct or actions, as well as the context of the transaction. The distinction between opt-in and opt-out consent is often an important concept to be aware of when reviewing applicable laws and regulations; some laws specifically require that a form of opt-in consent be obtained from a consumer before collecting or processing personal information, while other laws permit opt-out consent. Under the Telemarketing Sales Rule ("TSR"), for example, telemarketers are required to obtain opt-in consent before a telemarketer is permitted to play a pre-recorded message (as opposed to presenting a live human) to a consumer.

Access: Providing data subjects with Access to the information an organization processes about the individual is also an individual right afforded by most articulations of FIPs. Included in the right of access is the ability to update or correct inaccurate information. Some laws specifically require that organizations allow persons the ability to correct inaccurate information. For example, HIPAA's Privacy Rule mandates that consumers be provided the ability to amend their "personal health information" held by a covered entity, or alternatively, if the covered entity does not agree with the proposed changes, an individual may file a statement that must be included in the file and any future use or disclosure. The Federal Education Rights and Privacy Act of 1974 ("FERPA") provides a similar right with respect to student records.

Examples of FIPs in International Frameworks

FIPs have also been adopted internationally. Important conventions, agreements, and frameworks tested on the CIPP/US exam include the following: (1) the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" adopted by the Organization for Economic Co-operation and Development in 1980; (2) the "Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data" (Convention 108) signed by the European Council in 1981; and (3) the Madrid Resolution of 2009.

Fair Information Practices

Fair Information Practices (FIPs), also called Fair Information Privacy Practices (FIPPs), are a set of principles and practices that describe how best to approach the collection, storage, and management of data with the aim of achieving and maintaining fairness, privacy, and security with respect to that data. More succinctly, FIPs are guidelines that attempt to balance privacy interests with security and fairness. FIPs are widely used to develop laws and regulations concerning data privacy and security. The extent to which any FIP is legally binding changes with particular circumstance, but FIPs serve as general guiding principles for managing, storing, and handling personal information. Below are some important examples of FIPs that have been developed in the United States and internationally. After these examples, we discuss the common themes that emerge from the various examples below.

Key Points

• Fair Information Practices: A set of principles and practices that describe how best to approach the collection, storage, and management of data with the goal of achieving and maintaining fairness, privacy, and security
• Widely used to develop laws and regulations related to data privacy
• Examples of FIPs in the United States include: (1) The 1973 FIPs promulgated by HHS (2) The Privacy Act of 1974 (3) The 2012 White House Report (4) The 2012 FTC Report (encouraged Privacy by Design, simplified consumer choice, and transparency in data practices)
• International examples of FIPs include: (1) OECD Guidelines (2) The European Council Convention (3) The Madrid Resolution
• FIPs fall into the category of individual rights or organizational responsibilities
• Data Subject Rights: notice, consent, and access
• Organizational Responsibilities: security controls, data quality, limitation principles, and accountability

ii. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (1981) - (Examples of FIPs in International Frameworks)

In 1981, the Council of Europe adopted the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data. Pursuant to this Convention, the members of the Council of Europe agreed to, among other things, incorporate certain FIPs into their domestic laws so that they apply to both the public and private sectors. Four articles were adopted to this end, including the following:

• Article 5 - Quality of Data - Personal data undergoing automatic processing shall be: (a) Obtained and processed fairly and lawfully; (b) Stored for specific and legitimate purposes and not used in a way incompatible with those purposes; (c) Adequate, relevant and not excessive in relation to the purposes for which they are stored; (d) Accurate and, where necessary, kept up to date; (e) Preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
• Article 6 - Special Categories of Data - Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.
• Article 7 - Data Security - Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorized destruction or accidental loss as well as against unauthorized access, alteration or dissemination.
• Article 8 - Additional Safeguards for the Data Subject - Any person shall be enabled: (a) To establish the existence of an automated personal data file, its main purpose, as well as the identity and habitual residence or principal place of business of the controller of the file; (b) To obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communications to him of such data in an intelligible form; (c) To obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles in [the rules applicable to quality of data and the special categories of data] of this convention; (d) To have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to [in this convention] is not complied with.

ii. Organizational Management (Common Themes)

In addition to the protection of individual rights, FIPs also focus heavily on how information is collected, used, and managed within an organization.

Security Controls: A guiding principle of nearly all expressions of FIPs is that information should be safeguarded with adequate Security Controls. Policies and procedures should be in place to accomplish this, including physical, technical, and administrative protections. Physical Protections include things such as storing computer servers behind locked doors, with limited access. Technical Protections refer to computer code or other electronic systems designed to limit access to authorized users and to maintain the integrity of data from outside attack. Administrative Protections include policies designed to limit access to data to only those employees who need access to accomplish their assigned job functions. In practice, these forms of protection are often implemented simultaneously or overlap to varying degrees depending on the circumstance.

Data Quality: As a corollary to maintaining adequate security controls, companies must also maintain Data Quality. Maintaining adequate data quality involves multiple components; FIPs commonly provide that data collected should be accurate and complete, as well as relevant to the purposes for which it is used.

Limits on the Collection, Use, Disclosure, and Retention of Data: Data that is collected from consumers should be limited solely to the purposes for which it is relevant and as identified in the data controller's privacy notice. This is sometimes referred to as the Collection Limitation principle. The way data is processed should be similarly limited, which is called the Use Limitation principle. Likewise, data should not be disclosed to third parties except where the intent to do so is identified in public notice and consumer consent is obtained. When data is no longer needed for the purposes for which it was originally collected, that data should be deleted or anonymized.

Administration and Monitoring (i.e., Accountability): How data is used should be defined and documented within an organization, and tasks and accountability should be assigned for effectuating policies and procedures. This is broadly referred to as the Accountability Principle. This principle dictates that organizations must hold themselves accountable for maintaining adequate privacy protections. That is, an organization must take responsibility for protecting personal information, using it in a manner that is consistent with the law, and treating individuals equitably. Organizations should ensure that policies and procedures are actively being followed by consistent monitoring and employee training. Furthermore, companies should address complaints in an organized manner as set forth in an organization's policies and procedures.

Knowing the commonly used FIPs is important for understanding the policy and rationale for many of the laws and regulations covering the area of information privacy. It is also important to remember, however, that there is not one universally accepted definition of FIPs. The scope of FIPs changes with particular circumstance, and the general principles set forth in FIPs can be subject to exceptions in specific laws or regulations to account for other competing concerns and practical considerations.

ii. The 2012 White House Report (FIPs in the United States)

More recently, in 2012, the White House issued a report entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The White House included in this report a "Consumer Privacy Bill of Rights," which was a set of principles based on traditional FIPs that the White House believed should be applied to the commercial use of personal information. Included in this Consumer Privacy Bill of Rights were the principles of individual control, transparency, respect for context, security, access and accuracy, focused collection of information, and accountability. Emphasizing that these are merely principles and that there is no one-size-fits-all approach when it comes to the application of FIPs, the White House Report stated that "[c]ontext should shape the balance and relative emphasis of [these] particular principles."

iii. The Madrid Resolution (2009) - (Examples of FIPs in International Frameworks)

The International Conference of Data Protection and Privacy Commissioners, recently renamed the Global Privacy Assembly, bills itself as the premier global forum for data protection. At its 2009 conference, the commissioners of data privacy and protection in attendance approved what is known as the Madrid Resolution. The Madrid Resolution established international standards on the protection of personal data and privacy to facilitate uniformity and the transborder flow of data. The Madrid Resolution set forth six principles:

• Principle of Lawfulness and Fairness - Personal data must be fairly processed, respecting the applicable national legislation as well as the rights and freedoms of individuals. If processing of personal data gives rise to unlawful or arbitrary discrimination against the data subject it shall be deemed unfair.
• Purpose Specification Principle - The processing of personal data should be limited to the fulfilment of the specific, explicit and legitimate purposes for which it is collected.
• Proportionality Principle - The processing of personal data should be limited to such processing as is adequate, relevant and not excessive in relation to the purposes for which it is collected, and the collection of personal data should be limited to the minimum necessary to achieve the purpose of collection.
• Data Quality Principle - Personal data should be accurate, as well as sufficient and kept up to date in such a way as to fulfil the purposes for which they are processed. Moreover, the period of retention should be limited to the minimum necessary and deleted or rendered anonymous when no longer needed.
• Openness Principle - Policies with regard to the processing of personal data should be transparent, with appropriate notice including the responsible person's identity, the intended purpose of processing, the recipients to whom their personal data will be disclosed and how data subjects may exercise the rights provided in this Document, as well as any further information necessary to guarantee fair processing of such personal data. Data subjects must also be provided access to the data collected about them.
• Accountability Principle - Data controllers (called "responsible persons" in the Madrid Resolution) must observe the Madrid Resolution's principles and obligations, as well as applicable national legislation, and have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers.

The Madrid Resolution, like many other similar conventions, frameworks, and agreements, also included provisions related to when the collection of data is considered legitimate, how to handle particularly sensitive data, how data should be processed, and the transborder flow of data.

i. The Organization for Economic Co-operation and Development (OECD) Guidelines (1980) - (Examples of FIPs in International Frameworks)

The Organization for Economic Co-operation and Development ("OECD") is an organization consisting of thirty-six member nations with the mission to promote policies that will improve the economic and social well-being of people around the world. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted by OECD identified eight "principles" governing the use of personal information that it encouraged its member nations to put into practice. These include the following:

• Collection Limitation Principle - There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
• Data Quality Principle - Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.
• Purpose Specification Principle - The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
• Use Limitation Principle - Personal data should not be disclosed, made available or otherwise used for purposes other than . . .: a) with the consent of the data subject; or b) by the authority of law.
• Security Safeguards Principle - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
• Openness Principle - There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
• Individual Participation Principle - An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
• Accountability Principle - A data controller should be accountable for complying with measures which give effect to the principles stated above.

iii. The 2012 FTC Report (FIPs in the United States)

The same year that the White House issued this report, the Federal Trade Commission ("FTC") also issued a report on Protecting Consumer Privacy in an Era of Rapid Change (the "2012 FTC Report"). That report calls on companies to implement various recommendations for protecting privacy, and it emphasized three main areas of concern.

First, the FTC encouraged companies to adopt a "Privacy by Design" approach to developing new products and services in which companies "build in" privacy as part of their systems engineering. Put differently, a "Privacy by Design" approach calls on companies to "promote consumer privacy throughout their organizations and at every stage of the development of their products and services." The privacy concepts that should be "built in" to products and services include: data security, reasonable collection limits, sound data retention and disposal practices, and data accuracy. Similarly, the 2012 FTC Report calls on companies to "maintain comprehensive data management procedures throughout the life cycle of their products and services."

The second privacy principle that the 2012 FTC Report encouraged companies to adopt was simplified consumer choice regarding how personal information is used. The FTC recognized that consumer choice is not always required or appropriate. Rather, the availability of consumer choice should be consistent with the context of the transaction or the company's relationship with the consumer, unless providing consumers the ability to make meaningful choices about how their personal information is used is mandated by specific law or regulation. Two situations calling for express, affirmative consumer consent are when a company seeks retroactive consent to use personal information in a manner that is materially different than the manner in which the data was used when originally collected, or when particularly sensitive data is collected. Where a choice is presented to a consumer, whether required or not, consumer choice must be meaningful—i.e., companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. The FTC also highlighted several areas of concern with respect to consumer choice: (1) giving consumers a "take-it-or-leave-it" choice where there are few market options; (2) providing a Do-Not-Track mechanism (discussed later in this study guide); and (3) issues related to "comprehensive" tracking by large companies (also discussed later).

The third area that the FTC focused on in its 2012 Report was the issue of transparency in companies' data practices. The FTC encouraged companies to ensure that their privacy notices—an issue discussed at length in Module I.D.10—are clear, short, and standardized with industry practice to increase consumer understanding and to facilitate the ability to compare different privacy notices. Additionally, a company should provide data subjects access to the personal information it collects about them, with a level of access "proportionate to the sensitivity of the data and the nature of its use." The FTC also encouraged companies to expand their attempts to educate consumers about data privacy practices.

FIPs are infused throughout this 2012 FTC Report. The FTC concluded its report by highlighting five areas that it would be prioritizing: (1) a Do-Not-Track mechanism; (2) collection of data on mobile devices; (3) regulation of data brokers; (4) issues related to "comprehensive" tracking by large companies; and (5) promoting self-regulatory codes. Each of these areas raises its own concerns about the implementation of FIPs. As discussed further in Module II.A.5, the FTC has continued to issue privacy and data security updates, which provide key insight into the FTC's enforcement priorities.

i. Early Adoption of FIPs (FIPs in the United States)

There are many ways to articulate FIPs. The first official attempt to do so in the United States occurred in 1973. That year, the Department of Health, Education, and Welfare ("DHEW"), later renamed the Department of Health and Human Services ("HHS"), promulgated an official set of FIPs. The DHEW identified five different practices organizations should attempt to follow:

• "There must be no personal-data record-keeping systems whose very existence is secret."
• "There must be a way for an individual to find out what information about him is in a record and how it is used."
• "There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent."
• "There must be a way for an individual to correct or amend a record of identifiable information about him."
• "Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data."

The year following the adoption of these FIPs by DHEW, Congress passed the Privacy Act of 1974. The Privacy Act of 1974, as amended, codifies a set of FIPs that govern how information about individuals in the records of federal agencies is collected, maintained, used, and disseminated. Each federal agency is required to adopt rules to effect the purpose of the Privacy Act of 1974. There can be harsh penalties for any violation of these rules, including the imposition of civil remedies or criminal prosecution.

