FTC Fair Information Practice Principles
Fair information practice principles were first documented in the United States Department of Health, Education and Welfare’s (HEW) 1973 report Records, Computers and the Rights of Citizens. Since then, several other frameworks and reports have built upon the HEW report’s work. The FTC Fair Information Practice Principles are the ones most commonly shared between these other frameworks.
Excerpts from the FTC Fair Information Practice Principles:
- Notice/Awareness (Inflection Principle 1) While the scope and content of notice will depend on the entity’s substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:
- identification of the entity collecting the data;
- identification of the uses to which the data will be put;
- identification of any potential recipients of the data;
- the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
- whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
Choice/Consent (Inflection Principle 4)
The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information—i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company’s mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Access/Participation (Inflection Principle 4)
Access is the third core principle. It refers to an individual’s ability both to access data about him or herself—i.e., to view the data in an entity’s files—and to contest that data’s accuracy and completeness.
Integrity/Security (Inflection Principle 5)
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles.