What Are Fair Information Practices? | FIPPs

Fair Information Practice Principles, or FIPPs, are a set of data privacy principles followed by many organizations today.

What Are the Fair Information Practice Principles (FIPPs)?

Fair Information Practices, also known as Fair Information Practice Principles (FIPPs), are a set of eight principles concerning the use, collection, and privacy of data. They were published in 1980 by the Organisation for Economic Co-operation and Development (OECD) and were agreed upon in principle by a number of countries.

Although they are not formally part of any privacy legislation, these principles remain relevant and influential today. Many organizations use them as a guide for how to handle personal data. Several of the principles listed in FIPPs are incorporated into major privacy frameworks such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Eight Fair Information Practice Principles Are:

  1. Collection Limitation Principle. There should be limits on the collection of personal data and any such data should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the data subject.
  2. Data Quality Principle. Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
  3. Purpose Specification Principle. The purposes for which personal data is collected should be specified no later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as specified on each occasion of change of purpose.
  4. Use Limitation Principle. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.
  5. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against risks such as loss of data or unauthorized access, destruction, use, modification, or disclosure.
  6. Openness Principle. There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  7. Individual Participation Principle. An individual should have the right to:
    a) obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them;
    b) have communicated to them data relating to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to them;
    c) be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
    d) challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
  8. Accountability Principle. A data controller should be accountable for complying with measures that give effect to the principles stated above.

How Did Fair Information Practices Evolve?

FIPPs as they currently appear are based on recommendations proposed by an advisory committee to the U.S. Department of Health, Education, and Welfare in 1973.

The committee's report noted that "safeguards for personal privacy based on the concept of mutuality in record-keeping would require a commitment by record-keeping organizations to certain basic principles of fair information practice." It then went on to describe several data protection principles.

In 1980, the OECD expanded those recommendations and divided them into the eight FIPPs areas mentioned above. Since then, FIPPs have been referenced several times, particularly in the United States. They continue to form an important part of data privacy and data protection guidance.

Are Fair Information Practices Part of Any Privacy Legislation?

FIPPs are not part of any formal or legal requirements. However, they have served as the foundation for many different privacy guidelines. They also reflect many widely accepted privacy principles that appear in other formal privacy frameworks.

For Example

The Individual Participation Principle (number 7) lists a number of rights that individuals should have.

The California Consumer Privacy Act (CCPA) has codified some of these into law: it includes the "right to know," similar to what is described in parts (a) and (b) of the Individual Participation Principle.

The General Data Protection Regulation (GDPR) also includes the "right to erasure," similar to the ability to "erase data" as described in part (d) of the Individual Participation Principle.

As another example, the FIPPs Data Quality Principle has a counterpart in the GDPR: Article 5 requires that personal data be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."

It is important to note that these privacy frameworks do not map perfectly to FIPPs in their descriptions and requirements. Organizations wishing to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or any other privacy legislation need to ensure they are following the requirements of those specific laws, and not just FIPPs.
