In May 2022, North Carolina officially adopted the Fair Information Practice Principles (FIPPs), a foundational framework for safeguarding privacy and responsibly managing data. These principles serve as the bedrock for many privacy laws and policies, and their adoption underscores the state’s commitment to ensuring that state data is handled with integrity and care.
Across the U.S. and around the world, privacy laws have been enacted to govern the collection, maintenance, use and dissemination of information about individuals. The concept of Fair Information Practice Principles is at the heart of these laws and has been implemented in the N.C. Department of Information Technology to guide privacy and security policies.
The FIPPs strengthen the privacy protections of those who have entrusted the state of North Carolina with their personally identifiable information. They provide a mechanism to ensure data quality and integrity while enhancing the state’s ability to responsibly share data with educational institutions and other agencies throughout the state to offer more services that better serve the state. Implementing these principles reduces the risk of unauthorized disclosure of information and supports the creation of reliable records to inform decision-making.
What Are the FIPPs?
The FIPPs outline a set of core principles designed to guide how organizations collect, use, and protect personal information. These principles include:
- Transparency: The organization should be transparent and provide notice to the individual regarding its collection, use, dissemination and maintenance of personally identifiable information (PII).
- Individual Participation: Consent should be sought from the individual for the collection, use, dissemination and maintenance of PII. A mechanism should also be provided for appropriate access, correction and redress regarding the organization's use of PII.
- Purpose Specification: The organization should specifically articulate the authority that permits the collection of PII and the purpose(s) for which the PII is intended to be used.
- Data Minimization: The organization should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as it is necessary to fulfill those purpose(s).
- Use Limitation: The organization should use PII solely for the purpose(s) specified in the notice. Sharing PII outside of the organization should be for a purpose compatible with the purpose(s) for which the PII was collected.
- Data Quality and Integrity: The organization, to the extent practicable, should ensure that PII is accurate, relevant, timely and complete.
- Security: The organization should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: The organization should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
FIPPs & State Agency Projects
Implementing the FIPPs means that state agencies in North Carolina embed the core principles throughout the lifecycle of their projects. This ensures that privacy and responsible data practices are part of projects and processes from the beginning and are carried through to the end.
How are the FIPPs integrated into projects involving personal information?
- Initial Planning: During the planning phase, agencies should define the purpose of data collection, assess the necessity of the data being gathered and ensure that privacy considerations are included in project goals.
- Risk Assessments: Agencies must perform privacy threshold analyses and may occasionally need to complete a privacy impact assessment to identify and address potential privacy risks early on. These assessments ensure alignment with the FIPPs and help in developing privacy risk mitigation strategies.
- Data Governance: Agencies should implement strong data governance measures, such as role-based access controls, to maintain data security and minimize access to sensitive information.
- Ongoing Monitoring: Projects must include mechanisms to monitor data use and quality, ensuring compliance with the FIPPs over time. Regular audits and reviews help maintain accountability and adapt to changing circumstances.
- Project Closure: At the conclusion of a project, agencies must ensure that data is either appropriately archived or securely disposed of, following the principles of data minimization and security. Data retention schedules that identify how long data should be kept can be found on the website of the State Archives of North Carolina.
By systematically integrating the FIPPs into projects, state agencies ensure that privacy is not an afterthought but a fundamental part of their operations.
Why FIPPs Matter
The FIPPs are not just theoretical guidelines; they are actionable principles that provide a roadmap for ethical data management and privacy by design. By adhering to these principles, North Carolina demonstrates its dedication to protecting individual privacy rights, fostering public trust and promoting transparency and accountability in its operations.
Continuing the Commitment
As we observe Data Privacy Week, let us reflect on the importance of the FIPPs in our work and how these principles empower us to responsibly manage data and maintain the trust of North Carolina residents. Together, we can ensure that privacy remains a top priority in every aspect of state operations.
Stay informed with more insights and updates from the Office of Privacy and Data Protection as we continue to champion privacy and responsible data practices.