Fair Information Practices Support Data Protection & Privacy
Across the U.S. and around the world, privacy laws have been enacted to govern the collection, maintenance, use and dissemination of information about individuals.
The concept of Fair Information Practice Principles (FIPPs) is at the heart of these laws and has been implemented in the N.C. Department of Information Technology to guide privacy and security policy.
The FIPPs strengthen the privacy protections of those who have entrusted the state of North Carolina with their personally identifiable information (PII). They provide a mechanism to ensure data quality and integrity while enhancing the state’s ability to responsibly share data with educational institutions and industry throughout the state.
Implementing these principles reduces the risk of unauthorized disclosure of information and supports the creation of reliable records to inform decision-making.
The eight guiding principles that are commonly accepted and form the Fair Information Practice Principles in the United States are:1
- Transparency: The organization should be transparent and provide notice to the individual regarding its collection, use, dissemination and maintenance of personally identifiable information (PII).
- Individual Participation: Consent should be sought from the individual for the collection, use, dissemination and maintenance of PII. A mechanism should also be provided for appropriate access, correction and redress regarding the organization's use of PII.
- Purpose Specification: The organization should specifically articulate the authority that permits the collection of PII and the purpose(s) for which the PII is intended to be used.
- Data Minimization: The organization should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as it is necessary to fulfill those purpose(s).
- Use Limitation: The organization should use PII solely for the purpose(s) specified in the notice. Sharing PII outside of the organization should be for a purpose compatible with the purpose(s) for which the PII was collected.
- Data Quality and Integrity: The organization, to the extent practicable, should ensure that PII is accurate, relevant, timely and complete.
- Security: The organization should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: The organization should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
The Fair Information Principles gained traction in the early 1970s in response to the growing use of computers in the collection and use of personal information.
The U.S. Department of Health, Education and Welfare's Advisory Committee on Automated Personal Data Systems found that individuals’ privacy was poorly protected under existing law and record keeping practices and recommended basic principles for a code of information practice.
Those principles are at the core of the Privacy Act of 1974 and govern the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies.
The principles have been refined, expanded, and widely adopted in the U.S. and around the world.
Have a Question or Comment About Privacy?
Data privacy and protection are important to NCDIT, and we want to hear from you to help strengthen our privacy program for the state.