The Fair Information Practice Principles Act
The Fair Information Practice Principles (FIPP) is designed to apply to any situation involving handling information about people. This acts as a framework to guide federal and international laws regarding data protection and information management (FPC.Gov, n.d.).
FIPP is derived from meeting the requirements of the Privacy Act of 1974. The Privacy Act of 1974 is the primary driver behind federal privacy law. This applies to any records maintained by the federal government about U.S. citizens or lawful permanent residents (Privacy Act, 2024). While the Privacy Act of 1974 protects citizens and lawful residents, adding non-resident aliens and possibly undocumented persons residing in the United States may be worth adding to an amended version. However, FIPP is primarily applied to government agencies, although businesses have been encouraged to adopt their recommendations.
FIPP is designed to promote consideration of transparency in government information handling by focusing on several specific areas. (Performance, 2022).
FIPP requires that agencies are transparent about PII practices and policies and clearly explain how they handle PII. This is intended to ensure that data subjects understand their rights and what providing consent means.
FIPP also requires that individuals be involved in handling their own PII. This generally means that individuals provide consent, but it also requires provision for allowing individuals to conduct privacy inquiries, request privacy data deletion, and file complaints.
Another requirement is that agencies are only to handle PII that they have the authority to manage as required for their government function. This is meant to ensure that scope creep prevents agencies from exceeding their jurisdiction for privacy data collection.
Agencies must provide an explicit purpose for handling PII and ensure that PII is only handled in the way authorized at the time of collection.
Agencies shall minimize the collection of PII to the minimum amount required for accomplishing the legally obligation tasks of the agency.
Agencies should collect accurate and timely information to protect the principle. This ensures that the data being gathered is relevant and does not incorrectly portray the individual who is the subject of the data collection. Misrepresenting an individual could lead to harm, especially for public figures who suffer a data breach.
Agencies shall provide access and amendment to PII. This meets earlier requirements to allow for individuals to be involved with data but explicitly requires that individuals can modify data if they disagree with it.
Agencies shall ensure that agencies secure PII to prevent inadvertent disclosure, loss, destruction, or dissemination. This prevents privacy harm by ensuring proper lifecycle control of data.
Agencies are accountable to federal requirements and must have clearly defined roles for employees and contractors handling PII. This works to minimize exposure to PII.
FIPP has been recently criticized for being archaic and ineffective at dealing with modern privacy risks. Because FIPP principles heavily drive privacy impact assessments, PIAs sometimes are less effective because they do not consider contemporary issues such as cyberstalking or sharing embarrassing information on social media. FIPP has also been similarly criticized for lacking the ability to contextualize morally objectionable privacy data collections (Issues, 2021).
FIPP does not follow a standardized release model. Instead, it follows a set of reports and guidelines associated with the original FIPPS document. The last major update was issued in 2000 in a report to Congress (Pitofsky et al., n.d.). Additional recommendations were provided in 2012 through another report delivered to Congress. These reports differ because the 2000 update was primarily a status report, whereas the 2012 report was oriented more toward business practice recommendations.
References:
FPC.gov. (n.d.). Retrieved February 10, 2024, from https://www.fpc.gov/resources/fipps/
Issues. (2021, December 20). Time to Modernize Privacy Risk Assessment. Issues in Science and Technology. https://issues.org/modernize-privacy-risk-assessment-fipps/
Performance, S. S. and (Director). (2022, January 24). FPC Fair Information Practice Principles. https://vimeo.com/669614456
Pitofsky, R., Anthony, S. F., Thompson, M. W., Swindle, O., & Leary, T. B. (n.d.). Federal Trade Commission. PRIVACY ONLINE.
Privacy Act. (2024, January 25). U.S. Department of the Treasury. https://home.treasury.gov/
Member discussion