Fair Information Practices

  Excerpt from the OECD's Guidelines (1980)

This text were excerpted verbatim from a longer document by the OECD, except that a numeric reference to the Purpose Specification Principle was changed to name the principle instead.

A much broader set of Guidelines for Multinational Enterprises adopted in 2000 calls for companies to ``respect consumer privacy and provide protection for personal data.''

For real-life examples companies' successes and failures in abiding by these principles, see our Awards page.

  Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

  Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

  Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

  Use Limitation Principle

Personal data should not be disclosed made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except:

1. with the consent of the data subject; or
2. by the authority of law.

  Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

  Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

  Individual Participation Principle

An individual should have the right:

1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
2. to have communicated to him, data relating to him
   
   1. within a reasonable time;
   2. at a charge, if any, that is not excessive;
   3. in a reasonable manner; and
   4. in a form that is readily intelligible to him;
3. to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
4. to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

  Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

  Privacy at the end of the millennium

I'm very grateful to Professor Westin for inviting me here today, in part because it has given me the chance to meet with the people who are at the forefront of the some of the most important social changes of this information revolution age. Over the past couple of years I can vouch as an eyewitness for how extremely hard so many of you have worked in making your contribution to fate of the 21st century.

If diligence and talent and goodwill were all that was required, the future would look very bright indeed. Unfortunately fate isn't always just.

You all know that American business will soon face a crisis of unprecedented magnitude, and in most cases, the responsibility is simply its own. I'm talking of course, about the Year 2000 problem.

Why, you might ask, is he hitting us with this millenial angst about computer technology when we already have the EU Data Directive to keep us awake at night? Well, because the same key questions that are important to businesses for the Y2K problem are key for electronic privacy, and the answers are similar. Those questions are simply

1. How did we get into this mess?
2. How bad is is?
3. How can we get out of it?

Now I only have about eight minutes left for eight questions, so I'll have to speak pretty bluntly. I hope you'll forgive me if my answers aren't entirely pleasing. But there are no nice solutions to these problems, only painful solutions and non-solutions.

Question 1: How did businesses get into the Y2K mess? Answer: Very easily: by computerizing their businesses processes without sufficient attention to a detail that didn't seem very important at the time. I can tell you as someone who has written many programs that aren't Y2K-compliant - back in the seventies, when I didn't imagine I would be alive in the year 2000 - that bad software is much easier and cheaper to write than good software, and it's much more expensive to educate staff to think about obscure problems than it is to downsize anyone who isn't showing obvious signs of productivity. In our rush to automate business processes, we have created an information machine that is creaky and difficult and expensive to change. There were good reasons to do it at the time, such as competitive pressure and cost savings, but now we're stuck with an open-ended liability that we hadn't foreseen.

All the above statements hold true of the privacy mess. How did we get into the mess? Same answer: by computerizing businesses processes without sufficient attention to a detail that didn't seem very important at the time. But there's more to it than that for privacy. Because personal information can be turned into profit by selling it or storing it and using it later, there is an economic incentive to businesses to do those things. And because fair information practices such as letting people see and correct data about themselves have been seen as a costly overhead, they tend not to have been designed into their systems. If a legal requirement to do so suddenly springs up, the task of retrofitting that capability onto existing systems can be very expensive, and difficult to do at short notice. "Gee, if we had only known a few years ago we would have put it in." That's a comment that applies equally to fair information practices and to use of four-digit dates instead of two-digit. So to summarize: how did we get into this mess?

1. By computerizing businesses processes without sufficient attention to a detail that didn't seem very important at the time, and
2. because of business practices that were perfectly legal and to which few people objected at the time, but which are suddenly becoming illegal or despised by consumers.

OK, next question. How bad is it? For Y2K, it's pretty bad. Typical estimates of the cost are around $400 billion, and some unprepared companies might go into bankruptcy because of it. For privacy, I don't think it's that bad. It'll be expensive, and it might bankrupt some unusual companies, particularly a very small number whose business plans are predicated on intrinsically unfair information practices. But companies go bankrupt all the time through mistakes and bad luck. What is more important than individual companies is whether technological change moves us towards or away from the kind of society we want: prosperous and free. Unfortunately Internet is fast becoming a vast information badlands that inspires fear and deters people from enjoying its enormous opportunities.

Question 3: What should consumers do? Well, there's a small number of people called the Y2K survivalists, who are holing themselves up in fortresses in Montana with diesel generators, bottled water, shotguns and dehydrated food, awaiting the failure of the electricity grid and the wave of looting that they believe will follow the collapse of civil order in January of the year 2000. I don't think it'll be that serious, but even conservative forecasters warn of widespread inconveniences about 57 weeks from now.

Now, assuming that things go modestly well in the nuclear power plants and the missile silos and that our civilization survives the Y2K bug, (last week the Pentagon admitted falsifying Y2K readiness reports) and assuming that people don't become so disenchanted with computer technology that they refuse to turn on their PCs again, what will they do about their privacy on the World Wide Web? Two points will have become very clear to everyone by then:

1. computer technology can have negative societal effects, and
2. businesses are not entirely able to eliminate those effects, even with strong individual motivation.

1. get off this dangerous information superhighway (or don't get on it in the first place),
2. adopt technological means of protection, and
3. demand change.

So what should businesses do about the Y2K bug? Well, hoping that someone will discover the cure in November of 1999 isn't a strategy. You just have to try to get down to a lot of thankless hard work of putting contingency plans in place and re engineering the company's processes. To put it bluntly: bite the bullet, quickly and hard. And it's the similar answer for the privacy mess: adopt fair information practices as fast as you can. They are ultimately your only defense against the crusading reporter, the disgruntled consumer, the class action lawyer, and the irascible legislature.

Don't pat yourself on the back saying "gee, we're doing pretty well, we're abiding by six of the eight principles already, let's leave subject access and secondary use until after lunchtime." That's like saying "we've fixed six of the eight Y2K bugs that are known to affect our computer systems." Unfortunately, just one is enough to blow you out of the water.

Now because some of the OECD principles are harder to comply with than others, many trade associations, including the DMA and the Online Privacy Alliance have issued policies, often even called Fair Information Practices, that somewhat resemble the OECD's guidelines but which omit inconvenient principles such as giving people access to information about themselves. These pseudo-FIP policies have been described by cynics as FIP-lite, CIP (Convenient Information Practices), IIP (Inexpensive Information Practices), SLUIP (Slightly-Less-Unfair Information Practices), and several other names that we needn't belabor the point by repeating here. The point is simply that anything less than fair isn't fair, even if it's cheaper and more convenient, and calling something that's not entirely fair fair doesn't make it fair.

Asking "Hasn't industry done enough about the privacy problem?" is a little like asking " "Hasn't industry done enough about the Y2K problem?" Reality is a stronger and sometimes crueler taskmaster than any government, and can be even worse any privacy advocate. You cannot negotiate the Y2K problem away, and ultimately you cannot negotiate the privacy problem away. You're going to have to fix it, whatever the cost, and the costs and the risks are going up the longer you leave it.

Finally, rather than ending on a note of millennial gloom, let me point to an encouraging example: about two years ago some highly respected experts were predicting the collapse of the Internet under the weight of its own traffic. This didn't happen, due to a colossal effort and investment from a wide range of parties. If you think the future looks dark, let me leave you with some of Winston Churchill's advice from a speech he gave in 1941, one of the darkest years in England's history. "Do not let us speak of darker days; let us rather speak of sterner days. These are not dark days: they are great days--the greatest days our country has ever lived; and we must all thank God that we have been allowed, each of us according to our stations, to play a part in making these days memorable in the history of our race."

Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/fip.html