Whatever Happened to the. Fair Information Practices?

Similar documents
Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

Privacy Policy SOP-031

Toward Objective Global Privacy Standards. Ari Schwartz Senior Internet Policy Advisor

Global Trade and Personal Data Flows Are the Rules of Engagement Incompatible with Privacy?

ISO/TR TECHNICAL REPORT. Intelligent transport systems System architecture Privacy aspects in ITS standards and systems

Analysis of Privacy and Data Protection Laws and Directives Around the World

ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

March 27, The Information Technology Industry Council (ITI) appreciates this opportunity

The Evolving Privacy Landscape: 30 Years After the OECD Privacy Guidelines

What does the revision of the OECD Privacy Guidelines mean for businesses?

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009

Privacy Procedure SOP-031. Version: 04.01

Privacy by Design: essential for organizational accountability and strong business practices

About the Office of the Australian Information Commissioner

Protection of Privacy Policy

The EFPIA Perspective on the GDPR. Brendan Barnes, EFPIA 2 nd Nordic Real World Data Conference , Helsinki

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017

APEC PRIVACY FRAMEWORK

Legal Issues Related to Accountable-eHealth Systems in Australia

Dr Nicholas J. Gervassis University of Plymouth THE EMERGING UK DATA PROTECTION FRAMEWORK AND BEYOND

Privacy by Design: Integrating Technology into Global Privacy Practices

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

Reporters' Memorandum: Restatement Third of Information Privacy Principles

Presentation Outline

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

Re: Review of Market and Social Research Privacy Code

This policy sets out how Legacy Foresight and its Associates will seek to ensure compliance with the legislation.

Robert Bond Partner, Commercial/IP/IT

ICC POSITION ON LEGITIMATE INTERESTS

ARTICLE 29 Data Protection Working Party

Session 1, Part 2: Emerging issues in e-commerce Australian experiences of privacy and consumer protection regulation

Ocean Energy Europe Privacy Policy

Managing Information Systems Seventh Canadian Edition. Laudon, Laudon and Brabston. CHAPTER 4 Social, Ethical, and Legal Issues in the Digital Firm

Seminar on Consultation on. Review of the Personal Data (Privacy) Ordinance. Why the review is being conducted and what this means to you

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

Building DIGITAL TRUST People s Plan for Digital: A discussion paper

2

Responsible Data Use Policy Framework

Software Patents in the European Union

This Privacy Policy describes the types of personal information SF Express Co., Ltd. and

Updating Data Protection: Part I -- Identifying the Objectives

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

Pan-Canadian Trust Framework Overview

Privacy by Design Assessment and Certification. For discussion purposes only

Primary IVF Conditions for Registration For Assisted Reproductive Treatment Providers under the Assisted Reproductive Treatment Act 2008

Should privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009

Committee on the Internal Market and Consumer Protection. of the Committee on the Internal Market and Consumer Protection

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

Digital Identity Innovation Canada s Opportunity to Lead the World. Digital ID and Authentication Council of Canada Pre-Budget Submission

04 - Introduction to Privacy

the Companies and Intellectual Property Commission of South Africa (CIPC)

Data Protection and Privacy in a M2M world. Yiannis Theodorou, Regulatory Policy Manager GSMA Latam Plenary Peru, November 2013

Interaction btw. the GDPR and Clinical Trials Regulation

Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada. July 2016

The new GDPR legislative changes & solutions for online marketing

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Privacy Management in Global Organisations

IV/10. Measures for implementing the Convention on Biological Diversity

MULTIPLE SCENARIOS FOR PRIVATE-SECTOR USE OF RFID

BUREAU OF LAND MANAGEMENT INFORMATION QUALITY GUIDELINES

REPORT ON THE INTERNATIONAL CONFERENCE MEMORY OF THE WORLD IN THE DIGITAL AGE: DIGITIZATION AND PRESERVATION OUTLINE

Applied Safety Science and Engineering Techniques (ASSET TM )

Honourable Guests, Ladies and Gentlemen, In April 1995, the Personal Data (Privacy) Bill was introduced into the Legislative Council.

Global Harmonization Task Force

Global Alliance for Genomics & Health Data Sharing Lexicon

The General Data Protection Regulation and use of health data: challenges for pharmaceutical regulation

Standardised Privacy Policies: A Post-mortem and. Promising Developments

Australian Census 2016 and Privacy Impact Assessment (PIA)

Malcolm Crompton. Future trends in consumer credit and privacy. Cockle Bay Wharf Sydney

Phase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR

Global Standards Symposium. Security, privacy and trust in standardisation. ICDPPC Chair John Edwards. 24 October 2016

THE BEST PRACTICES ACT OF 2010 AND OTHER FEDERAL PRIVACY LEGISLATION

24 May Committee Secretariat Justice Committee Parliament Buildings Wellington. Dear Justice Select Committee member,

Lecture 7 Ethics, Privacy, and Politics in the Age of Data

2016 Farmer Cooperatives Conference. Drones Take Flight: Privacy and Intellectual Property Issues

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Internet 2020: The Next Billion Users

Effective Data Protection Governance An Approach to Information Governance in an Information Age. OECD Expert Consultation Boston October 2016

Counterfeit, Falsified and Substandard Medicines

What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012

LAB3-R04 A Hard Privacy Impact Assessment. Post conference summary

GDPR Implications for ediscovery from a legal and technical point of view

Towards a Magna Carta for Data

Privacy by Design: Research and Action. Deirdre K. Mulligan

EDQM COUNCIL OF EUROPE CONFERENCE CERTIFICATION PROCEDURE : 20 YEARS OF EXPERIENCE March EDQM, Strasbourg, France ABSTRACTS

Internet, Human Rights and privacy

The General Data Protection Regulation

Privacy Laws, Technological Developments, and Their Impact on You Review of: Understanding Privacy and Data Protection: What You Need to Know

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION

Ten Principles for a Revised US Privacy Framework

HBM4EU project. Information, Invitation and Informed Consent Lisbeth E. Knudsen, Berit A. Faber. Information and recruitment of participants

Development Dimensions of Digital Platforms

The Alan Turing Institute, British Library, 96 Euston Rd, London, NW1 2DB, United Kingdom; 3

Self regulation applied to interactive games : success and challenges

Regulatory Oversight of Rapidly Changing Technology

The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence

ITI Comment Submission to USTR Negotiating Objectives for a U.S.-Japan Trade Agreement

Charter of the Regional Technical Forum Policy Advisory Committee

Transcription:

Whatever Happened to the Fair Information Practices?

Beth Givens Director Privacy Rights Clearinghouse Privacy Symposium August 22, 2007 Cambridge, MA

Topics Definition and origins of FIPs Overview of key codes U.S. HEW principles, 1973 OECD principles, 1981 Canadian Model Code, 1995, & nat l law, 2000 U.S. NTIA s Elements of Self-Regulation, 1998 U.S. Federal Trade Commission s FIPs, 1998 EU Data Protection Directive, 1998 U.S. Safe Harbor Agreement, 2000 APEC Privacy Framework, 2005 Global Privacy Standard, 2006 Sector-Specific Codes Accountancy and Health Conclusions & Resources

About the Privacy Rights Clearinghouse Nonprofit organization Established 1992, San Diego, CA Two-part mission: education & advocacy Consumer hotline via e-mail and phone Consumer guides: 50+ Fact Sheets ID theft, credit, online, telemarketing, medical, employment screening, & more Web: www.privacyrights.org

What Are the Fair Information Practices (FIPs)? Fair information practices (FIPs) are a set of principles for defining and addressing concerns about privacy of personal information. In most countries with privacy laws, [they are the] core privacy principles incorporated in privacy and data protection laws. -- Robert Gellman s essay on FIPS in Encyclopedia of Privacy (2007)

Origins of the Fair Information Practices An early expression of FIPs is found in the definition of information privacy (1967): the claim of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. -- Alan Westin, Privacy and Freedom (1967)

Origins of FIPs, cont d. Embedded in U.S. Fair Credit Reporting Act (FCRA) of 1970 Access to one s own credit report Use limitations -- legitimate business purposes Accuracy and correction Recourse if illegitimately accessed and misused

Development of FIPs Reports in early 1970s In Britain, the Younger Committee report 10 principles (1972) Alan Westin & Michael Baker, Databanks in a Free Society (1973) -- called for formulation of codes for record-keeping practices U.S. Health, Education and Welfare (HEW) committee report (1973) -- Records, Computers, and the Rights of Citizens -- Colin Bennett, Regulating Privacy (1992)

Development of FIPs, cont d. Data protection laws enacted in 1970s FIPs embedded Concerns over advancement of computer technology and its impact on privacy State of Hesse, Germany (1970) Sweden (first nation, 1973), U.S. (1974), Germany (1977), France(1978) Council of Europe Resolutions: 73, 74, 81 OECD Guidelines -- International code established by Organization for Economic Cooperation and Development (1981) -- Colin Bennett, Regulating Privacy

U.S. HEW Principles (1973) [Paraphrased] 1. No secret systems of personal data. 2. Ability for individual to find out what is in the record, and how it is used. 3. Ability for individual to prevent secondary use. 4. Ability to correct or amend record. 5. Data must be secure from misuse. -- Paraphrased from 1973 U.S. Health, Education and Welfare report: Advisory Committee on Automated Personal Data Systems

OECD Principles (1981) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1. Collection limitation 2. Data quality 3. Purpose specification 4. Use limitation 5. Security safeguards 6. Openness 7. Individual participation 8. Accountability

Criticisms of OECD FIPs Some consider them too weak. Allow too many exceptions. Do not require a privacy agency. Have not kept pace with information technology. Some industry critics want them reduced to notice, choice, and accountability. -- Summarized from Robert Gellman s essay on FIPs, Encyclopedia of Privacy (2007)

Canadian Standards Assoc. Model Code for Protection of Personal Information (1995) Accountability Identifying purposes Consent Limiting collection Limiting use, disclosure, retention Accuracy Safeguards Openness Individual access Challenging compliance Incorporated into Canada s nat l law, PIPEDA (2001)

Emphasis on Self-Regulation in the U.S. TRUSTe web site seal program (1997) Elements of model privacy disclosures Information collection and use Communications from the site Information sharing and disclosure Choice / Opt-out Log files, cookies, clear gifs, third-party advertisers, links to other sites, co-branding Access, security, changes in policy

Self-Regulation in U.S., cont d. Online Privacy Alliance -- Guidelines for Online Privacy Policies (1998) 1. Adoption of Privacy Policy 2. Notice and Disclosure 3. Choice and Consent 4. Data Security 5. Data Quality and Access

U.S. NTIA s Elements of Self-Regulation (Jan. 1998) Fair Info. Practices 1. Awareness a. Privacy policies b. Notification c. Consumer education 2. Choice 3. Data security 4. Consumer access Enforcement 1. Consumer recourse 2. Verification 3. Consequences Nat l Telecomm s and Information Admin., U.S. Dept. of Commerce

U.S. Federal Trade Commission Fair Information Practice Principles (June 1998) 1. Notice / Awareness 2. Choice / Consent 3. Access / Participation 4. Integrity / Security 5. Enforcement / Redress a. Self-Regulation b. Private Remedies c. Government Enforcement

Shortcomings of U.S. Self-Regulatory Approach Absence of collection limitation provision Absence of use limitation principle Self-regulatory environment Limited enforcement No privacy agency per se

European Union Data Protection Directive (Adopted 1998) Rights of data subjects, including: Right of access to data. Right to know where the data originated. Right to have inaccurate data corrected. Right of recourse in the event of unlawful processing of data. Cont d.

EU Data Protection Directive, cont d. (1998) Rights of data subjects, cont d. Right to withhold permission to use their data in certain circumstances. Where data is transferred from EU country to a non-eu country, Article 25: Non-EU country receiving the data must provide an adequate level of data protection. -- Summarized from Morrison & Foerster Legal Updates, 02/2000

Safe Harbor Privacy Principles U.S. Dept. of Commerce (Signed July 21, 2000, Implemented July 1, 2001) Notice Choice Onward transfer Security Data integrity Access Enforcement For use by U.S. entities receiving personal data from the EU in order to qualify for safe harbor and presumption of adequacy.

APEC Privacy Framework Asia-Pacific Economic Coop. (2005) Preventing harm Notice Collection limitation Uses of personal information Choice Integrity of personal information Security safeguards Access & correction Accountability

Global Privacy Standard (2006) Consent Accountability Purposes Collection limitation Data minimization Use, retention and disclosure limitation Accuracy Security Openness Access Compliance Adopted at 28 th Intnat l. Data Protection Commissioners Conference Nov. 2006

Sector-Specific Codes Privacy Framework, American Institute of Certified Public Accountants & Canadian Institute of Chartered Accountants (2003) renamed Generally Accepted Privacy Principles Connecting for Health s Policy Principles, Markle Foundation (2006) part of Connecting for Health Common Framework

Accountants Code Generally Accepted Privacy Principles Choice and consent Management Notice Collection Use and retention Disclosure to third parties Quality Security Notice Access Monitoring and enforcement AICPA / CICA Principles, 2003

Connecting for Health s Policy Principles -- Markle Foundation Openness and transparency Purpose specification and minimization Collection limitation Use limitation Individual participation & control Data integrity and quality Security safeguards and controls Accountability and oversight Remedies Connecting for Health s Common Framework -- 2006

Do the FIPs Matter? Concluding remarks on impact of FIPs: Setting the stage for effective laws and industry policies. The importance of robust standards for meaningful consumer protection. However FIPs are one thing implementation and enforcement are quite another.

Resources Colin Bennett, Regulating Privacy (1992) Paula Bruening, Elements of Effective Self- Regulation for Protection of Privacy at www.ntia.doc.gov (1998) Canadian Internet Policy & Public Interest Clinic, Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up? (2006) Cont d.

Resources, cont d. Ann Cavoukian, A Comparison and Gap Analysis of Leading Privacy Codes: An Attempt at Harmonization (2005) Ann Cavoukian, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age (2006) Ann Cavoukian and Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked World (1997) Cont d.

Resources, cont d. Electronic Privacy Information Center & Privacy International, Transborder Data Flows and Data Havens,, Privacy & Human Rights (2004) David Flaherty, Protecting Privacy in Surveillance Societies (1989) Robert Gellman, Fair Information Practices, in Encyclopedia of Privacy (2007) Cont d.

Resources, cont d. Paul Schwartz & Joel Reidenberg, Data Privacy Law: A Study of United States Data Protection (1996) H. Jeff Smith, Managing Privacy: Information Technology and Corporate America (1994) Robert Ellis Smith, Ben Franklin s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet (2004) Robert Ellis Smith, Law of Privacy in a Nutshell (1993) Cont d.

Resources, cont d. Doreen Starke-Meyerring, European Data Protection Directive, in Encyclopedia of Privacy (2007) Peter Swire, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (1998) U.S. Dept. of Health, Education and Welfare, Records, Computers and the Rights of Citizens: Report of Secretary s Advisory Committee on Automated Personal Data Systems (1973)

Contact Information Beth Givens, Director Privacy Rights Clearinghouse 3100-5th Ave., Suite B San Diego, Ca. 92103 Phone: (619) 298-3396 E-mail bgivens at privacyrights.org Web: www.privacyrights.org

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback