Fair Information Practice Principles

Before discussing our core principles for a networked environment, it may be useful to briefly consider some existing principles for privacy protection. These principles provide a useful template, but they are not optimized for a network-driven world. Many were designed long before the age of the Internet, data brokers, and data aggregation. As such, they may need to be tailored, adapted, and, in some cases, expanded to address the specific risk management challenges posed by the digital age in general, and the rise of EMRs in particular.

The Privacy Rights Clearinghouse, a nonprofit consumer group located in California, provides a useful review of existing Fair Information Practices.[24] Here, we provide a summary, based on that review, of existing privacy laws in three jurisdictions:

  1. The United States, including the 1973 Fair Information Principles and the 1974 Privacy Act;
  2. The OECD, including the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and
  3. Canada, including the 1995 Canadian Standards Association Model Code for the Protection of Personal Information.

1. The United States

The Fair Information Practices were implemented over thirty years ago (1973), when the US Department of Health, Education, and Welfare (HEW) formed a task force to consider the privacy effects of the spread of computerized medical records. The Code of Fair Information Practices developed by this task force includes the following principles:[25]

  1. Collection limitation: There must be no personal data record keeping systems whose very existence is secret.
  2. Disclosure: There must be a way for individuals to find out what information about them is in a record and how it is used.
  3. Secondary usage: There must be a way for individuals to prevent information about them that was obtained for one purpose from being used or made available for other purposes without their consent.
  4. Record correction: There must be a way for individuals to correct or amend a record of identifiable information about them.
  5. Security: Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

It is important to note that, unlike in many other industrialized countries, these practices have not been put into law at the federal level. While they have been codified at the state and sectoral levels,[26] no blanket safeguards exist to implement and oversee these protections at the national level.

One notable exception is the Privacy Act of 1974. However, as noted earlier, this law only applies to systems of records that exist within government agencies. A major weakness is that it allows agencies to use private sector data without applying any of the protections contained in the law.

2. The OECD

Unlike the United States, many European countries have adopted broad, omnibus privacy protections that apply across sectors and jurisdictions. The OECD developed its Fair Information Practices as far back as 1980, and the European Union (EU) has adopted many of these principles. In particular, they were codified in the European Union's Directive on Protection of Personal Data, implemented in 1995. The privacy guidelines adopted by the OECD include the following eight principles:[27]

  1. Collection limitation principle: There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data quality principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
  3. Purpose specification principle: The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use limitation principle: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with Paragraph 9[28] except:
     (a) with the consent of the data subject; or
     (b) by the authority of law.
  5. Security safeguards principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  6. Openness principle: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  7. Individual participation principle: Individuals should have the right:
     (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them;
     (b) to have communicated to them, data relating to them
         1) within a reasonable time;
         2) at a charge, if any, that is not excessive;
         3) in a reasonable manner; and
         4) in a form that is readily intelligible;
     (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
     (d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
  8. Accountability principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

3. Canada

Canada has adopted a unique model when it comes to privacy protections. Its privacy guidelines have been formulated not by the state, but by a nonprofit entity, the Canadian Standards Association (CSA), which in 1995 adopted the "Model Code for the Protection of Personal Information."[29] This Code, which includes the 10 principles listed below, can be adopted on a voluntary basis by companies or other entities.

  1. Accountability: An organization is responsible for personal information under its control and shall designate a person who is accountable for the organization's compliance with the following principles.

  2. Identifying purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

  3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, with certain exceptions.

  4. Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

  5. Limiting use, disclosure, and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

  6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

  7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

  8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to its handling of personal information.

  9. Individual access: Upon request, an individual shall be informed of the existence, use, and disclosure of personal information about the individual and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  10. Challenging compliance: An individual shall be able to challenge compliance with the above principles with the person who is accountable within the organization.

As in many countries, these 10 principles are substantially similar to the OECD guidelines described above. However, it is worth noting that two principles in particular have been strengthened in Canada:

  • Consent: As Principle 10 suggests, consent in Canada includes not just the right to limit access to one's personal data (number 3), but also the right to challenge an entity's compliance with the Code (number 10).
  • Accountability: Accountability is held to be so important in Canada that it ranks first on the list of 10 principles. This puts the burden of protecting privacy substantially onto collectors and users of data.