The amount of online activity is ever increasing, especially with the expansion of the Internet of Things (IoT). We’re constantly bombarded with requests for data. The number of scam websites, phishing schemes, and cases of identify theft is always on the rise. It’s more important than ever to be super vigilant about the safety of your information. Moreover, knowing exactly who has your personal details and how they use them is a vital aspect of your right to privacy.
Whether you’re handing over your email address or making online payments, you want to be absolutely sure of where your information is going and how it will be used. As such, becoming familiar with the principles of fair information practices will help you make the right decisions as you navigate both offline and online environments. With your extra savvy, you’ll also be able to report those entities who aren’t following best practices to help create a safer landscape for all users.
In this post, we’ll take a brief look at the guidelines that have been developed surrounding fair information practices. Then, we’ll delve into the five core principles and what they mean for you as a consumer.
Some background about these principles
When we talk about information practices, we’re referring to how various entities collect and use your personal information. When we talk about these practices being fair, we need to look at how to ensure that rules governing information practices are in place and provide ample privacy protection for consumers.
The environment is constantly changing, and over the years there have been various reports surrounding the topic of fair information practices. There have also been guidelines introduced in a bid to establish standards for businesses to follow. In recent years, many countries have developed more concrete policies surrounding data protection. Throughout the various reports and guidelines, certain core principles emerge.
These were first laid out over a decade ago in a Federal Trade Commission (FTC) report “Fair Information Practice Principles,” which has since been retired. While that was based on now-outdated reports and guidelines, the underlying messages within the principles remain apparent in more up-to-date directives including:
- General Data Protection Regulation (GDPR): This was developed by the EU to supersede the Data Protection Directive and will be enforceable starting in May 2018.
- Personal Information Protection and Electronic Documents Act (PIPEDA): This applies in Canada and includes guidelines set out in the Digital Privacy Act and CSA Model Code.
- OECD Privacy Guidelines (originally published in 1980 but updated in 2013): The Organisation for Economic Co-operation and Development (OECD) sets international standards on a variety of things, including privacy.
Bear in mind that not all of these documents contain all of the below principles explicitly. Moreover, most, if not all, contain additional in-depth guidance. Therefore, if you’re looking at this from a business perspective or are a consumer in search of more in-depth information, you can consult the relevant document directly. You might also be interested in a side-by-side comparison of the privacy policies of some of the largest internet companies.
You may note the absence of a US document on the above list. There is currently no blanket data privacy legislation enforced in the US. However, there are certain acts that pertain to fair information practices, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transactions Act (FACTA). Moreover, many laws governing information practices in the US are instituted at a state level.
One last note before we delve into the principles is that some of these guidelines are based on the assumption that the consumer will have the necessary judgment to decide whether or not to hand over their information. However, when it comes to children, there is a strong chance that they won’t hold the same analytical abilities and judgment. In this case, the principles have to be adapted in order to ensure that parents are adequately equipped to protect their children’s information. We’ll be covering these adapted principles in an upcoming post.
The 5 core principles of fair information practices
Now that we know a little more about where these principles emerged from, let’s look at the key points they cover when it comes to the rights of consumers.
1. Consumers should be given notice
Notice refers to the fact that the person providing information must be made aware of exactly who the information is going to and what it will be used for. Also referred to as transparency, this is of the utmost importance so that the consumer is well-equipped to make a decision about whether to hand over information, as well as which information they want to divulge.
Some of the things that an entity should cover, as appropriate, are:
- Who is collecting the information
- What it will be used for
- Who could potentially receive the data
- What information will be collected and how
- Whether providing the data is optional
- How the collector will ensure the confidentiality, quality, and integrity of the information
- If and when the information will be disposed of
If the provider is filling out a physical form, this information would likely appear somewhere on the actual form. Alternatively, in an online environment, the information may be laid out on the form or on a separate webpage. In either case, it must be obvious and easily accessible to the reader.
For example, when signing up to NerdWallet, the user will be agreeing to the company’s terms of service and privacy policy, which are both laid out in separate documents, available by hyperlink:
In this case, simply signing up indicates that the user agrees to the terms and policies provided. In other cases, they may be required to take additional action, such as checking a box, that confirms they have read and understood the terms and policies provided.
In many situations, these things are skipped over, especially if the user already has a level of trust for the collecting entity. However, in certain situations, you may be far more apt to scour terms and policies for relevant information. Say for example, you’re using the services of an entity for the specific reason of data protection. If you’re shopping for a VPN provider or a browser privacy extension, you’ll want to know exactly how the companies in question are going to handle your information.
2. Choices should be offered and consent required
In basic terms, this principle gives consumers the right to decide how their information is used. This refers more to secondary use, as the primary use will typically be evident, for example, to sign up for a service, complete a purchase, or access a piece of content.
Beyond the primary reason, entities may want to record and use your data for other purposes, such as to add you to their own or other companies’ email lists. Alternatively, they may be selling mass data about user behavior or preferences to third parties.
Ultimately, any data use beyond the obvious should be clearly laid out. Plus, the consumer should have the option of whether they want to give their consent for their information to be used in the manner specified. This can be done on an opt-in or opt-out basis, but the main thing is that the options are clear and easy to take action upon.
The concept of choice and consent is something we come across on a regular basis within online activity. Signup, purchase, and submission forms often come with one or more checkboxes at the end, and you might feel bombarded with requests for your information to be used in various ways.
A common example is the option to receive promotional information from whichever entity you are handing your information to, as is the case with the California Lottery signup form:
There are also situations in which you may have multiple options for how your information may be used. In the case of NerdWallet, third-party opt-out options can found in the privacy policy, which is easy to locate from the signup form as we mentioned above:
Again, the key is that the options are clear and opting in or out is straightforward. As shown in the examples provided, this is fairly simple to achieve in the online environment, so there should be no excuses.
3. Consumers should be able to access and alter data
So what happens in terms of your rights after you’ve handed over your data? Well, the general consensus among data privacy reports and guidelines is that consumers should have the ability to access the information they’ve provided.
This principle also conveys their right to contest information that they believe is inaccurate and/or have the opportunity to change it. One of the major reasons behind this principle is that it gives the best chance that all information is accurate and complete – which actually ties into the next principle.
Of course, this won’t work if the information is difficult to access, either because of a lengthy process or an expensive one. As such, it’s important that entities have mechanisms in place to make it simple and straightforward for consumers to access and review their data. Similarly, they must be able to contest its accuracy of completeness and/or make changes without difficulty.
For example, email providers, social media platforms, and ecommerce sites – like Amazon – make it simple for users to alter their information. It makes sense for both the entities and the consumers.
4. Data should be accurate and secure
This principle refers to the integrity and security of all data. The integrity component ties into the last principle, with the onus being on entities to do what they can to ensure that all information is accurate and correct. We just talked about the accessibility of data and this comes back to that. Entities must ensure that consumers can access and contest or alter data so that it is indeed accurate.
However, it is also the responsibility of those collecting information to take other measures than accessibility to ensure the integrity of the data they hold. This may mean cross-referencing other sources to ensure that data providers are entering accurate information. It might also mean that entities have to dispose of data that may be out of date or make it anonymous after a certain period of time.
As well as integrity, entities also need to take the security of consumers’ data extremely seriously. This means putting measures in place to ensure that data is not lost and that it can’t be accessed, used, changed, destroyed, or disclosed without authorization. Failure to safeguard information can come at a huge price for companies like Morgan Stanley.
Of course, even with high security, data breaches do still happen. There are increasingly stricter measures in place to ensure that companies actually report data breaches. However, Yahoo’s fairly recent admission of a huge data breach that occurred several years earlier shows that we can never be absolutely certain that our information is safe. For this reason, it’s nearly impossible to say a particular company is better at security than others, simply because they haven’t had breaches hit the headlines.
As such, you should always do what you can to protect yourself. You can start by making sure you don’t use the same password on multiple accounts. Also, be sure to delete old accounts, so that your data isn’t being stored somewhere unnecessarily. Ideally, at this point, your information should be disposed of. If not, at the least, any personally identifiable information should be deleted, aggregated, or anonymized after a certain period of time.
Of course, aside from hacking, you might also be concerned about the privacy of your information from a government aspect. The Electronic Frontier Foundation (EFF) does a good job of identifying, through its “Who Has Your Back?” list, which companies to look out for when it comes to privacy.
5. Mechanisms for enforcement and redress are necessary
Of course, it’s all well and good having rules surrounding fair information practices, but if there are no mechanisms in place to enforce them, they are rendered pointless. Moreover, if there is no form of redress, there is little to no incentive for entities to abide by any rules.
As with many regulations, there are several different approaches that can be taken when it comes to enforcement of those surrounding fair information practices. Here, we’ll take a look at the main three:
Self-regulatory regimes
This type of regulation could be carried out at the discretion of the entity itself. For example, social media sites like YouTube provide a means for you to file a complaint. When it comes to redress, there should be processes in place for customers to easily access a complaint system, and for their complaints to be investigated.
Alternatively, enforcement might be carried out by an external regulatory body. This might include agreeing to fair information practices in order to join an industry association. An entity might also invite external auditors to verify that they are following guidelines, possibly with a certification granted at the end.
Private legislation
Private legislation would typically give the consumer the right to compensation if they fell victim to unfair information practices. For example, they might have the cause to sue if misuse of information led to damages. Electronic Privacy Information Centre (EPIC) is one independent organization that looks into these types of civil rights. Also, Privacy International is a UK-based human rights organization helping protect people’s right to privacy.
Government legislation
In certain cases, government regulation is exercised within specific industries. For example, within the US health industry, if you think you’ve been violated by a HIPAA-covered agency, you can file a complaint with the Office for Civil Rights (OCR). In many countries, there are also methods for reporting violations independent of industry (more on that in the next section).
Reporting breaches of information
As the online environment continues to change, regulation around fair information practices will continually evolve. The evolutionary nature of this landscape doesn’t exactly offer peace of mind for consumers who are constantly asked to provide personal information to all sorts of companies.
However, now that you’re aware of the core principles of fair information practices, you’ll be better equipped to look out for certain flags when providing entities with information. Moreover, although rules will vary between countries and industries, you’ll be better able to spot when an entity is not following fair information practices.
As mentioned, there are various places you can report instances where you believe there have been violations. We talked about a couple above, and there are also country-specific forms, some of which are listed here:
- UK: Information Commissioner’s Office (ICO)
- US: Federal Trade Commission (FTC)
- Canada: Office of the Privacy Commission of Canada (OPC)
- Australia: Office of the Australian Information Commissioner (OAIC)
In general, the best advice we can give is to safeguard your information carefully and try to only deal with businesses you trust to do the same. Remember to read terms, conditions, and privacy policies carefully, and if there’s any doubt, ask questions!