A Short Course on Privacy Principles
The first lesson is that privacy is a lousy term. No one can agree on exactly what privacy means. Theories and opinions abound, and scholarly literature is filled with different views. The courts don't help much either. Privacy arises in cases involving search warrants, procreation, education and information. It's impossible to distill a single or simple definition.
Instead of struggling, we are better off using another term. One substitute is data protection, which refers to the collection, maintenance, use and disclosure of personal information. Data protection is the term of choice in Europe.
The first is the principle of openness. Those who maintain personal information must disclose the existence of their databanks. Some countries require licensing or registration of databases, but that is not essential. In fact, licensing and registration are somewhat out of favor abroad. Both are anathema in the United States, but basic openness is noncontroversial.
The second FIP principle covers individual participation. A data subject should have the right to see any data about him or her and to seek correction or removal of erroneous data. The policy is straightforward, but implementation can be messy at the edges. Still, when information is used to make decisions about individuals, access and correction are essential elements of fairness. How would you feel if you couldn't get a mortgage or a tax refund because of inaccurate data that you couldn't see or correct?
Third is the principle of collection limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means and that data should be collected, where appropriate, with the knowledge or consent of the subject. This principle should be unobjectionable because it includes enough weasel words -- limits, fair, appropriate -- to allow a range of interpretations.
Fourth, the principle of data quality provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and timely. This is the first place where we find purpose, the most important of all FIP weasel words. Who defines the purpose? Generally, it is the person who maintains the data. Uninhibited self-declaration is why purpose tests are loopholes that are welcome or not depending on your point of view.
The purpose issue is even more significant with the fifth principle, the principle of finality. The policy here is that data should be used or disclosed only for the purposes specified at the time of collection, with consent, or when required by law. Whoever specifies the purposes determines the uses. A vague purpose statement (for marketing purposes) may comply with the principle and impose no real limitation at all. The principle itself is sound, but it has the potential to be little more than an exercise in creative drafting. Data protection authorities that oversee self-declared purpose statements offer a barrier to overly broad purpose statements.
The finality principle is the one most abused in statements about privacy in the United States. Companies, would-be self-regulators like the DMA, and the FTC often restate it as a mere requirement for consent. But the restatement overlooks the important notion that there should be defined limits to data usage. Consent is an exception to the limits, but it is not the entire principle.
The last two principles -- security and accountability -- are simple and basic. Data keepers should provide reasonable security measures and be accountable for complying with the fair information practice rules.
Several things should be apparent at this point. First, basic FIP concepts are not wildly outrageous or impossible to implement. FIP will not prevent all uses of personal data. The idea is to have some rules and to require record keepers to live by those rules.
Second, FIP offers a general statement of principles that must be adapted to different information and to different record keepers. One size does not fit all. How to accomplish this is where we find much of the controversy and most of the art of writing privacy policies.
Third, the code calls for enforcement, but it is not specific on the appropriate types of enforcement. One option is an industry code, although an incomplete, self-serving, one-sided code without adequate public disclosure of enforcement methods is not playing fair. If you want to see such an industry code, you need look no further than the DMA. In Europe, Canada, and elsewhere, data protection boards or privacy commissioners provide independent enforcement of privacy laws. These offices also help translate the principles into practical guidance, and this help industry to develop balanced self-regulatory codes.
Class is now dismissed. You can assign your own grade. If at any time while reading this article you thought, "We can live with that," then you get an A. Everybody else who finished the article gets a B. I'm an easy grader.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation and agriculture. His e-mail address is firstname.lastname@example.org.