Options for Promoting Privacy on the National Information Infrastructure. 2. The IITF Privacy Principles

04/01/1997

In 1993, Vice President Gore established the Information Infrastructure Task Force (IITF) to articulate and implement the Administration's vision for the National Information Infrastructure (NII). The Task Force's Information Policy Committee (IPC) created a Privacy Working Group (PWG) to consider the ways in which the NII might affect individual privacy. The PWG issued the Principles for Providing and Using Personal Information (Privacy Principles) in 1995,[8] to articulate the elements of fair information practices needed to ensure continued development of the NII. The Privacy Principles are the starting point for this Options Paper. The goal of this Options Paper is to frame the debate needed to identify the best approach to promoting privacy on the NII based on those Privacy Principles.

The Privacy Principles are designed to apply to the collection and use of information by both government and industry. They are based on existing international articulations of fair information practices in order to provide a common vocabulary for resolution of international conflicts involving data use.

The Privacy Principles reflect a recognition that the nature of the electronic medium itself must shape development of a workable privacy policy. Specifically:

  1. consumers, government, and businesses have a shared responsibility for the fair and secure use of personal information;
  2. the technology of the NII has the potential, as yet unexploited, to empower individuals to take steps to protect their personal information;
  3. openness about, and accountability for, the process of collecting and using personal information is crucial on the NII; but,
  4. openness and accountability will not be meaningful until consumers become educated about the ways in which their personal information is being used in cyberspace, and by whom.

The Privacy Principles identify three values to govern the way in which personal information is acquired, disclosed and used online -- information privacy, information integrity, and information quality.

First, an individual's reasonable expectation of privacy regarding access to, and use of, his or her personal information should be assured. Second, personal information should not be improperly altered or destroyed. And, third, personal information should be accurate, timely, complete, and relevant for the purposes for which it is provided and used.

The Privacy Principles call on those who gather and use personal information to recognize and respect the privacy interest that individuals have in personal information by (1) assessing the impact on privacy in deciding whether to obtain or use personal information; and, (2) obtaining and keeping only information that could be reasonably expected to support current or planned activities. Data gatherers should use the information only for those current or planned activities or for compatible purposes.

Because individuals need to be able to make informed decisions about providing personal information, the organizations that collect information should disclose: (1) why they are collecting the information; (2) for what purposes they expect to use the information; (3) what steps will be taken to protect the confidentiality, quality and integrity of information collected; (4) the consequences of providing or withholding information; and (5) any rights of redress that are available to individuals for wrongful or inaccurate disclosure of their information.

Organizations that gather personal information should take reasonable steps to prevent improper disclosure or alteration of information collected, and should enable individuals to limit the use of their personal information if the intended use is incompatible with the reason for which the information was collected, or not disclosed in the notice provided by collectors.

Organizations that gather personal data should educate themselves, their employees, and the public about how personal information is obtained, sent, stored, processed, and protected, and how these activities affect individuals and society.

The Privacy Principles obligate individuals to obtain relevant information about why the information is being collected, what the information will be used for, what steps will be taken to protect that information, the consequences of providing or withholding information, and any rights of redress that they may have. They should have notice and a means of redress -- and they should use the means provided -- if they are harmed by improper use or disclosure of personal information.

The Privacy Principles are designed to balance the rights of individuals with the information needs of both government and business. They establish a foundation upon which industry and associations may develop codes and standards for their profession, agencies may evaluate privacy policies, and legislators may enact legislative solutions. The Privacy Principles were developed collaboratively, with input from both the public and the private sectors. This Options Paper incorporates extensive research, analysis and writing undertaken in 1995 and 1996 by the Privacy Working Group in its subsequent study of options for protecting personal privacy on the NII.


8. Privacy Working Group, Information Infrastructure Task Force, Principles for Providing and Using Personal Information (1995) (hereinafter Privacy Principles) available at IITF Principles (visited 4/3/97) <http://www.iitf.nist.gov/ipc/ipc-pub.html>.