History of FIPPs

The Fair Information Practice Principles (FIPPs) are a set of eight internationally accepted privacy principles which have provided the foundation for all privacy regulation during the last 50 years. First gaining momentum in the 1970s, these principles remain the core of privacy regulation today, exemplified by the passage of two new state privacy laws passed in 2021

(i.e., Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act).

In 1973, the U.S. Department of Health, Education, and Welfare (HEW) published a report on Records, Computer, and the Rights of Citizens that discussed the importance of privacy safeguards and introduced the concepts of transparency, accessibility, accountability, and use limitation. Soon after, the Privacy Act of 1974 was built on those same four principles and enacted as one of the earliest federal privacy laws. The FIPPs continue to been heavily referenced, including influencing some of the most impactful contemporary privacy laws, the European Union’s (EU)

General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Eight Principles

According to the International Association of Privacy Professionals, Organization for Economic Cooperation and Development’s FIPPs are the most widely used, yet considered minimum standards. Many federal agencies and private sector companies use these principles as a starting point to build their own organization-specific codes, such as VA’s Privacy Principles.

These eight principles drive the core aspects of dozens of privacy laws, both domestically and worldwide.

NumberPrincipleDescription
1Collection LimitationThere should be limits to the collection of personal data – data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2Data QualityPersonal data should be relevant to the purposes for which it is to be used, and should be accurate, complete and kept up-to-date.
3Purpose SpecificationThe purposes for which personal data are collected should be specified at the time of data collection and the subsequent use limited to the fulfilment of those purposes.
4Use LimitationPersonal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification principle except: with the consent of the data subject; or by the authority of law.
5Security SafeguardsPersonal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6OpennessThere should be a general policy of openness about developments, practices and policies with respect to personal data, such as main purposes of their use and identity of the data controller.
7Individual ParticipationAn individual should have the right: to obtain from a data controller the data the controller has about them. to challenge data relating to them and, if the challenge is successful to have the data erased, rectified, completed or amended.
8AccountabilityA data controller should be accountable for complying with measures which give effect to the principles stated above.