Skip to main content
. Author manuscript; available in PMC: 2016 Jan 6.
Published in final edited form as: Clin Trials. 2015 Sep 15;12(5):520–529. doi: 10.1177/1740774515597677

Table 1.

Fair Information Practice Principles (FIPPS)

Principle Description (from The Markle Connecting for Health Common Framework for Networked Personal Health Information)29 Link to Ethical Principles
Openness and Transparency “Consumers should be able to know what information has been collected about them, the purpose of its use, who can access and use it, and where it resides. They should also be informed about how they may obtain access to information collected about them and how they may control who has access to it.” Openness and transparency allow individuals to better understand how their information is collected and used at all stages of the research process (including scientific publications), which is important for respecting persons independent of their choice in matters and, in some cases, targets the fundamental principle of the individual’s right to know.
Purpose Specification “The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes, or others that are specified on each occasion of change of purpose.” Specifying purposes helps ensure that persons have the opportunity to understand and, in some cases, endorse the purposes to which their information is put, which is an important facet of respecting them as participants.
Collection limitation and data minimization “Personal health information should only be collected for specified purposes and should be obtained by lawful and fair means. The collection and storage of personal health data should be limited to that information necessary to carry out the specified purpose. Where possible, consumers should have the knowledge of or provide consent for collection of their personal health information.” Because health information is associated with some of the deepest, most personal, and most intimate facets of ourselves, respect for persons demands that sharing health information occur only under appropriate conditions, to appropriate parties, and for appropriate reasons. Limiting collection and minimizing data helps ensure that sharing is limited to such circumstances.
Use Limitation “Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.” See comment under “collection limitation and data use.”
Individual Participation and Control “Consumers should be able to control access to their personal information – specifically, they should know who is storing what information on them, and how that information is being used. They should also be able to review the way their information is being used or stored.” Individual choice, or consent, is a component of the FIPPs, but it is not absolute, and the degree of choice may depend on how completely the other principles are exercised. Moreover, choice may be based on alternative models, such as opt out models that allow individuals with particularly acute privacy concerns to avoid information sharing, rather than seeking opt-in permission from all individuals.30
Data Quality and Integrity “All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and up-to-date.” Data integrity helps ensure that information attributed to people is actually about them, and hence that they are not treated unfairly or unjustifiably; again, this is important in respecting persons.
Security Safeguards and controls “Reasonable safeguards should protect personal data against such risks as loss or unauthorized access, use, destruction, modification, or disclosure.” Data security policies and technical requirements should be in place to help protect data and reinforce stewardship practices adopted to implement the other principles.
Accountability and Oversight “Entities in control of personal health information must be held accountable for implementing these principles.” Helps ensure entities controlling personal health information follow all of the principles.
Remedies “Remedies must exist to address security breaches or privacy violations.” Allowing persons to exercise control in effecting remedies is a crucial aspect of respecting persons whose data security or privacy has been breached.