Table 3.1 | Who Goes There? Authentication Through the Lens of Privacy | Committee on Authentication Technologies and Their Privacy Implications | Computer Science and Telecommunications Board | Division on Engineering and Physical Sciences | National Research Council of the National Academies | Stephen T. Kent and Lynette I. Millett, Editors
TABLE 3.1 Fair Information Principles and Practices
| Principle | Practice/Meaning |
|---|---|
| Collection limitation | Collect the minimum amount of information that is needed for the relationship or transaction at issue—<br>—By lawful and fair means.<br>—With the knowledge and consent of the individual. |
| Data quality | Information should be relevant, accurate, timely, and complete. |
| Purpose specification | Use of data should be specified at the time that data are collected. |
| Use limitation (restriction on secondary uses) | Data should only be used for the specific purpose for which they are collected and for which the individual understands they will be used, except under two conditions:<br>—With the prior consent of the individual, and<br>—With the appropriate legal authority. |
| Security | The integrity of the information and the system should be maintained to ensure against loss, destruction, unauthorized access, modification, unauthorized use, or disclosure. |
| Openness/notice | There should be no secret data systems. People should be able to ascertain the existence of data systems and their purposes and uses. |
| Individual participation | An individual has rights to<br>—Know if he or she is a subject of a system,<br>—Access information about him- or herself,<br>—Challenge the quality of that information, and<br>—Correct and amend that information. |
| Accountability | The organization collecting and using information can be held responsible for abiding by these principles through:<br>—Enforcement and/or<br>—Redress. |