Omaerz: 9 revisions imported: Initial Upload of old pages from IDESG Wiki

2018-06-28T04:02:58Z

9 revisions imported: Initial Upload of old pages from IDESG Wiki

← Older revision	Revision as of 04:02, 28 June 2018
(No difference)

Mary Hodder: updated SG for phase II

2018-06-13T20:52:36Z

updated SG for phase II

New page

''<< Back to [[Baseline_Functional_Requirements_v1.0|Baseline Functional Requirements Index]]''

== PRIVACY-12. ANONYMITY ==
Wherever feasible, entities MUST utilize identity systems and processes that enable transactions that are anonymous, anonymous with validated [[IDEF Glossary ATTRIBUTES|attributes]], pseudonymous, or where appropriate, uniquely identified. Where applicable to such transactions, entities employing service providers or intermediaries MUST mitigate the risk of those [[IDEF Glossary THIRD PARTIES|THIRD-PARTIES]] collecting [[IDEF Glossary USERS|USER]] [[IDEF Glossary PERSONAL INFORMATION|personal information]]. Organizations MUST request individuals’ credentials only when necessary for the transaction and
then only as appropriate to the risk associated with the transaction or only as appropriate to the
risks to the parties associated with the transaction.

=== SUPPLEMENTAL GUIDANCE ===
In support of legal, policy or personal requirements for anonymous or pseudonymous USER
participation, [[IDEF Glossary DIGITAL IDENTITY MANAGEMENT FUNCTIONS|digital identity management functions]] and systems should permit anonymous and
(persistent across sessions) pseudonymous registration and participation, where required by law or
otherwise feasible. To further facilitate that goal, identifiers and personal data (including attributes)
should be kept separate wherever feasible: see [[Privacy Req 4|PRIVACY-4 (CREDENTIAL LIMITATION)]] and [[Privacy Req 15|PRIVACY-15 (ATTRIBUTE SEGREGATION)]].

Risk needs to be assigned by each entity based the risk of loss to assets or reputation of that entity.

See [[Interop Req 6|INTEROP-6 (THIRD-PARTY COMPLIANCE)]] on the mitigation of risks associated with third-party
service providers or data users.

See [[Privacy Req 5|PRIVACY-5 (DATA AGGREGATION RISK)]] regarding the risk of collecting additional information.

See [[Privacy Req 13|PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK)]] regarding the implementation of controls to
mitigate identified privacy risk.

See [[Privacy Req 11|PRIVACY-11 (OPTIONAL INFORMATION)]] regarding availability of user choices regarding optional
disclosure of personal information.

=== REFERENCES ===
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page [[Supplemental Privacy Guidance]]; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

=== APPLIES TO ACTIVITIES ===
[[IDEF Functional Model REGISTRATION|REGISTRATION]], [[IDEF Functional Model CREDENTIALING|CREDENTIALING]], [[IDEF Functional Model AUTHENTICATION|AUTHENTICATION]], [[IDEF Functional Model AUTHORIZATION|AUTHORIZATION]], [[IDEF Functional Model INTERMEDIATION|INTERMEDIATION]]

=== KEYWORDS ===
[[IDEF Keywords ACCOUNT|ACCOUNT]], [[IDEF Keywords ANONYMITY|ANONYMITY]], [[IDEF Keywords CHOICE|CHOICE]], [[IDEF Keywords IDENTIFIERS|IDENTIFIER]], [[IDEF Keywords PRIVACY|PRIVACY]]

=== APPLIES TO ROLES ===
1 - [[IDEF Glossary RELYING PARTIES|RELYING PARTIES]] 
2 - [[IDEF Glossary IDENTITY PROVIDERS|IDENTITY PROVIDERS]] 
3 - Attribute Providers 
4 – Intermediaries 
5 - Credential Service Providers (where there is user interaction) 

----
----
Quick Links: [[SALS]] | [[Baseline Functional Requirements v1.0]] | [[Glossary]] |

----
----

Privacy Req 12 - Revision history

Omaerz: 9 revisions imported: Initial Upload of old pages from IDESG Wiki

Mary Hodder: updated SG for phase II