Privacy Requirements - Revision history

Omaerz: 61 revisions imported: Initial Upload of old pages from IDESG Wiki

2018-06-28T04:03:08Z

61 revisions imported: Initial Upload of old pages from IDESG Wiki

New page

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the [[Identity Ecosystem Framework]]. These requirements are designed to align with the [[Functional Model]]. All requirements listed are under development until noted otherwise.

A collection of materials to help organizations understand the guidance for Version 1 of the IDEF can be found in the [[Privacy References and Guides]] page.

== High-Level Requirements ==
''High-level requirements that are guiding functional requirements development. (Submitted to the FMO on 3/18/15)''
* Organizations shall limit the collection and transmission of personal information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
* Organizations shall limit the use of the personal information that is collected and transmitted to the specified purposes of the transaction.
* Organizations shall limit the retention of personal information to the time necessary for providing and administering the services and transactions to the individual end-user for which the personal information was collected, except as otherwise required by law, regulation or legal process.
* Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to communicate to end-users how they collect, use, disseminate, and maintain personal information.
* Organizations shall assess the privacy risk of aggregating personal information, and deploy controls to minimize that risk, including limiting linkages across transactions.
* Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
* Organizations shall determine the necessary quality of personal information used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
* Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
* Organizations shall provide effective redress mechanisms for, and facilitation on behalf of, individuals who believe their rights under these requirements have been violated.
* Where individuals make choices regarding the treatment of their personal information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
* Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified.
* Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
* Participation in the Identity Ecosystem shall be voluntary.
* Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
* Controls on the processing or use of individuals' personal information shall be commensurate with the degree of risk of the processing or use.
* Identifiers shall be segregated from attributes whenever feasible.
* Organizations shall, upon any material changes to a service that affects the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation.

== Privacy Requirements Development Documentation ==
''Current drafts of relevant documentation.''

'''The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found [https://www.idecosystem.org/filedepot/folder/138?fid=1516 here].'''

{| class="wikitable"
|-
! Document Description !! Date
|-
| [https://www.idecosystem.org/filedepot/folder/186 Initial IDEF v1.0 Requirements] || March 18, 2015 '''Folder of all v1.0 initial committee-approved IDEF requirements'''
|-
| [https://www.idecosystem.org/idesgwiki/index.php?title=Privacy_Requirements&action=edit&section=2 Core Operations Privacy Requirements Development] || March 16, 2015 '''Editorial updates submitted to FMO on 3/16/15'''
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/12 Core Operations Privacy Requirements Development] || February 3, 2015 '''Approved by the PCC on 2/9/15 for submission to Framework Management Office'''
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/9 Core Operations Privacy Requirements Development] || January 29, 2015
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/8 Core Operations Privacy Requirements Development] || January 26, 2015
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/7 Core Operations Privacy Requirements Development] || January 12, 2015
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/6 Core Operations Privacy Requirements Development] || January 6, 2015
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/5 Core Operations Privacy Requirements Development] || December 8, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/4 Core Operations Privacy Requirements Development] || November 24, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/3 Core Operations Privacy Requirements Development] || November 10, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/2 Core Operations Privacy Requirements Development] || November 3, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/1 Core Operations Privacy Requirements Development] || October 27, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/5 Functional Privacy Requirements Development] || October 20, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/4 Functional Privacy Requirements Development] || October 8, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/3 Functional Privacy Requirements Development] || September 22, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/2 Functional Privacy Requirements Development] || August 28, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/1 Functional Privacy Requirements Development] || August 20, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/3 Risk-Based Privacy Requirements] || August 4, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/2 Risk-Based Privacy Requirements] || July 28, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/1 Risk-Based Privacy Requirements] || July 16, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/8 Functional Privacy Requirements - Derived Requirements Edits] || July 14, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/7 Functional Privacy Requirements - Derived Requirements Edits] || July 7, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/6 Functional Privacy Requirements - Derived Requirements Edits] || June 30, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/5 Functional Privacy Requirements - Derived Requirements Edits] || June 23, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/4 Functional Privacy Requirements - Derived Requirements Edits] || June 16, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/3 Functional Privacy Requirements - Derived Requirements Edits] || June 9, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/2 Functional Privacy Requirements - Derived Requirements Edits] || June 2, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/1 Functional Privacy Requirements] || May 5, 2014
|-
| ||
|}

== Notes from Privacy Requirements Development Meetings ==

{| class="wikitable"
|-
! Meeting Date !! Summary
|-
| [[Meeting notes from November 24, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from November 10, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from November 3, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 27, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 20, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 6, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from September 22, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from September 8, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from July 28, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from July 7, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 30, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 23, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 16, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 9, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 2, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from May 12, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from April 28, 2014]] || PRWG Meeting Notes
|-
| ||
|}

Mary Hodder: formatting fix

2015-01-09T18:44:13Z

formatting fix

New page

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the [[Identity Ecosystem Framework]]. These requirements are designed to align with the [[Functional Model]]. All requirements listed are under development until noted otherwise.

== High-Level Requirements ==
''High-level requirements that are guiding functional requirements development.''
* Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
* Organizations shall limit the use of the individual’s data that is collected and transmitted to the specified purposes of the transaction.
* Organizations shall limit the retention of data to the time necessary for providing and administering the services and transactions to the individual end-user for which the data was collected, except as otherwise required by law.
* Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information.
* Organizations shall minimize data aggregation, including linkages across transactions.
* Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
* Organizations shall determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
* When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.
* Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
* Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requirements have been violated.
* Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
* Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, * pseudonymous, and/or uniquely identified.
* Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
* Participation in the Identity Ecosystem shall be voluntary.
* Privacy controls should be situated as low in the technology stack as possible.
* Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
* Controls on the processing or use of individuals' information shall be commensurate with the degree of risk of the processing or use.
* Identifiers shall be segregated from attributes whenever feasible.
* Organizations shall, upon any material changes to a service that affect the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information: <br>
: a) provide clear and conspicuous descriptions of the changes and their impacts on users in advance, and <br>
: b) with respect to previously collected personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation. In the event that users elect to terminate the service, organizations shall meet other stated requirements on termination and retention.

== Privacy Requirements Development Documentation ==
''Current drafts of relevant documentation.''

'''The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found [https://www.idecosystem.org/filedepot/folder/138?fid=1516 here].'''

{| class="wikitable"
|-
! Document Description !! Date
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/5 Core Operations Privacy Requirements Development] || December 8, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/4 Core Operations Privacy Requirements Development] || November 24, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/3 Core Operations Privacy Requirements Development] || November 10, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/2 Core Operations Privacy Requirements Development] || November 3, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1516/1 Core Operations Privacy Requirements Development] || October 27, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/5 Functional Privacy Requirements Development] || October 20, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/4 Functional Privacy Requirements Development] || October 8, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/3 Functional Privacy Requirements Development] || September 22, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/2 Functional Privacy Requirements Development] || August 28, 2014
|-
| [https://www.idecosystem.org/index.php?q=filedepot_download/1573/1407/1 Functional Privacy Requirements Development] || August 20, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/3 Risk-Based Privacy Requirements] || August 4, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/2 Risk-Based Privacy Requirements] || July 28, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1370/1 Risk-Based Privacy Requirements] || July 16, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/8 Functional Privacy Requirements - Derived Requirements Edits] || July 14, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/7 Functional Privacy Requirements - Derived Requirements Edits] || July 7, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/6 Functional Privacy Requirements - Derived Requirements Edits] || June 30, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/5 Functional Privacy Requirements - Derived Requirements Edits] || June 23, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/4 Functional Privacy Requirements - Derived Requirements Edits] || June 16, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/3 Functional Privacy Requirements - Derived Requirements Edits] || June 9, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/2 Functional Privacy Requirements - Derived Requirements Edits] || June 2, 2014
|-
| [https://www.idecosystem.org/filedepot_download/1573/1240/1 Functional Privacy Requirements] || May 5, 2014
|-
| ||
|}

== Notes from Privacy Requirements Development Meetings ==

{| class="wikitable"
|-
! Meeting Date !! Summary
|-
| [[Meeting notes from November 24, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from November 10, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from November 3, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 27, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 20, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from October 6, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from September 22, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from September 8, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from July 28, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from July 7, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 30, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 23, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 16, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 9, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from June 2, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from May 12, 2014]] || PRWG Meeting Notes
|-
| [[Meeting notes from April 28, 2014]] || PRWG Meeting Notes
|-
| ||
|}