Privacy Req 12: Difference between revisions
Mary Hodder (updated SG for phase II)
Revision as of 20:52, 13 June 2018
PRIVACY-12. ANONYMITY
Wherever feasible, entities MUST utilize identity systems and processes that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, or where appropriate, uniquely identified. Where applicable to such transactions, entities employing service providers or intermediaries MUST mitigate the risk of those THIRD-PARTIES collecting USER personal information. Organizations MUST request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
SUPPLEMENTAL GUIDANCE
In support of legal, policy or personal requirements for anonymous or pseudonymous USER participation, digital identity management functions and systems should permit anonymous and (persistent across sessions) pseudonymous registration and participation, where required by law or otherwise feasible. To further facilitate that goal, identifiers and personal data (including attributes) should be kept separate wherever feasible: see PRIVACY-4 (CREDENTIAL LIMITATION) and PRIVACY-15 (ATTRIBUTE SEGREGATION).
Risk needs to be assigned by each entity based on the risk of loss to assets or reputation of that entity.
See INTEROP-6 (THIRD-PARTY COMPLIANCE) on the mitigation of risks associated with third-party service providers or data users.
See PRIVACY-5 (DATA AGGREGATION RISK) regarding the risk of collecting additional information.
See PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK) regarding the implementation of controls to mitigate identified privacy risk.
See PRIVACY-11 (OPTIONAL INFORMATION) regarding availability of user choices regarding optional disclosure of personal information.
REFERENCES
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx
APPLIES TO ACTIVITIES
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION
KEYWORDS
ACCOUNT, ANONYMITY, CHOICE, IDENTIFIER, PRIVACY
APPLIES TO ROLES
1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 - Intermediaries
5 - Credential Service Providers (where there is user interaction)