Privacy Req 13: Difference between revisions

<< Back to Baseline Functional Requirements Index

PRIVACY-13. CONTROLS PROPORTIONATE TO RISK

Controls on the processing or use of USERS' personal information MUST be commensurate with the degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who conduct digital identity management functions, to establish what risks those functions pose to users' privacy.

SUPPLEMENTAL GUIDANCE

Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).

Many risk analysis models include examples or guidance about the implementation of controls that are appropriate to either specific risks or levels of existing risk. Entities may satisfy this Requirement by confirming that they have conducted that risk assessment and, based on that assessment, made appropriate adjustments to their practices.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

ASSESSMENT, CONTROLS, LIMITATION, POLICIES, PRIVACY, RISK

APPLIES TO ROLES

1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
5 - Credential Service Providers (where there is user interaction)

Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |