Privacy Req 14: Difference between revisions
Mary Hodder (talk | contribs) (updated SG for phase II) |
(No difference)
|
Revision as of 20:54, 13 June 2018
<< Back to Baseline Functional Requirements Index
PRIVACY-14. DATA RETENTION AND DISPOSAL
Entities MUST limit the retention of personal information to the time necessary for providing and administering the functions and services to USERS for which the information was collected, except as otherwise required by law or regulation. When no longer needed, personal information MUST be securely disposed of in a manner aligning with appropriate industry standards and/or legal requirements.
SUPPLEMENTAL GUIDANCE
Retention requirements arising from "law, regulation or legal process" may include litigation-related legal holds, and requirements arising from mandatory audits.
Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).
“Functions” refer to the functions listed in the IDESG Functional Model; see supplemental guidance in PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK).
REFERENCES
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx
APPLIES TO ACTIVITIES
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION
KEYWORDS
LIMITATION, PRIVACY, PURPOSE, RETENTION
APPLIES TO ROLES
1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
5 - Credential Service Providers (where there is user interaction)
Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |