Privacy Req 6: Difference between revisions
Mary Hodder (talk | contribs) (added roles to updated SG phase II) |
(No difference)
|
Revision as of 20:41, 13 June 2018
<< Back to Baseline Functional Requirements Index
PRIVACY-6. USAGE NOTICE
Entities MUST provide concise, meaningful, and timely communication to USERS describing how they collect, generate, use, transmit, and store personal information.
SUPPLEMENTAL GUIDANCE
Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).
The goal of notice is to work toward informed consent from USERS: functional requirements should work toward strategies for improving USERS' understanding of their choices when engaging with services. Strategies include layered approaches, just-in-time notice, and other examples that can illustrate effective types of notice mechanism alternatives to privacy policies. In the case of material changes to the service, entities shall provide clear and conspicuous descriptions of the changes and their impacts on USERS in advance of the change.
“Consent” alone should not be used to mitigate privacy risks created by technical architecture or design, such as to mitigate risks that individuals could not be reasonably expected to be able to assess; see PRIVACY-5 (DATA AGGREGATION RISK).
See also Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on the application of limitations to, and scope of, individual transactions and data exchanges.
See also the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of notices given to USERS and others.
REFERENCES
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx
The Kantara Consent Receipt is now available (January 2018) in draft form at https://groups.google.com/forum/#!topic/wg-infosharing/553qIdgaq0o
APPLIES TO ACTIVITIES
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION
KEYWORDS
APPLIES TO ROLES
1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |