Privacy Requirements: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
m (formatting fix)
(No difference)

Revision as of 18:44, 9 January 2015

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the Identity Ecosystem Framework. These requirements are designed to align with the Functional Model. All requirements listed are under development until noted otherwise.

High-Level Requirements

High-level requirements that are guiding functional requirements development.

  • Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
  • Organizations shall limit the use of the individual’s data that is collected and transmitted to the specified purposes of the transaction.
  • Organizations shall limit the retention of data to the time necessary for providing and administering the services and transactions to the individual end-user for which the data was collected, except as otherwise required by law.
  • Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information.
  • Organizations shall minimize data aggregation, including linkages across transactions.
  • Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
  • Organizations shall determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
  • When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.
  • Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
  • Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requirements have been violated.
  • Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
  • Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, * pseudonymous, and/or uniquely identified.
  • Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
  • Participation in the Identity Ecosystem shall be voluntary.
  • Privacy controls should be situated as low in the technology stack as possible.
  • Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
  • Controls on the processing or use of individuals' information shall be commensurate with the degree of risk of the processing or use.
  • Identifiers shall be segregated from attributes whenever feasible.
  • Organizations shall, upon any material changes to a service that affect the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information:
a) provide clear and conspicuous descriptions of the changes and their impacts on users in advance, and 
b) with respect to previously collected personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation. In the event that users elect to terminate the service, organizations shall meet other stated requirements on termination and retention.

Privacy Requirements Development Documentation

Current drafts of relevant documentation.

The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found here.

Document Description Date
Core Operations Privacy Requirements Development December 8, 2014
Core Operations Privacy Requirements Development November 24, 2014
Core Operations Privacy Requirements Development November 10, 2014
Core Operations Privacy Requirements Development November 3, 2014
Core Operations Privacy Requirements Development October 27, 2014
Functional Privacy Requirements Development October 20, 2014
Functional Privacy Requirements Development October 8, 2014
Functional Privacy Requirements Development September 22, 2014
Functional Privacy Requirements Development August 28, 2014
Functional Privacy Requirements Development August 20, 2014
Risk-Based Privacy Requirements August 4, 2014
Risk-Based Privacy Requirements July 28, 2014
Risk-Based Privacy Requirements July 16, 2014
Functional Privacy Requirements - Derived Requirements Edits July 14, 2014
Functional Privacy Requirements - Derived Requirements Edits July 7, 2014
Functional Privacy Requirements - Derived Requirements Edits June 30, 2014
Functional Privacy Requirements - Derived Requirements Edits June 23, 2014
Functional Privacy Requirements - Derived Requirements Edits June 16, 2014
Functional Privacy Requirements - Derived Requirements Edits June 9, 2014
Functional Privacy Requirements - Derived Requirements Edits June 2, 2014
Functional Privacy Requirements May 5, 2014

Notes from Privacy Requirements Development Meetings

Meeting Date Summary
Meeting notes from November 24, 2014 PRWG Meeting Notes
Meeting notes from November 10, 2014 PRWG Meeting Notes
Meeting notes from November 3, 2014 PRWG Meeting Notes
Meeting notes from October 27, 2014 PRWG Meeting Notes
Meeting notes from October 20, 2014 PRWG Meeting Notes
Meeting notes from October 6, 2014 PRWG Meeting Notes
Meeting notes from September 22, 2014 PRWG Meeting Notes
Meeting notes from September 8, 2014 PRWG Meeting Notes
Meeting notes from July 28, 2014 PRWG Meeting Notes
Meeting notes from July 7, 2014 PRWG Meeting Notes
Meeting notes from June 30, 2014 PRWG Meeting Notes
Meeting notes from June 23, 2014 PRWG Meeting Notes
Meeting notes from June 16, 2014 PRWG Meeting Notes
Meeting notes from June 9, 2014 PRWG Meeting Notes
Meeting notes from June 2, 2014 PRWG Meeting Notes
Meeting notes from May 12, 2014 PRWG Meeting Notes
Meeting notes from April 28, 2014 PRWG Meeting Notes