Privacy Req 2

From IDESG Wiki
Revision as of 20:34, 13 June 2018 by Mary Hodder (talk | contribs) (Added roles for phase II)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

<< Back to Baseline Functional Requirements Index

PRIVACY-2. PURPOSE LIMITATION

Entities MUST limit the use of personal information that is collected, used, transmitted, or stored to the specified purposes of that transaction. Persistent records of contracts, assurances, consent, or legal authority MUST be established by entities collecting, generating, using, transmitting, or storing personal information, so that the information consistently is used in the same manner originally specified and permitted.

SUPPLEMENTAL GUIDANCE

Regarding "personal information", see Appendix A. Entities should also assure that their data controls reliably apply these limitations to their future actions.

See also Requirement PRIVACY-1 (DATA MINIMIZATION) on the application of limitations to, and scope of, individual transactions and data exchanges.

Please note the applicability of best practice INTEROP-BP-G (RECOMMENDED LEGAL COMPLIANCE) regarding limitations imposed by laws. Please note the applicability of best practice INTEROP-BP-F (RECOMMENDED FEDERATION COMPLIANCE) and Requirement INTEROP-6 (THIRD-PARTY COMPLIANCE) regarding limitations arising from the involvement of THIRD-PARTIES such as intermediaries, similar service providers, or FEDERATIONS.

See the IDESG Functional Model for definition of Transaction Intermediation for the scope of “intermediaries.” The functional model describes Transaction Intermediation as “Processes and procedures that limit linkages between transactions and facilitate credential portability. This includes functions defined as “Blinding,” “Pseudonymization/Anonymization,” and “Exchange.”

See also Privacy Req 2 Supplemental Guidance.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx


APPLIES TO ROLES

1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
5 - Credential Service Providers (where there is user interaction)


APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

LIMITATION, PRIVACY, PURPOSE



Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |