Privacy Req 13
<< Back to Baseline Functional Requirements Index
PRIVACY-13. CONTROLS PROPORTIONATE TO RISK
Controls on the processing or use of USERS' personal information MUST be commensurate with the degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who conduct digital identity management functions, to establish what risks those functions pose to users' privacy.
SUPPLEMENTAL GUIDANCE
Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).
Many risk analysis models include examples or guidance about the implementation of controls that are appropriate to either specific risks or levels of existing risk. Entities may satisfy this Requirement by confirming that they have conducted that risk assessment and, based on that assessment, made appropriate adjustments to their practices.
REFERENCES
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx
APPLIES TO ACTIVITIES
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION
KEYWORDS
ASSESSMENT, CONTROLS, LIMITATION, POLICIES, PRIVACY, RISK
APPLIES TO ROLES
1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
5 - Credential Service Providers (where there is user interaction)
Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |