Privacy Req 8
<< Back to Baseline Functional Requirements Index
PRIVACY-8. THIRD-PARTY LIMITATIONS
Wherever USERS make choices regarding the treatment of their personal information, those choices MUST be communicated effectively by that entity to any THIRD-PARTIES to which it transmits the personal information.
SUPPLEMENTAL GUIDANCE
Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).
One example of a USER's choice that creates a use limitation would be their election to restrict the use of their personal information to specific purposes only. This Requirement broadly means that entities convey all such restrictions to the "downstream" recipients of personal information, when they share that information. However, this Requirement does not dictate what elective choices a USER should be prompted to make; and it does not require an entity to convey (or enforce) a USER's choices or instructions if those choices contradict law, regulation or legal process.
Please note, Requirement INTEROP-6 (THIRD-PARTY COMPLIANCE) also includes certain specific duties in connection with THIRD-PARTIES receiving personal information from an entity.
Responsibilities for liability should be spelled out in agreements between organizations exchanging personal information in the identity ecosystem, as well as the format and style of the communication of user-stated privacy preferences and information.
This only applies instances of personal information passed to third parties.
REFERENCES
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx
APPLIES TO ACTIVITIES
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION
KEYWORDS
CHOICE, LIMITATION, NOTICE, PORTABILITY, PRIVACY, THIRD-PARTIES
APPLIES TO ROLES
1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 – Intermediaries
5 - Credential Service Providers (where there is user interaction)
Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |