Privacy Req 6: Difference between revisions

From IDESG Wiki
(added roles to updated SG phase II)

Revision as of 20:41, 13 June 2018


PRIVACY-6. USAGE NOTICE

Entities MUST provide concise, meaningful, and timely communication to USERS describing how they collect, generate, use, transmit, and store personal information.

SUPPLEMENTAL GUIDANCE

Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).

The goal of notice is to work toward informed consent from USERS: functional requirements should work toward strategies for improving USERS' understanding of their choices when engaging with services. Strategies include layered approaches, just-in-time notice, and other examples that can illustrate effective types of notice mechanism alternatives to privacy policies. In the case of material changes to the service, entities shall provide clear and conspicuous descriptions of the changes and their impacts on USERS in advance of the change.

“Consent” alone should not be used to mitigate privacy risks created by technical architecture or design, such as to mitigate risks that individuals could not be reasonably expected to be able to assess; see PRIVACY-5 (DATA AGGREGATION RISK).

See also Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on the application of limitations to, and scope of, individual transactions and data exchanges.

See also the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of notices given to USERS and others.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

The Kantara Consent Receipt is now available (January 2018) in draft form at https://groups.google.com/forum/#!topic/wg-infosharing/553qIdgaq0o

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

NOTICE, POLICIES, PRIVACY

APPLIES TO ROLES

1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - ATTRIBUTE PROVIDERS
4 - INTERMEDIARIES


