Privacy References and Guides

From IDESG Wiki
Jump to navigation Jump to search

This page is considered a living document. Please check back for updates from the PCC.

References listed in this section are provided as potential tools for helping organizations understand how to evaluate their system for alignment to the privacy requirements. References should be considered informative guides only.

New documents can be suggested for inclusion by emailing the Privacy Committee listserv.


  • NSTIC FIPPs [1]
  • Privacy By Design [2]
  • AICPA Privacy Maturity Model [3]
  • AICPA GAPP 0909.pdf
  • OASIS Privacy Management Reference Model [4]
  • Privacy Policy Requirements [5]
  • ArcGIS Global Privacy Requirements [6]
  • ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors [7]
  • ISO/IEC 29100 (2011) Privacy Framework [8]
  • ITU IDM Requirements Document [9]
  • Microsoft-Trustworthy Computing, A guide to Data Governance for Privacy, Confidentiality and Compliance [10]
  • The Sedona Conference - Cloud Computing & Data Privacy [11]
  • Privacy Impact Assessment Handbook [12]
  • Privacy and Biometrics: Building a Conceptual Foundation [13]
  • For issues related to clear communication with users (expectation-setting, communicating changes or updates, policy-writing, etc.), please see the User Experience Requirements and Supplemental Guidance. [14]

Regarding Privacy Risk Assessment

For Healthcare Organizations

  • HIPAA Privacy Rule Information Page [19]

For Organizations Doing Business with the US Government

  • FICAM Trust Framework Provider Assessment Package Application [20]
  • Privacy Certificate Guidance for Federal Grantees required by 28 CFR Part 22 [21]
  • NIST SP 800-162: Attribute Based Access Control Definition and Considerations (2014) [22]
  • NIST SP 800-53 "Recommended Security and Privacy Controls for Federal Information Systems and Organizations", Appendix J (Privacy Control Catalog) [23]

For Organizations Doing Business Abroad

Other References