Privacy Req 14

From IDESG Wiki


PRIVACY-14. DATA RETENTION AND DISPOSAL

Entities MUST limit the retention of personal information to the time necessary for providing and administering the functions and services to USERS for which the information was collected, except as otherwise required by law or regulation. When no longer needed, personal information MUST be securely disposed of in a manner aligning with appropriate industry standards and/or legal requirements.

SUPPLEMENTAL GUIDANCE

Retention requirements arising from "law, regulation or legal process" may include litigation-related legal holds, and requirements arising from mandatory audits.

Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).

“Functions” refer to the functions listed in the IDESG Functional Model; see supplemental guidance in PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK).

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

LIMITATION, PRIVACY, PURPOSE, RETENTION

APPLIES TO ROLES

1 - RELYING PARTIES
2 - IDENTITY PROVIDERS
3 - Attribute Providers
4 - Intermediaries
5 - Credential Service Providers (where there is user interaction)


