Privacy Requirements

From IDESG Wiki
(Redirected from Privacy requirements)
Jump to navigation Jump to search

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the Identity Ecosystem Framework. These requirements are designed to align with the Functional Model. All requirements listed are under development until noted otherwise.

A collection of materials to help organizations understand the guidance for Version 1 of the IDEF can be found in the Privacy References and Guides page.

High-Level Requirements

High-level requirements that are guiding functional requirements development. (Submitted to the FMO on 3/18/15)

  • Organizations shall limit the collection and transmission of personal information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
  • Organizations shall limit the use of the personal information that is collected and transmitted to the specified purposes of the transaction.
  • Organizations shall limit the retention of personal information to the time necessary for providing and administering the services and transactions to the individual end-user for which the personal information was collected, except as otherwise required by law, regulation or legal process.
  • Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to communicate to end-users how they collect, use, disseminate, and maintain personal information.
  • Organizations shall assess the privacy risk of aggregating personal information, and deploy controls to minimize that risk, including limiting linkages across transactions.
  • Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
  • Organizations shall determine the necessary quality of personal information used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
  • Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
  • Organizations shall provide effective redress mechanisms for, and facilitation on behalf of, individuals who believe their rights under these requirements have been violated.
  • Where individuals make choices regarding the treatment of their personal information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
  • Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified.
  • Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
  • Participation in the Identity Ecosystem shall be voluntary.
  • Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
  • Controls on the processing or use of individuals' personal information shall be commensurate with the degree of risk of the processing or use.
  • Identifiers shall be segregated from attributes whenever feasible.
  • Organizations shall, upon any material changes to a service that affects the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation.

Privacy Requirements Development Documentation

Current drafts of relevant documentation.

The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found here.

Document Description Date
Initial IDEF v1.0 Requirements March 18, 2015 Folder of all v1.0 initial committee-approved IDEF requirements
Core Operations Privacy Requirements Development March 16, 2015 Editorial updates submitted to FMO on 3/16/15
Core Operations Privacy Requirements Development February 3, 2015 Approved by the PCC on 2/9/15 for submission to Framework Management Office
Core Operations Privacy Requirements Development January 29, 2015
Core Operations Privacy Requirements Development January 26, 2015
Core Operations Privacy Requirements Development January 12, 2015
Core Operations Privacy Requirements Development January 6, 2015
Core Operations Privacy Requirements Development December 8, 2014
Core Operations Privacy Requirements Development November 24, 2014
Core Operations Privacy Requirements Development November 10, 2014
Core Operations Privacy Requirements Development November 3, 2014
Core Operations Privacy Requirements Development October 27, 2014
Functional Privacy Requirements Development October 20, 2014
Functional Privacy Requirements Development October 8, 2014
Functional Privacy Requirements Development September 22, 2014
Functional Privacy Requirements Development August 28, 2014
Functional Privacy Requirements Development August 20, 2014
Risk-Based Privacy Requirements August 4, 2014
Risk-Based Privacy Requirements July 28, 2014
Risk-Based Privacy Requirements July 16, 2014
Functional Privacy Requirements - Derived Requirements Edits July 14, 2014
Functional Privacy Requirements - Derived Requirements Edits July 7, 2014
Functional Privacy Requirements - Derived Requirements Edits June 30, 2014
Functional Privacy Requirements - Derived Requirements Edits June 23, 2014
Functional Privacy Requirements - Derived Requirements Edits June 16, 2014
Functional Privacy Requirements - Derived Requirements Edits June 9, 2014
Functional Privacy Requirements - Derived Requirements Edits June 2, 2014
Functional Privacy Requirements May 5, 2014

Notes from Privacy Requirements Development Meetings

Meeting Date Summary
Meeting notes from November 24, 2014 PRWG Meeting Notes
Meeting notes from November 10, 2014 PRWG Meeting Notes
Meeting notes from November 3, 2014 PRWG Meeting Notes
Meeting notes from October 27, 2014 PRWG Meeting Notes
Meeting notes from October 20, 2014 PRWG Meeting Notes
Meeting notes from October 6, 2014 PRWG Meeting Notes
Meeting notes from September 22, 2014 PRWG Meeting Notes
Meeting notes from September 8, 2014 PRWG Meeting Notes
Meeting notes from July 28, 2014 PRWG Meeting Notes
Meeting notes from July 7, 2014 PRWG Meeting Notes
Meeting notes from June 30, 2014 PRWG Meeting Notes
Meeting notes from June 23, 2014 PRWG Meeting Notes
Meeting notes from June 16, 2014 PRWG Meeting Notes
Meeting notes from June 9, 2014 PRWG Meeting Notes
Meeting notes from June 2, 2014 PRWG Meeting Notes
Meeting notes from May 12, 2014 PRWG Meeting Notes
Meeting notes from April 28, 2014 PRWG Meeting Notes