Privacy Requirements

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the Identity Ecosystem Framework. These requirements are designed to align with the Functional Model. All requirements listed are under development until noted otherwise.

A collection of materials to help organizations understand the guidance for Version 1 of the IDEF can be found in the Privacy References and Guides page.

High-Level Requirements

High-level requirements that are guiding functional requirements development. (Submitted to the FMO on 3/18/15)

• Organizations shall limit the collection and transmission of personal information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
• Organizations shall limit the use of the personal information that is collected and transmitted to the specified purposes of the transaction.
• Organizations shall limit the retention of personal information to the time necessary for providing and administering the services and transactions to the individual end-user for which the personal information was collected, except as otherwise required by law, regulation or legal process.
• Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to communicate to end-users how they collect, use, disseminate, and maintain personal information.
• Organizations shall assess the privacy risk of aggregating personal information, and deploy controls to minimize that risk, including limiting linkages across transactions.
• Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
• Organizations shall determine the necessary quality of personal information used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
• Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
• Organizations shall provide effective redress mechanisms for, and facilitation on behalf of, individuals who believe their rights under these requirements have been violated.
• Where individuals make choices regarding the treatment of their personal information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
• Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified.
• Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
• Participation in the Identity Ecosystem shall be voluntary.
• Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
• Controls on the processing or use of individuals' personal information shall be commensurate with the degree of risk of the processing or use.
• Identifiers shall be segregated from attributes whenever feasible.
• Organizations shall, upon any material changes to a service that affects the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation.

Privacy Requirements Development Documentation

Current drafts of relevant documentation.

The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found here.

Notes from Privacy Requirements Development Meetings