Privacy Req 13
PRIVACY-13. CONTROLS PROPORTIONATE TO RISK
Controls on the processing or use of USERS' personal information MUST be commensurate with the degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who conduct digital identity management functions, to establish what risks those functions pose to users' privacy.
Regarding “digital identity management functions”, see Appendix A.
Many risk analysis models include examples or guidance about the implementation of controls that are appropriate to either specific risks or levels of existing risk. Entities may satisfy this Requirement by confirming that they have conducted that risk assessment and, based on that assessment, made appropriate adjustments to their practices.
Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx