Privacy Req 13

From IDESG Wiki


PRIVACY-13. CONTROLS PROPORTIONATE TO RISK

Controls on the processing or use of USERS' personal information MUST be commensurate with the degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who conduct digital identity management functions, to establish what risks those functions pose to users' privacy.

SUPPLEMENTAL GUIDANCE

Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).

Regarding "digital identity management functions", see Appendix A.

Many risk analysis models include examples or guidance about the implementation of controls that are appropriate to either specific risks or levels of existing risk. Entities may satisfy this Requirement by confirming that they have conducted that risk assessment and, based on that assessment, made appropriate adjustments to their practices.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Supplemental Privacy Guidance; this has been archived at https://workspace.idesg.org/kws/public/download.php/56/Supplemental-Privacy-Guidance.docx

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

ASSESSMENT, CONTROLS, LIMITATION, POLICIES, PRIVACY, RISK