Privacy Req 2 Supplemental Guidance

<< Back to Privacy Requirement 2

These links are provided as additional informative resources relevant to parties conducting self-assessments (and other identity stakeholders) when applying and evaluating IDEF Baseline Requirement PRIVACY-2.

Supplemental Information

Contracts, assurances or persistent records of consent or legal authority MUST be established by entities collecting, using, transmitting or storing personal information, so that the information, when passed between entities, is still used in the same manner as originally specified and permitted. Entities also must assure that their data controls reliably apply these limitations to their future actions.

Please note the applicability of requirement INTEROP-7 regarding limitations imposed by laws. Please note the applicability of requirements INTEROP-6 and INTEROP-8 regarding limitations arising from the involvement of THIRD-PARTIES such as intermediaries, similar service providers, or FEDERATIONS.

References and Guidance (non-normative)

• See ISO/IEC 29100 (2011) Privacy Framework, Section 5.3 ("Use, Retention and Disclosure Limitation") and Section 5.6 ("Purpose Legitimacy and Specification").
• See the "minimum necessary" disclosure standard in HIPAA regulations for health care transactions, 45 CFR Part 164, at §§ 164.502(b) and 164.514(d): http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5
• See also the Fair Information Privacy Principles: "Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected." http://www.nist.gov/nstic/NSTIC-FIPPs.pdf
• See OASIS Privacy Management Reference Model (PMRM) v1.0: Section 4.2 ("Service Details").
• See Privacy & Biometrics: Building a Conceptual Foundation: Data [p46],Audit [p47], and Storage [p47].