Privacy Requirements

The Privacy Requirements Work Group is drafting privacy requirements to support the development of the Identity Ecosystem Framework. These requirements are designed to align with the Functional Model. All requirements listed are under development until noted otherwise.

High-Level Requirements

High-level requirements that are guiding functional requirements development.

• Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements.
• Organizations shall limit the use of the individual’s data that is collected and transmitted to the specified purposes of the transaction.
• Organizations shall limit the retention of data to the time necessary for providing and administering the services and transactions to the individual end-user for which the data was collected, except as otherwise required by law.
• Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information.
• Organizations shall minimize data aggregation, including linkages across transactions.
• Organizations shall provide appropriate mechanisms to enable individuals to access, correct, and delete personal information.
• Organizations shall determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
• When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.
• Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification.
• Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requirements have been violated.
• Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.
• Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, * pseudonymous, and/or uniquely identified.
• Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
• Participation in the Identity Ecosystem shall be voluntary.
• Privacy controls should be situated as low in the technology stack as possible.
• Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
• Controls on the processing or use of individuals' information shall be commensurate with the degree of risk of the processing or use.
• Identifiers shall be segregated from attributes whenever feasible.
• Organizations shall, upon any material changes to a service that affect the prior or ongoing collection, use, dissemination, or maintenance of users’ personal information:
  

a) provide clear and conspicuous descriptions of the changes and their impacts on users in advance, and 

b) with respect to previously collected personal information, provide users with compensating controls designed to mitigate privacy risks that may arise from the material changes, which may include seeking express affirmative consent of users in accordance with relevant law or regulation. In the event that users elect to terminate the service, organizations shall meet other stated requirements on termination and retention.

Privacy Requirements Development Documentation

Current drafts of relevant documentation.

The permalink to the most recent version of the Core Operations Privacy Requirements Development document can be found here.

Notes from Privacy Requirements Development Meetings