(Drafted 16 April 2012)
A. Kantara Framework Privacy Documents
Within the Kantara Framework, privacy issues are addressed in three types of documents, plus existing law.
1. The first type of document is a Privacy Requirements Document. This type of document is part of the identity assurance framework, and sets forth the general rules and requirements imposed upon credential service providers by the framework in a given geographical jurisdiction, or industry sector. Depending on the jurisdiction, these privacy requirements are either aligned with, or are in addition to, the requirements of existing law.
2. The second type of document is a Privacy Assessment Criteria Document. This type of document is written with reference to a particular Privacy Requirements Document, and provides the detailed assessment criteria that must be used by Assessors when assessing the compliance of a credential service provider with that specific Privacy Requirements Document. There may be a separate Privacy Assessment Criteria Document for each Privacy Requirements Document, or there may be a single Privacy Assessment Criteria Document that contains a separate section for each Privacy Requirements Document.
3. The third type of document is a Privacy Guidance Document. This type of document sets forth P3WG-recommended privacy practices, but does not currently impose any requirements on CSPs within the Kantara Framework. Its purpose is to state best practices which at some point in the future may be recommended for inclusion in the Kantara Framework as a Privacy Requirements Document applicable to all Kantara CSPs. The Privacy Guidance Document may be a separate document, or it may be part of each Privacy Assessment Criteria Document.
4. Existing law in each applicable geographic jurisdiction might be considered as a fourth type of document, although it is not within the control of Kantara. It sets forth the rules and requirements imposed by law upon credential service providers.
B. Role of the P3 WG
1. Privacy Requirements Documents
In the interests of timeliness, as an extension of the Service Assessment Criteria development, the FICAM Privacy Requirements was written by the IAWG, in collaboration with the ARB, P3WG, and FICAM. P3WG will have the following ongoing responsibilities (as per the founding charter of P3WG, copied at the end of this document)--
2. Privacy Assessment Criteria Documents
The efforts of the P3 Work Group are currently focused on developing a Privacy Assessment Criteria Document to facilitate assessment of a CSP's compliance with the FICAM Privacy Requirements. It plans to begin this first effort by providing specific privacy assessment criteria for the existing FICAM Privacy Requirements Document that are aligned with the U.S.-government-developed FICAM Privacy Guidance for Trust Framework Assessors and Auditors Document.
In the future, the P3 Work Group may also consider as potential projects --
3. Privacy Guidance Document(s)
The P3 WG will develop an informative Privacy Guidance Document for the purpose of:
At the end of the day, we need to focus on the fact that there are two specific types of privacy documents relevant to Kantara: (1) Privacy Requirements Documents; and (2) Privacy Assessment Criteria Documents that provide assessment criteria with respect to specific Privacy Requirements Documents. The Privacy Guidance Document will serve as an incubator for considerations that can be migrated into ongoing Privacy Requirements Documents. A secondary purpose, as a result of the collection of cross-border and cross-sector privacy representation and discussions, will be to clarify the distinctions between such jurisdictions, which may better enable the establishment of global and/or cross-sector CSPs.
Note that the Privacy Requirements and Assessment Criteria Documents only consider CSPs, whereas the Privacy Guidance Document will also discuss the privacy requirements for Relying Parties or Federation Brokers in an Identity Federation.
Excerpt from P3WG founding charter
1. WG NAME (and abbreviation): Privacy and Public Policy Work Group (P3WG)
2. PURPOSE:
3. SCOPE AND DEFINITION OF WORK: