The intended audience of this implementer's guidance report includes architects, designers, developers, organization policy setters, standards organizations implementing mobile credentials and digital identity products. The report will provide implementation guidance to address privacy gaps within the standard ISO/IEC 18013-5 mobile driver's license transactions, but the privacy principles presented are applicable to the use of all privacy enhancing mobile credentials used for digital identity transactions. The goal of this report is to provide sufficient guidance such that an individual who holds a mobile credential can reasonably assume an organization implementing the report's guidance is meeting expectations for privacy best practices.
- All data will be protected in transit
- Verifiers will request only the minimum data required for a business process
Expected Best Practices:
- Verifiers will not retain any non-attribute transaction data provided by the Holder
- Verifiers will always seek consent before reading data from a digital ID
- Holders should never be required to hand their device to any verifier
- Attribute data will only be retained if sufficient notice has been provided and a business need exists for the purpose of the transaction.