IDEF Knowledge Base |

IDEF Registry
Privacy
PRIVACY-12. ANONYMITY

PRIVACY-12. ANONYMITY

Posted In: Authentication, Authorization, Credentialing, Intermediation, Registration
Tagged As: Account, Anonymity, Choice, Identifier, Privacy

Table of Contents: PRIVACY-12. ANONYMITY

REQUIREMENT

Wherever feasible, entities MUST utilize identity systems and processes that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, or where appropriate, uniquely identified. Where applicable to such transactions, entities employing service providers or intermediaries MUST mitigate the risk of those THIRD-PARTIES collecting USER personal information. Organizations MUST request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.

SUPPLEMENTAL GUIDANCE

In support of legal, policy or personal requirements for anonymous or pseudonymous USER participation, digital identity management functions and systems should permit anonymous and (persistent across sessions) pseudonymous registration and participation, where required by law or otherwise feasible. To further facilitate that goal, identifiers and personal data (including attributes) should be kept separate wherever feasible: see PRIVACY-4 (CREDENTIAL LIMITATION) and PRIVACY-15 (ATTRIBUTE SEGREGATION).

Risk needs to be assigned by each entity based the risk of loss to assets or reputation of that entity.

See INTEROP-6 (THIRD-PARTY COMPLIANCE) on the mitigation of risks associated with third-party service providers or data users.

See PRIVACY-5 (DATA AGGREGATION RISK) regarding the risk of collecting additional information.

See PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK) regarding the implementation of controls to mitigate identified privacy risk.

See PRIVACY-11 (OPTIONAL INFORMATION) regarding availability of user choices regarding optional disclosure of personal information.

REFERENCES

Further reference materials to aid organizations interested in conforming to these Requirements can be found at the wiki page Privacy References and Guides. This page is a living document from the Privacy Committee, and as such will be added to over time.

APPLIES TO ROLES

Relying Parties
Identity Providers
Attribute Providers
Intermediaries
Credential Service Providers (where there is user interaction)