All data will be protected in transit
Verifiers will request only the minimum data required for a business process
Proposed
- mDL provider should not know what, where, when users presented their ID
- The intent to retain variable should be clearly communicated to the user

Expected Best Practices

Verifiers will not retain any non-attributed transaction data provided by the Holder
Verifiers will always seek consent before reading data from a digital ID
Holders should never be required to hand their device to any verifier
Attribute data will only be retained if sufficient notice has been provided and a business need exists for the purpose of the transaction.
Proposed
- Data attributes should only be released upon user consent
- User should know in advance whom is requesting their ID data
- User should have visibility into what data was shared, when it was shared and to whom it was shared
- Holders should not be required to show their device to any verifier.
- If attribute data is retained, the reason and retention period should be clearly outlined in the relying party's identity data privacy document.

Applicability

...

Christopher Williams Please review and update the content on the Scope and Applicability page.