Introduction

This Kantara Privacy Assessment Criteria (PAC) document is intended to provide informative 'assessment guidelines' for assessors and auditors of Identity Service Providers (IDPs) and Credential Service Providers (CSPs). It also includes normative sections relating to particular jurisdictional (territorial or industry sector) privacy requirements. While each jurisdiction determines its own privacy requirements, it is anticipated that this collective set of requirements will clarify the distinctions between jurisdictions, which may better enable the establishment of global and/or cross-sector IDPs and CSPs.

Scope

This document addresses the privacy assessment criteria that are relevant to IDPs and CSPs certified under the Kantara Identity Assurance Framework (IAF).

Part 1 - General Guidance for Assessors and Auditors (informative)

This section could be a generalization of: the P3WG document, "Draft Criteria for the US Federal Privacy Profile", Version 1.4 dated 9/13/2011; along with consideration of NIST Special Publication 800-53, Appendix J; European Article 29 of the Directive 95/46/EC of the European Parliament; and the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines.

Part 2 - Additional Requirements for Credential Service Providers: US Federal Privacy Criteria (normative)

This section would appear to be sufficiently addressed by the Identity Assurance Working Group (IAWG) document, "Additional Requirements for Credential Service Providers: US Federal Privacy Criteria". This IAWG document contains a reference to the FICAM "Privacy Guidance for Trust Framework Assessors and Auditors", and includes additional criteria, such as "Unique Identity", "Adequate Notice", and "Changes in the Service".

Part 3 - Additional Requirements for Credential Service Providers: Other territorial jurisdiction (Canada, New Zealand, EU
