Notice & Use Limitation Principle
PRINCIPLE: Notice and Use Limitation
NOTICE DEFINITION AND DESCRIPTION (WITH VARIATIONS)
Operational Definition of Notice from ISTPA:
Notice: Information regarding an entity’s privacy policies and practices including: definition of the personal information collected; its use (purpose specification); its disclosure to parties within or external to the entity; practices associated with the maintenance and protection of the information; options available to the data subject regarding the collector’s privacy practices; changes made to policies or practices; and information provided to data subject at designated times and under designated circumstances. [ISTPA, p29]
Transparency: Organizations should be transparent and provide notice to the individual regarding collection, use, dissemination, and maintenance of personally identifiable information (PII). [NSTIC, Appendix C]
Notice Variations:
Timing of Notification
There are two dominant positions on WHEN the Data Subject should be notified.
APEC and Safe Harbor state that notification may be sent at the time of collection, before the time of collection, or reasonably thereafter. However, the OECD, CSA and JPIPA state that notification (or purpose specification) must be provided by the time of collection and no later.
Conditions and Qualifiers
There are exceptional notice conditions and qualifiers, and these require notice management capabilities long after the initial collection of data in order to control consent.
FRAMEWORKS WHERE THE PRINCIPLE APPEARS
The US Financial Trade Commission's use of the Fair Information Practice Principles states explicitly, in the first sentence of the first principle: “The most fundamental principle is notice.”
Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process. (ICAM; Section 3.3, 2.d.)
Notice is the only principle common to all privacy regulations, guidelines and principles reviewed in the ISTPA Analysis:
APEC Privacy Framework under “Notice” (Section II),
OECD Privacy Guidelines under “Purpose Specification” (Paragraph 9, 54),
EU Data Protection Directive under “Information Given to the Data Subject” (Section IV)*,
Safe Harbor Principles under “Notice”,
Health Insurance Portability and Accountability Act (HIPAA) under “Notice of privacy practices for protected health information” (§ 164.520),
UN Guidelines Concerning Computerized Personal Data Files under “Purpose-Specification” (Paragraph 3),
US FTC Fair Information Practices under “Notice/Awareness” (Section 1),
Japan Personal Information Protection Act under “Notice of Purpose of Use at the Time of Acquisition” (Article 18),
Australian National Privacy Principles under “Collection” (Sub clause 1.3),
US Privacy Act under “Agency Requirements” (Subsection e),
CSA Model Code under “Identifying Purposes” (Clause 4.2-4.2.6),
(Note: *It should be noted that the EU Data Protection Directive Section IX entitled “Notification” still refers to notification of a supervisory authority and not to the notification of the Data Subject)
CONTROLS ASSOCIATED WITH THE PRINCIPLE
A primary control for notice is purpose specification.
The purpose of data gathering should clearly be indicated in the notice
Notice should be provided before personal information is harvested
Across various jurisdictions, specific types of regulated notices are used as controls to increase the veracity of consent and its management. These include: Notice of Collection, Policy Notification, and Changes in Policy or Data Use.
The privacy notice is conspicuous and uses clear language (AICPA/CICA)
Purpose Specification appears in numerous frameworks:
Purpose Specification: DHS should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used. (DHS 1)
Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party; (EU; Section 39)
(Note: Purpose Specification is also relevant for consent principle)
INTERACTION WITH OTHER PRINCIPLES
Notice is used as a vehicle for other principles online and is a direct component of at least:
Accountability, Consent, Disclosure, Openness
Notice is also a control in that it is used to initiate other principles.
Consent is one example: online and offline, across jurisdictions, notices are used to cultivate and maintain informed consent, the transference of consent (e.g. to a relying party), the withdrawal of consent and the maintenance of the status of consent.
ANALYSIS POINTS of REFERENCE
KANTARA-IAWG
IAF-1400 -
(Note: research on IAF relevant controls pertaining to the consent between the SP and RP)
IAF Reference - Could be placed under ‘CONTROLS ASSOCIATED WITH THE PRINCIPLE’ section
IAF-1400 Service Assessment Criteria (ln 386-402) Service Definition Inclusions
a) Privacy, Identity Proofing & Verification, and Revocation and Termination Required Policies;
b) the country in or legal jurisdiction under which the service is operated;
c) if different from the above, the legal jurisdiction under which subscriber and any relying party agreements are entered into;
d) applicable legislation with which the service complies;
e) obligations incumbent upon the CSP;
f) obligations incumbent upon the subscriber;
g) notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service;
h) statement of warranties;
i) statement of liabilities toward both Subjects and Relying Parties;
j) procedures for notification of changes to terms and conditions;
k) steps the CSP will take in the event that it chooses or is obliged to terminate the service;
l) availability of the specified service per se and of its help desk facility