Proposed PAC framework_V1_0 from Colin S.

Introduction

This Kantara Privacy Assessment Criteria (PAC) document is intended to provide informative 'assessment guidelines' for assessors and auditors of Identity Service Providers (IDPs) and Credential Service Providers (CSPs). It also includes normative sections relating to particular jurisdictional (territorial or industry sector) privacy requirements. While each jurisdiction determines its own privacy requirements, it is anticipated that this collective set of requirements will clarify the distinctions between such jurisdictions, which may better enable the establishment of global and/or cross-sector IDPs and CSPs.

Scope

This document addresses the privacy assessment criteria that are relevant to IDPs and CSPs certified under the Kantara Identity Assurance Framework (IAF).

Part 1 - General Guidance for Assessors and Auditors (informative)
This section could be a generalization of: the P3WG document, "Draft Criteria for the US Federal Privacy Profile", Version 1.4 dated 9/13/2011; along with consideration of NIST Special Publication 800-53, Appendix J; European Article 29 of the Directive 95/46/EC of the European Parliament; and the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines.

Part 2 - Additional Requirements for Credential Service Providers: US Federal Privacy Criteria (normative)
This section would appear to be sufficiently addressed by the Identity Assurance Working Group (IAWG) document, "Additional Requirements for Credential Service Providers: US Federal Privacy Criteria". This IAWG document contains a reference to the FICAM "Privacy Guidance for Trust Framework Assessors and Auditors", and includes additional criteria, such as "Unique Identity", "Adequate Notice", and "Changes in the Service".

Part 3 - Additional Requirements for Credential Service Providers: Other territorial jurisdiction (Canada, New Zealand, EU… ?) Privacy Criteria (normative)

Part 4 - Additional Requirements for Credential Service Providers: Specific Industry Sector (Health Care, Financial?) Privacy Criteria (normative)

Exclusions

This document does not consider the privacy requirements for Relying Parties or Federation Brokers in an Identity Federation. It is assumed that Relying Party applications and Federation Broker Services will operate in compliance with local privacy policies, laws and regulations.

Normative References

Terms and Definitions

Intended Audience

The informative Part 1 of this document is intended to be used as privacy guidelines for Identity Federation component suppliers. The normative Parts 2-N are intended to serve as specific assessment criteria for assessors and auditors in the respective jurisdiction.

Intended Course of Action

This document is intended to be developed as a Privacy and Public Policy Working Group (P3WG) Kantara Report. The P3WG-approved document will be submitted to the Kantara Assurance Review Board (ARB) for adoption into their Identity Assurance Certification Program.