| # | Statement | Scope | Primary Consideration | Other Considerations | Link | Status | Tasks |
|---|
| 1_BC_CC | The Issuer must ensure the existence of functionality allowing selective data release. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Selective Data Release | | |
| 2_ABC_IS | All identifying data shall be transacted through encrypted channels. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Encrypted Channel Transactions | | - Type your task here, using "@" to assign to a user and "//" to select a due date
|
| 3_C_OT | Transparency to Holder at mobile credential presentment | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Transparency at presentment | | - Type your task here, using "@" to assign to a user and "//" to select a due date
|
| 4_A_CL | Verifiers shall not request more than the strictly necessary PII for the provision of their services. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Limited data collection/request | | - Requirement using template to be created
- Check overlapping with requirement no.13
|
| 5_A_CC | Verifiers shall request user consent prior the transmission of their PII. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Context for user consent | | - Requirement using template to be created
-
|
| 6_A_UR | Verifiers shall state a retention period for PII in their consent request. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Retention period | | - Requirement using template to be created
-
|
| 7_A_UR | Verifiers shall not store any PII unless user consents or justified for Law Enforcement purposes. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| PII storage | | - Requirement using template to be created
-
|
| 8_A_PL | Verifiers shall not fall into collusive practices with Issuing Authorities or other Verifiers. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Collusive practices | | - Requirement using template to be created
-
|
| 9_A_IS | Verifiers shall adopt appropriate measures to ensure the security of stored PII. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Secure storage | | - Requirement using template to be created
-
|
| 10_A_OT | Verifiers shall guarantee appropriate means to guarantee the exercise of data subject rights. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Data subject rights | | - Requirement using template to be created
-
|
| 11_A_AC | Verifiers shall maintain appropriate data registries and ensure access to Law Enforcement Authorities for accountability purposes. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Data registry | | - Requirement using template to be created
-
|
| 12_A_DM | Verifiers shall not combine any PII for the purpose of re-identifying the data subject unless the user has consented. | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Separate data | | - Requirement using template to be created
-
|
| 13_A_DM | Verifiers must only request the minimum data required for their transaction | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Verifiers must only request the minimum data required for their transaction | | - Type your task here, using "@" to assign to a user and "//" to select a due date
|
| 14_C_PL | Providers must communicate to users any attestations associated with a verifier | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Providers must communicate to users any attestations associated with a verifier | |
|
| 15_A_UR | Verifiers must attest their use-cases - which in turn defines the data they will need to collect and its retention policy | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Verifiers must attest their use-cases - which in turn defines the data they will need to collect and its retention policy | |
|
| 16_A_AC | Verifiers must identify themselves | - Part A: Verifiers
- Part B: Issuers
- Part C: Providers
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| - CC (Consent and Choice)
- PL (Purpose legitimacy and specification)
- CL (Collection limitation)
- DM (Data minimization)
- UR (Use, retention, and disclosure limitation)
- AQ (Accuracy and quality)
- OT (Openness, transparency, and access)
- IA (Individual access & participation)
- AC (Accountability)
- IS (Information Security)
- PS (Privacy compliance)
| Verifiers must identify themselves | |
|