| TD: Privacy - Onward Transfer - Access Limitations

Privacy - Onward Transfer - Access Limitations, v1.0

Defines privacy requirements for organizations to document the types of user actions and permissions that are controlled by the organization's access limitations.

Assessment Step

1 Privacy - Onward Transfer - Access Limitations (Privacy-OnwardTransfer-AccessLimitations) Has the organization documented the types of user actions and permissions that are controlled by the organization's access limitations? Note: User actions and permissions are often used to identify agencies and individuals with a need and right to know particular information or intelligence, access case management information, access non-sensitive information only, or to identify who is authorized to submit or modify particular records or record sets, to have read only access or to be authorized to add/modify/delete records, or to be authorized to grant privileges. Best Practice: It is suggested that organizations specify their system for identifying user actions and permissions in their privacy policies. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step. Parameters Information Types^required ENUM_MULTI : Select the type(s) of sensitive information that apply. PII PHI III IIHI Other Satisfied By Privacy Policy^required BOOLEAN : Is the organization's privacy policy the source for all supporting information for satisfying the issuance criteria of this Trustmark Definition? (TRUE=yes)

Conformance Criteria (1)

C-1 What types of user actions and permissions are controlled by the center's access limitations? Note: User actions and permissions are often used to identify agencies and individuals with a need and right to know particular information or intelligence, access case management information, access non-personally identifiable information (PII) only, or to identify who is authorized to submit or modify particular records or record sets, to have read only access or to be authorized to add/modify/delete records, or to be authorized to grant privileges. Best Practice: It is suggested that centers specify their system for identifying user actions and permissions in their privacy policies. Citation FCPP Section J.1, Sharing and Disclosure

Term Name	Abbreviations	Definition
Access		The ability to view personal information held by an organization
Adequacy		Adequacy refers to the recognition of the existence of a legal regime in another country that provides sufficient protection for personal information. As used in the EU Data Protection Directive, a country will be deemed "adequate" if its laws afford individuals rights that are similar to those afforded by the EU Data Protection Directive. In the EU context, if a country offers adequate protection, then data transfers from the European Economic Area (EEA) to that country may occur without any further limitation
Administrative safeguards		Administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic individually identifiable health information and to manage the conduct of the entity's workforce in relation to the protection of that information. Administrative safeguards include policies and procedures, workforce training, risk management plans, and contingency plans.
Adopted Authentication Scheme (Adopted Scheme)		An open identity management standard that the ICAM assesses, approves, and scopes for government-wide use. An adopted scheme meets all applicable ICAM requirements, as well as other Federal statutes, regulations, and policies. In addition, the structured adoption process provides assurance to all ICAM participants that underlying identity assurance technologies are appropriate, robust, reliable, and secure.
Adoption		Acceptance of a 3rd party Trust Framework by the Federal Government after rigorous review and determination of comparability at a specified Level of Assurance.
Approved Encryption Method		FIPS-approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation
Assertion		A statement from a Verifier to a RP that contains identity information about a Subscriber. Assertions may also contain verified attributes.
Assertion Reference		Identifies the Verifier and includes a pointer to the full assertion held by the Verifier.
Audit Criteria		TFP auditor qualifications, TFP CSP audit processes, and ongoing TFP CSP re-certification processes.
Authentication		The process of establishing confidence in the identity of users or information systems.
Authentication Protocol		A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
Bearer Assertion		An assertion that does not provide a mechanism for the Subscriber to prove that he or she is the rightful owner of the assertion. The RP has to assume that the assertion was issued to the Subscriber who presents the assertion or the corresponding assertion reference to the RP.
Biometric		Automated recognition of individuals based on their behavioral and biological characteristics. In this document, biometrics may be used to unlock authentication tokens and prevent repudiation of registration.
Bona Fides		Evidence that provides insight into an organization's maturity, legitimacy, stability, and reputation.
Certification (Certify)		TFP certification of an CSP is the determination that the CSP's policies and practices are comparable to ICAM trust requirements.
Choice		An individual's ability to determine whether or how personal information collected from him or her may be used or disclosed by the entity that collected the information. Also: The ability of an individual to limit certain uses of his or her personal information. For example, an individual may have choice about whether to permit a organization to contact the individual or share the individual's data with third parties.
Claimant		A party whose identity is to be verified using an authentication protocol.
Collect/Collection		The acquisition or receipt of information, including individually identifiable health information.
Comparability		Equivalence of Trust Framework Provider criteria to ICAM trust criteria as determined by ICAM designated Assessment Teams.
Confidentiality		The property that sensitive information is not disclosed to unauthorized individuals, entities or processes.
Corrective measures		Actions taken to address a security breach or privacy violation, with the intent to counteract the breach or violation and reduce future risks.
Credential Service Provider (CSP)		A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
Cross-certified		A certificate used to establish a trust relationship between two Certification Authorities.
Cryptographic		A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
Data commissioner		Government official that runs a data protection office and that is charged with enforcing a country's data protection laws.
Data controller		A controller is any person who makes decisions with regard to the processing of personal data, including decisions about the purposes for which the personal data are processed and the manner in which the personal data are processed. The EU Directive defines a data "controller" as: "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or community law."
Data processor		A data processor is a person who processes the data on behalf of the data controller, but who is under the authority of the data controller. The EU Directive defines data "processor" as: "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."
Data protection		The management of personal information. In the United States, "privacy" is the term that is used in policies, laws, and regulations. In contrast, in Switzerland, the European Union, and other countries, the term "data protection" often identifies privacy-related laws and regulations.
Data protection authority		See also Data protection office, Data commissioner.
Data protection office		A government agency that enforces data protection legislation. According to the EU Directive: "Each member state shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the member states pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them. Each authority has investigative powers necessary for the performance of its supervisory duties, power to engage in legal proceedings in case of violations. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person." See also Data protection authority, Data commissioner.
Data subject		Term used in some data protection litigation to describe an individual who is the subject of a personal data record.
Deceptive trade practices		In the context of U.S. federal law, a term associated with corporate entities that mislead or misrepresent products or services to consumers and customers. These practices are regulated by the Federal Trade Commission at the federal level and typically by the Attorney General's Office of Consumer Protection at the state level. These laws typically provide both for enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.
Direct Assertion Model		The Claimant uses his or her E-authentication token to authenticate to the Verifier. Following successful authentication of the Claimant, the Verifier creates an assertion, and sends it to the Subscriber to be forwarded to the RP. The assertion is used by the Claimant/Subscriber to authenticate to the RP.
Disclose/Disclosure		The release, transfer, exchange, provision of access to, or divulging in any other manner of information outside the person or entity holding the information.
Dispute resolution		The response to a valid complaint or grievance, or the action taken to correct faulty information, or to make amends for harm or inconvenience caused to an individual.
E-Authentication Credential		An object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.
Entropy		A measure of the amount of uncertainty that an Attacker faces to determine the value of a secret. Entropy is usually stated in bits. See NIST SP 800-63 for additional information.
EU Data Protection Directive (EU Directive)		Several directives deal with personal data usage, but the most important is the general policy approved by the European Commission in 1995 (95/46/EC) which protects individuals' privacy and personal data use. The EU Directive was adopted in 1995 and became effective in 1998. The EU Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The EU Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality, and transparency principles, data security and confidentiality, data subjects' rights of access, rectification, deletion, and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved, and a prohibition on automated individual decisions. The EU Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The EU Directive's key provisions impose serious restrictions on personal data processing, grant individual rights to "data subjects," and set forth specific procedural obligations, including notification to national authority.
European Economic Area (EEA)		The EEA allows Iceland, Liechtenstein, and Norway to participate in the EU's internal market without a conventional EU membership. These three countries apply EEA law, which is identical to all EU legislation related to the single market, with the exception of legislation on agriculture, fisheries, and fiscal issues. The EEA, however, is not a customs union. Switzerland is not a member of the EEA, but has concluded a large number of bilateral agreements with the EU covering a significant part of EEA law.
European Union (EU)		The European Union is an organization of European countries dedicated to increasing economic integration and strengthening cooperation among its members. The European Union was involved in the development of the Safe Harbor Principles that affect data flows from the European Union into the United States. As of July 2008, the member states include: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
Federal Trade Commission (FTC)		The U.S. Federal Trade Commission enforces a variety of federal antitrust and consumer protection laws, including the Safe Harbor Principles. The FTC seeks to ensure that the nation's markets function competitively, and are vigorous, efficient, and free of undue restrictions. The FTC also works to enhance the smooth operation of the marketplace by eliminating acts or practices that are unfair or deceptive.
Full Legal Name		A person's name that is usually the name given at birth and recorded on the birth certificate but that may be a different name that is used by a person consistently and independently or that has been declared the person's name by a court. That is, the name one has for official purposes; not a nickname or pseudonym.
Health Information		Any information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Holder-of-key Assertion		A holder-of-key assertion contains a reference to a symmetric key or a public key (corresponding to a private key) possessed by the Subscriber. The RP may require the Subscriber to prove possession of the secret that is referenced in the assertion. In proving possession of the Subscriber's secret, the Subscriber also proves that he or she is the rightful owner of the assertion. It is therefore difficult for an Attacker to use a holder-of-key assertion issued to another Subscriber, since the former cannot prove possession of the secret referenced within the assertion.
Identity		A set of attributes that uniquely describe a person within a given context.
Identity Proofing		The process by which a CSP and an RA validate sufficient information to uniquely identify a person.
Indirect Assertion Model		In the indirect model, the Claimant uses his or her token to authenticate to the Verifier. Following successful authentication, the Verifier creates an assertion as well as an assertion reference (which identifies the Verifier and includes a pointer to the full assertion held by the Verifier). The assertion reference is sent to the Subscriber to be forwarded to the RP. In this model, the assertion reference is used by the Claimant/Subscriber to authenticate to the RP. The RP then uses the assertion reference to explicitly request the assertion from the Verifier.
Individual		A person who is the recipient of health and/or wellness services.
Individually Identifiable Health Information (IIHI)		Health information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Individually Identifiable Information (III)		Information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Such information may include an individual's name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier.
Integrity		The property that data has not been altered by an unauthorized entity.
Issuance		Delivery of token or credential to the subscriber of a CSP.
Level of Assurance (LOA)		In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
Member state		In EU documents, this term refers to a country that is a full member of the European Union. See European Union.
Min-Entropy		A measure of the difficulty that an Attacker has to guess the most commonly chosen password used in a system. In this document, entropy is stated in bits. When a password has n-bits of min-entropy then an Attacker requires as many trials to find a user with that password as is needed to guess an n-bit random quantity. The Attacker is assumed to know the most commonly used password(s). See NIST SP 800-63 for additional information.
Multi-factor Authentication		Use of two or more of the following: 1. Something you know (for example, a password) 2. Something you have (for example, an ID badge or a cryptographic key) 3. Something you are (for example, a thumb print or other biometric data) Authentication systems that incorporate all three factors are stronger than systems that only incorporate one or two of the factors.
Multi-token Authentication		Two or more tokens are required to verify the identity of the Claimant.
Network		An open communications medium, typically the Internet, that is used to transport messages between the Claimant and other parties.
Non-repudiation		Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
Nonce		A value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
Notice		A written description of an entity's practices with respect to its collection, use and disclosure of personal information. A private notice typically includes a description of what personal information the entity collects, how the entity uses the information, with whom it shares the information, whether the information is secured, and whether an individual has any choices as to how the entity uses the information.
Open		Actively communicating information through notice or otherwise.
Opt-in		A consumer's expression of affirmative consent based upon a specific act of the consumer.
Opt-out		A consumer's exercise of choice through an affirmative request that a particular use of disclosure of data not occur.
Out of Band		Communications which occur outside of a previously established communication method or channel.
Personal data		The EU Directive defines "personal data" as: "any information relating to an identified or identifiable natural person ('data subject')" and explains that an "identifiable person" is "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
Personal Health Information (PHI)		Health information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Personal Identifying Information (PII)		Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Personal information		Any information that (i) relates to an individual and (ii) identifies or can be used to identify the individual. Such information may include an individual's name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier.
Persons and Entities		Health care professionals, partnerships, proprietorships, corporations and other types of organizations and their agents when acting on their behalf.
Physical safeguards		Physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. Physical safeguards include workstation security and use procedures, facility security plans, data backup and storage, and portable device and media controls.
Possession and Control of a Token		The ability to activate and use the token in an authentication protocol.
Privacy		An individual's interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities, that participate in a network for the purposes of electronic exchange of such information, to respect those interests through fair information practices.
Privacy policy		An organization's standard pertaining to the user information it collects and what is done with the information after it is collected.
Privacy seal program		Self-regulatory regimes that certify compliance with a set of standards of privacy protection. Services provide a "trust" mark, as well as independent verification and remediation and dispute resolution mechanisms for online privacy practices. Websites display the program's seal to indicate that they adhere to these standards.
Privacy statement		An organization's communication regarding its privacy policies, such as what personal information is collected, how it will be used, with whom it will be shared, and whether one has the option to exercise control over how one's information is used. Privacy statements are frequently posted on websites.
Processing of personal data		The EU Directive defines "processing" as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction."
Proof of Possession Protocol		A protocol where a Claimant proves to a Verifier that he/she possesses and controls a token (e.g., a key or password).
Pseudonym		A Subscriber name that has been chosen by the Subscriber that is not verified as meaningful by identity proofing.
Publicly available information		Personal information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from: a) government records that are available to the public; b) journalistic reports; or c) information required by law to be made available to the public.
Registration		The process through which a party applies to become a Subscriber of a CSP and an RA validates the identity of that party on behalf of the CSP.
Registration Authority		A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).
Relying Party (RP)		An entity that relies upon the Subscriber's credentials or Verifier's assertion of an identity, typically to process a transaction or grant access to information or a system.
Safe Harbor		The EU Directive and the Swiss Federal Act on Data Protection (FADP) prohibit the transfer of personal data outside of the European Union and Switzerland respectively, to jurisdictions that do not meet the European "adequacy" standard for privacy protection. While the United States, the European Union, and Switzerland share the goal of privacy protection, the United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation, while the European Union and Switzerland rely on comprehensive legislation that requires, among other things, the creation of government data protection agencies. As a result of these different approaches to privacy protection, the EU Directive and the FADP could have significantly hampered the ability of U.S. organizations to engage in many trans-Atlantic transactions.
Salt		A non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an Attacker.
Security		The physical, technological, and administrative safeguards used to protect individually identifiable health information.
Sensitive Information		Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
Sensitive information controller		A person or organization who controls the collection, holding, processing or use of sensitive information. It includes a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose sensitive information on his or her behalf, but excludes a person or organization who performs such functions as instructed by another person or organization. It also excludes an individual who collects, holds, processes or uses sensitive information in connection with the individual's personal, family or household affairs.
Sensitive Personal information (SPI)		Sensitive information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions, or information specifying the sex life of the individual
Shared Secret		A secret used in authentication that is known to the Claimant and the Verifier.
SPO		Service Provider Organization (SPO)
Strong Man in the Middle Resistance		A protocol is said to be strongly resistant to man-in-the-middle attack if it does not allow the Claimant to reveal, to an attacker masquerading as the Verifier, information (token secrets, authenticators) that can be used by the latter to masquerade as the true Claimant to the real Verifier.
Strongly Bound Credentials		The association between the identity and the token within strongly bound credentials cannot be easily undone. For example, a digital signature binds the identity to the public key in a public key certificate; tampering of this signature can be easily detected through signature validation.
Subscriber		A party who has received a credential or token from a CSP.
Technical safeguards		The technology and the policies and procedures for its use that protect electronic individually identifiable health information and control access to it.
Threat		Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Token		Something that the Claimant possesses and controls (typically a key or password) used to authenticate the Claimant's identity.
Token Authenticator		The value that is provided to the protocol stack to prove that the Claimant possesses and controls the token. Protocol messages sent to the Verifier are dependent upon the token authenticator, but they may or may not explicitly contain it.
Transborder flows of personal data		Movements of personal data across national borders
Transparent		Making information readily and publicly available.
Trust Criteria		Set of benchmarks used to measure a CSP's technical and operational controls with respect to registration and issuance, tokens, token and credential management, the authentication process, and assertions.
Trust Framework		Trust Framework Provider processes and controls for determining a CSP's compliance to OMB M-04-04 Levels of Assurance.
Trust Framework Provider (TFP)		A TFP is an organization that defines or adopts an on-line identity trust model and then, certifies CSPs that are in compliance with that model.
Use		Is the employment, application, utilization, examination, analysis or maintenance of individually identifiable health information.
Verifier		An entity that verifies the Claimant's identity by verifying the Claimant's possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
Weak Man in the Middle Resistance		A protocol is said to be weakly resistant to man-in-the-middle attacks if it provides a mechanism for the Claimant to determine whether he or she is interacting with the real Verifier, but still leaves the opportunity for the non-vigilant Claimant to reveal a token authenticator (to an unauthorized party) that can be used to masquerade as the Claimant to the real Verifier.
Weakly Bound Credentials		The association between the identity and the token within a weakly bound credential can be readily undone and a new association can be readily created. For example, a password file is a weakly bound credential since anyone who has "write" access to the password file can potentially update the associations contained within the file.

Term Name

Abbreviations

Definition

Access

The ability to view personal information held by an organization

Adequacy

Adequacy refers to the recognition of the existence of a legal regime in another country that provides sufficient protection for personal information. As used in the EU Data Protection Directive, a country will be deemed "adequate" if its laws afford individuals rights that are similar to those afforded by the EU Data Protection Directive. In the EU context, if a country offers adequate protection, then data transfers from the European Economic Area (EEA) to that country may occur without any further limitation

Administrative safeguards

Administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic individually identifiable health information and to manage the conduct of the entity's workforce in relation to the protection of that information. Administrative safeguards include policies and procedures, workforce training, risk management plans, and contingency plans.

Adopted Authentication Scheme (Adopted Scheme)

An open identity management standard that the ICAM assesses, approves, and scopes for government-wide use. An adopted scheme meets all applicable ICAM requirements, as well as other Federal statutes, regulations, and policies. In addition, the structured adoption process provides assurance to all ICAM participants that underlying identity assurance technologies are appropriate, robust, reliable, and secure.

Adoption

Acceptance of a 3rd party Trust Framework by the Federal Government after rigorous review and determination of comparability at a specified Level of Assurance.

Approved Encryption Method

FIPS-approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation

Assertion

A statement from a Verifier to a RP that contains identity information about a Subscriber. Assertions may also contain verified attributes.

Assertion Reference

Identifies the Verifier and includes a pointer to the full assertion held by the Verifier.

Audit Criteria

TFP auditor qualifications, TFP CSP audit processes, and ongoing TFP CSP re-certification processes.

Authentication

The process of establishing confidence in the identity of users or information systems.

Authentication Protocol

A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.

Bearer Assertion

An assertion that does not provide a mechanism for the Subscriber to prove that he or she is the rightful owner of the assertion. The RP has to assume that the assertion was issued to the Subscriber who presents the assertion or the corresponding assertion reference to the RP.

Biometric

Automated recognition of individuals based on their behavioral and biological characteristics. In this document, biometrics may be used to unlock authentication tokens and prevent repudiation of registration.

Bona Fides

Evidence that provides insight into an organization's maturity, legitimacy, stability, and reputation.

Certification (Certify)

TFP certification of an CSP is the determination that the CSP's policies and practices are comparable to ICAM trust requirements.

Choice

An individual's ability to determine whether or how personal information collected from him or her may be used or disclosed by the entity that collected the information. Also: The ability of an individual to limit certain uses of his or her personal information. For example, an individual may have choice about whether to permit a organization to contact the individual or share the individual's data with third parties.

Claimant

A party whose identity is to be verified using an authentication protocol.

Collect/Collection

The acquisition or receipt of information, including individually identifiable health information.

Comparability

Equivalence of Trust Framework Provider criteria to ICAM trust criteria as determined by ICAM designated Assessment Teams.

Confidentiality

The property that sensitive information is not disclosed to unauthorized individuals, entities or processes.

Corrective measures

Actions taken to address a security breach or privacy violation, with the intent to counteract the breach or violation and reduce future risks.

Credential Service Provider (CSP)

A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.

Cross-certified

A certificate used to establish a trust relationship between two Certification Authorities.

Cryptographic

A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.

Data commissioner

Government official that runs a data protection office and that is charged with enforcing a country's data protection laws.

Data controller

A controller is any person who makes decisions with regard to the processing of personal data, including decisions about the purposes for which the personal data are processed and the manner in which the personal data are processed. The EU Directive defines a data "controller" as: "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or community law."

Data processor

A data processor is a person who processes the data on behalf of the data controller, but who is under the authority of the data controller. The EU Directive defines data "processor" as: "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."

Data protection

The management of personal information. In the United States, "privacy" is the term that is used in policies, laws, and regulations. In contrast, in Switzerland, the European Union, and other countries, the term "data protection" often identifies privacy-related laws and regulations.

Data protection authority

See also Data protection office, Data commissioner.

Data protection office

A government agency that enforces data protection legislation. According to the EU Directive: "Each member state shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the member states pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them. Each authority has investigative powers necessary for the performance of its supervisory duties, power to engage in legal proceedings in case of violations. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person." See also Data protection authority, Data commissioner.

Data subject

Term used in some data protection litigation to describe an individual who is the subject of a personal data record.

Deceptive trade practices

In the context of U.S. federal law, a term associated with corporate entities that mislead or misrepresent products or services to consumers and customers. These practices are regulated by the Federal Trade Commission at the federal level and typically by the Attorney General's Office of Consumer Protection at the state level. These laws typically provide both for enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

Direct Assertion Model

The Claimant uses his or her E-authentication token to authenticate to the Verifier. Following successful authentication of the Claimant, the Verifier creates an assertion, and sends it to the Subscriber to be forwarded to the RP. The assertion is used by the Claimant/Subscriber to authenticate to the RP.

Disclose/Disclosure

The release, transfer, exchange, provision of access to, or divulging in any other manner of information outside the person or entity holding the information.

Dispute resolution

The response to a valid complaint or grievance, or the action taken to correct faulty information, or to make amends for harm or inconvenience caused to an individual.

E-Authentication Credential

An object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.

Entropy

A measure of the amount of uncertainty that an Attacker faces to determine the value of a secret. Entropy is usually stated in bits. See NIST SP 800-63 for additional information.

EU Data Protection Directive (EU Directive)

Several directives deal with personal data usage, but the most important is the general policy approved by the European Commission in 1995 (95/46/EC) which protects individuals' privacy and personal data use. The EU Directive was adopted in 1995 and became effective in 1998. The EU Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The EU Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality, and transparency principles, data security and confidentiality, data subjects' rights of access, rectification, deletion, and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved, and a prohibition on automated individual decisions. The EU Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The EU Directive's key provisions impose serious restrictions on personal data processing, grant individual rights to "data subjects," and set forth specific procedural obligations, including notification to national authority.

European Economic Area (EEA)

The EEA allows Iceland, Liechtenstein, and Norway to participate in the EU's internal market without a conventional EU membership. These three countries apply EEA law, which is identical to all EU legislation related to the single market, with the exception of legislation on agriculture, fisheries, and fiscal issues. The EEA, however, is not a customs union. Switzerland is not a member of the EEA, but has concluded a large number of bilateral agreements with the EU covering a significant part of EEA law.

European Union (EU)

The European Union is an organization of European countries dedicated to increasing economic integration and strengthening cooperation among its members. The European Union was involved in the development of the Safe Harbor Principles that affect data flows from the European Union into the United States. As of July 2008, the member states include: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.

Federal Trade Commission (FTC)

The U.S. Federal Trade Commission enforces a variety of federal antitrust and consumer protection laws, including the Safe Harbor Principles. The FTC seeks to ensure that the nation's markets function competitively, and are vigorous, efficient, and free of undue restrictions. The FTC also works to enhance the smooth operation of the marketplace by eliminating acts or practices that are unfair or deceptive.

Full Legal Name

A person's name that is usually the name given at birth and recorded on the birth certificate but that may be a different name that is used by a person consistently and independently or that has been declared the person's name by a court. That is, the name one has for official purposes; not a nickname or pseudonym.

Health Information

Any information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Holder-of-key Assertion

A holder-of-key assertion contains a reference to a symmetric key or a public key (corresponding to a private key) possessed by the Subscriber. The RP may require the Subscriber to prove possession of the secret that is referenced in the assertion. In proving possession of the Subscriber's secret, the Subscriber also proves that he or she is the rightful owner of the assertion. It is therefore difficult for an Attacker to use a holder-of-key assertion issued to another Subscriber, since the former cannot prove possession of the secret referenced within the assertion.

Identity

A set of attributes that uniquely describe a person within a given context.

Identity Proofing

The process by which a CSP and an RA validate sufficient information to uniquely identify a person.

Indirect Assertion Model

In the indirect model, the Claimant uses his or her token to authenticate to the Verifier. Following successful authentication, the Verifier creates an assertion as well as an assertion reference (which identifies the Verifier and includes a pointer to the full assertion held by the Verifier). The assertion reference is sent to the Subscriber to be forwarded to the RP. In this model, the assertion reference is used by the Claimant/Subscriber to authenticate to the RP. The RP then uses the assertion reference to explicitly request the assertion from the Verifier.

Individual

A person who is the recipient of health and/or wellness services.

Individually Identifiable Health Information (IIHI)

Health information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Individually Identifiable Information (III)

Information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Such information may include an individual's name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier.

Integrity

The property that data has not been altered by an unauthorized entity.

Issuance

Delivery of token or credential to the subscriber of a CSP.

Level of Assurance (LOA)

In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

Member state

In EU documents, this term refers to a country that is a full member of the European Union. See European Union.

Min-Entropy

A measure of the difficulty that an Attacker has to guess the most commonly chosen password used in a system. In this document, entropy is stated in bits. When a password has n-bits of min-entropy then an Attacker requires as many trials to find a user with that password as is needed to guess an n-bit random quantity. The Attacker is assumed to know the most commonly used password(s). See NIST SP 800-63 for additional information.

Multi-factor Authentication

Use of two or more of the following: 1. Something you know (for example, a password) 2. Something you have (for example, an ID badge or a cryptographic key) 3. Something you are (for example, a thumb print or other biometric data) Authentication systems that incorporate all three factors are stronger than systems that only incorporate one or two of the factors.

Multi-token Authentication

Two or more tokens are required to verify the identity of the Claimant.

Network

An open communications medium, typically the Internet, that is used to transport messages between the Claimant and other parties.

Non-repudiation

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Nonce

A value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.

Notice

A written description of an entity's practices with respect to its collection, use and disclosure of personal information. A private notice typically includes a description of what personal information the entity collects, how the entity uses the information, with whom it shares the information, whether the information is secured, and whether an individual has any choices as to how the entity uses the information.

Open

Actively communicating information through notice or otherwise.

Opt-in

A consumer's expression of affirmative consent based upon a specific act of the consumer.

Opt-out

A consumer's exercise of choice through an affirmative request that a particular use of disclosure of data not occur.

Out of Band

Communications which occur outside of a previously established communication method or channel.

Personal data

The EU Directive defines "personal data" as: "any information relating to an identified or identifiable natural person ('data subject')" and explains that an "identifiable person" is "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

Personal Health Information (PHI)

Health information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Personal Identifying Information (PII)

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Personal information

Any information that (i) relates to an individual and (ii) identifies or can be used to identify the individual. Such information may include an individual's name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier.

Persons and Entities

Health care professionals, partnerships, proprietorships, corporations and other types of organizations and their agents when acting on their behalf.

Physical safeguards

Physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. Physical safeguards include workstation security and use procedures, facility security plans, data backup and storage, and portable device and media controls.

Possession and Control of a Token

The ability to activate and use the token in an authentication protocol.

Privacy

An individual's interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities, that participate in a network for the purposes of electronic exchange of such information, to respect those interests through fair information practices.

An organization's standard pertaining to the user information it collects and what is done with the information after it is collected.

Privacy seal program

Self-regulatory regimes that certify compliance with a set of standards of privacy protection. Services provide a "trust" mark, as well as independent verification and remediation and dispute resolution mechanisms for online privacy practices. Websites display the program's seal to indicate that they adhere to these standards.

Privacy statement

An organization's communication regarding its privacy policies, such as what personal information is collected, how it will be used, with whom it will be shared, and whether one has the option to exercise control over how one's information is used. Privacy statements are frequently posted on websites.

Processing of personal data

The EU Directive defines "processing" as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction."

Proof of Possession Protocol

A protocol where a Claimant proves to a Verifier that he/she possesses and controls a token (e.g., a key or password).

Pseudonym

A Subscriber name that has been chosen by the Subscriber that is not verified as meaningful by identity proofing.

Publicly available information

Personal information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from: a) government records that are available to the public; b) journalistic reports; or c) information required by law to be made available to the public.

Registration

The process through which a party applies to become a Subscriber of a CSP and an RA validates the identity of that party on behalf of the CSP.

Registration Authority

A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).

Relying Party (RP)

An entity that relies upon the Subscriber's credentials or Verifier's assertion of an identity, typically to process a transaction or grant access to information or a system.

Safe Harbor

The EU Directive and the Swiss Federal Act on Data Protection (FADP) prohibit the transfer of personal data outside of the European Union and Switzerland respectively, to jurisdictions that do not meet the European "adequacy" standard for privacy protection. While the United States, the European Union, and Switzerland share the goal of privacy protection, the United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation, while the European Union and Switzerland rely on comprehensive legislation that requires, among other things, the creation of government data protection agencies. As a result of these different approaches to privacy protection, the EU Directive and the FADP could have significantly hampered the ability of U.S. organizations to engage in many trans-Atlantic transactions.

Salt

A non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an Attacker.

Security

The physical, technological, and administrative safeguards used to protect individually identifiable health information.

Sensitive Information

Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

Sensitive information controller

A person or organization who controls the collection, holding, processing or use of sensitive information. It includes a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose sensitive information on his or her behalf, but excludes a person or organization who performs such functions as instructed by another person or organization. It also excludes an individual who collects, holds, processes or uses sensitive information in connection with the individual's personal, family or household affairs.

Sensitive Personal information (SPI)

Sensitive information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions, or information specifying the sex life of the individual

Shared Secret

A secret used in authentication that is known to the Claimant and the Verifier.

SPO

Service Provider Organization (SPO)

Strong Man in the Middle Resistance

A protocol is said to be strongly resistant to man-in-the-middle attack if it does not allow the Claimant to reveal, to an attacker masquerading as the Verifier, information (token secrets, authenticators) that can be used by the latter to masquerade as the true Claimant to the real Verifier.

Strongly Bound Credentials

The association between the identity and the token within strongly bound credentials cannot be easily undone. For example, a digital signature binds the identity to the public key in a public key certificate; tampering of this signature can be easily detected through signature validation.

Subscriber

A party who has received a credential or token from a CSP.

Technical safeguards

The technology and the policies and procedures for its use that protect electronic individually identifiable health information and control access to it.

Threat

Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Token

Something that the Claimant possesses and controls (typically a key or password) used to authenticate the Claimant's identity.

Token Authenticator

The value that is provided to the protocol stack to prove that the Claimant possesses and controls the token. Protocol messages sent to the Verifier are dependent upon the token authenticator, but they may or may not explicitly contain it.

Transborder flows of personal data

Movements of personal data across national borders

Transparent

Making information readily and publicly available.

Trust Criteria

Set of benchmarks used to measure a CSP's technical and operational controls with respect to registration and issuance, tokens, token and credential management, the authentication process, and assertions.

Trust Framework

Trust Framework Provider processes and controls for determining a CSP's compliance to OMB M-04-04 Levels of Assurance.

Trust Framework Provider (TFP)

A TFP is an organization that defines or adopts an on-line identity trust model and then, certifies CSPs that are in compliance with that model.

Use

Is the employment, application, utilization, examination, analysis or maintenance of individually identifiable health information.

Verifier

An entity that verifies the Claimant's identity by verifying the Claimant's possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.

Weak Man in the Middle Resistance

A protocol is said to be weakly resistant to man-in-the-middle attacks if it provides a mechanism for the Claimant to determine whether he or she is interacting with the real Verifier, but still leaves the opportunity for the non-vigilant Claimant to reveal a token authenticator (to an unauthorized party) that can be used to masquerade as the Claimant to the real Verifier.

Weakly Bound Credentials

The association between the identity and the token within a weakly bound credential can be readily undone and a new association can be readily created. For example, a password file is a weakly bound credential since anyone who has "write" access to the password file can potentially update the associations contained within the file.

Privacy - Onward Transfer - Access Limitations, v1.0

Assessment Step

Conformance Criteria (1)

Metadata

Sources (1)

Terms (107)