Privacy - Appropriate Attribute Request and Usage, v1.0

Specifies privacy requirements related to the requesting and usage of attributes about end-users.

Assessment Steps (4)

1
Policy for Appropriate Requests (PolicyforAppropriateRequests)
Does the Trustmark Applicant have established policies or procedures that demonstrate that it either requests user attributes as required, or does not request user attributes from other organizations to process transactions? Document references to sections of established policies and procedures that demonstrate conformance, and provide annotations that justify conformance.
Artifact
Annotated References
Annotated references to the conforming sections of established policies and procedures.
2
Technical Capabilities for Appropriate Requests (TechnicalCapabilitiesforAppropriateRequests)
If the Trustmark Applicant requests user attributes from other organizations to process transactions, then does it have established technical capabilities that enable it to request attributes as required? Evaluate and describe the relevant established technical capabilities.
Artifact
Technical Capabilities
Documented evaluation and description of the conforming technical capabilities.
3
Policy for Appropriate Usage (PolicyforAppropriateUsage)
Does the Trustmark Applicant have established policies or procedures that demonstrate that it either uses attributes as required, or does not request user attributes from other organizations to process transactions? Document references to sections of established policies and procedures that demonstrate conformance, and provide annotations that justify conformance.
Artifact
Annotated References
Annotated references to the conforming sections of established policies and procedures.
4
Technical Capabilities for Appropriate Usage (TechnicalCapabilitiesforAppropriateUsage)
If the Trustmark Applicant requests user attributes from other organizations to process transactions, then does it have established technical capabilities that enable it to use attributes as required? Evaluate and describe the relevant established technical capabilities.
Artifact
Technical Capabilities
Documented evaluation and description of the conforming technical capabilities.

Conformance Criteria (2)

Appropriate requests
If the organization requests user attributes from other organizations to process transactions, then the organization MUST ensure that it requests only those attributes that it requires for the purposes of making authorization decisions, dynamically provisioning accounts, performing audit logging, or forwarding the attributes to another organization for these purposes.
Citation
NIEF-Privacy
Item 6
Appropriate usage
If the organization requests user attributes from other organizations to process transactions, then the organization MUST ensure that it uses requested attributes only for the purposes of making authorization decisions, dynamically provisioning accounts, performing audit logging, or forwarding the attributes to another organization for these purposes.
Citation
NIEF-Privacy
Item 6