From IdCommons

Privacy PRINCIPLEs: Notice and Use Limitation


• Operational Definition of Notice from ISTPA:
  ◦ Notice: Information regarding an entity’s privacy policies and practices including: definition of the personal information collected; its use (purpose specification); its disclosure to parties within or external to the entity; practices associated with the maintenance and protection of the information; options available to the data subject regarding the collector’s privacy practices; changes made to policies or practices; and information provided to the data subject at designated times and under designated circumstances. [ISTPA, p29]

• Transparency: Organizations should be transparent and provide notice to the individual regarding collection, use, dissemination, and maintenance of personally identifiable information (PII). [NSTIC, Appendix C]

Notice Variations:

• Timing of Notification
  ◦ There are two dominant positions on WHEN the Data Subject should be notified.
  ◦ The APEC and Safe Harbor frameworks state that notification may be sent at the time of collection, before the time of collection, or reasonably thereafter. However, the OECD, CSA and JPIPA state that notification (or purpose specification) must be provided by the time of collection and no later.

• Conditions and Qualifiers
  ◦ There are exceptional notice conditions and qualifiers, and these require notice management capabilities long after the initial collection of data in order to control consent.

FRAMEWORKS WHERE THE PRINCIPLE APPEARS

• The US Financial Trade Commission’s use of the Fair Information Practice Principles explicitly states, in the first sentence of the first principle, that: “The most fundamental principle is notice.”
• Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process. (ICAM; Section 3.3, 2.d.)
• Notice is the only principle common to all regulations and guidelines reviewed in the ISTPA Analysis:
  ◦ APEC Privacy Framework under “Notice” (Section II)
  ◦ OECD Privacy Guidelines under “Purpose Specification” (Paragraphs 9, 54)
  ◦ EU Data Protection Directive under “Information Given to the Data Subject” (Section IV)*
  ◦ Safe Harbor Principles under “Notice”
  ◦ Health Insurance Portability and Accountability Act (HIPAA) under “Notice of privacy practices for protected health information” (§ 164.520)
  ◦ UN Guidelines Concerning Computerized Personal Data Files under “Purpose Specification” (Paragraph 3)
  ◦ US FTC Fair Information Practices under “Notice/Awareness” (Section 1)
  ◦ Japan Personal Information Protection Act under “Notice of Purpose of Use at the Time of Acquisition” (Article 18)
  ◦ Australian National Privacy Principles under “Collection” (Sub clause 1.3)
  ◦ US Privacy Act under “Agency Requirements” (Subsection e)
  ◦ CSA Model Code under “Identifying Purposes” (Clauses 4.2-4.2.6)
  ▪ (Note: *The EU Data Protection Directive Section IX, entitled “Notification”, still refers to notification of a supervisory authority and not to the notification of the Data Subject.)

CONTROLS ASSOCIATED WITH THE PRINCIPLE

• A primary control for notice is purpose specification.
• The purpose of data gathering should be clearly indicated in the notice.
• Notice should be provided before personal information is harvested.
• Across various jurisdictions, specific types of regulated notices are used as controls to increase the veracity of consent and its management. These include: Notice of Collection, Policy Notification, and Changes in Policy or Data Use.
• The privacy notice is conspicuous and uses clear language. (AICPA/CICA)
• Purpose Specification appears in numerous frameworks:
  ◦ Purpose Specification: DHS should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used. (DHS 1)
  ◦ Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party; (EU; Section 39)
  ◦ (Note: Purpose Specification is also relevant for the consent principle.)

INTERACTION WITH OTHER PRINCIPLES

• Notice is used as a vehicle for other principles online and is a direct component of at least:
  ◦ Accountability, Consent, Disclosure, Openness
• Notice is also a control in that it is used to initiate other principles.
  ◦ For example, with consent: online and offline, across jurisdictions, notices are used to cultivate and maintain informed consent, the transference of consent (e.g. to a relying party), the withdrawal of consent, and the maintenance of the status of consent.