Overview#Data Privacy is information relevant or pertaining to privacy aspects of a given data value
Data Privacy Legal and/or Regulatory compliance are largely based on "Fair Information Practice" that was first developed in the United States in the 1970s by the United States Department of Health , Education and Welfare (HEW). The basic principles of data protection are:
- For all data collected there should be a stated purpose.
- Data Collection from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual
- Records kept on an individual should be accurate and up to date
- There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting (Data Subject Access Request)
- Data should be deleted when it is no longer needed for the stated purpose (Data Disposal)
- Transmission of personal information to locations where "equivalent" personal Data Protection cannot be assured is prohibited
- Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion)
- Yes - The individual expressly consented to the release of the attribute’s value for the purposes of the transaction.
- No - The individual has not expressly consented to the release of the attribute’s value.
- Unknown - It is not known by the Data Processor whether or not the individual has expressly consented to release of the Attribute Value.
For example, the Attribute Value might purely be useful in authorization, determining a user's eligibility for services; alternatively, values might be eligible for use beyond the initially intended purpose, or not eligible for any further disclosure. Additionally, organizational Entity or Trust Frameworks might also create their own categories of Acceptable Use based on their policies.
Recommended values for this element include:
- Authorization - The value can be used to determine user eligibility for services or privileges and can be used to provide those services.
- Secondary Use - The value may be used for purposes beyond that for which they were initially divulged. Additional use requires separate, explicit consent from user at initiation.
- No Further Data disclosure - The attribute value should not be passed on to other parties for any purpose unless required by law.