2.4.12 Privacy
This section’s intended audience is for those personnel who are responsible for Data Protection and Privacy regulatory compliance.
| Req No | Requirement | Primary Keyword | Compliance Class And Applicability |
|---|---|---|---|
| 2.4.12.1 | The product/service stores the minimum amount of Personal Information from users required for the operation of the service. | Business | Mandatory for Class 1 and above |
| 2.4.12.2 | The product/service ensures that all Personal Information is encrypted for confidentiality (both when stored and if communicated out of the device) and only accessible after successful authentication and authorisation. Note: authentication only proves who you are, but authorisation confirms if you are allowed access to the PI. The cryptography must be of sufficient strength to protect the Personal Information for however long it is expected to be retained (or remain confidential). | Business | Mandatory for Class 3 and above |
| 2.4.12.3 | The product/service ensures that only authorised personnel have access to personal data of users. | Business | Mandatory for Class 1 and above |
| 2.4.12.4 | The product/service ensures that Personal Information is anonymised whenever possible and in particular in any reporting. | Business | Mandatory for Class 1 and above |
| 2.4.12.5 | The Product Manufacturer or Service Provider shall ensure that a data retention policy is in place and documented for users. | Business | Mandatory for Class 1 and above |
| 2.4.12.6 | There is a method or methods for the product owner to be informed about what Personal Information is collected, why, where it will be stored and processed, and by whom and for what purposes. This includes sensing capabilities, such as sound or video recording, biometrics, location, etc. | Business | Mandatory for Class 1 and above |
| 2.4.12.7 | There is a method or methods for each user to check/verify what Personal Information is collected. | Business | Mandatory for Class 1 and above |
| 2.4.12.8 | The product / service can be made compliant with the local and/or regional Personal Information protection legislation where the product is to be sold. For example GDPR [ICO.GDPR]1[EU.GDPR]2 or NIST PII [NIST.SP.800-122]3. | Business | Mandatory for Class 1 and above |
| 2.4.12.9 | The supplier or manufacturer of any device shall provide documented information to end users about how the device(s) functions within the end user’s network may affect their privacy. | Business | Advisory for all classes |
| 2.4.12.10 | The supplier or manufacturer of any devices or devices shall provide clear information about how the device(s) should be set up to maintain the end user’s privacy and security. | Business | Mandatory for all classes |
| 2.4.12.11 | The supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal or replacement shall be carried out to maintain the end user’s privacy and security, including deletion of all personal information from the device and any associated services. | Business | Mandatory for Class 1 and above |
| 2.4.12.12 | The supplier or manufacturer of any devices or services shall provide clear information about the end user’s responsibilities to maintain the devices and/or services privacy and security. | Business | Mandatory for Class 1 and above |
| 2.4.12.13 | Security of devices and services should be designed with usability in mind (reducing user decision points that may have a detrimental impact on privacy and security). | System | Mandatory for Class 1 and above |
| 2.4.12.14 | The product or service only records audio/visual/or any other data in accordance with the authorisation of the user (e.g., no passive recording without explicit authorisation). | System | Mandatory for Class 1 and above |
| 2.4.12.15 | The supplier or manufacturer performs a privacy impact assessment (PIA) to identify Personally Identifiable Information (PII) [NIST.SP.800-122]3 and design approaches for safeguarding user privacy compliant with the legal requirements of the user's location (e.g. GDPR [EU.GDPR]2). This should extend to data gathered via Web APIs from third party platform suppliers. | Business | Advisory for all classes |
Footnotes
-
Information Commissioner's Office, "UK GDPR guidance and resources". https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/. ↩
-
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). ↩ ↩2
-
NIST Special Publication 800-122 "Guide to Protecting the Confidentiality of Personally Easily Identifiable Information (PII)", April 2010. https://csrc.nist.gov/pubs/sp/800/122/final. ↩ ↩2