2.4.12 Privacy

The intended audience for this section is personnel responsible for Data Protection and Privacy regulatory compliance.

| Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
|---|---|---|---|---|
| 2.4.12.1 | The product/service stores the minimum amount of Personal Information from users required for the operation of the service. | Mandatory for Class 1 and above | Business | Policy |
| 2.4.12.2 | The product/service ensures that all Personal Information is encrypted for confidentiality (both when stored and if communicated out of the device) and only accessible after successful authentication and authorisation. Note: authentication only proves who you are, but authorisation confirms if you are allowed access to the PI. The cryptography must be of sufficient strength to protect the Personal Information for however long it is expected to be retained (or remain confidential). | Mandatory for Class 3 and above | Business | Policy |
| 2.4.12.3 | The product/service ensures that only authorised personnel have access to personal data of users. | Mandatory for Class 1 and above | Business | Policy |
| 2.4.12.4 | The product/service ensures that Personal Information is anonymised whenever possible and in particular in any reporting. | Mandatory for Class 1 and above | Business | Policy |
| 2.4.12.5 | The Product Manufacturer or Service Provider shall ensure that a data retention policy is in place and documented for users. | Mandatory for Class 1 and above | Business | Policy |
| 2.4.12.6 | There is a method or methods for the product owner to be informed about what Personal Information is collected, why, where it will be stored and processed, and by whom and for what purposes. This includes sensing capabilities, such as sound or video recording, biometrics, location, etc. | Mandatory for Class 1 and above | Business | Process |
| 2.4.12.7 | There is a method or methods for each user to check/verify what Personal Information is collected. | Mandatory for Class 1 and above | Business | Process |
| 2.4.12.8 | The product / service can be made compliant with the local and/or regional Personal Information protection legislation where the product is to be sold. For example GDPR [ref 14] [1]. | Mandatory for Class 1 and above | Business | Process |
| 2.4.12.9 | The supplier or manufacturer of any device shall provide documented information to end users about how the device(s) functions within the end user’s network may affect their privacy. | Advisory for all classes | Business | Process |
| 2.4.12.10 | The supplier or manufacturer of any device or devices shall provide clear information about how the device(s) should be set up to maintain the end user’s privacy and security. | Mandatory for all classes | Business | Process |
| 2.4.12.11 | The supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal or replacement shall be carried out to maintain the end user’s privacy and security, including deletion of all personal information from the device and any associated services. | Mandatory for Class 1 and above | Business | Process |
| 2.4.12.12 | The supplier or manufacturer of any devices or services shall provide clear information about the end user’s responsibilities to maintain the devices and/or services privacy and security. | Mandatory for Class 1 and above | Business | Process |
| 2.4.12.13 | Security of devices and services should be designed with usability in mind (reducing user decision points that may have a detrimental impact on privacy and security). | Mandatory for Class 1 and above | System | Software |
| 2.4.12.14 | The product or service only records audio/visual/or any other data in accordance with the authorisation of the user (e.g., no passive recording without explicit authorisation). | Mandatory for Class 1 and above | System | Software |
| 2.4.12.15 | The supplier or manufacturer performs a privacy impact assessment (PIA) to identify Personally Identifiable Information (PII) and design approaches for safeguarding user privacy compliant with the legal requirements of the user's location (e.g. GDPR). This should extend to data gathered via Web APIs from third party platform suppliers. | Advisory for all classes | Business | Process |

Footnotes

  1. Overview of the General Data Protection Regulations (GDPR), ICO: [https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr]