Privacy Principles

Columns of the original sheet: Reference, #, Status, Name/Title, Statement, Description, Scope (V = Verifier, I = Issuer, P = Provider, as encoded in the Reference), Privacy Principle (one of the column codes PP, CC, PL, CL, DM, UR, AQ, OT, IA, AC, IS, PC; each row is marked under exactly one), Related Requirements (empty for every row).

Reference: 1_IP_CC
#: 1
Status: Submitted
Name/Title: Selected Data Release
Statement: The Issuer must ensure the existence of functionality allowing selective data release.
Description: The Issuer must ensure that the mobile credential app allows the mobile credential holder to share mobile credential data elements selectively. For example, if a request is for data elements A, B, and C, it must be possible for the mobile credential holder to release only elements A and B.
Scope: Issuer, Provider
Principle: CC

Reference: 2_VIP_IS
#: 2
Status: Submitted
Name/Title: Encrypted Channel Transactions
Statement: All identifying data shall be transacted through encrypted channels.
Description: To provide holders and verifiers with confidentiality, verifiers shall only transact identifying data through encrypted secure channels, to prevent exposure to third parties.
Note: In the context of a digital ID, identifying data also includes unique identifiers such as public keys and digest salt values.
Scope: Verifier, Issuer, Provider
Principle: IS

Reference: 3_P_OT
#: 3
Status: Submitted
Name/Title: Transparency at presentment
Statement: Transparency to the Holder at mobile credential presentment.
Description: Providers must identify which identity attributes are being requested, in addition to which attributes will be retained by the verifier.
Scope: Provider
Principle: OT

Reference: 4_V_AC
#: 4
Status: Submitted
Name/Title: Contextually appropriate Verifier Identification
Statement: Verifiers shall identify themselves to the Holder with enough detail, in the context of the transaction, to help the Holder decide whether to proceed with the transaction.
Description: For the Holder to proceed with a transaction, the first step is that the Verifier identifies itself in context. A context might be admission to a stadium; another might be a medical office. The Holder can verify for themselves that they are in the stadium or the doctor's office, and the Holder Agent should be able to validate that.
Scope: Verifier
Principle: AC

Reference: 5_P_PL
#: 5
Status: Submitted
Name/Title: Inform users of Verifier policies
Statement: Wallet [sic] Providers (Holder Agent) must communicate to the Holder any attestations about data use associated with a verifier in the context of the transaction.
Description: When a Holder Agent receives attestations from a verifier, those attestations must be made available to the Holder. To inform users of a verifier's use case and retention policy, along with the data requested, the provider should communicate to users how the verifier has claimed it will use the data and how long it expects to retain it.
Scope: Provider
Principle: PL

Reference: 6_V_PL
#: 6
Status: Submitted
Name/Title: Verifiers must publicly state the purposes for collection
Statement: Verifiers must publicly state the purposes for collection.
Description: (none)
Scope: Verifier
Principle: PL

Reference: 7_V_CL
#: 7
Status: Submitted
Name/Title: Verifiers minimize collection
Statement: Verifiers shall not request more than the strictly necessary PII to provide their services.
Description: Verifiers shall only request the PII strictly necessary to provide their services, according to justified purposes for data processing. When no identification of the user is needed, Verifiers should accept an isolated proof of attributes via selective disclosure techniques or, when possible, zero-knowledge proofs.
Scope: Verifier
Principle: CL

Reference: 8_V_CC
#: 8
Status: Submitted
Name/Title: Context for user consent
Statement: Verifiers should request user consent prior to the presentation from the Holder's mobile credential, but after presenting a notice.
Description: For in-person presentation, consent may be assumed to be implicit because the Holder has the option of not opening or presenting their mobile device. This implied consent should only apply to the minimum data required to fulfil the implicit purposes of the interaction. For example, presenting the mobile device for age verification implies consent for a yes/no age verification and a proof of possession (i.e. a photo of the Holder). Similarly, there is no implied necessity for the retention of that data. Any other data request or retention would need notice and explicit consent.
Scope: Verifier
Principle: CC

Reference: 9_V_UR
#: 9
Status: Submitted
Name/Title: Declare retention period
Statement: Verifiers shall state a retention period for PII in their consent request.
Description: Verifiers shall communicate to the user the retention period for PII, or that no PII will be retained. *Point of discussion: offline scenarios, if consent is agreed to be implicit.
Scope: Verifier
Principle: UR

Reference: 10_V_UR
#: 10
Status: Submitted
Name/Title: Justifiable PII storage
Statement: Verifiers shall not store any PII unless the user consents or storage is justified for Law Enforcement purposes.
Description: Verifiers shall not store any PII unless the user has consented for a specific purpose (e.g., marketing) or storage is required for accountability reasons.
Scope: Verifier
Principle: UR

Reference: 11_V_PL
#: 11
Status: Submitted
Name/Title: Segregated Accountability
Statement: Verifiers shall not enter into collusive practices with Issuing Authorities or other Verifiers.
Description: To avoid dilution of accountability or the possibility of regulatory capture, Verifiers shall not engage in practices to discover the uses of mDLs, enable user re-identification, or enable traceability across Verifiers.
Scope: Verifier
Principle: PL

Reference: 12_V_IS
#: 12
Status: Submitted
Name/Title: Secure storage
Statement: Verifiers shall adopt appropriate measures to ensure the security of stored PII.
Description: If storage is required, Verifiers shall implement privacy by design and by default techniques (e.g., anonymization or pseudonymization of data).
Scope: Verifier
Principle: IS

Reference: 13_V_OT
#: 13
Status: Submitted
Name/Title: Data subject rights
Statement: Verifiers shall implement appropriate means to guarantee the exercise of data subject rights.
Description: If Verifiers store any data (*in particular for online scenarios), they shall guarantee that the user can access and request the modification or erasure of their PII.
Scope: Verifier
Principle: OT

Reference: 14_V_AC
#: 14
Status: Submitted
Name/Title: Verifier Data Registry
Statement: Verifiers shall maintain appropriate registries and ensure access to Law Enforcement Authorities for accountability.
Description: In compliance with the applicable law, Verifiers shall retain and make available requested data to Law Enforcement Authorities for accountability purposes.
Scope: Verifier
Principle: AC

Reference: 15_V_DM
#: 15
Status: Submitted
Name/Title: Verifier Re-identification
Statement: Verifiers shall not combine any PII to re-identify the data subject unless the user has consented.
Description: Verifiers shall not combine presented data to identify the user or establish patterns unless the user has previously been informed and has consented.
Scope: Verifier
Principle: DM

Reference: 16_V_DM
#: 16
Status: Submitted
Name/Title: Verifiers must only request the minimum data required for their transaction
Statement: Verifiers shall only request the minimum data required for their transaction.
Description: To avoid excessive collection of data, the Verifier's attested data fields should map to the minimum required to meet its attested use case.
Scope: Verifier
Principle: DM

Reference: 17_VIP_IA
#: 17
Status: Submitted
Name/Title: Mobile Credentials must be made available to all subjects that have rights granted by the Issuer
Statement: The Issuer, the Verifier and all Providers must ensure access for all subjects that have rights granted by the Issuer, regardless of any special needs the subject may have.
Description: (none)
Scope: Verifier, Issuer, Provider
Principle: IA
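Rows 1 and 7 call for selective release of individual data elements, and the note on row 2 counts the salts behind the digests as identifying data. The Python below is an added illustration, not code from the original principles table or from any mobile-credential project: a simplified salted-digest commitment scheme (an assumption, not a claim about any specific standard) in which the issuer salts and digests each element and signs the digest list, the holder releases only the elements it agrees to, and the verifier recomputes the digests of what it received. HMAC stands in for the issuer signature, and the issuer key, element names and values are constructed sample data. The `linkable` check goes beyond what the rows state, to show why fixed salts and digests are identifying.

```python
"""Selective data release with salted digests (added illustration).

Simplified hash-commitment construction, constructed for this page: the
issuer salts and digests each data element and signs the digest list; the
holder releases only the elements it agrees to; the verifier recomputes the
digests of what it received. HMAC stands in for the issuer signature, and
the key and element values below are constructed sample data.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample issuer key; a real issuer would sign with a private key.
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt: bytes, name: str, value: str) -> str:
    # Commit to (name, value) under a per-element random salt.
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()


def _sign(digests: list, key: bytes) -> str:
    return hmac.new(key, json.dumps(digests).encode(), "sha256").hexdigest()


def issue(elements: dict, key: bytes = ISSUER_KEY) -> tuple:
    """Issuer side: one random salt per element, plus a signed list of digests."""
    items, digests = {}, []
    for name, value in elements.items():
        salt = secrets.token_bytes(16)
        items[name] = {"salt": salt.hex(), "value": value}
        digests.append(_digest(salt, name, value))
    digests.sort()  # digest order carries no information about the elements
    return items, {"digests": digests, "sig": _sign(digests, key)}


def present(items: dict, signed: dict, requested: list, release: list) -> dict:
    """Holder side: release only the elements the holder agreed to, even when
    the request asked for more (request A, B, C; release A and B)."""
    disclosed = {n: dict(items[n]) for n in release if n in items and n in requested}
    return {"requested": list(requested), "disclosed": disclosed, "signed": signed}


def verify(presentation: dict, key: bytes = ISSUER_KEY):
    """Verifier side: check the issuer signature over the full digest list,
    then that every released element recomputes to a signed digest.
    Returns the verified elements, or None on any failure."""
    signed = presentation["signed"]
    if not hmac.compare_digest(_sign(signed["digests"], key), signed["sig"]):
        return None
    verified = {}
    for name, item in presentation["disclosed"].items():
        if _digest(bytes.fromhex(item["salt"]), name, item["value"]) not in signed["digests"]:
            return None
        verified[name] = item["value"]
    return verified


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations are correlatable if they share any salt or digest.
    These values are fixed at issuance, so they identify the credential even
    when the disclosed elements differ, which is why row 2 of the table
    counts them as identifying data."""
    def identifiers(p):
        return {i["salt"] for i in p["disclosed"].values()} | set(p["signed"]["digests"])
    return bool(identifiers(p1) & identifiers(p2))


if __name__ == "__main__":
    items, signed = issue({"family_name": "Doe", "birth_date": "1990-01-01", "age_over_18": "true"})
    # Verifier asks for three elements; the holder releases two of them.
    p = present(items, signed, ["family_name", "birth_date", "age_over_18"], ["family_name", "age_over_18"])
    print(verify(p))       # {'family_name': 'Doe', 'age_over_18': 'true'}
    # An age check only needs the isolated attribute (row 7).
    q = present(items, signed, ["age_over_18"], ["age_over_18"])
    print(verify(q))       # {'age_over_18': 'true'}
    print(linkable(p, q))  # True: same salts and digest list
```

Because the salts and the digest list are fixed at issuance, any party that sees two presentations of the same credential can correlate them, including colluding Verifiers (rows 11 and 15), regardless of which elements were released. That is the concrete reason row 2 treats salts and digests as identifying data that must travel only over an encrypted channel; the usual mitigation is to issue a batch of single-use credentials, each with fresh salts.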