usnistgov / NISTIR-8112

Attribute Metadata Publication

introduce 'sensitivity classification' in classification section #69

Closed JaapFrancke closed 7 years ago

JaapFrancke commented 7 years ago

Organization: 2 www.iwelcome.com

Type:

Reference (Include section and paragraph number): 3.2.1.5

Comment (Include rationale for comment):

The classification section currently has a 'classification' attribute, which can be used to document an attribute's security classification. For processing of personal data, a sensitivity/confidentiality classification may also be relevant. For example, a person's racial or ethnic origin, sex life or sexual orientation should be treated with a higher level of confidentiality than 'regular' personal data like address information.

Suggested Change:

A 'privacy/sensitivity/confidentiality classification' could be added to document an attribute's classification. Recommended values could be:

In the context of the EU's GDPR, this privacy classification is defined by http://www.privacy-regulation.eu/en/9.htm

Alternately, the definition of the 'classification' data could be made more general: "A sensitivity, confidentiality, security or any other classification level of the attribute"



---

Organization: 1 = Federal, 2 = Industry, 3 = Other

RGalluzzo commented 7 years ago

We had considered including this during initial discussions, but consider that attributes bound to an identity are inherently PII and sensitive personal information. We added text to clarify this in the current version.