Identity Proofing - Additional Attribute Collection, v3.0

Requirements for collecting additional attributes during identity proofing.

Assessment Steps (3)

1
Attributes Collected (AttributesCollected)
Does the CSP process attributes which it collects and stores for purposes other than identity proofing?
Artifact
Documentation
Provide policy or practices indicating conformance to the requirement.
2
Attribute Risk Documented (AttributeRiskDocumented)
Does the CSP document all risk associated with the collection of these attributes?
Artifact
Documentation
Provide policy or practices indicating conformance to the requirement.
3
Consent (Consent)
Does the CSP NOT make processing these attributes a condition of provisioning?
Artifact
Documentation
Provide policy or practices indicating conformance to the requirement.

Conformance Criteria (3)

Attributes Collected
If the CSP processes attributes which it collects and stores for purposes other than identity proofing, authentication, or attribute assertions, related fraud mitigation, or to comply with law or legal process, it SHALL:
Citation
SP800-63A
Section 4.2 P4
Attribute Risk Documented
For attribute collection, the CSP must document and apply predictability and manageability measures associated with those additional processes based on the results of its privacy risk assessment.
Citation
SP800-63A
Section 4.2 P4
Consent
The CSP must NOT make consent to processing of these additional attributes a condition of provision of the service.
Citation
SP800-63A
Section 4.2 P4