Let’s start by stating the obvious: identity management systems must abide by provincial/state and national laws. An IAM assessment needs to identify the laws and legislation that govern the organization to ensure identity-related systems are appropriately structured and legally compliant.
(Disclaimer: I’m not a lawyer, not even close… I don’t even watch Law and Order anymore! Please consider this article general information only. For some actual legal opinion, check out the Canadian Privacy Law Blog.)
When implementing an IAM system, a review of the legal aspects of identity is important. Issues can arise when identity management systems do not consider the legal requirements. For example, privacy legislation may put limits on what type of information an organization may collect and store (e.g. sensitive personal information). Or there may be legal limits on how information is shared, or how a user is notified about identity information sharing.
On the flip side, misunderstandings about what legislation allows and disallows can lead to poor user experiences or systems with reduced functions. In one case, I was developing an identity strategy for a client who is subject to some fairly specific privacy legislation. We wanted to share identity information between business applications and with other partners.
Several senior people in the sessions insisted that the act disallowed this type of information sharing. I knew there were restrictions so I sifted through the actual privacy legislation to be sure. I was surprised to find that the restriction was not as severe as the group thought. The act stated that the intended use of personal information needed to be clearly stated, and that the individual needed to consent to this use. This clarification allowed the group to create a framework for collecting identity information for a specific use, collecting consent from their users, and then sharing the identity information within the stated use.
By including a legal review in an IAM assessment or solution project, clients can have confidence that their systems are compliant with their obligations.
Mike
Privacy considerations in identity management projects are, as you say, very important, but oddly enough they are often overlooked. There is a common perception that the security aspects of identity management solutions handle a privacy issues, which is only partly true. While privacy is dependent on adequate security, as you note there are aspects of privacy compliance, such as notification and consent, that go beyond pure security considerations. It is critical that any identity management project undertake a careful assessment of the requirements imposed by the applicable privacy legislation. Your experience with the overestimation of privacy restrictions is not uncommon, but the converse is not uncommon either.