313 – Inform inability to identify users

Summary

The system must inform its users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.

Description

Systems usually request information from their users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if users can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and it can demonstrate this, it must inform them of this situation.

Supported In

Advanced: True

References

• GDPR-11_2. Processing which does not require identification
• PDPA-6A_26B. Notifiable data breaches
• CMMC-AU_L2-3_3_4. Audit failure alerting
• CMMC-CM_L2-3_4_8. Application execution policy
• HITRUST-11_a. Reporting information security events
• IEC62443-SI-3_7. Error handling
• NISTSSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
• OWASPRISKS-P3. Insufficient data breach response

Weaknesses

• 088 – Privacy violation

Last updated

2023/09/18