This is a very generic question which may have been answered by someone already. I'd appreciate it if anyone can point me in that direction.
Is there a generic list of attributes that can be shared as part of SAML federation partnership?
What are the general guidelines for information that can be shared with third parties?
What kind of approvals does IT have to go through before allowing information to be shared with third parties?
What are the guidelines to define a specific attribute as PII or not?
Some attributes, such as email, can be considered personal in Europe but not in the US. If a company has employees across all regions, who should create the policy that complies with all regions?
I understand this differs from company to company, but I am wondering if there is a generic policy which can be used as a base to customize for our company's needs.
Thanks in advance.
Generally speaking, you should send the least amount of data required to do the job. As you mentioned, the PII requirements will usually steer this where it needs to go. Having said that, a large number of clients I've experienced do not adhere to that philosophy. Using opaque identifiers between partners helps to alleviate the concern most of the time. Here are a few places to get you started on PII:
I agree with Jeff Minder; the general consensus is to only send the least amount of information possible and, where possible, apply pseudonymisation, since "pseudonymisation to personal data can reduce the risks to the data subjects concerned".
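Both answers above recommend the same two controls: release only the attributes a partner actually needs, and give each partner an opaque identifier instead of the internal user id or email. The following is an added example (not code from either answer or from any SAML product) of how an identity provider can implement both. It assumes a per-partner secret held only by the IdP and a per-partner release policy; the partner entity IDs, secrets, and the sample user record are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed per-partner secrets. In production these live in a secret store,
# one per federation partner, and are never shared with the partner itself.
PARTNER_SECRETS = {
    "https://sp.partner-a.example/saml": b"constructed-secret-for-partner-a",
    "https://sp.partner-b.example/saml": b"constructed-secret-for-partner-b",
}

# Constructed attribute-release policy: each partner gets only what its
# integration needs (assumption: partner A needs a role, partner B needs
# role and mail). Anything not listed is never sent.
RELEASE_POLICY = {
    "https://sp.partner-a.example/saml": {"role"},
    "https://sp.partner-b.example/saml": {"role", "mail"},
}

# Constructed sample directory record for one user.
SAMPLE_USER = {
    "internal_id": "emp-10042",
    "mail": "a.smith@corp.example",
    "role": "engineer",
    "phone": "+1-555-0100",
}


def pairwise_subject_id(internal_user_id: str, sp_entity_id: str) -> str:
    """Opaque, stable, per-partner identifier for a user.

    A keyed HMAC (not a plain hash) is used so that a partner who knows or can
    guess employee ids cannot re-derive the value, and a different key per
    partner means two partners cannot correlate the same user across them.
    """
    if sp_entity_id not in PARTNER_SECRETS:
        raise ValueError(f"unknown federation partner: {sp_entity_id}")
    msg = f"{sp_entity_id}\x00{internal_user_id}".encode()
    mac = hmac.new(PARTNER_SECRETS[sp_entity_id], msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def select_attributes(user: dict, sp_entity_id: str) -> dict:
    """Apply the least-data policy: keep only attributes released to this partner."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: value for name, value in user.items() if name in allowed}


def build_subject_and_attributes(user: dict, sp_entity_id: str) -> str:
    """Return the Subject and AttributeStatement XML an IdP would place in an assertion.

    Signing, conditions, and the rest of the assertion are out of scope here;
    the point is that the internal id and unreleased attributes never appear.
    """
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=NAMEID_PERSISTENT)
    name_id.text = pairwise_subject_id(user["internal_id"], sp_entity_id)
    statement = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in sorted(select_attributes(user, sp_entity_id).items()):
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for partner in RELEASE_POLICY:
        print(partner)
        print(build_subject_and_attributes(SAMPLE_USER, partner))
```

Running it shows the same user appearing under two unrelated NameID values at the two partners, with partner A receiving only `role` and partner B receiving `role` and `mail`; the employee id and phone number are absent from both. If a partner genuinely needs to contact the user, the release policy for that partner is the single place where that decision is recorded and reviewed.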