The organization must establish written agreements with all parties involved in data sharing interfaces, including data-requesting entities, data-offering entities, and any intermediaries. These agreements must clearly define the roles and responsibilities of each party regarding the security of data sharing operations.

All agreements must be in writing and must explicitly state the security responsibilities of each party. Clear responsibility boundaries must be established between the requesting entity, the offering entity, and any intermediaries involved in data exchange.

The data-offering entity is responsible for:
- Providing secure user authentication mechanisms that are trusted by the entities accessing the data sharing interface
- Verifying the legitimacy and identity of the data sharing interface and ensuring it can be validated by requesting entities
- Enforcing read and write permissions at the information element level based on individual user authorization
- Avoiding unnecessary intermediate storage of data transmitted through the interface
- Making common authentication components available where applicable and appropriate

The data-requesting entity is responsible for:
- Verifying that the user holds the necessary authorizations for the relevant data sharing interface prior to requesting access
- Ensuring that access requests are made only through legitimately verified data sharing interfaces
- Using common components for consumer authentication where available and appropriate
- Avoiding unnecessary intermediate storage of data received through the interface