Meeting notes from July 7, 2014: Difference between revisions

7/7/14 Privacy Requirements Working Group Meeting Notes

Agenda

• 4:00-4:05 - Call begins, call for notetaker
• 4:05-4:20 - Review Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
  • Is "data" and "misuse" too limiting of a scope for redress? It could, for example, include asking for too much data.
  • Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations
• 4:20-4:35 - Review Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
• 4:35-4:50 - Review Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
• 4:50-5:00 - Wrap-up

Meeting Notes

• Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
  • Edit: "Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification."
  • Will need to provide definitions for the auditing, validation, and verification.
• Requirement: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused."
  • Edit: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requriements have been violated."
  • See Requirement 6 comments.
  • Is "data" and "misuse" too limiting of a scope for redress? It could, for example, include asking for too much data.
  • Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations"
• Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
  • Edit: "Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction."
  • There will need to be recognition in the functional requirements for different choices across contexts.
• Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
  • Edit: "Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified."
  • "Feasible" will need to be defined, including a method for justifying why organizations chose not to include this functionality (beyond just basic cost-benefit analysis).
  • Decision tree can be used to illustrate these justifications."

• Actions:
  • Stuart Shapiro to provide additional Derived Requirements
  • Sean Brooks to develop comment format for Functional Requirements

Attendees

• Sean Brooks
• Sarah Branam
• Jim Zok
• Jim Fenton
• Stuart Shapiro
• Edmund Jay
• Jeff Brennan
• Jennifer Behrens
• David Bruggeman
• Michael Garcia