Meeting notes from May 12, 2014: Difference between revisions

Notes from May 12, 2014 Privacy Requirements Working Group Meeting

PRWG wants to shift strategies to massage existing derived requirements

• Quick turnaround
• Potentially add in some more info regarding risks
• Want to burrow down after that and build out a "something" that defines what requirements
  • "construct trees" in order to view privacy chains of action/events
• Don't want to "radically" rework the requirements
• Some general high level requirements may be missing - group wants to review to identify those
• Is the audience for these requirements something other than a trustmark review process?

Derived requirements:

• "Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements."
  • Within the context of these derived requirements, "Transaction" refers to identity-specific transactions
  • Data minimization principles should apply to all transactions - including those conducted anonymously and pseudonymously
• "Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes."
  • Proposed change: "…to specify transactional purposes."
  • Proposed change: "… to the specific purposes for which the information was collected."