Meeting notes from July 7, 2014
7/7/14 Privacy Requirements Working Group Meeting Notes
Agenda
- 4:00-4:05 - Call begins, call for notetaker
- 4:05-4:20 - Review Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
- Are "data" and "misuse" too limiting a scope for redress? It could, for example, include asking for too much data.
- Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations
- 4:20-4:35 - Review Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
- 4:35-4:50 - Review Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
- 4:50-5:00 - Wrap-up
Meeting Notes
- Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
- Edit: "Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification."
- Will need to provide definitions for the auditing, validation, and verification.
- Requirement: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused."
- Edit: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requirements have been violated."
- See Requirement 6 comments.
- Are "data" and "misuse" too limiting a scope for redress? It could, for example, include asking for too much data.
- Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations.
- Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
- Edit: "Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction."
- There will need to be recognition in the functional requirements for different choices across contexts.
- Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
- Edit: "Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified."
- "Feasible" will need to be defined, including a method for justifying why organizations chose not to include this functionality (beyond just basic cost-benefit analysis).
- A decision tree can be used to illustrate these justifications.
- Actions:
- Stuart Shapiro to provide additional Derived Requirements
- Sean Brooks to develop comment format for Functional Requirements
Attendees
- Sean Brooks
- Sarah Branam
- Jim Zok
- Jim Fenton
- Stuart Shapiro
- Edmund Jay
- Jeff Brennan
- Jennifer Behrens
- David Bruggeman
- Michael Garcia