Meeting notes from July 28, 2014

From IDESG Wiki

7/28/14 Privacy Requirements Working Group Meeting Notes

Meeting Notes

Risk: Breach of Trust

  • Tabled until 8/4/14 - Stuart Shapiro to provide proposed edits.

Risk: Distortion

  • Requirement: Prior to transmitting an individual's information to another organization, organizations shall ensure that all data quality obligations have been met.
    • Comment: In the case that both organizations belong to a larger consortium/entity that has governing agreements about data quality standards, this requirement may be met by conforming to those requirements.

Risk: Exclusion

  • PRWG agreed other subject-matter committees may have requirements to cover this risk.

Risk: Induced Disclosure

  • Requirement: Organizations shall clearly indicate to individuals what personal information is mandatory and what information is optional prior to the transaction.
    • Comment: In functional requirements, we should discuss how organizations should communicate "mandatory" (e.g., more than a "*") and "optional", and provide guidance about how to clearly communicate the exchange of information for level of service with users.

Risk: Insecurity

  • Requirement: Organizations shall maximize use of architectural and technical point controls for privacy.
    • Comment: More clarity about how to realize this will be defined during the decision tree/functional requirement analysis.

Actions:

  • Stuart Shapiro to provide proposed edits to Breach of Trust risk requirement.
  • Ann Racuya-Robbins to prepare definitional draft for functional requirements work on "Valuation" concept in Appropriation risk requirement.