Meeting notes from July 7, 2014

From IDESG Wiki
Jump to navigation Jump to search

7/7/14 Privacy Requirements Working Group Meeting Notes

Agenda

  • 4:00-4:05 - Call begins, call for notetaker
  • 4:05-4:20 - Review Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
    • Is "data" and "misuse" too limiting of a scope for redress? It could, for example, include asking for too much data.
    • Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations
  • 4:20-4:35 - Review Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
  • 4:35-4:50 - Review Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
  • 4:50-5:00 - Wrap-up

Meeting Notes

  • Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
    • Edit: "Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification."
    • Will need to provide definitions for the auditing, validation, and verification.
  • Requirement: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused."
    • Edit: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their rights under these requriements have been violated."
    • See Requirement 6 comments.
    • Is "data" and "misuse" too limiting of a scope for redress? It could, for example, include asking for too much data.
    • Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations"
  • Requirement: "Where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices shall be automatically applied to all parties with whom that individual interacts."
    • Edit: "Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction."
    • There will need to be recognition in the functional requirements for different choices across contexts.
  • Requirement: "Organizations shall utilize identity solutions that enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified."
    • Edit: "Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified."
    • "Feasible" will need to be defined, including a method for justifying why organizations chose not to include this functionality (beyond just basic cost-benefit analysis).
    • Decision tree can be used to illustrate these justifications."
  • Actions:
    • Stuart Shapiro to provide additional Derived Requirements
    • Sean Brooks to develop comment format for Functional Requirements

Attendees

  • Sean Brooks
  • Sarah Branam
  • Jim Zok
  • Jim Fenton
  • Stuart Shapiro
  • Edmund Jay
  • Jeff Brennan
  • Jennifer Behrens
  • David Bruggeman
  • Michael Garcia