Meeting notes from June 16, 2014
Privacy Requirements Working Group Meeting notes from June 16, 2014
Requirement: "Organizations shall provide concise, meaningful, timely, and easy-to-understand notice to end-users on how they collect, use, disseminate, and maintain personal information...."
- What is "superfluous leakage"? Who does it leak to?
- Are there good leakages?
- Is anything that is not in the EULA included in superfluous leakage?
- Should service agreements dictate the boundaries of information collection? What if the agreement is too broad?
- Can this be a positive?
- Privacy-enhancing technology is how, not what. Too much influence on implementation.
Requirement: "Organizations shall only transmit minimally-necessary information."
- What are IdPs going to say there?
- Much of data minimization is covered by requirement 2.
Requirement: "Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information."
- Are there situations in which the ability to remove information is undesirable?
- What if it disrupts functionality of the service?
- What does "appropriate" cover?
- Would this requirement, as worded, help individuals point organizations toward new information they may not already hold? Does mechanism hold that?
- Does "appropriate" cover the size/scope of an organization? Do we need to cover that in functional requirements?
- Can this requirement be a good place to provide a decision tree to determine what appropriate is?