Meeting notes from June 16, 2014

Privacy Requirements Working Group Meeting notes from June 16, 2014

Requirement: "Organizations shall provide concise, meaningful, timely, and easy-to-understand notice to end-users on how they collect, use, disseminate, and maintain personal information...."

• What is "superfluous leakage"? Who does it leak to?
• Are there good leakages?
• Is anything that is not in the EULA include superfluous leakage?
• Should service agreements dictate the boundries of information collection? What if the agreement is too broad?
• Can this be a positive?
• Privacy-enhancing technology is how, not what. too much influence on implementation.

Requirement: "Organizations shall only transmit minimally-necessary information."

• What are IDP's going to say there?
• Much of data minimization covered by requirement 2.

Requirement: "Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information."

• Are there situations in which the ability to remove information is undesirable?
• What if it disrupts functionality of the service?
• What does "appropriate" cover?
• Would this requirement, as worded, help individuals point organizations toward new information they may not already hold? Does mechanism hold that?
• Does "appropriate" cover the size/scope of an organization? Do we need to cover that in functional requirements.
• Can this requirement be a good place to provide a decision tree to determine what appropriate is?