Meeting notes from June 16, 2014

From IDESG Wiki
Jump to navigation Jump to search

Privacy Requirements Working Group Meeting notes from June 16, 2014

Requirement: "Organizations shall provide concise, meaningful, timely, and easy-to-understand notice to end-users on how they collect, use, disseminate, and maintain personal information...."

  • What is "superfluous leakage"? Who does it leak to?
  • Are there good leakages?
  • Is anything that is not in the EULA include superfluous leakage?
  • Should service agreements dictate the boundries of information collection? What if the agreement is too broad?
  • Can this be a positive?
  • Privacy-enhancing technology is how, not what. too much influence on implementation.

Requirement: "Organizations shall only transmit minimally-necessary information."

  • What are IDP's going to say there?
  • Much of data minimization covered by requirement 2.

Requirement: "Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information."

  • Are there situations in which the ability to remove information is undesirable?
  • What if it disrupts functionality of the service?
  • What does "appropriate" cover?
  • Would this requirement, as worded, help individuals point organizations toward new information they may not already hold? Does mechanism hold that?
  • Does "appropriate" cover the size/scope of an organization? Do we need to cover that in functional requirements.
  • Can this requirement be a good place to provide a decision tree to determine what appropriate is?