Meeting notes from May 12, 2014

From IDESG Wiki

Notes from May 12, 2014 Privacy Requirements Working Group Meeting

PRWG wants to shift its strategy to refining the existing derived requirements

  • Quick turnaround
  • Potentially add in some more info regarding risks
  • Want to burrow down after that and build out a "something" that defines what requirements
    • "construct trees" in order to view privacy chains of action/events
  • Don't want to "radically" rework the requirements
  • Some general high-level requirements may be missing; the group wants to review the set to identify those
  • Is the audience for these requirements something other than a trustmark review process?

Derived requirements:

  • "Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements."
    • Within the context of these derived requirements, "Transaction" refers to identity-specific transactions
    • Data minimization principles should apply to all transactions - including those conducted anonymously and pseudonymously
  • "Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes."
    • Proposed change: "…to specify transactional purposes."
    • Proposed change: "… to the specific purposes for which the information was collected."