Meeting notes from June 30, 2014

From IDESG Wiki

6/30/14 Privacy Requirements Working Group Meeting Notes

Agenda

  • 4:00-4:05pm: Meeting begins, call for note-taker
  • 4:05-4:25: Complete requirement review: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."
    • "Used" is too narrow - does not cover transmission, collection, etc.
    • Other requirements don't relate to use - do we need to change them to include use, or can changes be made to this requirement to be broader?
    • Are any other uses of data outside of the user's agreement allowed (based on other requirements)?
    • How can we include the concept of appropriate use?
  • 4:25-4:40: Review requirement - "Organizations shall protect, transfer at the individual’s request, and securely destroy information when terminating business operations or overall participation in the Identity Ecosystem."
    • This requirement was tabled last week.
  • 4:40-4:55: Review requirement - "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused."
  • 4:55-5:00: Review next steps/actions, set agenda for next week.
Meeting Notes

Requirement: "Organizations shall be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification."

  • Requirement clarified to provide broader mandate. "Organizations shall be accountable for conformance to these requirements, and provide mechanisms for auditing, validation, and verification."

Requirement: "Organizations shall protect, transfer at the individual’s request, and securely destroy information when terminating business operations or overall participation in the Identity Ecosystem."

  • Proactive Privacy Subcommittee work provided language to clarify: "When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise."

Requirement: "Organizations shall provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused."

  • Committee should reference comments from Requirement.
  • Are "data" and "misuse" too limiting a scope for redress? Redress could, for example, cover an organization asking for too much data.
  • Redress should be available to correct a wider range of concerns about the relationship between individuals and organizations.
  • Next PRWG meeting will begin with a discussion of how to reflect these concerns in a clarifying edit. Likely will focus on changing the end clause: "individuals who believe their data may have been misused."