Meeting notes from May 12, 2014

From IDESG Wiki

Notes from May 12, 2014 Privacy Requirements Working Group Meeting

PRWG wants to shift strategies to massage existing derived requirements

  • Quick turnaround
  • Potentially add in some more info regarding risks
  • Want to burrow down after that and build out a "something" that defines what requirements
    • "construct trees" in order to view privacy chains of action/events
  • Don't want to "radically" rework the requirements
  • Some general high level requirements may be missing - group wants to review to identify those
  • Is the audience for these requirements something other than a trustmark review process?

Derived requirements:

  • "Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements."
    • Within the context of these derived requirements, "Transaction" refers to identity-specific transactions
    • Data minimization principles should apply to all transactions - including those conducted anonymously and pseudonymously
  • "Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes."
    • Proposed change: "…to specify transactional purposes."
    • Proposed change: "… to the specific purposes for which the information was collected."