Meeting notes from May 12, 2014
From IDESG Wiki
Notes from May 12, 2014 Privacy Requirements Working Group Meeting
PRWG wants to shift strategies to massage existing derived requirements
- Quick turnaround
- Potentially add in some more info regarding risks
- Want to burrow down after that and build out a "something" that defines what requirements
- "construct trees" in order to view privacy chains of action/events
- Don't want to "radically" rework the requirements
- Some general high-level requirements may be missing - group wants to review to identify those
- Is the audience for these requirements something other than a trustmark review process?
- "Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements."
- Within the context of these derived requirements, "Transaction" refers to identity-specific transactions
- Data minimization principles should apply to all transactions - including those conducted anonymously and pseudonymously
- "Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes."
- Proposed change: "…to specify transactional purposes."
- Proposed change: "… to the specific purposes for which the information was collected."