Meeting notes from November 3, 2014

From IDESG Wiki

11/3/14 Privacy Requirements Working Group Meeting Notes

Attendees

  • Jennifer Behrens
  • Sean Brooks
  • David Bruggeman
  • Jessica Esparza
  • Jim Fenton
  • Edmund Jay
  • Naomi Lefkovitz
  • Ellen Nadeau
  • Ann Racuya-Robbins
  • Jim Kragh

Meeting Notes

Close Earlier Discussion

  • Requirement: “When a relationship between an individual and an organization is terminated, or the organization ceases to participate in the Identity Ecosystem, the organization shall, while maintaining the security of individuals' information, transfer that information to the individual upon their request and destroy it unless they request otherwise.”
    • Ann suggested editing to say “maintaining the security and privacy…”
    • Ann: could consider purging audit/security/other logs.
    • Ann will send more info re: how an organization could facilitate these privacy goals to enable further conversation of these details. Once Ann develops more specific language, the committee will add to the agenda to discuss again.

Requirements Edits

  • Requirement: “Where individuals make choices regarding the treatment of their information (such as to restrict particular uses), those choices shall be automatically applied to all parties downstream from the initial transaction.”
    • Registration: Organizations must provide a technical mechanism to bundle individuals' privacy choices along with attributes, and have technical or policy mechanisms to ensure other parties who receive those attributes abide by those choices.
    • Important to clarify that mechanisms can be either technical or policy.

Requirements for Discussion Next Meeting

  • Requirement: “Organizations shall, where feasible, utilize identity solutions that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, and/or uniquely identified.”
    • Registration: (check)
  • Requirement: “Organizations will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.”
    • Registration: N/A
  • Requirement: “Participation in the Identity Ecosystem shall be voluntary.”
    • Registration: (check)

Actions

  • Group will continue down registration column at next meeting (11/10).
    • Will begin discussion with above 3 requirements and drafted requirements sections.
  • Ann will provide specific language regarding the addition of “and privacy” to the following requirement:
    • “When a relationship between an individual and an organization is terminated, or the organization ceases to participate in the Identity Ecosystem, the organization shall, while maintaining the security of individuals' information, transfer that information to the individual upon their request and destroy it unless they request otherwise.”