Meeting notes from October 6, 2014
From IDESG Wiki
10/6/14 Privacy Requirements Working Group Meeting Notes
- Jennifer Behrens
- Doug Blough
- Jeff Brennan
- Sean Brooks
- David Bruggeman
- Scott David
- Jessica Esparza
- Jim Fenton
- Edmund Jay
- Naomi Lefkovitz
- Ellen Nadeau
- Ann Racuya-Robbins
- Stuart Shapiro
- Jim Zok
- Requirement 7: Organizations shall determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved.
- Data quality requirement – not about data quantity.
- Risk to privacy is a factor in determining an organization’s practices when assessing how complete/accurate/timely the data they collect to provide their service is. How do we provide guidance to companies based on the risk of that transaction to the individuals involved? OMB 0404: evaluate your risk.
- If you’re doing something related to verification, you’re likely automatically in column E, so multiple functions won’t overlap.
- Only need guidance in “attribute verification” box: In the absence of data quality standards, organizations should consider the timeliness, completeness, accuracy, and sources of data when evaluating the quality of data about individuals.
- Requirement 8: When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals’ information, transfer it upon their request and destroy it unless they request otherwise.
- “Attribute control”: Attributes should be made available in open format for users to download and migrate to other services.
- Eligibility is N/A because the information will be destroyed, not used to make decisions.
- Is there a standard re: how and when to destroy?
- All will continue discussing requirement 8 next week (10/13). Will discuss deletion methods, standards, etc. before moving on to requirement 9.
- Sean will post meeting notes and updated document to the wiki.