...
- Administration:
- Roll Call
- Agenda Confirmation
- Review minutes: P3WG Meeting Notes 2012-06-28
- AI review
- Presentation
Presenter:
Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:
OASIS Privacy Management Reference Model - Privacy Assessment Criteria
- Development of US FICAM PAC
- AOB
- Adjourn
...
Motion to approve by Anna; Jeff seconds; no discussion, minutes approved by unanimous consent
Action item Review
Action | Assigned To | Status | Description | Comments |
---|---|---|---|---|
New Action Item
Action | Assigned To |
---|---|
...
Presentation
Presenter:
Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:
OASIS Privacy Management Reference Model
...
Questions for discussion
1. For each of the assessment questions listed below, what level of assessment do we expect (observe, inquire, inspect)?
2. Do we want to indicate any "passing criteria" or examples of acceptable practices for any of the questions listed?
3. What additional questions or lines of inquiry are warranted?

2.1.1 Adequate Notice (From the US Fed Profile -- Kantara's Additional Requirements)
Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.

Existing Assessment Guidance
Suggested Assessment Questions:
1. Is the notice written in plain language so that it is easily understood by the average user?
2. Does the notice convey what information is being transmitted, the user’s options, and the outcome of not transmitting the information?
3. Is the user information being transmitted the same information that is described in the notice? Is that the only information being transmitted?
4. Is the notice incorporated into the “opt in” mechanism?
5. If so, is the notice clear, concise, unavoidable, and in real-time?
6. Is the notice merely a linked general privacy policy or terms of service?

Supplemental Explanation: Adequate notice is a practical message that is designed to help the average user understand how to engage in the authentication transaction, including what information is being transmitted about the user, what options the user has with respect to the transmission of the information, and the consequences of refusing any transmission.
For example, if the information to be transmitted is required by the Relying Party for the authentication, the notice should make clear that the transmission is required and that refusal will cancel the transaction and return the user to the Relying Party’s website for further assistance. If the information to be transmitted is not required for authentication, but, for example, will be collected by the Relying Party in order to provide the service requested by the user more conveniently, the notice should make this distinction clear and indicate that if the user refuses the transmission, the user will be able to provide the information directly on the Relying Party’s website. Assessors and Auditors should look for a notice that is generated at the time of the authentication transaction. The notice should be in visual proximity (i.e. unavoidable) to the action being requested, and the page should be designed in such a way that any other elements on the page do not distract the user from the notice. The content of the notice should be tailored to the specific transaction. The notice may be divided into multiple or “layered” notices if such division makes the content more understandable or enables users to make more meaningful decisions. For these reasons, the notice should be incorporated into the “opt in” mechanism as set forth below. In sum, an Adequate Notice is never just a link somewhere on a page that leads to a complex, legalistic privacy policy or general terms and conditions.
- Discussion:
- Can the notice itself be used as an assessment? The first question is whether the notice itself conforms with the expectations of what should be in a notice (is it accessible, readable, easy to find, etc.); whether those practices are any good is a separate question
- Adequate Notice criteria concern: in the notice we will have to make a point about how crisp/clean/short the notice has to be depending on the type of device used to read it; the basic criteria of accessibility, readability, etc. still apply, but they may be answered differently depending on the device
- agreement that this point must be captured
- Process: work from the top down; once we have a clear understanding of what that is and what the assessors are therefore looking for, we can then look at various technology platforms and give more specific guidance. Maybe take these two categories of criteria and also add a type of evidence; we want to see "usable, readable, accessible" - these terms do not exist in the current documents
- Some of these conversations should flow back to the IAWG; their docs are silent on type of device, so this will be good feedback
Call closes @ 18:06