Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version 4

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Reviews minutes: P3WG Meeting Notes 2012-06-28
    4. AI review
  2. Presentation
    Presenter:
    Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
    Topic:
    OASIS Privacy Management Reference Model
  3. Privacy Assessment Criteria
    1. Development of US FICAM PAC
  4. AOB
  5. Adjourn

...

Motion to approve by Anna; Jeff seconds; no discussion, minutes approved by unanimous consent

 

Action item Review

Action

Assigned To

Status

DescriptionComments

 

 

 

  

 

New Action Item

...

Action

...

Assigned To

...

...

Presentation

Presenter:
Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:
OASIS Privacy Management Reference Model

...

Questions for discussion
1.  For each of the assessment questions listed below, what level of
assessment do we expect (observer, inquire, inspect)?
2.  Do we want to indicate any "passing critieria" or examples of
acceptable practices for any of the questions listed?
3.  What additional questions or lines of inquiry are warranted?


2.1.1 Adequate Notice  (From the US Fed Profile--Kantara's Additional
Requirements)

Adequate Notice – Identity Provider must provide End Users with
adequate notice regarding federated authentication. Adequate Notice
includes a general description of the authentication event, any
transaction(s) with the RP, the purpose of the transaction(s), and a
description of any disclosure or transmission of PII to any party.
Adequate Notice should be incorporated into the Opt In process.

Existing Assessment Guidance
Suggested Assessment Questions:

1. Is the notice written in plain language so that it is easily
understood by the average user?
2. Does the notice convey what information is being transmitted, the
user’s options, and the outcome of not transmitting the information?
3. Is the user information being transmitted the same information that
is described in the notice? Is  that the only information being
transmitted?
4. Is the notice incorporated into the “opt in” mechanism?
5. If so, is the notice clear, concise, unavoidable, and in real-time?
6. Is the notice merely a linked general privacy policy or terms of service?

Supplemental Explanation:
Adequate notice is a practical message that is designed to help the
average  user understand how to engage in the authentication
transaction, including, what information is being  transmitted about
the user, what options the user has with respect to the transmission
of the information,  and the consequences of refusing any
transmission. For example, if the information to be transmitted is
required by the Relying Party for the authentication, the notice
should make clear that the transmission is  required and refusal will
cancel the transaction and return the user to the Relying Party’s
website for  further assistance. If the information to be transmitted
is not required for authentication, but, for example,  will be
collected by the Relying Party in order to provide the service
requested by the user more  conveniently, the notice should make this
distinction clear and indicate that if the user refuses the
transmission, the user will be able to provide the information
directly on the Relying Party’s website.  Assessors and Auditors
should look for a notice that is generated at the time of the
authentication  transaction. The notice should be in visual proximity
(i.e. unavoidable) to the action being requested, and  the page should
be designed in such a way that any other elements on the page do not
distract the user  from the notice. The content of the notice should
be tailored to the specific transaction. The notice may be divided
into multiple or “layered” notices if such division makes the content
more understandable or  enables users to make more meaningful
decisions. For these reasons, the notice should be incorporated  into
the “opt in” mechanism as set forth below. In sum, an Adequate Notice
is never just a link  somewhere on a page that leads to a complex,
legalistic privacy policy or general terms and conditions.
  • Discussion:
    • Can the notice itself be used as an assessment? The first question is the whether the notice itself conforms with the expectations of what should be in a notice (is it accessible, readable, easy to find, etc); whether those practices are any good is a separate question
    • Adequate Notice criteria concern: in the notice we will have to make a point about how crisp/clean/short the notice has to be depending on the type of device to be used to read it; the basic criteria of accessibility, readability, etc still apply but it be answered differently depending on the device
      • agreement that this point must be captured
    • Process: work from the top down, once we have a clear understanding what that is, what the assessor's are therefore are looking for, we can then look at various technology platforms and give more specific guidance; Maybe take these two categories of criteria and also add a type of evidence; want to see "usable readable accessible" - these terms do not exist in the current documents
    • Some of these conversations should flow back to the IAWG; their docs are silent on type of device, so this will be good feedback

 

Call closes @ 18:06