...

  • Guidance from the Article 29 Working Party consent report
    • Much conversation about consent for data processing. The problem is that the choice is binary: use the application or not, enter a system or not. Just because you gave consent, it may not be the consent that was originally intended. The Article 29 Working Party has made clear what constitutes consent. Interesting to see what transpires as the NSTIC progresses.
    • Clarifies what constitutes consent and the extent to which data protection can be relied upon.
    • Consent in regard to "guaranteeing fair processing".
    • Anna - Brings up an interesting question for attribute-level consent. What happens if an individual doesn't want to share an attribute? Does the service get withdrawn? Looking at the power distribution and at consent as a mechanism.
    • Hedy - In Canada, in such circumstances the PIPEDA principles would be examined against the need for the attributes.
    • The organization would have to do it according to how it applies in law.
    • In Canada a number of limiting principles come into play. The strength of enforcement is currently under review; the process goes from complaint to the Privacy Commissioner before going to court.
    • Hedy makes a proposal to have a meeting focused on identity management in Canada. We can share documents.
    • Action: Anna: Hedy and Anna to schedule a meeting in September. Goal of the call: discuss Canadian identity management solutions.
    • Hedy to provide Canadian feedback, Anna FICAM (US) feedback, Mark EU feedback (Mark to ask Colin if interested in providing input).
    Latest privacy guidance
  • Call for comments due Sept 2: latest privacy control documents: NIST SP 800-53, Appendix J, and the Article 29 Working Party paper on consent.
    • There is a call for comments; we can look at that as a collective group and provide input from various regions (Canada, U.S., Europe). They have added privacy controls, which makes it convenient to cross-walk to other places; then there is a way to make it work, solving some interoperability issues.
    • Lots of interest in evaluating this appendix against Canadian and EU law (action: Mark to invite other comparisons from international members).
    • Anna - Interesting that NIST publishes this as an appendix to an existing standard, as a cross-walk for industry standards; as it is also the active standard, this makes it very important.
    • So we discuss the response in two pieces: 1. Compare NIST against FICAM guidance. 2. Does NIST SP 800-53 support an interoperable privacy standard, and what could be added?
    • Questions to review while commenting: What are the notification requirements for assessment with and without consent? Does this appendix interoperate with existing law internationally? Does the standard strengthen and coexist with existing privacy legislation and practices? What are other jurisdictional interpretations of this standard? What are the legal comparisons (discovery)? (Quote relevant US, Canadian, EU and NZ laws.) In assessment, would NIST accommodate the notification requirements in each jurisdiction?
    • Action: Hedy and Mark to meet and each develop a couple of paragraphs to start this document, and send to Anna (Action: Mark to send email to Hedy). We could
    • Plan is to get something drafted for the next meeting and then submit it to the Kantara community (if appropriate) for comment and input. If the process moves fast enough, then perhaps even get a motion for Kantara to formally approve the comments before submission. (Action: Mark to send a note to Joni asking about the appropriate protocol.)
  • FTC and DOC and industry-led privacy rules of behavior in the US
    • Additional issues: convening industry groups to develop their own codes of conduct and having the FTC enforce them.
    • This is interesting because the NIST appendix discusses memoranda, which would work very well with formalizing codes of conduct.
    • Watch out for companies that are good at publicly stating their intentions but are not compliant.
    • Hedy - In Canada, the codes of practice were written by industry and adopted in their entirety into the law. A meaty law was made to reference this code of practice and passed to control it.
    • This then moves the reliance on to legal requirements.
    • Concern that the US will continue a sectoral approach, as there are outliers that require greater regulation and are not interoperable or accountable across sectors.
    • A big distinction between sectoral and jurisdictional approaches. In NSTIC the idea is to draw out the common elements.
    • A common set of requirements for identity providers, like the IAWG's set of core principles for identity proofing.
    • What are the common elements that Kantara can point out across the privacy domain?
    • The P3 intent is to gather these criteria and focus on FICAM, as it is a pressing requirement, especially leading into the NSTIC discussions.
    • Colin: Clarification, with which Anna agrees, that FICAM is one interpretation of standards and implementation, and that considering this from other jurisdictional perspectives is an important approach to take. Anna makes the point that FICAM is the focus of the criteria because of timing and the needs of Kantara programs. We are able to use this to explore the interoperability of privacy assessments.

4. AOB:

Government of Canada would like to make a presentation in September. Anna Ticktin to schedule.

5. Actions:

  • Anna: Hedy and Anna to schedule a meeting in September. Goal of the call: discuss Canadian identity management solutions.
  • Mark and Hedy to meet and each create the first couple of paragraphs of the NIST response.

Meeting Adjourned