...

  • Leadership Council (LC) call update
    • Mark reported that the LC approved moving forward with the FICAM privacy profile. Funds were re-allocated so that we can start on the Privacy Assessment Criteria right away, as this is time critical.
  • Kantara response to National Strategy for Trusted Identities in Cyberspace (NSTIC) Notice of Inquiry (NOI)
    • Kantara submitted the report by the July 22 deadline; an 18-page document was provided. Our input was a collection of thoughts rather than processes. NSTIC hopes to review comments and respond in September.
    • Mark was on the NSTIC working group; the response was received by the LC, included P3-driven comments, and was submitted to NIST
    • There were 50 submissions and revisions to the Notice of Inquiry
    • We discussed the substantive response (Action: Mark send Kantara NOI and NSIT Comment References to the list)
    • Mark reported that the NSTIC Steering Group Notice of Inquiry was a call for comments on what a steering group will need to accomplish for identity standards interoperability
    • Anna noticed that the response revolved around Kantara's experience in this area, already running an international standards community in identity management. Kantara presents a successful model that produces standards with participants and interoperability
    • Jeremy Grant indicated that NSTIC is hoping to respond to the NOIs submitted in September
    • The EFF and Liberty response was focused on consumer protection advocates and strong privacy protection, something we should also review.
    • Action: Mark: look up EFF and Liberty input
  • Guidance on Article 29 Working Group Consent Report
    • Much conversation about consent for data processing. The problem is between using the application or not, or entering a system or not. Just because you gave consent, perhaps it's not the consent that was originally intended. The Article 29 Working Group has made the case clear regarding what constitutes consent. Interesting to see what transpires as the NSTIC progresses.
    • Clarifies what constitutes consent and the extent data protection can be relied upon
    • Consent in regards to 'guaranteeing Fair Processing'
    • Anna - Brings up an interesting question for attribute-level consent. What happens if an individual doesn't want to share an attribute? Does the service get withdrawn? Looking at the power distribution and looking at consent as a mechanism.
    • Hedy - In Canada, in such circumstances PIPEDA principles would be examined against the needs for the attributes provided by the
    • The organization would have to do it according to how it applies in law.
    • In Canada a number of limiting principles come into play. Currently under review for strength of enforcement; a matter goes from complaint to the Privacy Commissioner before being sent to court.
    • Hedy makes a proposal to have a meeting focused on identity management in Canada. We can share documents.
    • Action: Anna: Hedy & Anna schedule meeting in September. Goal of the call: to discuss Canada identity management solutions.
    • Hedy to provide Canadian feedback, Anna FICAM US feedback, Mark EU feedback.
  • Call for Comments Due Sept 2: Latest privacy control documents: NIST SP 800-53, Appendix J
    • There is a call for comments; we can look at that as a collective group and provide input from various regions (Canada, U.S., Europe). They have added privacy controls, which makes it convenient to cross-walk to other places and offers a way to solve some interoperability issues.
    • Lots of interest in evaluating this appendix against Canada and EU law.
    • Anna - It is interesting that this is an appendix to an existing NIST standard and serves as a cross-walk for industry standards into the federal government. As it is also the active standard, Equifax was asked how it complies with NIST 800 as a government supplier. This makes the appendix a part of an active standard in the US and makes it very important.
    • So we discussed the response in 2 pieces: 1. Compare NIST against FICAM Guidance. 2. Does NIST 800 support an interoperability privacy standard, and what could be added?
    • Questions to Review while Commenting: What are the notification requirements for assessment with and without consent? Does this appendix interoperate with existing law internationally? Do the standards strengthen and coexist with existing privacy legislation and practices? What are other jurisdictional interpretations of this standard? What are the legal comparisons (discovery)? (Quote relevant US, Canadian, EU and NZ laws.) In assessment, would NIST accommodate notification requirements in each jurisdiction?
    • Action: Hedy and Mark to meet and develop a couple of paragraphs to start this document with each and send to Anna -(Action: Mark send email to Hedy) we could
    • Plan is to get something drafted for the next meeting and then submit it to the Kantara community (if appropriate) for comment and input. If the process moves fast enough, then perhaps even get a motion for Kantara to approve the comments formally before submission. (Action: Mark to send a note to Joni asking about the appropriate protocol)

...