Date
2017-09-21
Status of Minutes
DRAFT / Approved
Approved at: 2019-12-12 Meeting notes (CR)
Attendees
Voting
- Andrew Hughes
- Jim Pasquale
- Mark Lizar
Non-Voting
...
Info: Participant Roster (2016) - Quorum is 5 of 8 as of 2017-08-24: Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale, John Wunderlich, Andrew Hughes, Rupert Graves
Discussion Items
Time | Item | Who | Notes |
---|---|---|---|
4 mins | | | |
1 min | | All | Please review these blogs offline for current status on Kantara and all the DG/WG: |
5 min | Discuss 'sprint' process diagram | David | What is left to do for v1.1?
- Sprint 5 resolution
  - Issues will be closed
  - The Appendix listing examples will be moved into a different document/wiki
- Sprint 6
  - The remaining issues
  - Looking to the end of October for completion of a stable draft
|
20 min | Discuss work backlog priorities for CR v1.1 | David | Github Issues: https://github.com/KantaraInitiative/CISWG/issues
- Issue #104: "Data Controller Contact Info"
  - The underlying issue is whether this field is mandatory or optional, because the administrative information is probably already in the published privacy policy
  - Should the receipt be usable 'offline'? If yes, then there should be an email and phone number contact
  - In most jurisdictions the Notice requirements will require a statement of the name and address of the data controller
  - Proposed: make reference to jurisdiction regulations for what is mandatory; since there is no field validation, the field could be null
  - Proposed: make conditions based on the degree of functionality of the receipt, e.g. 'must include URI in order to be machine processable'
  - These fields are the place where the information required in the Privacy Notice goes
  - David: these fields should be 'SHOULD' - and the guidance should describe how these fields relate to the requirements of the Privacy notice in the Jurisdiction. Note that the Specification describes WHAT is required, not HOW to implement it.
- Issue #65: "Support for multiple data controllers"
  - There is no higher-level structure around the 'data controller' fields (there is a data structure for "Purposes")
  - Should there be a single contact point that refers to a separate list of controllers?
  - This is related to the Notice requirements
  - GDPR: "Name and contact details of the Controller, and where applicable, the Joint Controller, Controller's representative and DPO"
  - Q: Is there ever a situation where a Privacy Notice contains more than one Data Controller's contact information?
  - Action: David to create a new structure ("PII Controllers") to hold one or more Controllers (including the existing fields)
|
10 min | Draft of publication synopsis for new WG | Not discussed | The purpose of the Consent Management Solutions – Best Current Practices publication is to establish an open standard of good practice for the management of an individual's consent to process their personal data in electronic systems. The publication describes the practices used by leading organizations to manage the full lifecycle of an individual's consent to process their personal data. The lifecycle stages include privacy notice, prompt for acceptance of terms, collection of consent, production and storage of the consent receipt, and management of the record of consent. The practices described in the publication, and the requirements derived from them, can be used as the basis for a conformity assessment scheme, which may include product and services certification.
Proposed Table of Contents
- Introduction
- Scope
- Notations and Abbreviations
- Terms and Definitions
- Best Current Practices – Consent management solutions
  - General
  - Regulations
  - Privacy Notice
  - Collection of consent
  - Management of consent records (creation, updates, expiry, change of scope)
  - Interoperability of consent records
- Considerations (Non-Normative)
|
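The two backlog items above (Issue #104, the contact fields being 'SHOULD' with conditions tied to the receipt's degree of functionality, and Issue #65, a "PII Controllers" structure holding one or more controllers) can be checked mechanically. The following is an added example written for these minutes, not code from the CISWG or from the Consent Receipt specification. The JSON field names (`piiControllers`, `piiController`, `contact`, `address`, `email`, `phone`, `piiControllerUrl`, `onBehalf`) are assumptions modelled on the proposed structure, the two-controller receipt is constructed sample data, and the three tiers (Notice-complete, offline-usable, machine-processable) follow the conditions proposed in the discussion rather than any published conformance profile. Fields that are present but null are treated as absent, since the minutes note there is no field validation and a field could be null.

```python
import json
from typing import Any, Dict, List

# Constructed sample receipt fragment (not from the specification): two joint
# controllers, the second with several contact fields left null.
SAMPLE_RECEIPT: Dict[str, Any] = json.loads("""
{
  "version": "KI-CR-v1.1.0",
  "jurisdiction": "EU",
  "piiControllers": [
    {
      "piiController": "Example Retail Ltd",
      "contact": "Data Protection Officer",
      "address": "1 Example Street, Dublin, IE",
      "email": "dpo@example.com",
      "phone": "+353 1 000 0000",
      "piiControllerUrl": "https://example.com/privacy"
    },
    {
      "piiController": "Example Analytics GmbH",
      "onBehalf": true,
      "contact": null,
      "address": "Beispielstrasse 2, Berlin, DE",
      "email": null,
      "phone": null,
      "piiControllerUrl": null
    }
  ]
}
""")

# Assumed field names (hypothetical), grouped by the degree of functionality
# each tier needs, per the proposals recorded in the minutes.
NOTICE_FIELDS = ("piiController", "address")   # name and address of the controller
OFFLINE_FIELDS = ("email", "phone")             # usable without network access
MACHINE_FIELDS = ("piiControllerUrl",)          # URI needed for machine processing
LEGACY_FIELDS = NOTICE_FIELDS + ("contact",) + OFFLINE_FIELDS + MACHINE_FIELDS


def _present(ctrl: Dict[str, Any], field: str) -> bool:
    """A field counts as present only if it is a non-empty string; null is absent."""
    value = ctrl.get(field)
    return isinstance(value, str) and value.strip() != ""


def normalize_controllers(receipt: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the controller list, wrapping a flat pre-#65 receipt (controller
    fields at top level) into a single-element list so both shapes are handled."""
    controllers = receipt.get("piiControllers")
    if controllers is None and "piiController" in receipt:
        controllers = [{f: receipt.get(f) for f in LEGACY_FIELDS if f in receipt}]
    if not isinstance(controllers, list) or not controllers:
        raise ValueError("receipt must carry at least one PII controller")
    return controllers


def assess_controller(ctrl: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one controller entry by which functionality tiers it satisfies."""
    missing_notice = [f for f in NOTICE_FIELDS if not _present(ctrl, f)]
    missing_offline = [f for f in OFFLINE_FIELDS if not _present(ctrl, f)]
    missing_machine = [f for f in MACHINE_FIELDS if not _present(ctrl, f)]
    return {
        "name": ctrl.get("piiController"),
        "notice_complete": not missing_notice,
        # Offline use needs the Notice fields plus a way to reach the controller.
        "offline_usable": not missing_notice and not missing_offline,
        "machine_processable": not missing_machine,
        "missing": {"notice": missing_notice, "offline": missing_offline, "machine": missing_machine},
    }


def receipt_capabilities(receipt: Dict[str, Any]) -> Dict[str, Any]:
    """Receipt-level verdict: a tier holds only if every controller satisfies it."""
    results = [assess_controller(c) for c in normalize_controllers(receipt)]
    return {
        "notice_complete": all(r["notice_complete"] for r in results),
        "offline_usable": all(r["offline_usable"] for r in results),
        "machine_processable": all(r["machine_processable"] for r in results),
        "controllers": results,
    }


if __name__ == "__main__":
    print(json.dumps(receipt_capabilities(SAMPLE_RECEIPT), indent=2))
```

Run against the sample, the first controller satisfies all three tiers while the second satisfies only the Notice tier, so the receipt as a whole is neither offline-usable nor machine-processable; the per-controller `missing` lists are what a guidance document could point implementers at when explaining why a 'SHOULD' field was left empty.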
Discussion
- There is a new wiki page that will hold all the known implementations of Consent Receipts
- Includes a space to describe how the implementation uses the Kantara CR spec
...