Potential Work Items - Detailed Descriptions
NOTE FOR SUBMISSIONS--Please include:
- Title
- Contributor (name/affiliation)
- Scope of Work
- Desired output (i.e. position paper/technical paper)
- Intended Audience (i.e. submission to policy body/publication on P3 Working Group site etc.)
- Editor, co-editor, contributors
- Target date for completion
MODEL PRIVACY POLICY
Contributor
Jeff Stollman / Iain Henderson
Scope of Work
P3wg can make a valuable contribution to privacy by crafting a model Privacy Policy. This model policy would consist of multiple-choice options for the various standard elements of a privacy policy (e.g., what information we collect, with whom we share the information, how we protect the information). This would allow the sites adopting the model policy to rapidly craft comprehensive policies. More importantly, the use of a standard model would have extensive benefits for users asked to sign the policy.
...
Note (from Iain) - the Information Sharing Group will be developing equivalent 'information sharing agreements' as seen from the individual perspective; i.e. 'I will let you have data type X for purpose Y, subject to constraint Z'. If the two workgroups collaborate then we'd have the ability to icon-based, machine-readable policies agreements at both ends of the data sharing pipe.
Desired Output
Output 1
Privacy policy template(s) that can be used by enterprises collecting Personally Identifiable Information (PII), that cover most common policy considerations, and that offer a fixed menu of choices.
Output 2
Consumer guidance on the impact of their decisions in accepting/rejecting the various terms of the privacy policy.
Intended Audience
Output 1
Enterprises collecting Personally Identifiable Information (PII).
Output 2
Consumers.
Editor, co-editor, contributors
Jeff Stollman
Target date for completion
Output 1
The first draft privacy policy template will be developed by the end of Q1, 2010.
Output 2
Draft consumer guidance for the first privacy template will be developed 60 after the template is completed.
CONSENT AND ANTI-PATTERNS
The proposal is that P3 collect examples of consent anti-patterns, i.e. if we see real instances of poor practice in the collection of user data, or presumed consent, or making service provision conditional on acceptance of privacy-hostile terms, etc., we record these instances (not with the intent of alienating the service provider concerned).
...
A link to a page with Consent and AntiPattern examples
PRIVACY RISK ASSESSMENT
Contributor
Jeff Stollman
Scope of Work
P3wg can make a valuable contribution to privacy by crafting a Privacy Risk Assessment. To date, this type of assessment has not been done even though it is fundamental to any privacy risk analysis. Current discussions of risk rely on citing examples of breaches, but have not evaluated which data items subject a person to the most risk.
...
7. identify follow-on work
Desired Output
A detailed analysis that identifies and prioritizes the risks associated with each data item.
Intended Audience
Government regulators, consumers, enterprises that collect PII.
Editor, co-editor, contributors
Jeff Stollman
Target date for completion
This is a massive effort and will not be completed using only voluntary labor. One of the initial tasks will be to identify sponsors to help fund the effort. This alone could take months. Depending on the funding provided, an analysis could be completed within 90 days.