
Attendees:

Anna Slomovic
Mark Lizar
Colin Soutar
Hedy Kirkby

Apologies:
Ann Geyer

Staff:
Dervla O'Reilly

Minutes:

1. Roll Call - (Quorum Not Reached)

2. Privacy Assessment Criteria---status update
The LC approved the group moving forward with the FICAM privacy profile. Joni and Anna discussed finding additional funding; Joni will reach out to the Internet Society. Bob is on vacation until August 8, so we will need to update the contract based on any changes or input and then move forward.

3. Updates

  • Leadership Council (LC) call update
    • Mark reported that the LC approved moving forward with the FICAM privacy profile. Funds were re-allocated so that we can start on the Privacy Assessment Criteria right away, as this is time critical.
  • Kantara response to National Strategy for Trusted Identities in Cyberspace (NSTIC) Notice of Inquiry (NOI)
    • Kantara submitted the report by the July 22 deadline; an 18-page document was provided. Our input was a collection of thoughts rather than processes. NSTIC hopes to review comments and respond in September.
    • Mark was on the NSTIC working group; the response was received by the LC and included P3-driven comments.
    • There were 50 submissions and revisions to the Notice of Inquiry.
    • We discussed the substantive response. (Action: Mark to send the Kantara NOI and NSIT Comment References to the list.)
    • Mark reported that the NSTIC Steering Group Notice of Inquiry was a call for comments on what a steering group will need to accomplish for identity standards interoperability.
    • Anna noted that the response revolved around Kantara's experience in this area, already running an international standards community in identity management. Kantara presents a successful model that produces standards with participants.
    • Jeremy Grant indicated that NSTIC is hoping to respond to the submitted NOIs in September.
    • The EFF and Liberty responses focused on consumer protection advocates and strong privacy protection, something we should also review.
    • Action: Mark to look up the EFF and Liberty responses.
  • Guidance on the Article 29 Working Group Consent Report
    • Much conversation about consent for data processing. The problem is the choice between using the application or not, or entering a system or not. Just because you gave consent, perhaps it is not the consent that was originally intended. The Article 29 Working Group has made the case clear regarding what constitutes consent. It will be interesting to see what transpires as NSTIC progresses.
    • Clarifies what constitutes consent and the extent to which data protection can be relied upon.
    • Consent in regards to 'guaranteeing Fair Processing'.
    • Anna brings up an interesting question about attribute-level consent. What happens if an individual doesn't want to share an attribute? Does the service get withdrawn? Looking at the power distribution and looking at consent as a mechanism.
    • Hedy: In Canada, in such circumstances the PIPEDA principles would be examined against the need for the attributes.
    • The organization would have to do it according to how it applies in law.
    • In Canada there are a number of limiting principles that come into play. Currently under review for strength of enforcement; the process goes from a complaint to the Privacy Commissioner before being sent to court.
    • Hedy proposes a meeting focused on identity management in Canada. We can share documents.
    • Action: Anna: Hedy & Anna to schedule a meeting in September. Goal of the call: to discuss Canadian identity management solutions.
    • Hedy to provide Canadian feedback, Anna FICAM US feedback, Mark EU feedback.
  • Call for Comments Due Sept 2: Latest privacy control documents: NIST SP 800-53, Appendix J
    • There is a call for comments; we can look at that as a collective group and provide input from various regions (Canada, U.S., Europe). They have added privacy controls, which makes it convenient to cross-walk to other places, and then there is a way to make it work, solving some interoperability issues.
    • Lots of interest in evaluating this appendix against Canadian and EU law.
    • Anna: What is interesting is that NIST has added this as an appendix to an existing standard, as a cross-walk for industry standards; since it is also the active standard, this makes it very important.
    • So we discussed the response, in 2 pieces: 1. Compare NIST against FICAM Guidance. 2. Does NIST 800 support an interoperability privacy standard, and what could be added?
    • Questions to review while commenting: What are the notification requirements for assessment with and without consent? Does this appendix interoperate with existing law internationally? Do the standards strengthen and coexist with existing privacy legislation and practices? What are other jurisdictional interpretations of this standard? What are the legal comparisons (discovery)? (Quote relevant US, Canadian, EU and NZ laws.) In assessment, would NIST accommodate notification requirements in each jurisdiction?
    • Action: Hedy and Mark to meet and each develop a couple of paragraphs to start this document, and send them to Anna. (Action: Mark to send email to Hedy.) we could
    • The plan is to get something drafted for the next meeting and then submit it to the Kantara community (if appropriate) for comment and input. If the process moves fast enough, then perhaps even get a motion for Kantara to formally approve the comments before submission. (Action: Mark to send a note to Joni asking about the appropriate protocol.)
  • FTC and DOC and industry-led privacy rules of behavior in the US
    • Additional issues: convening industry groups to develop their own codes of conduct and having the FTC enforce them.
    • This is interesting because the NIST Appendix discusses memoranda, which would work very well with formalizing codes of conduct.
    • Watch out for companies that are good at publicly stating their intentions but are not compliant and do not comply.
    • Hedy: In Canada, the codes of practice were written by industry and adopted in their entirety into the law. A substantive law was made to reference this code of practice and passed to control it.
    • This then moves the reliance onto legal requirements.
    • Concern that the US will continue a sectoral approach, as there are outliers that require greater regulation and are not interoperable or accountable across sectors.
    • There is a big distinction between sectoral and jurisdictional approaches. In NSTIC, the idea is to draw out the common elements.
    • A common set of requirements for identity providers, like the IAWG's set of core principles for identity proofing.
    • What are the common elements that Kantara can point out across the privacy domain?
    • The P3 intent is to gather these criteria and focus on FICAM, as it is a pressing requirement, especially leading into the NSTIC discussions.
    • Colin and Anna agree, with the clarification that FICAM is one interpretation of standards and implementation, and that considering this from other jurisdictional perspectives is an important approach to take. Anna makes the point that it is the focus of the criteria because of timing and the needs of Kantara programs. We are able to use this to explore interoperability of privacy assessments.

4. AOB:

Government of Canada would like to make a presentation in September. Anna Ticktin to schedule.

5. Actions:

  • Anna: Hedy & Anna to schedule a meeting in September. Goal of the call: to discuss Canadian identity management solutions.
  • Mark and Hedy to meet to create the first couple of paragraphs each of the NIST response.

Meeting Adjourned
