
Date

Jun 23, 2016

Attendees

 

Here are questions the group should address tomorrow, in our meeting on the Consent Receipt Standard Candidate, in no particular order:

1. Should we have a unique number for each consent receipt as a requirement?

What is the benefit of this? And the potential harms?

  • Receipt ID - is important for receipts to be portable and machine readable; Alice and Bob can reference it in communications
    • Conformance Mode 1
      • MUST be unique for receipt issuer
      • MAY BE UUID
    • Conformance Mode 2
      • MUST be UUID

 

2. PII Categories? Should this be a MUST in the Field table?

  • Yes, this should be a MUST
  • But issuers are not required to use the categories we specify
  • Minimum of one category (N ≥ 1)
  • Guidance Note
    • added in spreadsheet "PI Category MUST be supplied, and should reflect the category that will be shared as understood by the user. Our categories are advisory and the PII Controller may use their own list of categories."
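One way to check the two rules discussed in items 1 and 2 (receipt ID unique per issuer, UUID required in Conformance Mode 2, at least one PII category supplied), as an added example in Python. This is not code from the Consent Receipt Standard or the working group; the field names (issuer, receipt_id, pii_categories), the integer mode constants and the sample receipts are assumptions constructed for the example.

```python
import uuid
from collections import defaultdict

# Conformance modes from item 1 above. The mode names are the meeting's;
# representing them as integers is this example's choice.
MODE_1 = 1  # receipt ID MUST be unique for the receipt issuer, MAY be a UUID
MODE_2 = 2  # receipt ID MUST be a UUID


def is_uuid(value):
    """True if value is an RFC 4122 UUID in canonical hyphenated form
    (any version). uuid.UUID() also accepts braces, a urn: prefix and
    bare hex, so the round-trip comparison pins the canonical spelling."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


class ReceiptChecker:
    """Applies the two rules above to each receipt and remembers which IDs
    an issuer has already used, so uniqueness is checked across receipts
    rather than within a single one."""

    def __init__(self):
        self._issued = defaultdict(set)  # issuer -> set of receipt IDs seen

    def new_receipt_id(self):
        """An ID that satisfies both modes (a random UUID)."""
        return str(uuid.uuid4())

    def check(self, receipt, mode):
        """Return the list of conformance problems for `receipt`, a dict with
        the assumed keys issuer, receipt_id and pii_categories. An empty list
        means the receipt passes, and its ID is then recorded for that issuer."""
        problems = []
        issuer = receipt.get("issuer")
        rid = receipt.get("receipt_id")

        if not issuer:
            problems.append("issuer is missing")
        if not rid:
            problems.append("receipt_id is missing")
        else:
            if mode == MODE_2 and not is_uuid(rid):
                problems.append("receipt_id must be a UUID in Conformance Mode 2")
            # Uniqueness is per issuer in both modes: the same ID used by a
            # different issuer is allowed, so Alice and Bob must cite
            # issuer + receipt_id together to name a receipt unambiguously.
            if issuer and rid in self._issued[issuer]:
                problems.append("receipt_id already issued by this issuer")

        # Item 2: at least one PII category MUST be supplied. The category
        # names themselves are advisory, so only their presence is checked.
        cats = receipt.get("pii_categories")
        if not isinstance(cats, (list, tuple)) or len(cats) < 1:
            problems.append("at least one PII category is required")
        elif any(not isinstance(c, str) or not c.strip() for c in cats):
            problems.append("PII categories must be non-empty strings")

        if not problems:
            self._issued[issuer].add(rid)
        return problems


if __name__ == "__main__":
    checker = ReceiptChecker()
    # Constructed sample receipts, not real data.
    sample = {"issuer": "ctrl-a", "receipt_id": "2016-06-23-0001",
              "pii_categories": ["contact"]}
    print(checker.check(sample, MODE_1))                     # passes
    print(checker.check(sample, MODE_1))                     # duplicate for ctrl-a
    print(checker.check(dict(sample, issuer="ctrl-b"), MODE_1))  # other issuer, passes
    print(checker.check(dict(sample, receipt_id="2016-06-23-0002"), MODE_2))  # not a UUID
    print(checker.check(dict(sample, receipt_id=checker.new_receipt_id()), MODE_2))
```

The second call on the same sample shows the per-issuer rule doing its job, and the third shows its limit: in Mode 1 a different issuer may reuse the same ID, which is why a receipt is only unambiguous as issuer plus ID. Mode 2 removes that ambiguity by making the ID itself globally unique.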

 

3. Should PII Category descriptions and informational examples be moved to "supplemental guidance" if not a MUST?

 

4. If Sensitive Data = No and data is not confidential can a consent receipt be sent via email? 

  • security should be proportional to the method of collection
  • general guidance 
  • good tip: send a link to a secure web page where the receipt can be picked up, or put it in the user's profile page

 

5. Consent Notices? Are these receipts? Can we back out of "notices" as a descriptor for a receipt?

 

6. Disclosure Y/N and 3rd Party Disclosure Y/N: see suggested descriptions here:

https://docs.google.com/spreadsheets/d/1KmHxYJRNxtDZsy5hSDTHcQTZbsxI-cMQ7HE7hd47DUU/edit#gid=1136261486

In law, and in policy usage, Disclosure refers to the pre-trial phase in which the parties to a case obtain evidence, and in which parties may be compelled to share personal information about their customers, etc.

This is IMO the dominant definition of disclosure for implementors. 



https://en.wikipedia.org/wiki/Disclosure

 

All remaining items tabled

 

7. Suggested glossary definitions and suggested changes:

a. consent notice - remove

b. PII confidentiality impact levels - remove

c. PII Processor

d. Processing of PII

e. Purpose

f. Purpose specification - remove

g. Sensitive information categories - remove

h. Sensitive PI categories - remove and place in Supplemental Guidance

 

Here is the proposed Standard for Consent Receipt:

https://docs.google.com/document/d/19Ot2g_NacXQs2nf6KnEVoZkrBJV6pPg5LF_UgRaXoNg/edit# 

 

Supplemental Guidance (A very basic list at this point of things we will need to work up while the Standard is with the spec editor):

https://docs.google.com/document/d/1I7e9KVu0UuZYOGAP7HJ0s5T8Fl1oycPOTxByvZJfw6k/edit# 

 

Field tables and other tabs for the Modes of compliance, glossary, and other items:

https://docs.google.com/spreadsheets/d/1KmHxYJRNxtDZsy5hSDTHcQTZbsxI-cMQ7HE7hd47DUU/edit#gid=1136261486 
