2017-10-05 Meeting notes (CR)

• Roll call
• Agenda bashing

• Organization updates

Please review these blogs offline for current status on Kantara and all the DG/WG:

• Update on the new WG title being proposed as Privacy for Public Policy
• Discusse that the current IPR - RF RAND does not allow for derivative works
• Discussed with Iain that the new GDPR for customers might be better placed under the non-assert covenant
• Action - Iain to send an email to principle in this work and see if the new WG IPR be placed under this new wg for customer commons and Kantara

 What is left to do for v1.1?

David to produce a new update of the document after this call

• 3 issues
  • security considerations
    • Tom brings up confirmation of the receipt of the receipt out of scope but could/should be mentioned
    • Is the receipt is PII?
      • Tom mentions a Latanya Sweeney PII identifiably study - needs trusted 3rd party
    • This boils down to wether or not encryption is required and at which level
    • we decide to err on the side of caution and put in a MUST.
  • examples for list of collection methods
  • combining the on-behalf -
    • clarify use of third party field name
      • which party is on the front of the data collection process and which party is on the behalf
      • reconciling on behalf with the 3rd party
      • example
        • SAAS service in the cloud
          • SAAS is the data controller
          • hosted storage wold be the PII processor
        • Is this being shared with related parties on non-related parties
    • David suggests
      • we keep it as is, and to keep this as an item to be dealt with in the next iteration of the receipt
      • in addition, disclosure to process or 3rd party is deal with in the next generation of the
• Disclosure to another jurisdiction - as a remaining field need for the CR v1.1

1

min

Github Issues: https://github.com/KantaraInitiative/CISWG/issues