2017-09-21 Meeting notes (CR)

• Roll call
• Agenda bashing

• Organization updates

Please review these blogs offline for current status on Kantara and all the DG/WG:

• Director's Corner
• Working + Discussion Group Activity

 What is left to do for v1.1?

• Sprint 5 resolution - issues will be closed - the Appendix listing examples will be moved into a different document/wiki
• Sprint 6
  • The remaining issues
  • Looking to the end of October for completion of a stable draft

Github Issues: https://github.com/KantaraInitiative/CISWG/issues

• Issue #104: "Data Controller Contact Info"
  • The underlying issue here is whether this field is mandatory or optional - because administrative information is probably in the published privacy policy
  • Should the receipt be usable 'offline'? If yes, then there should be an email and phone number contact
  • In most jurisdictions the Notice requirements will require statement of name and address of the data controller
  • Proposed: make reference to jurisdiction regulations for mandatory; since there is no field validation, it could be null
  • Proposed: make conditions based on degree of functionality of the receipt e.g. 'must include URI in order to be machine processable'
  • These fields are the place where the information required for in the Privacy Notice goes
  • David: these fields should be 'SHOULD' - and the guidance should describe how these fields relate to the requirements of the Privacy notice in the Jurisdiction. Note that the Specification describes WHAT is required, not HOW to implement it.
• Issue #65: "Support for multiple data controllers"
  • There is no higher level structure around 'data controller' fields (there is a data structure for "Purposes")
  • Should there be a single contact point and refer to a separate list of controllers?
  • This is related to the Notice requirements
    • GDPR: "Name and contact details of the Controller, and where applicable, the Joint Controller, Controller's representative and DPO"
  • Q: Is there ever a situation where a Privacy Notice contains more than one Data Controller contact information?
  • David to create a new structure ("PII Controllers") to hold one or more Controller (including the existing fields)

The purpose of the Consent Management Solutions – Best Current Practices publication is to establish an open standard of good practice for the management of an individual’s consent to process their personal data in electronic systems.

The publication describes the practices used by leading organizations to manage the full lifecycle of an individual’s consent to process their personal data. The lifecycle stages include privacy notice, prompt for acceptance of terms, collection of consent, production and storage of consent receipt, and, management of the record of consent.

The practices and requirements derived from them described in the publication can be used as the basis for a conformity assessment scheme which may include product and services certification.

Proposed Table of Contents

• Introduction
• Scope
• Notations and Abbreviations
• Terms and Definitions
• Best Current Practices – Consent management solutions
  • General
  • Regulations
  • Privacy Notice
  • Collection of consent
  • Management of consent records (creation, updates, expiry, change of scope)
  • Interoperability of consent records