Date

2017-09-21

Status of Minutes

Approved

Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Attendees

Voting

Andrew Hughes
Jim Pasquale
Mark Lizar

Non-Voting

David Turner
Dorota Filpczuk
Tom Jones

Quorum Status

Meeting was << status>>

Voting participants

Participant Roster (2016) - Quorum is 5 of 8 as of 2017-08-24

Iain Henderson, Mary Hodder, Harri Honko, MarkLizar, Jim Pasquale, John Wunderlich, Andrew Hughes, Rupert Graves

Discussion Items

Time	Item	Who	Notes
4 mins	Roll call Agenda bashing	Former user (Deleted)
1 min	Organization updates	All	Please review these blogs offline for current status on Kantara and all the DG/WG: Director's Corner Working + Discussion Group Activity
5 min	Discuss 'sprint' process diagram	David	What is left to do for v1.1? Sprint 5 resolution - issues will be closed - the Appendix listing examples will be moved into a different document/wiki Sprint 6 The remaining issues Looking to the end of October for completion of a stable draft
20 min	Discuss work backlog priorities for CR v1.1	David	Github Issues: https://github.com/KantaraInitiative/CISWG/issues Issue #104: "Data Controller Contact Info" The underlying issue here is whether this field is mandatory or optional - because administrative information is probably in the published privacy policy Should the receipt be usable 'offline'? If yes, then there should be an email and phone number contact In most jurisdictions the Notice requirements will require statement of name and address of the data controller Proposed: make reference to jurisdiction regulations for mandatory; since there is no field validation, it could be null Proposed: make conditions based on degree of functionality of the receipt e.g. 'must include URI in order to be machine processable' These fields are the place where the information required for in the Privacy Notice goes David: these fields should be 'SHOULD' - and the guidance should describe how these fields relate to the requirements of the Privacy notice in the Jurisdiction. Note that the Specification describes WHAT is required, not HOW to implement it. Issue #65: "Support for multiple data controllers" There is no higher level structure around 'data controller' fields (there is a data structure for "Purposes") Should there be a single contact point and refer to a separate list of controllers? This is related to the Notice requirements GDPR: "Name and contact details of the Controller, and where applicable, the Joint Controller, Controller's representative and DPO" Q: Is there ever a situation where a Privacy Notice contains more than one Data Controller contact information? David to create a new structure ("PII Controllers") to hold one or more Controller (including the existing fields)
10 min	Draft of publication synopsis for new WG	Not discussed	The purpose of the Consent Management Solutions – Best Current Practices publication is to establish an open standard of good practice for the management of an individual’s consent to process their personal data in electronic systems. The publication describes the practices used by leading organizations to manage the full lifecycle of an individual’s consent to process their personal data. The lifecycle stages include privacy notice, prompt for acceptance of terms, collection of consent, production and storage of consent receipt, and, management of the record of consent. The practices and requirements derived from them described in the publication can be used as the basis for a conformity assessment scheme which may include product and services certification. Proposed Table of Contents Introduction Scope Notations and Abbreviations Terms and Definitions Best Current Practices – Consent management solutions General Regulations Privacy Notice Collection of consent Management of consent records (creation, updates, expiry, change of scope) Interoperability of consent records Considerations (Non-Normative)

Discussion

There is a new wiki page that will hold all the known implementations of Consent Receipts
- Includes a space to describe how the implementation uses the Kantara CR spec

Browser not supported