Date

2019-03-07

Status of Minutes

Approved

Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Attendees

Voting

Andrew Hughes
Jim Pasquale
Oscar Santolalla
Iain Henderson
Mark Lizar

Non-Voting

Sneha Ved
Colin Wallis
Lisa LeVasseur

Regrets

Quorum Status

Meeting was <<<>>> quorate

Voting participants

Participant Roster (2016) - Quorum is 6 of 11 as of 2018-11-19

Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale (C), John Wunderlich (VC), Andrew Hughes (VC), Oscar Santolalla, Richard Gomer, Paul Knowles, Samantha Zirkin

Discussion Items

Time	Item	Who	Notes
4 mins	Roll call Agenda bashing	Former user (Deleted)	Deferred: Status: Wiki refresh work Deferred: Status: Distribution-version of slide deck describing the work here (consent receipt today → personal data processing receipt tomorrow - or whatever we decide) Discuss EIC demo and scheduling Discuss proposal for specification extension approach
5 min	Organization updates	All	Please review these blogs offline for current status on Kantara and all the DG/WG: Director's Corner: 2019: February Work + Discussion Group Activity There is a wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Jim, or John, or Andrew of your implementation. EIC, Munich, May Identiverse, Washington, June MyData, Helsinki, September
10 min	Product roadmap for the demo	All	Target is EIC May 2019 Here's the project page for the "Demo v2" Go to the demo v2 page for the breakdown of roles and functions for 2019-02-21 call ======= 2019-03-07 notes More discussion about roles and responsibilities for demo 10 weeks to go until EIC Discussion around how to build/implement the control panel part of the demo - challenges in getting a team to get resources to built this part THESE NOTES ARE FROM 2019-01-31 CALL AND ARE DIRECT-EDIT-UPDATED FROM 2019-02-07 CALL Andrew's personal opinion on what to highlight: The fact that giving the person tools necessary for them to keep records (the 'receipts') about their data controller & personal data processing interactions is a new thing in the world The ability for the person to take action because they have these records in their possession - the Privacy Control Panel The fact that interoperability standards allow many products to work in an 'ecosystem' way Even if the audience does not believe that the lawful basis of consent will become a mainstream thing, the person-side record keeping idea is a good one that has broad applicability Comments: This opens the door to ongoing management of the relationship by the person with the data controller/other The consent receipt is also a Notice People have an independent record of the interaction in the receipt Have hard receipts gone away because they are viewed as 'too much friction'? Is this dangerous? Decisions needed: The specific set of user stories we want to showcase - what is the "Consent Journey" of the person? The roles that each product will cover in the demo Comments (2019-02-14): Jim spoke to Gavin (CTO) - apps in the digi.me ecosystem are able to signal to the 'right to erasure' API because the 3rd party app knows the person, digi.me knows no people in the system Comments (2019-02-07): Jim: all should work on the Export function to allow others apps to view Andrew: what are we able to show that tells the audience that there is something new coming to the world - where people can see the receipts and take an action that is recognized and acted on at a data controller. The Control Panel idea is powerful Maybe the user click transfers control over to the receipt issuer's app In digi.me ecosystem there is an app that allows the user to look into their private library there are 3rd party apps - these 3rd party apps use the digi.me APIs and issue the Kantara-compliant consent receipts. The receipt is shown in the user's digi.me management console So, if the user takes an action on that receipt in the digi.me management console, the 3rd party app receives the signal and can act digi.me: https://developers.digi.me and https://developers.digi.me/consent-access Peter to sketch up a rough sequence Comments (2019-01-31): The discrete functions need to be identified Receipt issuers should be enrolled in advance (data controller should be known) Can we show multiple wallets that hold receipts? Should build on the flow of the Demo v1 - person does stuff, gets receipts, sees them, acts on them Is the 'wallet' (a.k.a. the receipt storage location) singular or multiple? Sphere app can display receipts from their own storage locations Digi.me only shows receipts within their system Jim is pushing engineering towards the idea that the 'control panel' should be able to work on receipts in other app storage locations Passing control over a receipt (to act on a receipt and manage it going forward) to a 3rd party breaks the security concept of digi.me and Sphere's apps Exporting a receipt is possible, but action on the exported receipt might require a redirect back into the Sphere app This is probably the same with all app ecosystems Jan - looking at the topic of using the receipt as a data schema but also using the universal namespace/identifiers (a.k.a. Decentralized Identifiers) to reference the entities and object might allow for broader interoperability Peter: we lack the protocols for operations on the receipts themselves - maybe do this in Kantara Jan - last week call - Paul and Jan presented on the Hyperledger Indy work for interop Remember that we are limited by what exists today - a list of JSON files The 'take action' function might be a simple "open URL in the receipt issuer's app" Action: Andrew to draw an information flow diagram for discussion for the demo Action: ALL - to think about the functionality that your products can do today in light of the "Privacy Control Panel" idea - we will try to do a heat map to try to sort out role assignments and find gaps
20 min	Approach to "extension kit"	Mark	I have start a wiki page for working on a consent receipt extension and was thinking of trying to work on the document outline during the call tomorrow and just get a basic set of steps for the work effort to complete a simple scope. . 1. Draft & Review extension Outline 2. Walk through use of extension 3. Recommend extension Here is the link - https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=104600510 Meeting notes Approach to mapping the CR to a specific law/regulation and ensuring that the terms/fields are correct for the specific law Then, replacing the terms in the specification to create a law-specific specification Try this out on CFR 42 - a healthcare regulation in US that requires explicit consent - on top if HIPPA - which did not cover explicit consent HIPPA has a 'burden of proof' requirement Discussion about interoperability between domains, parsing and
Deferred	Specification update approach		Discovery approach leading to backlog leading to prioritization? How do we decide what changes we must do in this round versus deferrable changes? See https://github.com/KantaraInitiative/consent-receipt-v-next See a flowchart version of this here: https://share.mindmanager.com/#publish/b-DWOcuKGnVY1PXBKXTpL0-DQOeqmZMGfGUAPiC5
5 min	AOB	Sneha	Update from Sphere Identity about ID4D challenge "How could an identity solution work for 1 Billion people"
	Next meeting		*** Next call 2019-03-14 10:30 am Eastern DAYLIGHT Time / 15:30 GMT https://global.gotomeeting.com/join/323930725

Browser not supported