P3WG Meeting Notes 2013-01-24

P3WG Plenary Meeting 24 January 2013

Date and Time

  • Date: Thursday, 24 January 2013
  • Time: 08:00 PT | 11:00 ET | 16:00 UTC (time chart)
  • Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Review minutes: P3WG Meeting Minutes 2012-10-04, P3WG Meeting Minutes 2012-10-18
  2. Discussion
    1. Privacy By Design liaison relationship with OASIS
    2. Privacy Assessment Criteria - update
  3. AOB
  4. Adjourn

Attendees

  • Colin Soutar
  • Bill Braithwaite

Quorum is 3 of 5 as of 10 January 2013

Staff

  • Heather Flanagan (scribe)
  • Andrew Hughes

Non-Voting

  • Anna Slomovic
  • Colin Wallis
  • Tom Smedinghoff
  • Peter Capek

Apologies:

Minutes & Notes

Administration

Motion for minutes -

Discussion

Privacy By Design liaison
  • Privacy By Design = "The OASIS PbD-SE TC provides privacy governance and documentation standards for software engineers. It enables software organizations to embed privacy into the design and architecture of IT systems, without diminishing system functionality."
  • Ontario Privacy Commissioner = http://privacybydesign.ca/
  • Very short call; it is a new group in OASIS (they have had all of 2 calls so far); HF has pointed them to the current version of the PAC, and they will be crafting a liaison statement to work with Kantara
  • we are more into assessing privacy against criteria, and they are interested in making sure privacy considerations are built into tools; the efforts are complementary in that if Privacy By Design is applied, then it is more likely that a tool/site will pass through a PAC
  • to the extent that there is overlap between our groups, it will likely be in the Best Practices space
Review of the Privacy Assessment Criteria - PAC v 1.7 WD.doc
  • Need clarification on how this relates to the IAF since there are several points on notification in the IAF that do not seem to take into account the PAC
    • where is the distinction between the requirements and the assessment against those requirements? We are working on an assessment document based on a set of requirements, and they may not be taking into account or relate in any way to the other requirements being developed
    • a notice is required out of both the IAF and the PAC - but is it the same notice?
    • the IAF was developed in the IAWG, and 2 years ago, in the absence of information from the P3WG, they put in some provisions for privacy assessment, but the intent was to change/update their information with whatever the P3WG provides through the PAC
    • the IAF is up for ballot right now; we should put it on record that we are developing the PAC and that the IAWG should replace their privacy components with the PAC when it is published
    • in addition to that, we should tie what we're doing to what is going to be replaced; make sure that the references match; when the PAC talks about service definitions, we shouldn't replicate that since it's already in the IAF
    • it will be up to the applicant and assessor what is applicable to the applicant at the time of the assessment; we should just provide guidance
    • ColinS and Tom will reach out to Myisha to schedule a joint call between IAWG and P3WG to review the overlap and discuss how the documents will relate going forward
  • 3.4.4 and 3.4.5 are the two sections Peter is currently focusing on, incorporating comments from previous discussions
    • a pseudonym is an identifier generally created by the CSP but it may ALSO be created by the RP; under auditing considerations, will need to reflect that potential flow - should we limit this to the creation by the CSP? no, there does not need to be any such specific requirement - concern withdrawn
    • 3.4.5 title changed; need to be careful with this section, and need to understand the relationship between what data is retained, what is required for operation of the service, and what is required by law; so there might be a statement that the auditor should inspect the rationale for the data being retained and whether the analysis has been done; they should also ask what "required by law" means - is it in response to a specific subpoena, legislation, or something else; is this just part of the request for evidence of conformance? Peter to flesh out this section some more
  • Next steps?
    • Peter to continue the edits and send out next items for discussion prior to the next call; overall the tenor of the changes and the method makes sense

AOB

Next call

  • Date: February 7, 2013
  • Time: 08:00 PT | 11:00 ET | 15:00 UTC (time chart)
  • Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737