P3WG Plenary Meeting 24 January 2013

Date and Time

Date: Thursday, 24 January 2013
Time: 08:00 PT | 11:00 ET | 16:00 UTC (time chart)
Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Review minutes: P3WG Meeting Minutes 2012-10-04, P3WG Meeting Minutes 2012-10-18
Discussion
1. Privacy By Design liaison relationship with OASIS
2. Privacy Assessment Criteria - update
AOB
Adjourn

Attendees

Colin Soutar
Bill Braithwaite

Quorum is 3 of 5 as of 10 January 2013

Staff

Heather Flanagan (scribe)
Andrew Hughes

Non-Voting

Anna Slomovic
Colin Wallis
Tom Smedinghoff
Peter Capek

Apologies:

Minutes & Notes

Administration

Motion for minutes -

Discussion

Privacy By Design liaison

Privacy By Design = "The OASIS PbD-SE TC provides privacy governance and documentation standards for software engineers. It enables software organizations to embed privacy into the design and architecture of IT systems, without diminishing system functionality. "
Ontario Privacy Commissioner= http://privacybydesign.ca/
Very short call; it is a new group in OASIS (they have had all of 2 calls so far); HF has pointed them the current version of the PAC, and they will be crafting a liaison statement to work with Kantara
we are more in to assessing privacy against a criteria, and they are interested in making sure privacy considerations are built in to tools; the efforts are complimentary in that if Privacy By Design is applied, then it is more likely that tool/site will pass through a PAC
to the extent that there is overlap between our groups, it will likely be in the Best Practices space

Review of the Privacy Assessment Criteria - PAC v 1.7 WD.doc

Need clarification on how this relates to the IAF since there are several points on notification in the IAF that do not seem to take in to account the PAC
- where is the distinction between the requirements and the assessment against those requirements? We are working on an assessment document based on a set of requirements, and they may not be taking in to account or relate in any way to the other requirements being developed
- a notice is required out of both the IAF and the PAC - but is is the same notice?
- the IAF was developed in the IAWG, and 2 years ago in absence of information from the P3WG, they put in some provisions for privacy assessment, but the intent was to change/update their information with whatever the P3WG provides through the PAC
- the IAF is up for ballot right now; we should put it on record that we are developing the PAC and that the IAWG should replace their privacy components with the PAC when it is published
- in addition to that, we should tie what we're doing with what we're going to what is going to be replaced; make sure that the references match, when the PAC talks about service definitions, we shouldn't replicate that since its already in the IAF
- it will be up to the applicant and assessor what is applicable to the applicant at the time of the assessment; we should just provide guidance
- ColinS and Tom will reach out to Myisha to schedule a joint call between IAWG and P3WG to review the overlap and discuss how the documents will relate going forward
3.4.4 and 3.4.5 are the two sections Peter is currently focusing on, incorporating comments from previous discussions
- a pseudonym is an identifier generally created by the CSP but it may ALSO be created by the RP; under auditing considerations, will need to reflect that potential flow - should we limit this to the creation by the CSP? no, there does not need to be any such specific requirement - concern withdrawn
- 3.4.5 title changed; need to be careful with this section, and need to understand the relationship between what data is retained, what is required for operation of the service, and what is required by law; so there might be a statement that the auditor should inspect the rational for the data being retained and whether the analysis has been done; they should also ask what does required by law mean - is it in response to specific subpoena, legislation, or something else; is this just part of the request for evidence of conformance? Peter to flesh out this section some more
Next steps?
- Peter to continue the edits and send out next items for discussion prior to the next call; overall the tenor of the changes and the method makes sense

AOB

Next call

Date: February 7, 2013
Time: 08:00 PT | 11:00 ET | 15:00 UTC (time chart)
Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737

Browser not supported