P3WG Meeting Minutes 2012-03-08

Attendees:

Colin Soutar
Ann Geyer
Aaron Brauer-Rieki
Jeff Stollman
Susan landau
Colin Wallis
Peter Capek
Tom Smedinghoff
Mark Lizar
Nathan Faut

Apologies:
Anna Slomovic
Bill Braithwaite
Myisha Frazier McElveen

Staff:
Anna Ticktin

Minutes:

1. Administrative:

• Roll Call
• Motion for minutes approval: 23 Feb 2012
• Ann moves to approve the minutes as captured. Colin Wallis seconds. With no objection, the minutes are approved.

• ACTION ITEM REVIEW:
• 20120223-01 Colin will take a stab at a second round of refining the framework of the PAC reflective of the discussion today.

• NSTIC update: Kantara will not be submitting any proposals but will support any wg-sponsored effort.

2. PAC---discussion continued

• Draft document sent to the list from Colin Soutar on 7 Mar 2012.
• Document framework posted on wiki: http://kantarainitiative.org/confluence/display/p3wg/proposed+PAC+framework_V1_0++from+Colin+S.
• Colin stepped participants through his draft proposal on the framework of the PAC.

• Susan notes that Joni's comments to the list on 23 Feb are not included.
• "The concept entails a kind of phased approach regarding specific Privacy Criteria for compliance.  Phase 1 capture what we (collective we) know needs to be fulfilled in terms of compliance (this is set by governments, regulators etc).  That phase is the starting point.  Phase 2 starts to approach the stretch goals and predictions.  For example: We know X must be done to satisfy regulations today.  Additionally, we predict (based on research and discussion with stakeholders) that Y will become a regulation / best practice in the future.  So orgs would do well to do X and Y if they can today.  But today only X is required. What this approach does is allow for current practices and technologies to comply with the regulations of today... but it starts to position the next steps as to the direction we believe privacy regulation and best practices will push toward in the future.  This approach is meant NOT to create barriers - but a hard line on what's needed RIGHT NOW for compliance ---- and then starts to drive the discussions and developments toward the future regulations and constraints a particular jurisdiction or vertical might have."

• FICAM is imposing legal requirements on businesses above and beyond the law.
• The wg discussed and arrived at consensus around inclusion of the following concept:  Certification and validation should be done at an entity level to ensure there is a process for validation in place on the upstream and downstream parties. Ann will draft some language and make a recommendation for the next draft.
• The PAC is meant to provide direct guidance (a criteria set) for assessors to assess against IDPs.
• Secondarily, there can be a practice statement directing assessors to flag issues, or findings deemed problematic and redirect those observations back to the IDP.
• The discussion arrives at the following statement: P3 wishes to expand the criteria set beyond the profile.
• How is the P3 addressing the FICAM Assessors Guidance approved by the ARB last Sept 2011.
• Relevant industry documents need to be pulled and grouped on the wiki for the P3 to have working access to.
• Examples: matrix of FICAM requirements, documents in existence to date,  a graphic of what the document set looks like from top to bottom illustrating hierarchical relationships.
• Ann has pulled comments from Jeff Stollman and David Simonsen. She will include Colin's introduction and repost the revisions of the document in advance of next Thursday's working session. Colin proposes a comment disposition in the working session next week.

3. AOB

Adjourn