P3WG Meeting Notes 2012-05-17
Notes from 17 May 2012 P3WG teleconference
Attendees:
Voting
- Colin Soutar
- Anna Slomovic
- Mark Lizar
Non-voting
- Gershon Jensen
- Nathan Faut
Apologies:
- Tom Smedinghoff
- Aaron Brauer-Rieke
- Myisha Frazier-Mc-Elveen
Kantara Staff:
- Joni Brennan
Notes
1. Administrative:
Roll Call
19 April 2012 minutes.
- http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-04-19
- Approval deferred to next call due to lack of quorum.
2. Privacy Assessment Criteria
a) Further review and discussion of draft P3WG Privacy Work Charter.
The 17 May draft was discussed.
The following three points were noted:
There was some confusion in a previous version with the terminology around identity assurance framework. The Privacy Requirements Document expresses the requirements for a particular jurisdiction or industry sector and is not intended to mean that it would be part of the Kantara Identity Assurance Framework. The generic term “identity framework” has now been used to indicate an external framework, such as FICAM.
The term “Privacy Guidance Document” was deemed to be a little ambiguous, in light of its use in other documents sets – this has been re-termed “Privacy Best Practices Document”.
It was suggested that the Privacy Best Practices should relate to all actors within an identity framework – the text has been modified to reflect this. Note that while Best Practices are stated to relate to all actors within the identity framework, the work in progress on the Privacy Assessment Criteria is, of course, focused only on CSP’s as per the FICAM framework and current Kantara assessment process.
The following additional point was discussed and noted:
Some gaps have been identified between: “Federal Identity, Credentialing, and Access Management: Privacy Guidance for Trust Framework Assessors and Auditors”, issued by FICAM; and the “Identity Assurance Framework: Additional Requirements for Credential Service Providers: US Federal Privacy Criteria”, issued by Kantara. It was noted that these gaps will be clearly noted in the P3WG Privacy Assessment Criteria Document, as discussed by the ad hoc group, and the P3WG Privacy Work Charter document will be updated to reflect this.
Attached is the updated document, dated 18 May 2012.
b) Update on working draft of Privacy Assessment Criteria Document
The Ad-Hoc calls will resume on the 24th May with “Consent” being the next Requirement for which Criteria will be developed. As a reminder, Ann Geyer is working with the Ad Hoc group to step through each of the FICAM Requirements individually, after which the collective set of Privacy Assessment Criteria will be re-reviewed.
3. Upcoming Presentations
May 31
Presenter:
Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:
OASIS Privacy Management Reference Model
June 7
Presenter:
Steve Johnston, Senior Security and Technology Advisor at Office of the Privacy Commissioner of Canada
Topic:
ISO/IEC SC27 WG 5 Identity Management and Privacy
June 14
Presenter:
Joshua Harris, Associate Director of the Office of Technology and Electronic Commerce, US Department of Commerce, Vice-Chair of the APEC ECSG Data Privacy Sub-Group
Topic:
APEC Cooperation Arrangement for Cross-Border Privacy Enforcement
4. AOB
Joni met with Naomi Lefkovitz last week. Naomi was formerly the privacy lead for FICAM and is now privacy lead with NSTIC.
Naomi has agreed to present her thoughts to the P3WG (tentatively set for 28 June 2012), regarding FICAM/NSTIC and the direction of the Privacy Assessment Criteria. For her review, the current draft of the P3WG Privacy Work Charter document will be sent to her, and the Privacy Assessment Criteria draft will be forwarded to her, shortly after the 7 June ad hoc call.
Joni provided an update of other highlights of the Privacy Identity Innovation - PII 2012 – conference. There was a good percentage of attendees (~75%) that were not traditional identity experts, but were more focused on the privacy aspects, so it was a good opportunity to spread the P3WG message. Joni noted that the general theme supported a migration from an “opt-out of an ambiguous set of privacy regulations” to “opt-in to a clearly-defined and articulated set of requirements” and that this was engendering much more trust with users.
5. Meeting Adjourned