P3WG Meeting Minutes 2012-05-31

Voting

  • Bill Braithwaite
  • Myisha Frazier-McElveen
  • Susan Landau
  • Mark Lizar
  • Anna Slomovic
  • Colin Soutar

Non-voting

  • Nathan Faut
  • Colin Wallis

Kantara Staff:

  • Joni Brennan

Apologies:

  • Tom Smedinghoff

Peter Capek was removed as a voting member following non-attendance at 3 consecutive meetings.
Quorum was achieved; the requirement is 5 voting members (of 9).

Minutes

1. Administrative:

  • Roll Call
  • Discussion of significant topics from 17 May 2012 notes for incorporation into these minutes.
    • The following notes were discussed from the 17 May meeting and adopted into these minutes, with the one amendment as noted in red font.

“There was some confusion in a previous version with the terminology around identity assurance framework. The Privacy Requirements Document expresses the requirements for a particular jurisdiction or industry sector and is not intended to mean that it would be part of the Kantara Identity Assurance Framework. The generic term “identity framework” has now been used to indicate an external framework, such as FICAM.

The term “Privacy Guidance Document” was deemed to be a little ambiguous, in light of its use in other documents sets – this has been re-termed “Privacy Best Practices Document”.

It was suggested that the Privacy Best Practices should relate to all actors within an identity framework – the text has been modified to reflect this. Note that while Best Practices are stated to relate to all actors within the identity framework, the work in progress on the Privacy Assessment Criteria is, of course, focused only on CSPs as per the FICAM framework and the resulting current Kantara assessment process.

Some gaps have been identified between: “Federal Identity, Credentialing, and Access Management: Privacy Guidance for Trust Framework Assessors and Auditors”, issued by FICAM; and the “Identity Assurance Framework: Additional Requirements for Credential Service Providers: US Federal Privacy Criteria”, issued by Kantara. It was noted that these gaps will be clearly noted in the P3WG Privacy Assessment Criteria Document, as discussed by the ad hoc group, and the P3WG Privacy Work Charter document will be updated to reflect this.”

  • Approval of Agenda

The agenda was approved as circulated, with the addition of a discussion of “scheduling” under AOB.

2. Presentation

Due to a last-minute development, this was not able to be presented at the meeting and will be re-scheduled for July.

Presenter:

Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:

OASIS Privacy Management Reference Model

3. Privacy Assessment Criteria

a. P3WG Privacy Work Charter.

http://kantarainitiative.org/confluence/download/attachments/58493818/P3WG+Document+Charter+draft+18+May+2012.docx

The version noted above, inclusive of the changes reflecting the discussions in section 1 of these minutes, was approved.

Motion: Anna Slomovic

Second: Susan Landau

Approved by Unanimous Consent

b. Update on working draft of Privacy Assessment Criteria Document

http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-05-24

There was a discussion regarding the diagram that Nathan (on behalf of ARB) provided to the PAC draft, which is in support of introductory paragraphs that the ARB had previously provided as contextual material.

There was a discussion regarding the recent email discussions about how the Kantara privacy documents relate to existing statutory privacy requirements, and the resulting scope and representations of Kantara assessments. It was decided that this topic needs to be addressed in detail, and that it should be considered in light of a forthcoming Pro Forma Letter of Assessment from the IAWG. The P3WG should review this Pro Forma Letter, along with the appropriate contextual IAF and SAC background material, to determine if it will appropriately address the Privacy Assessment requirements, or whether an addendum or a separate additional letter is required. This issue is tabled until there is more progress on the PAC and the Pro Forma Letter is provided by the IAWG. At that point, the P3WG will invite an IAWG representative to provide said contextual background.

It was noted that, as we consider the requirements for the Letter of Assessment with regards to Privacy Assessment, we may wish to consider the scope and representations of analogous assessments, such as ISO 9000 or ISO 15408.

4. Future Presentations

June 14
Presenter:

Joshua Harris, Associate Director of the Office of Technology and Electronic Commerce, US Department of Commerce, Vice-Chair of the APEC ECSG Data Privacy Sub-Group
Topic:

APEC Cooperation Arrangement for Cross-Border Privacy Enforcement

June 21
Presenter:

Steve Johnston, Senior Security and Technology Advisor at Office of the Privacy Commissioner of Canada
Topic:

ISO/IEC SC27 WG 5 Identity Management and Privacy

June 28
Presenter:

Naomi Lefkovitz, Senior Privacy Advisor, Information Technology Laboratory, National Institute of Standards and Technology, Department of Commerce
Topic:

Updates on FICAM and NSTIC, and feedback on PAC

July TBD
Presenter:

Gershon Janssen, Secretary, OASIS Privacy Management Reference Model Technical Committee
Topic:

OASIS Privacy Management Reference Model

5. AOB

Joni noted that she is exploring options for program management and that an individual is currently available who would be appropriate to cover a few WGs, such as IAWG, HIAWG and P3WG. This person is not available at the currently scheduled time of the P3WG call. We will continue without program management for June and Joni will issue a doodle poll to assess other available meeting times for the P3WG meeting from July onwards.

6. Meeting Adjourned