P3WG Meeting Notes 2011-07-28
Attendees:
Anna Slomovic
Mark Lizar
Colin Soutar
Hedy Kirkby
Apologies:
Ann Geyer
Staff:
Dervla O'Reilly
Minutes:
1. Roll Call - (Quorum Not Reached)
2. Privacy Assessment Criteria - status update
The LC approved the group moving forward with the FICAM privacy profile. Joni and Anna discussed finding additional funding. Joni will reach out to the Internet Society. Bob is on vacation until August 8; we will need to update the contract based on any changes or input and then move forward.
3. Updates
- Leadership Council (LC) call update
- Mark provided an LC update: the LC approved moving forward with the FICAM privacy profile. Funds were re-allocated so that we can start on the Privacy Assessment Criteria right away, as this is time critical.
- Kantara response to National Strategy for Trusted Identities in Cyberspace (NSTIC ) Notice of Inquiry (NOI)
- Kantara submitted the report by the July 22 deadline; an 18-page document was provided. Our input was a collection of thoughts rather than processes. NSTIC hopes to review the comments and respond in September.
- Mark was on the NSTIC working group; the response was received by the LC and submitted to NIST.
- There were 50 submissions and revisions to the Notice of Inquiry.
- We discussed the substantive response. (Action: Mark to send the Kantara NOI and NIST comment references to the list.)
- Mark reported that the NSTIC Steering Group Notice of Inquiry was a call for comments on what a steering group will need to accomplish for identity standards interoperability.
- Anna noted that the response revolved around Kantara's experience in this area, already running an international standards community in identity management. Kantara presents a successful model that produces standards and interoperability.
- Jeremy Grant indicated that NSTIC is hoping to respond to the submitted NOIs in September.
- The EFF and Liberty responses focused on consumer protection advocates and strong privacy protection, something we should also review.
- Action: Mark to look up the EFF and Liberty input.
- Guidance on the Article 29 Working Group Consent Report
- Much conversation about consent for data processing. The problem is the choice between using the application or not, entering a system or not. Just because you gave consent, it may not be the consent that was originally intended. The Article 29 Working Group has made the case clear regarding what constitutes consent. It will be interesting to see what transpires as NSTIC progresses.
- Clarifies what constitutes consent and the extent to which data protection can be relied upon.
- Consent in regard to 'guaranteeing Fair Processing'.
- Anna brings up an interesting question on attribute-level consent. What happens if an individual doesn't want to share an attribute? Does the service get withdrawn? Looking at the power distribution and at consent as a mechanism.
- Hedy - In Canada, in such circumstances PIPEDA principles would be examined against the needs for the attributes provided by the
- The organization would have to do it according to how it applies in law.
- In Canada a number of limiting principles come into play. Strength of enforcement is currently under review; the process goes from a complaint to the Privacy Commissioner before going to court.
- Hedy makes a proposal to have a meeting focused on identity management in Canada. We can share documents.
- Action: Anna: Hedy and Anna to schedule a meeting in September. The goal of the call is to discuss Canadian identity management solutions.
- Hedy to provide Canadian feedback, Anna FICAM/US feedback, Mark EU feedback.
- Call for comments due Sept 2: latest privacy control document, NIST SP 800-53, Appendix J.
- There is a call for comments; we can look at that as a collective group and provide input from various regions (Canada, U.S., Europe). They have added privacy controls, which makes it convenient to cross-walk to other frameworks; that gives a way to make it work and solve some interoperability issues.
- Lots of interest in evaluating this appendix against Canadian and EU law.
- Anna: what is interesting is that the NIST appendix is a cross-walk for industry standards into the federal government; Equifax was asked how it complies with NIST 800 as a government supplier. This makes the appendix part of an active standard in the US, which makes it very important.
- So we discussed the response, in two pieces: 1. Compare NIST against FICAM guidance. 2. Does NIST 800 support an interoperable privacy standard, and what could be added?
- Questions to review while commenting: What are the notification requirements for assessment with and without consent? Does this appendix interoperate with existing law internationally? Do the standards strengthen and coexist with existing privacy legislation and practices? What are other jurisdictional interpretations of this standard? What are the legal comparisons (discovery)? (Quote relevant US, Canadian, EU and NZ laws.) In assessment, would NIST accommodate notification requirements in each jurisdiction?
- Action: Hedy and Mark to meet and each develop a couple of paragraphs to start this document, and send them to Anna. (Action: Mark to send email to Hedy.) we could
- The plan is to get something drafted for the next meeting and then submit it to the Kantara community (if appropriate) for comment and input. If the process moves fast enough, perhaps even get a motion for Kantara to formally approve the comments before submission. (Action: Mark to send a note to Joni asking about the appropriate protocol.)
- FTC, DOC and industry-led privacy rules of behavior in the US
- Additional issues: convening industry groups to develop their own codes of conduct and having the FTC enforce them.
- This is interesting because the NIST appendix discusses memoranda, which would work very well with formalizing codes of conduct.
- Watch out for the companies that are good at publicly stating their intentions, while companies that are not compliant simply do not comply.
- Hedy: in Canada, the codes of practice were written by industry and adopted in their entirety into the law. A meaty law was made to reference this code of practice and passed to control
- This then moves the reliance on to legal requirements.
- Concern that the US will continue a sectoral approach, as there are outliers that require greater regulation and are not interoperable or accountable across sectors.
- A big distinction between sectoral and jurisdictional approaches. In NSTIC, the idea is to draw out the common elements.
- A common set of requirements for identity providers, like the IAWG's set of core principles for identity proofing.
- What are the common elements that Kantara can point out across the privacy domain?
- The P3 intent is to gather these criteria and focus on FICAM, as it is a pressing requirement, especially leading into NSTIC discussions.
- Colin and Anna agree, with the clarification that FICAM is one interpretation of standards and implementation, and that the need to consider it from other jurisdictional perspectives is an important approach to take. Anna makes the point that it is the focus of the criteria because of timing and the needs of Kantara programs. We are able to use this to explore interoperability of privacy assessments.
4. AOB:
Government of Canada would like to make a presentation in September. Anna Ticktin to schedule.
5. Actions:
- Anna: Hedy and Anna to schedule a meeting in September. The goal of the call is to discuss Canadian identity management solutions.
- Mark and Hedy to meet to create the first couple of paragraphs each of the NIST response.