
P3WG Plenary Meeting 20 September 2012

Date and Time

  • Date: Thursday, 20 September 2012
  • Time: 08:00 PT | 11:00 ET | 15:00 UTC (time chart)
  • Dial in info:
    Skype: +99051000000481
    North American Dial-In: +1-805-309-2350
    Conference ID: 402-2737

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Review minutes: P3WG Meeting Minutes 2012-09-06
  2. Privacy Assessment Criteria
  3. AOB
  4. Adjourn


Attendees

Quorum is 4 of 7 as of 23 August 2012.

Staff:

  • Heather Flanagan (scribe)

Non-Voting

Apologies:

  • Colin Soutar

Minutes & Notes

Administration

Motion for minutes -


Discussion

  1. Privacy Assessment Criteria
    1. Email from Ann Geyer to P3WG list:
Questions for discussion
1. For each of the assessment questions listed below, what level of assessment do we expect (observer, inquire, inspect)?
2. Do we want to indicate any "passing criteria" or examples of acceptable practices for any of the questions listed?
3. What additional questions or lines of inquiry are warranted?


2.1.1 Adequate Notice (From the US Fed Profile--Kantara's Additional Requirements)

Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.

Existing Assessment Guidance
Suggested Assessment Questions:

1. Is the notice written in plain language so that it is easily understood by the average user?
2. Does the notice convey what information is being transmitted, the user’s options, and the outcome of not transmitting the information?
3. Is the user information being transmitted the same information that is described in the notice? Is that the only information being transmitted?
4. Is the notice incorporated into the “opt in” mechanism?
5. If so, is the notice clear, concise, unavoidable, and in real-time?
6. Is the notice merely a linked general privacy policy or terms of service?

Supplemental Explanation:
Adequate notice is a practical message that is designed to help the average user understand how to engage in the authentication transaction, including what information is being transmitted about the user, what options the user has with respect to the transmission of the information, and the consequences of refusing any transmission. For example, if the information to be transmitted is required by the Relying Party for the authentication, the notice should make clear that the transmission is required and refusal will cancel the transaction and return the user to the Relying Party’s website for further assistance. If the information to be transmitted is not required for authentication, but, for example, will be collected by the Relying Party in order to provide the service requested by the user more conveniently, the notice should make this distinction clear and indicate that if the user refuses the transmission, the user will be able to provide the information directly on the Relying Party’s website. Assessors and Auditors should look for a notice that is generated at the time of the authentication transaction. The notice should be in visual proximity (i.e. unavoidable) to the action being requested, and the page should be designed in such a way that any other elements on the page do not distract the user from the notice. The content of the notice should be tailored to the specific transaction. The notice may be divided into multiple or “layered” notices if such division makes the content more understandable or enables users to make more meaningful decisions. For these reasons, the notice should be incorporated into the “opt in” mechanism as set forth below. In sum, an Adequate Notice is never just a link somewhere on a page that leads to a complex, legalistic privacy policy or general terms and conditions.
  • Discussion:
