Attendees

Agenda Items

Time     Item                                           Who
5 min    Introductions                                  New group members
2 min    Welcome & antitrust policy notice              TBC
         Review of group's Google Doc and next steps    Everyone
3 min    Wrap up                                        Chair

Notes

  • Notification of IP and antitrust notice.
  • Review of the updates to the group’s working Google Doc.
  • We shouldn’t need to go into each and every regulation, as they will vary from location to location.
  • Pagona suggested a number of principles that can be used. She would like a global reaction, and would like responses.
  • Pagona would like someone with a standards background to review which of the standards listed in question #1 should apply.
  • Drummond noted that the question is about whether or not specific standards should be required or suggested as part of the GHPC output.
  • Pagona brought up the application of “zones” to the questions. We discussed this approach.
  • Ann brought up the question of how consent works with the requirement for health passports where there are people who do not want to consent. This is a difficult question.
  • Pagona suggests that we provide a list of assessment criteria. Drummond noted that this would likely be part of the governance framework. He likes the approach of providing recommendations to those who are doing the evaluations.
  • We discussed the importance of data security (e.g., encryption, privacy, etc.).
  • Tony brought up a discussion in yesterday’s Credential Schema group regarding consent wherein the use policy would be presented to the holder as part of the request.
  • Abdul Sattar wondered if there would be a need for a revocation as part of the consent. Drummond asked how that would relate in the case where sharing is a one-time consent. This is based on whether or not data is being retained beyond the bare minimum required by law.
  • This led to a conversation on the importance of restriction of use on the Verifiers.
  • We discussed the potential of unintended consequences of expansion of use.
  • We discussed the use of zero-knowledge proofs.
  • Trev brought up the possibility of data sunsetting.
  • Jim noted that we should also look at ISO 29100.

Chat Log

10:03:13 From  Robin Renwick (IE)  to  Everyone : hello. I am here officially in an observer capacity as IP issues are not yet signed. Thank you.
10:03:27 From  Trev Harmon  to  Everyone : Hi Robin. Happy to have you join us.
10:09:02 From  Drummond Reed  to  Everyone : Ann, great to have you join us
10:12:19 From  Drummond Reed  to  Everyone : +1 to those suggestions
10:14:52 From  Jim StClair  to  Everyone : I can assist with security standards
10:28:44 From  Drummond Reed  to  Everyone : Yes, the Credential Formats, Signatures, and Exchange Protocols Drafting Group will be specifying the on-the-wire security. The rest of it will be wallet hosting (as Tony is saying) and key management.
10:29:05 From  Drummond Reed  to  Everyone : That is where the list of data security standards at the start of the call comes in.
10:31:08 From  Drummond Reed  to  Everyone : This is where we can in fact specify the purpose and use limitations.
10:36:05 From  Jim StClair  to  Everyone : I know Jan is on here, so let me add that ISO 29100 can be considered for Privacy as part of the framework
10:36:57 From  Drummond Reed  to  Everyone : I really like the idea of this very specific purpose and usage limitation
10:39:17 From  Jim StClair  to  Everyone : Retain data as permitted by consent
10:40:37 From  Robin Renwick (IE)  to  Everyone : +1 to the ‘classification of personal data’ conversation! - it’s the basis of the legal basis, and the legal implications.
10:41:29 From  Drummond Reed  to  Everyone : There is definitely personal data transmitted as part of a verifiable credential proof transmitted to the verifier. However we are saying the only data retention allowed is what is necessary for legal compliance.
10:44:56 From  Jim StClair  to  Everyone : This also means “forcing” agreement of minimal data sets and abstraction of data from rules determinations
10:46:10 From  Drummond Reed  to  Everyone : Yes, Jim, we could also do that. It feels like we need to specify the purpose and data retention limitations.
10:48:22 From  Drummond Reed  to  Everyone : This is a key reason we want to require zero-knowledge proof (ZKP)-based credentials.
10:48:57 From  Jim StClair  to  Everyone : +1 to both
10:50:05 From  Jim StClair  to  Everyone : It’s personal data elements without compromising PII/PHI
10:50:55 From  Tony Rose  to  Everyone : Bbs+++ 😎
10:53:07 From  Drummond Reed  to  Everyone : +1 to this being part of Privacy and Data Protection
10:53:36 From  Robin Renwick (IE)  to  Everyone : https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/covid-19-digital-green-certificates_en#documents
10:55:13 From  Drummond Reed  to  Everyone : +1!
10:55:22 From  Jim StClair  to  Everyone : https://www.cigionline.org/articles/whats-really-stake-vaccine-passports
10:56:51 From  Drummond Reed  to  Everyone : This is a hugely important policy decision about purpose limitation and data retention limitation. It could be one of the hallmarks of what distinguishes a Good Health Pass!


Action Items

  1. The group needs to provide contributions to the documents. Please look at it and provide comments before our next meeting on Thursday.
  2. Trev to add information from the Digital Green Certificate.