Attendees
- Chuck Curran
- Drummond Reed
- Jan Lindquist
- Kaliya Young, WG co-chair
- Pagona Tzormpatzidou, chair
- Peter Davis
- Scott Perry
- Trev Harmon, PM
- Xavier Vila
- Zsombor Szabo
Agenda Items
| Time | Item | Who |
|---|---|---|
| 2 min | Welcome & Antitrust Policy Notice | Trev |
| 5 min | Review of the template | Pagona |
| Topic discussions | Everyone | |
| 3 min | Wrap up | Pagona |
Recording - Link
Notes
- DId the IP / antitrust announcement
- We are going to start with a review of the template.
- Drummond mentioned different groups are using the template in different ways.
- How do we want to handle the phasing approach outlined in the template, especially as our group is going to be dealing primarily with principles.
- We may be able to pull over content from our current KIQ document.
- Drummond, wearing his governance framework hat, would like recommendations that will end up in the governance framework. These would include MUST, SHOULD, and MAY statements.
- Jan had a call with Scott to get a consensus about how we bring in the governance work. Jan is working on privacy, and Scott is working on a higher level.
- Scott said that one of the things that needs to be asked regarding the governance framework is does it require a risk assessment, and does it require that sub-governance frameworks also have a risk assessment.
- The decision that they made was that we did need to have a risk assessment based on ISO 27005 requirements. That proposal has been posted by Scott to the other groups for feedback. There is a hope that this will be a discussion point in tomorrow’s Leads meeting.
- There was a discussion regarding where the work of the risk assessment would live in the current drafting groups. Our group will certainly need to provide input on this.
- Scott mentioned that we are trying to limit / mitigate the risks associated with these transactions. We need to be identifying the risks.
- Pagona noted that if we want policy makers and regulators to look at our work, there needs to be a recognition of how that currently works in privacy regulation.
- Jan has interest in us looking at the notice receipt work that has been done at Kantara. This would be relevant for all three zones.
- Our document does need a table of contents to provide an overview.
- Had a short discussion regarding levels of assurance.
- Drummond asked about integrating in privacy by design principles. Peter asked about the IP rights regarding the proposed content. He is going to put it in the Google Drive as a submission.
- There was a question regarding who the audience is for the deliverables.
https://docs.google.com/document/d/1uml0h7ImzHaZnQPiauhICr_3aztloWVcNRe0K67xKAo/edit?usp=sharing - Drummond provided an overview of the differentiation between a “credential” and a “pass” in the way we are using it. A pass is meant to be the minimal information needed to do a particular action.
- Chuck brought up the article last week’s Washington Post.
- Pagona brought up that in our data minimization section we need to consider levels of assurance and context to determine what requirements we put forward.
- Jan asked if Drummond was looking for machine-readable or human-readable policy statements. Drummond is primarily looking for the human-readable form of governance policies, but we could provide additional example privacy policies.
- Chuck noted that there is a high degree of variance with model privacy policies across jurisdictions. It may be difficult to do more than statements of “my adhere to applicable laws”. Pagona seconded that.
- Chuck brought up the data sunsetting / discarding of data. This has not only been brought up in the EU, but also now in the US government. Our document needs to address this. It’s not the technology that gets sunsetted, but the data. Policy makers are going to be looking for this.
- This conversation is also related to data retention, as well.
- We’ll pick up the conversation on Thursday regarding what our position is going to be on the proposals and approaches to sunset data.
Chat Log
Action Items