Attendees

Agenda Items

Time | Item | Who
2 min | Welcome & Antitrust Policy Notice | Trev
 | Open topics discussion | 
3 min | Wrap up | Pagona

Notes

  • Review of the antitrust and IP requirements
  • Our main discussion point is around the technology at the end of the pandemic.
  • Ann mentioned that the position that has been taken is after the pandemic.
  • Peter noted that this is a question of scope: whether this is about just COVID or something beyond that.
  • A discussion on scope then followed.
  • Chuck brought up the regulation regarding retention that is being considered by policy makers in the EU and now the US.
  • Pagona suggested that this means we leave the question of retention to the policy makers to handle regionally.
  • Drummond shared the slides regarding credentials and passes (slides #10-12). https://docs.google.com/presentation/d/1fM-EpIdLGdKniFjHR4ZhdgFA-HBSEmpMai8ljqti4Gw/edit#slide=id.gcbdd182e9d_0_144
  • We discussed how this would work at the airport terminal counter, in terms of data retention, laws, and ZKPs.
  • All passes, even yes/no passes, should be treated as PHI.
  • Trev noted some things from the reading of S.81: https://www.congress.gov/bill/117th-congress/senate-bill/81/text
  • Jan brought up the Irish DPIA as a potential template for risk assessment. https://www.hse.ie/eng/gdpr/data-protection-covid-19/data-protection-impact-assessment.pdf
  • There are a number of different methodologies for risk assessments and data protection assessments. In the EU, a data protection assessment has a specific meaning because of the GDPR framework. However, this approach (process and assessment) can also be used elsewhere.
  • Jim presented a question earlier on Slack regarding wallet security, and is interested in scope. Jim is monitoring the work on this in DIF. Jan would like questions asked about vulnerability testing. Jim noted that right now the DIF group is probably focusing on secure coding practices. This is meant to be a bulwark against other malicious processes on one’s device.
  • We’re unsure whether the DIF wallet security group has anything for us to reference.
  • Jan is taking on the privacy part of the risk assessment. Scott is taking on the security part.
  • Chuck brought up the limits of what is currently happening from an operational point of view in terms of consent, data management, etc. We need to keep this in mind, and we should include it in the “what’s happening now” section.

Chat Log

00:12:24	Drummond Reed:	I have a suggestion based on how the architecture is working out between credentials and passes.
00:14:48	Drummond Reed:	Trev, you go first
00:22:28	Trev Harmon:	These are the slides that Drummond is showing:
https://docs.google.com/presentation/d/1fM-EpIdLGdKniFjHR4ZhdgFA-HBSEmpMai8ljqti4Gw/edit#slide=id.gcbdd182e9d_0_144
This part starts at slide #10.
00:42:22	Trev Harmon:	S.81 - Public Health Emergency Privacy Act
https://www.congress.gov/bill/117th-congress/senate-bill/81/text
00:44:22	Drummond Reed:	I don’t believe Jan, I think he’s just been out for a swim and making up an excuse for being late ;-)
00:45:04	Jan Lindquist:	https://www.hse.ie/eng/gdpr/data-protection-covid-19/data-protection-impact-assessment.pdf


Action Items