Attendees
- Abdul Sattar
- Alan Whitemore
- Chuck Curran
- Daniel Bachenheimer
- Drummond Reed
- Jan Lindquist
- Kaliya Young
- Ken Adler, Co-chair
- Peter Davis
- Trev Harmon, PM
Agenda Items
| Time | Item | Who |
|---|---|---|
| 2 min | Welcome & Antitrust Policy Notice | Trev |
| Discussion on Problem #10 in the draft | Everyone | |
| 3 min | Wrap up | Ken |
Recording - Link
Notes
- Did the IP and antitrust announcement.
- Chuck provided background information on the edts he has been making in the document.
- Other ecosystems (non–international travel) that might come in will need to define its own set of disclosures.
- Kaliya provided a number of edits to make sure that credentials and passes are being appropriately used. “Good Health Pass solution provider” as a term is only being used in our group.
- Drummond noted that there will be a section written that will be at the start of the outline that will set the stage for the rest of the sections, and we’ll be able to refer back to it.
- Chuck noted that it’s standard (especially in the EU) for there to be data protection/rights agreements for data transfer between two organizations.
- When this is applied into the issuer-holder-verifier world view, the chain is quite complex, especially where the issuer doesn’t have a connection to the verifier.
- Chuck’s perspective is that the data transfer agreement doesn’t work in this circumstance. It may only work if it is ecosystem wide.
- Chuck and Jan are discussing this on the document.
- Jan provided some additional information on the work that he’s done.
- Jan showed a diagram where he added two consent blocks to the “flows” diagram.
- Consent is needed in both the issuer-holder and holder-verifier relationship.
- We would like the language used to capture the consent that is being given.
- When data is being transferred from one organization to another, Jan would like there to be accountability.
- Jan noted that in some jurisdictions that even if the data goes through the holder that the responsibility of the issuer may not be released.
- Since GDPR was done before the issuer-holder-verifier model, it didn’t contemplate it.
- Drummond noted that in the US, with HIPAA the transference of a copy to the holder, which does break that chain.
- Chuck suggested that the data transfer agreement may not be the correct mechanism for us to use, as it may not be best for this to be global requirement.
- Drummond: A code of conduct is something (set of policies) that can be in the governance framework. Drummond is going to follow up on this. Governing Authority -> Governance Framework -> Code of Conduct
- Drummond requested that everyone read the Governance Framework drafts. As part of the governance framework, it states that the organizations under the framework must adhere to the recommendations (MUSTs / SHOULDs / MAYs) in all of the individual “group” documents. Eventually it may be consolidated in a single document, but for right now it will refer to the other documents.
- Chuck suggested and Drummond strongly stated that data transfer agreements shouldn’t be part of this.
- Drummond suggested that consent doesn’t apply when receiving a credential. Jan noted that there does need proper notification. Jan noted that “consent” is an (over)loaded term. We may not all be using the term “consent” in the same way.
- Chuck noted that there is a dialog needed with how this works. Jan and Chuck will work on reconciling terms here.
- Jan asked if it was okay to annotate the general diagrams. Drummond said that it was. We talked about the mechanism to do so.
- We talked about the diagram in terms of the diagram in Problem #10. Jan is going to check with his GDPR lawyer associates.
- Jan provided some ideas to share with the User Experience group in their meeting today:
- From a usability perspective, it’s important for there to be proper notice for informed consent.
- There is a suggestion of a badge system to help with providing transparency with this.
- We had a conversation about the incentives that airlines have for checking the health status. Daniel brought up that what is required at the border is different in terms of data minimization than what is needed for boarding a plane.
Action Items
- Continue clean up of the draft.