...
- Notification of IP and antitrust notice.
- Review of the updates to the group’s working Google Doc.
- We shouldn’t need to go into each and every regulation, as they will vary from location to location.
- Pagona suggested a number of principles that can be used. She would like a global reaction, and would like responses.
- Pagona would like someone with a standards background to review which of the standards listed in question #1 should apply.
- Drummond noted that the question is about whether or not specific standards should be required or suggested as part of the GHPC output.
- Pagona brought up the application of “zones” to the questions. We discussed this approach.
- Ann brought up the question of how consent works with the requirement for health passports where there are people who do not want to consent. This is a difficult question.
- Pagona suggests that we provide a list of assessment criteria. Drummond noted that this would likely be part of the governance framework. He likes the approach of providing recommendations to those who are doing the evaluations.
- We discussed the importance of data security (e.g., encryption, privacy, etc.).
- Tony brought up a discussion in yesterday’s Credential Schema group regarding consent wherein the use policy would be presented to the holder as part of the request.
- Abdul Sattar wondered if there would be a need for a revocation as part of the consent. Drummond asked how that would relate in the case where sharing is a one-time consent. This is based on whether or not data is being retained beyond the bare minimum required by law.
- This led to a conversation on the importance of restriction of use on the Verifiers.
- We discussed the potential of unintended consequences of expansion of use.
- We discussed the use of zero-knowledge proofs.
- Trev brought up the possibility of data sunsetting.
- Jim noted that we should also look at ISO 29100.
Chat Log
- 10:03:13 From Robin Renwick (IE) to Everyone : hello. I am here officially in an observer capacity as IP issues are not yet signed. Thank you.
- 10:03:27 From Trev Harmon to Everyone : Hi Robin. Happy to have you join us.
- 10:09:02 From Drummond Reed to Everyone : Ann, great to have you join us
- 10:12:19 From Drummond Reed to Everyone : +1 to those suggestions
- 10:14:52 From Jim StClair to Everyone : I can assist with security standards
- 10:28:44 From Drummond Reed to Everyone : Yes, the Credential Formats, Signatures, and Exchange Protocols Drafting Group will be specifying the on-the-wire security. The rest of it will be wallet hosting (as Tony is saying) and key management.
- 10:29:05 From Drummond Reed to Everyone : That is where the list of data security standards at the start of the call come in.
- 10:31:08 From Drummond Reed to Everyone : This is where we can in fact specify the purpose and use limitations.
- 10:36:05 From Jim StClair to Everyone : I know Jan is on here, so let me add that ISO 29100 can be considered for Privacy as part of the framework
- 10:36:57 From Drummond Reed to Everyone : I really like the idea of this very specific purpose and usage limitation
- 10:39:17 From Jim StClair to Everyone : Retain data as permitted by consent
- 10:40:37 From Robin Renwick (IE) to Everyone : +1 to the ‘classification of personal data’ conversation! - it’s the basis of the legal basis, and the legal implications.
- 10:41:29 From Drummond Reed to Everyone : There is definitely personal data transmitted as part of a verifiable credential proof transmitted to the verifier. However we are saying the only data retention allowed is what is necessary for legal compliance.
- 10:44:56 From Jim StClair to Everyone : This also means “forcing” agreement of minimal data sets and abstraction of data from rules determinations
- 10:46:10 From Drummond Reed to Everyone : Yes, Jim, we could also do that. It feels like we need to specify the purpose and data retention limitations.
- 10:48:22 From Drummond Reed to Everyone : This is a key reason we want to require zero-knowledge proof (ZKP)-based credentials.
- 10:48:57 From Jim StClair to Everyone : +1 to both
- 10:50:05 From Jim StClair to Everyone : It’s personal data elements without compromising PII/PHI
- 10:50:55 From Tony Rose to Everyone : Bbs+++ 😎
- 10:53:07 From Drummond Reed to Everyone : +1 to this being part of Privacy and Data Protection
- 10:53:36 From Robin Renwick (IE) to Everyone : https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/covid-19-digital-green-certificates_en#documents
- 10:55:13 From Drummond Reed to Everyone : +1!
- 10:55:22 From Jim StClair to Everyone : https://www.cigionline.org/articles/whats-really-stake-vaccine-passports
- 10:56:51 From Drummond Reed to Everyone : This is a hugely important policy decision about purpose limitation and data retention limitation. It could be one of the hallmarks of what distinguishes a Good Health Pass!
...