View Source

Attendees

Abdul Sattar
Ann Cavoukian
Daryl Thomas
Drummond Reed
Jan Lindquist
Jim St.Clair
Juan Carlos Gonzalez
Kaliya Young, WG Co-chair
Pagona Tsormpatzoudi, Chair
Robin Renwick
Scott Perry
Tony Rose
Trev Harmon, PM
Tricia Loveland
Xavier Vila

Agenda Items

Time	Item	Who
5 min	Introductions	New group members
2 min	Welcome & antitrust policy notice	TBC
	Review of group's Google Doc and next steps	Everyone
3 min	Wrap up	Chair

Recording - Link

Notes

Notification of IP and antitrust notice.
Review of the updates to the group’s working Google Doc.
We shouldn’t need to go into each and every regulation, as they will vary from location and location.
Pagona suggested a number of principles that can be used. She would like a global reaction, and would like responses.
Pagona would like someone with a standards background to review which of the standards listed in question #1 should apply.
Drummond noted that the question is about whether or not specific standards should be required or suggested as part of the GHPC output.
Pagona brought up the application of “zones” to the questions. We discussed this approach.
Ann brought up the question of how consent works with the requirement for health passports where there are people who do not want to consent. This is a difficult question.
Pagona suggests that we provide a list of assessment criteria. Drummond noted that this is something that would likely be something that would be part of the governance framework. He likes the approach of providing recommendations to those who are doing the evaluations.
We discussed the importance of data security (e.g., encryption, privacy, etc.).
Tony brought up a discussion in yesterday’s Credential Schema group regarding consent wherein the use policy would be presented to the holder as part of the request.
Abdul Sattar wondered if there would be a need for a revocation as part of the consent. Drummond asked how that would relate in the case where sharing is a one-time consent. This is based on whether or not data is being retained beyond the bare minimum required by law.
This led to a conversation on the importance of restriction of use on the Verifiers.
We discussed the potential of unintended consequences of expansion of use.
We discussed the use of zero-knowledge proofs.
Trev brought up the possibility of data sunsetting.
Jim noted that we should also look at ISO 29100.

Chat Log

10:03:13 From Robin Renwick (IE) to Everyone : hello. I am here officially in an observer capacity as IP issues are not yet signed. Thank you.
10:03:27 From Trev Harmon to Everyone : Hi Robin. Happy to have you join us.
10:09:02 From Drummond Reed to Everyone : Ann, great to have you join us
10:12:19 From Drummond Reed to Everyone : +1 to those suggestions
10:14:52 From Jim StClair to Everyone : I can assist with security strandards
10:28:44 From Drummond Reed to Everyone : Yes, the Credential Formats, Signatures, and Exchange Protocols Drafting Group will be specifying the on-the-wire security. The rest of it will be wallet hosting (as Tony is saying) and key management.
10:29:05 From Drummond Reed to Everyone : That is where the list of data security standards at the start of the call come in.
10:31:08 From Drummond Reed to Everyone : This is where we can in fact specify the purpose and use limitations.
10:36:05 From Jim StClair to Everyone : I know Jan is on here, so let me add that ISO 29100 can be considered for Privacy as part of the framework
10:36:57 From Drummond Reed to Everyone : I really like the idea of this very specific purpose and usage limitation
10:39:17 From Jim StClair to Everyone : Retain data as permitted by consent
10:40:37 From Robin Renwick (IE) to Everyone : +1 to the ‘classification of personal data’ conversation! - it’s the basis of the legal basis, and the legal implications.
10:41:29 From Drummond Reed to Everyone : There is definitely personal data transmitted as part of a verifiable credential proof transmitted to the verifier. However we are saying the only data retention allowed is what is necessary for legal compliance.
10:44:56 From Jim StClair to Everyone : This also means “forcing” agreement of minimal data sets and abstraction of data from rules determinations
10:46:10 From Drummond Reed to Everyone : Yes, Jim, we could also do that. It feels like we need to specify the purpose and data retention limitations.
10:48:22 From Drummond Reed to Everyone : This is a key reason we want to require zero-knowledge proof (ZKP)-based credentials.
10:48:57 From Jim StClair to Everyone : +1 to both
10:50:05 From Jim StClair to Everyone : It’s personal data elements without compromising PII/PHI
10:50:55 From Tony Rose to Everyone : Bbs+++ 😎
10:53:07 From Drummond Reed to Everyone : +1 to this being part of Privacy and Data Protection
10:53:36 From Robin Renwick (IE) to Everyone : https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/covid-19-digital-green-certificates_en#documents
10:55:13 From Drummond Reed to Everyone : +1!
10:55:22 From Jim StClair to Everyone : https://www.cigionline.org/articles/whats-really-stake-vaccine-passports
10:56:51 From Drummond Reed to Everyone : This is hugely important policy decision about purpose limitation and data retention limitation. It could be one of the hallmarks of what distinguishes a Good Health Pass!

Action Items

The group needs to provide contributions to the documents. Please look at it and provide comments before our next meeting on Thursday.
Trev to add information from the Digital Green Certificate.