Attendees
- Abdul Sattar
- Ann Cavoukian
- Chuck Curran
- Daryl Thomas
- Drummond Reed
- Jan Lindquist
- Jim St.Clair
- Pagona Tsormpatzoudi, Chair
- Peter Davis
- Trev Harmon, PM
- Tricia Loveland
Agenda Items
| Time | Item | Who |
|---|---|---|
| 2 min | Welcome & Antitrust Policy Notice | Trev |
| | Open topics discussion | |
| 3 min | Wrap up | Pagona |
Recording - Link
Notes
- Review of the antitrust and IP requirements
- Our main discussion point is around the technology at the end of the pandemic.
- Ann mentioned that the position that has been taken is after the pandemic.
- Peter noted that this is a question of scope: whether this is about just COVID or something beyond that.
- A discussion on scope then followed.
- Chuck brought up the regulation regarding retention that is being considered by policy makers in the EU and now the US.
- Pagona suggested that this means we leave the question of retention to the policy makers to handle regionally.
- Drummond shared the slides regarding credentials and passes (slides #10-12). https://docs.google.com/presentation/d/1fM-EpIdLGdKniFjHR4ZhdgFA-HBSEmpMai8ljqti4Gw/edit#slide=id.gcbdd182e9d_0_144
- We discussed how this would work at the airport terminal counter, in terms of data retention, laws, and ZKPs.
- All passes, even yes/no passes, should be treated as PHI.
- Trev noted some things from the reading of S.81: https://www.congress.gov/bill/117th-congress/senate-bill/81/text
- Jan brought up the Irish DPIA as a potential template for risk assessment. https://www.hse.ie/eng/gdpr/data-protection-covid-19/data-protection-impact-assessment.pdf
- There are a number of different methodologies for risk assessments and data protection assessments. In the EU, a data protection assessment has a specific meaning as it has the GDPR framework. However, this approach (process and assessment) can also be used elsewhere.
- Jim presented a question earlier on Slack regarding wallet security, and is interested in scope. Jim is monitoring the work on this in DIF. Jan would like questions asked about vulnerability testing. Jim noted that right now the DIF group is probably focusing on secure coding practices. This is meant to be a bulwark against other malicious processes on one’s device.
- We’re unsure whether the DIF wallet security group has anything for us to reference.
- Jan is taking on the privacy part of the risk assessment. Scott is taking on the security part.
- Chuck brought up the limits of what is currently happening from an operational point of view in terms of consent, data management, etc. We need to keep this in mind, and we should include it in the “what’s happening now” section.
Chat Log
Action Items