PAC Work Charter

(Drafted 16 April 2012)

A. Kantara Framework Privacy Documents

Within the Kantara Framework, privacy issues are addressed in three types of documents, plus existing law.

1. The first type of document is a Privacy Requirements Document. This type of document is part of the identity assurance framework, and sets forth the general rules and requirements imposed upon credential service providers by the framework in a given geographical jurisdiction, or industry sector. Depending on the jurisdiction, these privacy requirements are either aligned with, or are in addition to, the requirements of existing law.

An example of a Privacy Requirements Document is the “Identity Assurance Framework: Additional Requirements for Credential Service Providers: US Federal Privacy Criteria” version 2.0 dated Feb 15, 2012, which was approved by the ARB shortly thereafter (“FICAM Privacy Requirements” [reference 1]). That document specifies privacy requirements for credentials used by federal government agencies as a relying parties.

2. The second type of document is a Privacy Assessment Criteria Document. This type of document is written with reference to a particular Privacy Requirements Document, and provides the detailed assessment criteria that must be used by Assessors when assessing the compliance of a credential service provider with that specific Privacy Requirements Document. There may be a separate Privacy Assessment Criteria Document for each Privacy Requirements Document, or there may be a single Privacy Assessment Criteria Document that contains a separate section for each Privacy Requirements Document.

An example of a Privacy Assessment Criteria Document is the Document titled “Federal Identity, Credentialing, and Access Management: Privacy Guidance for Trust Framework Assessors and Auditors” version 1.0 issued by FICAM on June 29, 2011 [reference 2]. This was drafted by the federal government and on 12 July 2011 the Kantara Assurance Review Board unanimously voted to accept this document as an assessment guide applicable to the FICAM Privacy Requirements.
The P3 WG is currently working on development of a specifically tailored Privacy Assessment Criteria Document to define assessment criteria with respect to the FICAM Privacy Requirements Document noted above, which when completed will provide specific assessment criteria that are aligned with the guidance in “Federal Identity, Credentialing, and Access Management: Privacy Guidance for Trust Framework Assessors and Auditors” version 1.0 issued by FICAM on June 29, 2011 [reference 3].

3. The third type of document is a Privacy Guidance Document. This type of document sets forth P3WG-recommended privacy practices, but does not currently impose any requirements on CSPs within the Kantara Framework. Its purpose is to state best practices which at some point in the future may be recommended for inclusion in the Kantara Framework as a Privacy Requirements Document applicable to all Kantara CSPs. The Privacy Guidance Document may be a separate document, or it may be part of each Privacy Assessment Criteria Document.

Note that the Privacy Guidance Document will be informative, but any of the material that is migrated into subsequent Privacy Requirements Documents will be normative.

4. Existing law in each applicable geographic jurisdiction might be considered as a fourth type of document, although it is not within the control of Kantara. It sets forth the rules and requirements imposed by law upon credential service providers.

B. Role of the P3 WG

1. Privacy Requirements Documents

In the interests of timeliness, as an extension of the Service Assessment Criteria development, the FICAM Privacy Requirements was written by the IAWG, in collaboration with the ARB, P3WG, and FICAM. P3WG will have the following ongoing responsibilities (as per the founding charter of P3WG, copied at the end of this document)--

Developing new or additional Privacy Requirements Documents to specify privacy requirements for use by credential service providers with respect to other geographic jurisdictions or industry sectors (e.g., healthcare, financial, transportation, etc.).
Developing a Privacy Requirements Document to set forth general “best practice” privacy principles applicable to all CSPs within the Kantara Framework.

2. Privacy Assessment Criteria Documents

The efforts of the P3 work group are currently focused on developing a Privacy Assessment Criteria Document to facilitate assessment of a CSP’s compliance with the FICAM Privacy Requirements. It plans to begin this first effort by providing specific privacy assessment criteria in respect of the for the existing FICAM Privacy Requirements Document, and which are aligned with the U.S.-government-developed FICAM Privacy Guidance for Trust Framework Assessors and Auditors Document.

In the future, the P3 Work Group may also consider as potential projects --

Developing Privacy Assessment Criteria Documents for other Privacy Requirements Documents that may be issued for other sectors by the P3 WG or other groups.
Developing additional Privacy Requirements Documents to set forth general “best practice” privacy principles and associated assessment criteria with respect to those privacy principles.

3. Privacy Guidance Document(s)

The P3 WG will develop an informative Privacy Guidance Document for the purpose of:

Providing general background guidance to CSPs regarding recommended privacy principles
Providing general background guidance to assessor regarding privacy principles
Promoting adoption of developing best practice privacy principles
Defining and articulating the Kantara point of view with regards to Privacy issues.

At the end of the day, we need to focus on the fact that there are two specific types of privacy Documents relevant to Kantara: (1) Privacy Requirements Documents; and (2) Privacy Assessment Criteria Documents that provide assessment criteria with respect to specific Privacy Requirements Documents. The Privacy Guidance Document will serve as an incubator for considerations that can be migrated into ongoing Privacy Requirements Documents. A secondary purpose, as a result of the collection of cross-border and cross-sector privacy representation and discussions, will be to clarify the distinctions between such jurisdictions, which may better enable the establishment of global and/or cross-sector CSP’s.

Note that the Privacy Requirements and Assessment Criteria Documents only consider CSP’s, whereas the Privacy Guidance Document will also discuss the privacy requirements for Relying Parties or Federation Brokers in an Identity Federation.

Excerpt from P3WG founding charter

1. WG NAME (and abbreviation):

Privacy and Public Policy Work Group (P3WG)

2. PURPOSE:
Privacy, and the policy decisions which affect it, are increasingly a core theme of digital identity-related work. This Work Group is intended to ensure that the Kantara Initiative ("Kantara") contributes to better privacy outcomes for users, data custodians and other stakeholders, by defining privacy-related principles and good practice applicable to a broad range of prevalent technology platforms.

3. SCOPE AND DEFINITION OF WORK:

Become an active convening authority for privacy and public policy work - including productive engagement with the CPO, policymaker, regulatory and adoption communities.
Liaise and work with other Kantara groups to represent the privacy and public policy perspective, and to serve as an ongoing point of reference for privacy/policy-related questions.
Lead work to define and develop Privacy Management and Privacy Assurance deliverables which complement Kantara's initiatives in Identity Assurance and Identity Governance.
Liaise and work with projects and organisations outside Kantara to further the same objectives.

References:

Reference 1 available at: http://kantarainitiative.org/confluence/display/GI/Identity+Assurance+Framework+v2.0
Reference 2 available at: http://www.idmanagement.gov/documents/Guidance_for_Assessors.pdf
Reference 3 available at: http://www.idmanagement.gov/documents/Guidance_for_Assessors.pdf