[WG-P3] NIST 800-53, Appendix J, P3 comments v3
Anna Slomovic/Equifax
anna.slomovic at equifax.com
Thu Sep 1 10:07:01 EDT 2011
I agree with Susan's comments below.
On the comments re: data minimization and re-identification: I think we should include something on the subject. I propose the following modification of the comment now in the draft.
Additionally, we would urge inclusion of a control associated with re-identification and de-anonymization. As the Computer Security Division is aware, techniques for re-identification and de-anonymization are constantly improving. The possibility that previously anonymous data will be turned into PII increases the importance of Data Minimization and Retention controls (p. 10-11), as well as the importance of Privacy Notice (TR-1, p. 4) and Consent (IP-1, p. 6) that account for such activities.
Anna
Anna Slomovic
Chief Privacy Officer
Equifax, Inc.
1010 N. Glebe Rd.
Suite 500
Arlington, VA 22201
P: 703.888.4620
M: 703.254.9656
F: 703.243.7576
E: Anna.Slomovic at equifax.com
From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Susan Landau
Sent: Thursday, September 01, 2011 8:28 AM
To: wg-p3 at kantarainitiative.org
Subject: Re: [WG-P3] NIST 800-53, Appendix J, P3 comments v3
On 9/1/11 3:57 AM, Mark at Identity Trust wrote:
Draft V.3,
Attached is the latest draft of the comments. If there are any additional comments or corrections please send them directly to me by 5 pm Thursday (today). If necessary, I will then send out a final draft and a ballot.
Re: An additional specific worth considering is the quality of notice be commesurate to the quality of cosnet. In that when consent or data is not actively or purposely provided mechanism.
There are two typos above, but also a dangling phrase whose meaning is unclear. Furthermore, I don't understand how to turn quality of notice to be commensurate with the quality of consent. Mark, I would recommend we skip this. The control enhancements provide clear operational suggestions. It seems to me that the one you are proposing above does not.
Sorry.
Best,
Susan