[WG-P3] Privacy Assessment Criteria for the US Federal Privacy Profile
David Simonsen
david at wayf.dk
Wed Sep 21 10:43:55 EDT 2011
Hello all,
sitting on the other side of the pond (EU/Denmark) it seems that now could be the right time to build a harmonized (internationally interoperable) view on many of the subjects described in this good document?
The EU Article 29 working party (consisting of the many national data protection authorities) have recently reached consensus (!) on 'informed consent', described in http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf . Perhaps some of this can be useful?
WAYF (the federation I manage) has had 'informed consent' operational for all connected services for >2,5 years.
We have consulted both legal experts and usability gurus (Fraunhofer Institute in Stuttgart, Germany) along the way. These days I'm writing a summary of our experience, which hopefully will be ready to circulate in a few weeks.
Would that be of interest to this group?
I have read the P3WG document and added what came to mind along the way. In the hope that at least some of it may be of help.
Regards
David Simonsen
David Simonsen
Executive manager
Phone: +45 31216152
H. C. Andersens Boulevard 2
DK-1553 København V
http://blog.wayf.dk
On Sep 18, 2011, at 4:13 AM, j stollman wrote:
> Bob,
>
> I reviewed your extremely thoughtful and useful document and incorporated comments and markups in the attached.
>
> Thank you.
>
> Jeff
>
> On Wed, Sep 14, 2011 at 6:22 PM, Mark Lizar <mark.lizar at gmail.com> wrote:
> Thanks Anna & Bob,
>
> This is a terrific start to the PAC draft, I look forward to the P3WG comments and discussion.
>
> Mark
>
>
> On 13 Sep 2011, at 22:14, Anna Slomovic/Equifax wrote:
>
>> Everyone,
>>
>> Attached please find a draft of the Privacy Assessment Criteria for the US Federal Privacy Profile. Here are some explanations for the way the document is structured and color-coded.
>>
>> Proposed language is shaded in gray.
>>
>> Each set of proposed assessment criteria is followed by Drafter’s Notes, which raise issues and questions that need to be addressed for clarity and usability of the criteria.
>>
>> Some of the Notes are shaded yellow; those need to be cross-referenced with IAWG and other Kantara documents. Most of the issues shaded in yellow are definitional, but not all. Some involve capability required in the Privacy Profile but absent in the current set of overall Service Assessment Criteria, like the ability to deliver a separate optional notice from the Relying Party in addition to the CSP’s notice about its own operations.
>>
>> The issues that are unshaded will constitute the bulk of P3WG’s work to complete the Privacy Assessment Criteria. These issues form the substance of how the Privacy Profile will be implemented by CSPs and how their privacy practices will be judged. For example, under “Informed Consent,” we need to answer the question about whether notice and consent-related behavior can or should be different at different Levels of Assurance. In another example, the Minimalism requirement in the Profile applies only to the data transmitted to the Relying Party—but should there be any kind of limitation on data collected for identity verification or attribute verification?
>>
>> I think you will find the document interesting and thought-provoking. In order to bring this work to conclusion, we will be discussing various topics as part of our P3WG calls. We need someone to serve as a champion and subject-matter expert to document the group’s deliberation, draft proposed language based on the group’s consensus, and then incorporate the changes into a final document. At the same time, Anna T will connect with the editors at IAWG to work through the issues related to the cross-reference between various Kantara documents.
>>
>> Please let me and Mark know whether you would like to serve as champion for the Privacy Assessment Criteria going forward. I look forward to our first discussion of the document in about 10 days.
>>
>> Thanks.
>>
>> Anna
>>
>>
>> Anna Slomovic
>> Chief Privacy Officer
>> Equifax, Inc.
>> 1010 N. Glebe Rd.
>> Suite 500
>> Arlington, VA 22201
>>
>> P: 703.888.4620
>> M: 703.254.9656
>> F: 703.243.7576
>> E: Anna.Slomovic at equifax.com
>>
>>
>>
>> This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com.
>> <RG-Kantara-1-4.doc>_______________________________________________
>> WG-P3 mailing list
>> WG-P3 at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-p3
>
> --
> Jeff Stollman
> stollman.j at gmail.com
> 1 202.683.8699
> <RG-Kantara-1-4js.doc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RG-Kantara-1-4js-DSI-notes.doc
Type: application/msword
Size: 105472 bytes
Desc: not available
Url : http://kantarainitiative.org/pipermail/wg-p3/attachments/20110921/cd426cd3/attachment-0001.doc