[WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
Malcolm Crompton
mcrompton at iispartners.com
Fri Feb 24 19:00:08 EST 2012
On the other hand, there may be so many frameworks out there that it might be time simply to choose one and ‘get with the program’. It is at least something to be contemplated.
Interestingly, Appendix B to the Whitehouse privacy blueprint attempts a reconciliation table between APEC, the OECD 1980 Guidelines and some US DHS principles. It should not have ignored the new draft EU Regulation if it wanted to be genuinely inclusive.
Malcolm
From: Robin Wilton [mailto:racingsnake at fastmail.fm]
Sent: Saturday, 25 February 2012 10:46 AM
To: Malcolm Crompton
Cc: Kantara P3 WG
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
I agree. There's a lot to be gained from studying the APEC model. However, I also think that, good as it is, it is unlikely to displace the investment in doing things differently, in and between the EU and the US... So the big challenge is to take a step back and see if there's a viable "translation table" between those three systems - APEC, the emerging EU revisions, and the even newer US consumer privacy proposals.
R
Sent from my iPod
On 24 Feb 2012, at 23:32, "Malcolm Crompton" <mcrompton at iispartners.com> wrote:
I have been following this debate with interest.
We have a great opportunity here NOT to re-invent the wheel AND to key off an international framework that has already been developed AND endorsed by National Leaders. It provides us with a system that sets out the standards for a company to be recognised as having appropriate cross border data transfer rules and standards for the independent third party accountability agents to which those companies are accountable.
The standards for independent third party accountability agents are particularly relevant for this work by WG-P3.
I am referring to the APEC Privacy Framework, the APEC Cross-border Privacy Enforcement Arrangement and the APEC Cross-Border Privacy Rules System.
They are the result of concerted effort by the APEC economies since 2003 in the APEC Data Privacy Working Group in which I have participated.
· The APEC Privacy Framework was endorsed in final form by APEC Ministers in 2005 and is available online at http://publications.apec.org/publication-detail.php?pub_id=390.
· The Cross-border Privacy Enforcement Framework (CPER) is described at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx. This provides the international backstop regulator enforcement behind the accountability agent.
· Both of these support the APEC Cross-Border Privacy Rules (CBPR) System.
APEC Ministers <http://www.apec.org/Meeting-Papers/Ministerial-Statements/Annual/2011/2011_amm.aspx> endorsed the principal documents of the APEC Privacy Pathfinder in November 2011 in Honolulu, Hawaii. Subsequently, APEC Leaders <http://www.apec.org/Meeting-Papers/Leaders-Declarations/2011/2011_aelm.aspx> also committed to implement the CBPR System “to reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes.”
The APEC CBPR system was also referred to by the US President in the Consumer Privacy Bill of Rights <http://www.whitehouse.gov/sites/default/files/privacy-final.pdf> that he released on 23 February (p32).
The actual source documents have not yet been promulgated well by APEC, but they are available online in the APEC Meeting Document Database at http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting <http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> &DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011. This link sets out the meeting papers for the meeting of the 24th Electronic Commerce Steering Group Meeting in September 2011.
Set out below is an extract from the meeting documents for that meeting. These are the final documents for the CBPR as endorsed by APEC Leaders. The third document in the table, the APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria is probably the most relevant to the WG, but the other documents and the links above provide the context.
I would suggest that the group consider very seriously the synergy, momentum and time saving that might be gained by drawing from these materials or even developing an arrangement that can be part of the CBPR and so gain international recognition.
Regards
Malcolm Crompton
Managing Director
Information Integrity Solutions Pty Ltd
ABN 78 107 611 898
T: +61 407 014 450
MCrompton at iispartners.com
www.iispartners.com
2011/SOM3/ECSG/012
<http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> Catalogue Record
P
APEC Cross-Border Privacy Rules (CBPR) System – Policies, Rules and Guidelines
2011/09/21
<http://aimp.apec.org/Documents/2011/ECSG/ECSG2/11_ecsg2_012.pdf> <image001.gif>
109.7 KB
2011/SOM3/ECSG/014
<http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> Catalogue Record
P
APEC Cross-Border Privacy Rules (CBPR) System – Intake Questionnaire
2011/09/21
<http://aimp.apec.org/Documents/2011/ECSG/ECSG2/11_ecsg2_014.doc> <image002.gif>
256.5 KB
2011/SOM3/ECSG/015
<http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> Catalogue Record
P
APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria
2011/09/21
<http://aimp.apec.org/Documents/2011/ECSG/ECSG2/11_ecsg2_015.doc> <image002.gif>
246.0 KB
2011/SOM3/ECSG/016
<http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> Catalogue Record
P
APEC Cross-Border Privacy Rules (CBPR) System – Program Requirements for Use by Accountability Agents
2011/09/21
<http://aimp.apec.org/Documents/2011/ECSG/ECSG2/11_ecsg2_016.doc> <image002.gif>
287.0 KB
2011/SOM3/ECSG/018
<http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011> Catalogue Record
P
APEC Cross-Border Privacy Rules (CBPR) System - Workplan for the Development of a Directory of CBPR Certified Organizations and APEC-Recognized Accountability Agents
2011/09/21
<http://aimp.apec.org/Documents/2011/ECSG/ECSG2/11_ecsg2_018.doc> <image002.gif>
145.5 KB
From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Rich Furr
Sent: Friday, 24 February 2012 7:14 AM
To: Frazier-mcelveen, Myisha (US - Arlington); David L. Wasley; Anna Slomovic/Equifax
Cc: Patrick Curry; Kantara P3 WG
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
All,
Sorry that I was also not able to prrticipate fully but was having major home network issues and also am recovering (nicely) from a procedure to stent both my iliac arteries so I missed both the OASIS TC call which is also a conflict with P3 and most of the P3 call.
I truly do not want to start a drawn out email exchange on what follows, BUT, Into all these discussions I wanted to insert a plea for reasonableness moving forward. I see that Shin forwarded a couple interesting links earlier this morning and am getting sort of leery of the entire issue of privacy and the possible effects on internet/cloud or whatever other buzz word we attach to this space. I know that the NSTIC is also being careful of this whole realm as well.
My concern is simple. I have been the privacy contact for SAFE-BioPharma for the past 4 years. I wrote (with some rather expensive legal assistance our privacy policy under which we are DoC safe harbor certified for the EU. This same policy of course applies here in the US. We have tens of thousands of digital identities out in use and our coverage will increase significantly moving forward into healthcare. My concern is the in the four years that I have been the privacy contact and during which we have had our policy posted on our website I can count the number of inquiries we have had on the fingers of no hands — we have NOT had one inquiry!!! Granted we are a somewhat special case, and I will admit that during the development of same I had some rather interesting conversations with the German Works Council rep from one of our member companies re privacy of EU citizen PII.
Many of you know that I tend to be somewhat skeptical/heretical regarding many things. I often wonder just how many actual citizen inquiries there really are/have been or is the issue driven mainly by the legal profession that stands to make significant fees from awards if they can find a breach and really exploit it. There seems to me to be a fairly significant vested cadre out there whose interest would tend toward very restrictive privacy policies. I have said before that I hope that Kantara moves forward with policies that offer protection to the extent needed but not to the extent that we stifle technical advancement and more ubiquitous use of the Kantara framework. Okay, down from the soapbox and thanks for listening. I do hope we can come out the end of this with tangible guidance that meets multiple goals and I believe that we will.
Thanks for indulging
Rich Furr
Head, Global Regulatory Affairs, Policy & Compliance
SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management Standard
Cell: 704-575-1680
Office: 980-236-7576
<image003.png> SAFE-BioPharma
<image004.png> SAFE-BioPharma
<image005.png> SAFE-BioPharma
<image006.png>
From: "Frazier-mcelveen, Myisha (US - Arlington)" <mfraziermcelveen at deloitte.com>
Date: Thu, 23 Feb 2012 12:56:25 -0500
To: "David L. Wasley" <dlwasley at earthlink.net>, Anna Slomovic/Equifax <Anna.Slomovic at equifax.com>
Cc: Patrick Curry <patrick.curry at federatedbusiness.org>, Kantara P3 WG <wg-p3 at kantarainitiative.org>
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
+1
Sincerely,
Myisha
Myisha Frazier-McElveen
Manager | Technology Risk
Deloitte and Touche LLP
Tel/Direct: +571 -814-6619 | Mobile: +1 571-814-0911
mfraziermcelveen at deloitte.com | www.deloitte.com
Please consider the environment before printing.
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message.
Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
v.E.1
From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of David L. Wasley
Sent: Thursday, February 23, 2012 12:55 PM
To: Anna Slomovic/Equifax
Cc: Patrick Curry; Kantara P3 WG
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
Yes. That is exactly what we (I anyway) tried to suggest on our joint conference call several months ago.
The FICAM TFPAP states privacy principles. The IAWG Federal Privacy Requirements restates those principles. The FICAM "Privacy Guidelines" document suggests a number of questions that assessors might ask when evaluating compliance with the principles. None of that provides concrete statements that an assessor must use.
What Colin and Anna describe would bring the issues down to earth. It would not be easy since there are so many possibilities and different use case constraints as well as, currently, technology constraints.
Reality should also involve RP responsibilities at some point...
David
On Feb 23, 2012, at 6:57 AM, Anna Slomovic/Equifax wrote:
I agree with Colin's points. I do not think it makes sense to simply hand a pile of documents to someone and tell them to figure it out.
We need to have a document for privacy that states requirements for a Kantara-certified service. E.g IAWG Service Provider Criteria document doesn't just point to NIST 800-63 for different LOAs and tell IDPs to go do that. Also, the SPC document incorporates more than just legal requirements. For example, there is no legal requirement that IDP be an independently managed entity, but there is such a requirement for LOA 3 Kantara certification:
671 AL3_CO_ESM#070 Independent management and operations
672 Demonstrate that, for the purposes of providing the specified service, its
673 management and operational structures are distinct, autonomous, have discrete
674 legal accountability, and operate according to separate policies, procedures, and
675 controls.
Once we have a set of normative requirements for privacy, assessors need a document that they can use to determine whether requirements are being met. FICAM assessor guidance provides some of that, but unless Kantara adopts it and puts the Kantara name on the document, it's simply a FICAM suggestion.
At the moment, I know how to build an IDP that complies with Service Provider Criteria but not what privacy requirements need to be built in or how I would be assessed against those requirements. I think that's the document set we need.
Anna
Anna Slomovic
Chief Privacy Officer
Equifax
1010 N. Glebe Road, Suite 500
Arlington, VA 22205
O: 703.888.4620
C: 703.254.9656
From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Colin Wallis
Sent: Wednesday, February 22, 2012 10:08 PM
To: Kantara P3 WG
Cc: Patrick Curry; Dave Wasley
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
Importance: High
Folks
I have (as may some others) a call conflict at this time (with the OASIS Trust elevation TC).
I'll try to join at some stage.
Colin S: thanks for your efforts. Greatly appreciated.
In case I'm not on the call to say this, I have 3 main main comments about the proposed PAC framework.
1) There seems to be an ongoing confusion between 'requirements' and 'assessment' of the requirements to determine if they are (partially, or fully) met. There is no clearer example of this if you look at the title of Part 1, then look at the intended audience for Part 1 in Section 6. Requirements have either been made explicit (as they have been in the normative references in mentioned in Part 2), or they appear in applicable laws.
I do not believe the *primary* intention of this doc was to draw out the requirements from legislation or fed privacy criteria, useful as this might be. I thought the *primary* purpose was to guide assessors on where and how to look for compliance with the requirements - how they have been (partially or fully) met. Example (remembering I an *not* a privacy expert..so apologies in advance for strangling..) : Consent. We might advise the assessors to look for a policy note on the front web page, and check it for readability. Then suggest they use the said service to determine if the notice is repeated when an attribute is about to be passed to a third party, check how the user would give that consent, (radio button?/ some other way e.g. a user agent?).
2) Section 6: Sure, Federation component suppliers, IdPs etc will make use of the assessor guidelines, just as today, vendors use the SAML eGov Profile test plan (the test used to see if the requirement are met) to modify their products, rather than going to the SAML eGov Implementation Profile where the requirements live. The test plan is not designed as a way for a developer to tick off the features in his product are present, but that is an unfortunate outcome of making an 'assessor guiidelines' public.
3)Section 3: Exclusions. I do not agree with restricting the scope to IdPs only. What benefit are we offering the end user if the IDP is doing a great privacy aware/compliant job but the Fed broker or RP is crap? It may be that in some trust frameworks a business decision may be made to restrict the scope of the assessors to IDPs (as FICAM has sort of done so far), but the PAC should self enforce such a restriction and leave everyone involved, with no guidance.
Now, I may well be mistaken and maybe I have not understood the objective correctly. If so, please please shoot me down! A double check with the ARB/IAWG about what they expect will put the matter to rest.
Cheers
Colin
_____
From: annaticktin at me.com
Date: Wed, 22 Feb 2012 17:49:35 -0800
To: wg-p3 at kantarainitiative.org
CC: patrick.curry at federatedbusiness.org
Subject: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
DIAL-IN:
LINE A
* Skype:+99051000000481
* US Dial-In: +1-805-309-2350 | Conference ID: 402-2737
DATE:
Thursday 23 Feb 2012
TIME:
8h PT / 11h ET / 16h UTC
AGENDA:
1. Administrative:
Roll Call
Motion for minutes approval: 09 <http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-02-09> <http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-02-09> Feb 2012
(To review notes from last week's adhoc : 16 Feb 2012 <http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Notes+2012-02-16> )
Open call for P3 Secretary nominations
Agenda confirmation
Action item review:
Ad hoc meeting with Bob Gelman on Privacy Assessment Criteria
Review of potential NSTIC proposal - Overcome By Events - see Kantara staff note
2. Privacy Assessment Criteria
<http://kantarainitiative.org/confluence/display/p3wg/Privacy+Assessment+Criteria+%28PAC%29> http://kantarainitiative.org/confluence/display/p3wg/Privacy+Assessment+Criteria+%28PAC%29
[1] Review of proposed framework (see attached)
Editor's discussion on comments to date.
Next Steps
3. Review of IAWG Report Additional Requirements for CSPs: US Federal Privacy Criteria
[2] Recommendation to Leadership Council (see attached)
4. Munich F2F
5.AOB
Adjourn
[1]
[2]
_______________________________________________ WG-P3 mailing list WG-P3 at kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/wg-p3
_____
This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e- mailpostmaster at equifax.com.
_______________________________________________
WG-P3 mailing list
WG-P3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20120225/1ed3602e/attachment-0001.html
More information about the WG-P3
mailing list