|5 30 min||Discuss 'sprint' process diagram||David|
What is left to do for v1.1?
David to produce a new update of the document after this call
- 3 issues
- security considerations
- Tom brings up confirmation of the receipt of the receipt out of scope but could/should be mentioned
- Is the receipt is PII?
- Tom mentions a Latanya Sweeney PII identifiably study - needs trusted 3rd party
- This boils down to wether or not encryption is required and at which level
- we decide to err on the side of caution and put in a MUST.
- examples for list of collection methods
- combining the on-behalf -
- clarify use of third party field name
- which party is on the front of the data collection process and which party is on the behalf
- reconciling on behalf with the 3rd party
- SAAS service in the cloud
- SAAS is the data controller
- hosted storage wold be the PII processor
- Is this being shared with related parties on non-related parties
- David suggests
- we keep it as is, and to keep this as an item to be dealt with in the next iteration of the receipt
- in addition, disclosure to process or 3rd party is deal with in the next generation of the
- Disclosure to another jurisdiction -
- as a remaining field need for the CR v1.1