Skip to end of metadata
Go to start of metadata

Date

2017-05-18

Status of Minutes

DRAFT

Approved at: <<Insert link to minutes showing approval>>

Attendees

Voting

 

Non-Voting

  • David Turner

Quorum Status

Meeting was not quorate

 

 

Voting participants

Participant Roster (2016) - Quorum is 4 of 7 as of 2016-10-06

Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale, John Wunderlich, Andrew Hughes

Discussion Items

TimeItemWhoNotes
4 mins
  • Roll call
  • Agenda bashing
Andrew Hughes 
1 min
  • Organization updates
All

Please review these blogs offline for current status on Kantara and all the DG/WG:

1 min
  • Status of Consent Receipt Specification v1
Andrew Hughes
  • Congratulations!
  • The Consent Receipt Specification v1.0 is now formally approved as a Kantara Recommendation
  • Final touches to the document happening now before posting to the downloads page and promotion
40 minDiscuss work backlog priorities for CR v1.1All

Consent Receipt v1.1 Work Backlog

On Wed, May 10, 2017 at 1:56 PM, David Turner <david.turner@voltagegate.com> wrote:

I’ve been reviewing the input for v1.1 and I’ve grouped the issues into 5 broad categories to help focus discussions.

  • Terminology
    • Reconcile terms from various ISO specs (e.g., 29100, 29184) with other significant sources (e.g., GDPR).
    • We need to be clear that the CR spec is not the authoritative source for definitions and be clear that implementers must follow the appropriate definitions according to their relevant jurisdictions.
  • Data model
    • What is the proper relationship between different fields? For example, in the v1 spec there is only one dataController; and purpose, purposeCategory and piiCategory are subordinate to a service. What happens when we allow multiple dataControllers? Do we then make services subordinate to dataControllers, or the other way around? I’ve attached two views of the current JSON schema. One is pseudo-ERP and the other an expandable tree graph.
  • New fields
    • E.g., duration of consent, retention period
    • Some of these suggested fields raise the question of how much of a policy’s details should be repeated in the CR. What is the reason for including the field? Is it just for the implementer, for interchange/interop, for the end user, for regulatory compliance?
  • Field semantics/syntax
    • Some fields need more guidance and possibly specific data types. (e.g., jurisdiction, policyURL, termination)
  • Purpose, purposeCategory, piiCategory, primaryPurpose
    • A big ol’ discussion all by itself.

From David: CR Schema v1_0_0.html

From David: CR-1_0_0 data model v1 (1).gif

 General discussion 
  • There is a need to clarify the existence of a 'Record of Consent' as distinct from the 'Consent Receipt'
  • There is a need to define 'parameters' that an implementer or assessor would need to use to be compliant with any particular regulation or law
  • Discussed the path forward. Mark has contributions on the way on several topics - he committed to send small samples to help the WG plan.
  • David described his categorization of the backlog items
    • Security of the Receipt section needs clarification
  • Discussed the concept of creating "Implementer's Guidance for xxx" - to explain how terminology in the specification translates into whatever local regulation is applicable
  • Discussed what the source of defined terms is: ISO 29184

 

Parked notes about v1.1 approach from previous meetings:

  • Mary
    • The caution about "Purposes lists" and "Sensitive data types" needs to be resolved - must be very cautious about how these are displayed to the user, especially if it's sensitive data - need to create recommendations
  • Mark
    • Need to set up a backlog - and define a work plan and schedule
    • Set a date for CR v1.1
    • Need to write guidance on spec usage
  • Need consensus on
    • Prioritization of backlog
    • Need to consider any issues that are used for GDPR implementation
    • The original agreement was to do 6-month epics
  • ACTION: compare ISO 29184 (notice requirements) to GDPR definitions to identify discrepancies in concepts and definitions