DIACC Comment Submission Form:
Privacy Component Overview Discussion Draft V0.05
Privacy Conformance Profile Discussion Draft V0.12

Open: August 5, 2019 at 23:59 PST
Close: September 5, 2019 at 23:59 PST

Comments submitted are subject to the DIACC Contributor Agreement: https://diacc.ca/contributor-agreement/
Please email your completed submission response form to: review@diacc.ca
| Line # | Type: Substantive or Editorial | Component Overview or Conformance Profile | Comment by: Name & Organization | Comment | Proposed edit or change | Resolution / Next Steps | Accepted, Deferred or Rejected |
|---|---|---|---|---|---|---|---|
| Overall | Substantive | Privacy Conformance Profile Discussion Draft V0.12 | Ken | As conformance will be determined for an organization performing a specific role, it is recommended that the criteria for each specific role be segregated. That is, that the criteria for each of Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body be grouped together. | Create subsections for Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body that contain the criteria each will be assessed against. | | |
| Overall | Substantive | Privacy Component Overview Discussion Draft V0.05 | Barry | There does not appear to be a discussion of the concept of anonymity and how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body deal with it. | Add discussion. | | |
| Overall | Substantive | Privacy Conformance Profile Discussion Draft V0.12 | Barry | There are no criteria that assess how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body deal with a Subject's desire to be anonymous. | Add criteria. | | |
| Overall | Substantive | Privacy Component Overview Discussion Draft V0.05 | Barry | There does not appear to be a discussion of the concept of "break the glass" and how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body deal with the need to "break the glass" in certain situations. | Add discussion. | | |
| Overall | Substantive | Privacy Conformance Profile Discussion Draft V0.12 | Barry | There are no criteria to assess how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body deal with the "break the glass" scenario. | Add criteria. | | |
| Overall | Substantive | Privacy Component Overview Discussion Draft V0.05 | Barry | There does not appear to be a discussion of "right to be forgotten" and how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body handle these requests. | Add discussion. | | |
| Overall | Substantive | Privacy Conformance Profile Discussion Draft V0.12 | Barry | There are no criteria to assess how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body handle "right to be forgotten" requests. | Add criteria. | | |
| Overall | Substantive | Privacy Component Overview Discussion Draft V0.05 | Barry | There is no discussion of how "fraudulent" activities with respect to the privacy of a Subject are handled by Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body. It is unclear as to whether a discussion of how fraudulent activities with respect to privacy of a Subject belongs in this document. However, if not, then a note should be added to indicate which component of the PCTF covers it. | If relevant, add a discussion. | | |
| Overall | Substantive | Privacy Conformance Profile Discussion Draft V0.12 | Barry | There are no criteria to assess how Disclosing Organizations, Requesting Organizations, Notice and Consent Processors, Network Providers and the Governing Body handle fraudulent activities with respect to the privacy of a Subject. | If relevant, add criteria to assess how fraudulent activities with respect to the privacy of a Subject are handled. | | |
| 92-97 | Substantive | Privacy Component Overview Discussion Draft V0.05 | Ken | The definition of Personal Information does not appear to include information that is derived about an end_user. As such, the age of an end_user (derived from the end_user's date of birth) would not be Personal Information. Age would be Personal Information if an end_user consents to disclose it. | Add discussion of "derived" information and whether it is Personal Information. | | |
| 96-97 | Substantive | Privacy Component Overview Discussion Draft V0.05 | Ken | As the concept of "service information" is not widely known, it is recommended that the discussion of it be expanded. | Expand the discussion of "service information" by adding an explanation of what is and isn't service information. The sentence at lines 81 to 84 in the Criteria might be applicable. | | |
| 48-51 | Editorial | Privacy Conformance Profile Discussion Draft V0.12 | Ken | The document states that "The Conformance Criteria for the Privacy Component specify how the PIPEDA Fair Information Principles, defined by the Office of the Privacy Commissioner of Canada, are relevant/apply to the handling of digital identity data." Criteria don't normally specify how something is relevant or applies to a situation. Rather, criteria specify tests that can be conducted to determine if a process is performing to a set of requirements. | Change the sentence to "The Conformance Criteria for the Privacy Component specify a set of tests that, when met, will identify that an organization performing the role of Disclosing Organizations, Requesting Organizations, Notice of Consent Processors, Network Providers, and the Governing Body is handling digital identity data in conformance with the PIPEDA Fair Information Principles, defined by the Office of the Privacy Commissioner of Canada." | | |