[KI-LC] Initial Comments on Privacy Policy for Consent Receipt Implementation

Ken Dagg kendaggtbs at gmail.com
Tue Jul 14 06:38:04 CDT 2015


Hi all,

Some specific comments:

- Some jurisdictions (i.e., Canada) consider an IP address to be PII. As
such, the statement "... we keep track of the domains and IP numbers from
which people visit us. We also collect site usage statistics such as web
browser types and page requests and track users' movements. This data is
not personally identifiable ..." regardless of the follow on statement.
- I would suggest that a "How we will not use your information" section be
added. Entries there could include: "We will not provide your information
to anyone or any company for the purposes of advertising. We will not sell
your information."
- I would suggest that "... not disclose your personally identifiable
information to any company not a member of Kantara Initiative ..." become
"... not disclose your personally identifiable information to anyone or any
company not a member of Kantara Initiative ...". However, this statement
seems to imply that KI will disclose an individual's PII to other members
of KI with no restriction. Is that true?
- as IP address is PII, the section "How you can view or update your
personal information" will need to be updated to accommodate viewing IP
addresses or state that IP addresses cannot be viewed or modified.

See comments on Mark's and Colin's comments inline below.

Ken





On Monday, July 13, 2015, Colin Wallis <colin_wallis at hotmail.com> wrote:

> Thanks Mark
> I've (personally) commented <<inline>> below.
> Cheers
> Colin
>
> ------------------------------
> From: mark at smartspecies.com
> <javascript:_e(%7B%7D,'cvml','mark at smartspecies.com');>
> Date: Mon, 13 Jul 2015 13:51:23 -0400
> To: lc at kantarainitiative.org
> <javascript:_e(%7B%7D,'cvml','lc at kantarainitiative.org');>
> CC: wilton at isoc.org <javascript:_e(%7B%7D,'cvml','wilton at isoc.org');>
> Subject: [KI-LC] Initial Comments on Privacy Policy for Consent Receipt
> Implementation
>
> Hi LC,
>
> I have updated the comments a little with a couple of policy notes and
> some edits. Robin do you have any thoughts about these comments? ( There
> are many ways to address notice and consent issues. )
>
> Kind Regards,
>
> Mark
>
> ***
>
> Upon a quick Review of the Privacy Policy there are a  couple of comments:
> http://kantarainitiative.org/confluence/display/GI/Privacy+Policy
>
>    1. Unable to find a Privacy policy  link of the main website, was only
>    able to find it on the join the WG form. (lack of usable transparency over
>    privacy practices)
>
> <<CW: We should link to it from the landing page of the main website as
> well as the WG GPA form, but..any word changes needed?>>
>
> “We may use your information to: To provide you with personalized
> content.”
>
>
>    1. - Is there personalised content or ads?  if not this should be
>       removed. If this is true, this should arguably be a listed purpose and
>       possibly reflected in a consent receipt.
>
> <<CW: I don't believe there is, or has ever been, but was probably
> considered as 'future proofing' Kantara's website activity.  I support
> removing this statement>>..
>

<<KD: I would suggest leaving the statement in the policy in order to
future proof the policy. However, I would suggest changing it to "To
personalize your visit to our website" to alleviate the issue with respect
to "advertising" that Mark raised. >>

>
> Consent for cross-border transfer of information:
> "Kantara Initiative is a business alliance of individuals, organizations,
> and companies operating globally. Please note that while the Website is
> located in the United States, data collected on the Website may be
> transferred to, and stored or processed in, other countries, including
> countries where Kantara Initiative members are located. Laws of these other
> countries may not be the same as the laws regulating the use and transfer
> of personal data in your country. By entering your personal information on
> this Web site, you are consenting to the transfer of that information to
> the United States or to other countries for the purposes described in this
> privacy policy."
>
> Comments
>
>    - its not clear why personal information would be transferred to
>    another country other than the US
>       - why this would be done without explicit consent - seem to
>       ambiguous and I suggest a review
>       - If this is necessary, then this will require something like Safe
>       Harbour or BCRS to make compliant, (or) adding more purposes and consent
>       options.
>
> <<CW: I don't know the background either, but I could imagine 2 possible
> intentions: 1) geographically distributed data centers for cloud based SaaS
> offerings like Confluence, 2) the opening of another (European?) office for
> Kantara which might require some transfer>>
> Possible Solutions
>
>    - Storing information in the US  could be added to the consent receipt
>    as a purpose and be explicitly agreed to in the join form.
>    - Remove/change ,” may be transferred to other countries … “  unless
>    Kantara is unaware, or does this without consent.  If this is the case,
>    then, Safe Harbour needs to be used.
>
>
> <<CW: So working on my assumptions above, and the notion of another office
> has not gone away, I think we need to do both of these suggestions
> above>>.
>
<<KD: I agree with Mark's first suggestion. However, for Colin's reasons, I
would suggest that the second suggestion not be followed. I would suggest
amending the statement to say something along the line of the following: KI
operates and transfers data to data centres in the following <list of
countries>.

>
> We are starting to work on best practices for an implementation of a
> consent receipt, these can be found here
> <https://kantarainitiative.org/confluence/display/infosharing/Draft:+Consent+Receipt+Documentation+Outlne?src=contextnavchildmode>
>
>
> _______________________________________________ LC mailing list
> LC at kantarainitiative.org
> <javascript:_e(%7B%7D,'cvml','LC at kantarainitiative.org');>
> http://kantarainitiative.org/mailman/listinfo/lc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/lc/attachments/20150714/17b93201/attachment.html>


More information about the LC mailing list