Allan,<div><br></div><div>I don&#39;t want to bug you but the Kantara responses to the SC Magazine questions are due on Friday. </div><div><br></div><div>Any thoughts on my revisions? If it is still not a good response from your perspective I will need to try another tack or get someone else to prepare Kantara&#39;s response. While Kantara doesn&#39;t have to respond to all questions I believe that this is one question that we should provide a response to.</div><div><br></div><div>Thanks,</div><div>Ken</div><div><br><br>On Tuesday, 23 February 2016, Ken Dagg &lt;<a href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Allan,<br><br></div>I agree wholeheartedly that this is a discussion of personas!<br><br></div>The question that was asked by SC Magazine was, &quot;My identity as my 
wife sees it may be different to my identity as my 
bank sees it, which may be different again to my identity as my employer
 sees it. How do we cope with multiple attributes in ID management?&quot; I 
agree that this is essentially a discussion of the use of the different 
personas that an individual maintains. I was loath, given my perception of the need for brevity and the readership of SC Magazine, to get into a discussion of the definitions and differences between the two terms.<br><br>In my opinion, most readers of the magazine are looking for solutions to their need / desire to offer online services and want some ability to lessen the risk of delivering a service to an ineligible individual (e.g., a medical service to the wrong person) or delivering the wrong amount of service to an individual (e.g., a $10,000 lottery win to someone who only won a $100).<br><br></div>Given your comments, as well as trying to address the question that was asked, would the following make more sense? It implies a relationship between persona and identity - persona being an application of my identity in a broad context - but does not get into the discussion. <br></div><br>==========<br><br><div>Identity Management thinking is beginning to recognize that who an 
individual is (e.g., their identity) is dependent on the scenario in 
which that individual needs to assert who they are. Who you are, and how
 you represent yourself, in social situations, work situations and 
commercial situations is probably different - but all are just different
 representations or variations of who you are as an individual - different personas. That is, a persona is what someone needs to know about you in order to 
interact with you.</div><div><br></div><div>For example, in order for 
you to be able to establish an account, and carry out financial 
transactions, with a bank requires that the bank know certain 
information (i.e., attributes) about you. Some of this information is 
required in order for the bank to deal with you effectively while other 
information is required to satisfy legal requirements. Your employer 
also requires specific attributes about you in order to 
have you as an employee (i.e., to pay you, to provide benefits, to 
provide work facilities). While there may be some overlaps between the 
sets of attributes required to satisfy these two relationships there are
 most likely differences. What is emerging is that 1) the required 
attributes are defined by and specific to the relationship and 2) there is 
no one representation that satisfies all requirements.</div><div><br></div><div>As
 such, the relationship you want to establish identifies the required 
attributes (i.e., your &quot;persona&quot;) and manages them to accomplish the 
purpose that the relationship exists to perform. As the user - the 
Relying Party (RP) - of your persona (e.g., the bank) is at risk, they 
authenticate and manage the set of attributes they require of you in 
order to mitigate the risk of getting it wrong. That is, the RP manages 
the identity of its clients to the degree they need to in order to 
operate. It is essential that the RP undertake a risk assessment to 
identify the consequences - financial and reputational - they will 
suffer if they misidentify someone and then establish, at a cost they 
believe is affordable, the mechanisms they believe will mitigate that 
risk. </div><div><br></div><div>The set of mechanisms they use - the 
level of assurance they require - to mitigate their risk depends on the 
consequences they will suffer if they get it wrong (i.e., they 
misidentify you). These mechanisms can include doing nothing, using 
internal checks, using Social Media sites, using Government Agencies, or
 using companies that have established themselves as Identity Providers 
(IdPs), Credential Service Providers (CSPs), or Attribute Providers 
(APs). </div><div><br></div><div>Of importance to you as an individual, however, is 
knowing, and being able to correct errors in, the information / 
attributes the RP maintains about you as well as being assured that the 
RP respects your privacy.</div><span><div><br></div></span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 23, 2016 at 1:36 PM, Allan Foster <span dir="ltr">&lt;<a href="mailto:allan.foster@forgerock.com">allan.foster@forgerock.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <font face="Georgia">So this is the discussion of Personas<br>
      <br>
      I also fundamentally disagree that Identity is necessarily a
      collection of attributes.  And identity is simply a thing. 
      Collections of attributes might be associated with an identity
      when required for specific contexts<br>
      <br>
      Allan<br>
      <br>
      <br>
    </font>
    <div><div>
    <div>On 2/23/16 9:32 AM, Ken Dagg wrote:<br>
    </div>
    <blockquote type="cite">
      <div>Colin,</div>
      <div><br>
      </div>
      <div>How does this sound to address the question, &quot;My identity as
        my wife sees it may be different to my identity as my bank sees
        it, which may be different again to my identity as my employer
        sees it. How do we cope with multiple attributes in ID
        management?&quot;</div>
      <div><br>
      </div>
      <div>Ken</div>
      <div><br>
      </div>
      <div>===================</div>
      <div><br>
      </div>
      <div>Identity Management thinking is beginning to recognize that
        who an individual is (e.g., their identity) is dependent on the
        scenario in which that individual needs to assert who they are.
        Who you are, and how you represent yourself, in social
        situations, work situations and commercial situations is
        probably different - but all are just different representations
        or variations of who you are as an individual. That is, your
        identity is what someone needs to know about you in order to
        interact with you.</div>
      <div><br>
      </div>
      <div>For example, in order for you to be able to establish an
        account, and carry out financial transactions, with a bank
        requires that the bank know certain information (i.e.,
        attributes) about you. Some of this information is required in
        order for the bank to deal with you effectively while other
        information is required to satisfy legal requirements. Your
        employer also requires specific information (attributes) about
        you in order to have you as an employee (i.e., to pay you, to
        provide benefits, to provide work facilities). While there may
        be some overlaps between the sets of attributes required to
        satisfy these two relationships there are most likely
        differences. What is emerging is that 1) the required attributes
        are defined by and part of the relationship and 2) there is no
        one representation that satisfies all requirements.</div>
      <div><br>
      </div>
      <div>As such, the relationship you want to establish identifies
        the required attributes (i.e., your &quot;identity&quot;) and manages them
        to accomplish the purpose that the relationship exists to
        perform. As the user - the Relying Party (RP) - of your identity
        (e.g., the bank) is at risk, they authenticate and manage the
        set of attributes they require of you in order to mitigate the
        risk of getting it wrong. That is, the RP manages the identity
        of its clients to the degree they need to in order to operate.
        It is essential that the RP undertake a risk assessment to
        identify the consequences - financial and reputational - they
        will suffer if they misidentify someone and then establish, at a
        cost they believe is affordable, the mechanisms they believe
        will mitigate that risk. </div>
      <div><br>
      </div>
      <div>The set of mechanisms they use - the level of assurance they
        require - to mitigate their risk depends on the consequences they
        will suffer if they get it wrong (i.e., they misidentify you).
        These mechanisms can include doing nothing, using internal
        checks, using Social Media sites, using Government Agencies, or
        using companies that have established themselves as Identity
        Providers (IdPs), Credential Service Providers (CSPs), or
        Attribute Providers (APs). </div>
      <div><br>
      </div>
      <div>Of importance to you, however, is knowing, and being able to
        correct errors in, the information / attributes the RP maintains
        about you as well as being assured that the RP respects your
        privacy.</div>
      <div><br>
      </div>
      <br>
      <br>
      On Tuesday, 23 February 2016, Colin Wallis &lt;<a href="mailto:colin_wallis@hotmail.com">colin_wallis@hotmail.com</a>&gt;
      wrote:<br>
      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
        <div>
          <div dir="ltr">That&#39;s great. Many thanks Sal.
            <div>Perfect timing for the IRM call coming up in a few
              hours.</div>
            <div>Cheers</div>
            <div>Colin<br>
              <div><br>
                <br>
                <div>
                  <p><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Colin,
                      I can pitch in on some of these:</span></p>
                  <p><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                  <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">What
                      are the latest advances in ID Management
                      technology?<br>
                      <br>
                      How has it evolved over the years?<br>
                      <br>
                    </span><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                  <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">ID
                      management has been largely about people in the
                      past. How will  the Internet of Things change
                      that, if at all?</span></p>
                  <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> </span></p>
                  <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I
                      can use UMA and IRM as an example and also bring
                      in some of the things we have been talking about
                      in the IDoT DG.</span><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                  <p><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                  <div>
                    <div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
                      <p><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                          <a>lc-bounces@kantarainitiative.org</a>
                          [mailto:<a>lc-bounces@kantarainitiative.org</a>]
                          <b>On Behalf Of </b>Colin Wallis<br>
                          <b>Sent:</b> Monday, February 22, 2016 5:50 PM<br>
                          <b>To:</b> Mike Schwartz<br>
                          <b>Cc:</b> Kantara Leadership Council Kantara<br>
                          <b>Subject:</b> Re: [KI-LC] Media query from
                          SC Magazine - deadline 2/26/2016 17:30:00</span></p>
                    </div>
                  </div>
                  <p> </p>
                  <div>
                    <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">OK,
                        thanks for that offer Mike.</span></p>
                    <div>
                      <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">But
                          the thing is, the guy asked Kantara, so he is
                          expecting a response from experts on behalf of
                          Kantara.</span></p>
                    </div>
                    <div>
                      <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Taking
                          him to Gluu is kind of one step removed.</span></p>
                    </div>
                    <div>
                      <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I&#39;m
                          happy for responses to contain links to Gluu
                          and elsewhere, but I think we are setting
                          ourselves up for some copyright concerns if we
                          point folks away, straight out of the gate.</span></p>
                    </div>
                    <div>
                      <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Cheers</span></p>
                    </div>
                    <div>
                      <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Colin</span></p>
                      <div>
                        <p><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&gt;
                            Date: Mon, 22 Feb 2016 15:11:16 -0600<br>
                            &gt; From: <a>mike@gluu.org</a><br>
                            &gt; To: <a>colin_wallis@hotmail.com</a><br>
                            &gt; CC: <a>lc@kantarainitiative.org</a><br>
                            &gt; Subject: Re: [KI-LC] Media query from
                            SC Magazine - deadline 2/26/2016 17:30:00<br>
                            &gt; <br>
                            &gt; <br>
                            &gt; Colin,<br>
                            &gt; <br>
                            &gt; I can offer to take a stab at
                            responding to these questions by the <br>
                            &gt; date requested on a Gluu blog.<br>
                            &gt; <br>
                            &gt; thx,<br>
                            &gt; <br>
                            &gt; Mike<br>
                            &gt; <br>
                            &gt; On 2016-02-22 11:13, Colin Wallis
                            wrote:<br>
                            &gt; &gt; Thanks Ken<br>
                            &gt; &gt; We&#39;ll consider this question dealt
                            to.<br>
                            &gt; &gt; Anyone else want to take on one of
                            the others?<br>
                            &gt; &gt; Cheers<br>
                            &gt; &gt; Colin<br>
                            &gt; &gt;
                            .....................................<br>
                            &gt; &gt;&gt; At airports around the world,
                            travelers&#39; identities are routinely<br>
                            &gt; &gt; verified using biometric
                            identification. Recently in India, a new<br>
                            &gt; &gt; facility for pension distribution
                            adapted an iris authentication<br>
                            &gt; &gt; scanner to validate citizens. New
                            generations of fully integrated,<br>
                            &gt; &gt; end-to-end cloud identity
                            management platforms offer clients secure<br>
                            &gt; &gt; and flexible means to pick and
                            choose which services they need. For<br>
                            &gt; &gt; this latest ebook from SC
                            Magazine, we speak to a number of experts<br>
                            &gt; &gt; with hands-on experience about how
                            these advances in technologies are<br>
                            &gt; &gt; changing the face of identity
                            management and opening up new<br>
                            &gt; &gt; opportunities for the enterprise
                            to become more secure—and we’ll<br>
                            &gt; &gt; throw in a few caveats (for one,
                            what happens to privacy when<br>
                            &gt; &gt; biometrics are added to the mix?)
                            that any organization should heed<br>
                            &gt; &gt; when revamping its identity
                            management strategy.<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; Here are the questions he&#39;s
                            exploring:<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; What are the latest advances
                            in ID Management technology?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; How has it evolved over the
                            years?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; What happens to privacy when
                            biometrics are thrown into the mix?<br>
                            &gt; &gt; GONE GONE....<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; How are ID management systems
                            and access management/roles-based<br>
                            &gt; &gt; management converging?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; ID management has been largely
                            about people in the past. How will<br>
                            &gt; &gt; the Internet of Things change
                            that, if at all?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; Is authentication keeping up
                            with trends in ID management?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; My identity as my wife sees it
                            may be different to my identity as my<br>
                            &gt; &gt; bank sees it, which may be
                            different again to my identity as my<br>
                            &gt; &gt; employer sees it. How do we cope
                            with multiple attributes in ID<br>
                            &gt; &gt; management?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; How do we maintain and
                            preserve identity in the long term, as a<br>
                            &gt; &gt; person&#39;s life and circumstances
                            change?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; Are there standards for ID
                            management?<br>
                            &gt; &gt;&gt; <br>
                            &gt; &gt;&gt; What are the biggest
                            challenges facing companies that want to
                            design<br>
                            &gt; &gt; and deploy their own ID management
                            systems?<br>
                            &gt; &gt; <br>
                            &gt; &gt; -------------------------<br>
                            &gt; &gt; Date: Mon, 22 Feb 2016 06:58:22
                            -0500<br>
                            &gt; &gt; Subject: Re: [KI-LC] FW: Media
                            query from SC Magazine - deadline<br>
                            &gt; &gt; 2/26/2016 17:30:00<br>
                            &gt; &gt; From: <a>kendaggtbs@gmail.com</a><br>
                            &gt; &gt; To: <a>colin_wallis@hotmail.com</a><br>
                            &gt; &gt; CC: <a>lc@kantarainitiative.org</a><br>
                            &gt; &gt; <br>
                            &gt; &gt; Colin,<br>
                            &gt; &gt; <br>
                            &gt; &gt; I agree fully that the first two
                            paragraphs address the scope of his<br>
                            &gt; &gt; question regarding biometrics and
                            privacy.<br>
                            &gt; &gt; <br>
                            &gt; &gt; However, your comment, &quot;sense of
                            direction of travel for SC Magazine<br>
                            &gt; &gt; being towards Data Protection&quot;
                            prompts me to include the rest of the<br>
                            &gt; &gt; material regarding Privacy. In my
                            opinion, a focus solely on data<br>
                            &gt; &gt; protection misses the boat on
                            respecting privacy and probably does it<br>
                            &gt; &gt; a disservice. As you are aware,
                            having the best data protection<br>
                            &gt; &gt; practices in the world while using
                            an individual&#39;s PII for unstated<br>
                            &gt; &gt; purposes or disclosing it
                            inappropriately, still means the<br>
                            &gt; &gt; organization is not respecting an
                            individual&#39;s privacy.<br>
                            &gt; &gt; <br>
                            &gt; &gt; I agree with your concern
                            regarding &quot;a compromise in the sample or the<br>
                            &gt; &gt; templates database&quot; being a major
                            issue with respect to an individual<br>
                            &gt; &gt; having to re-establish and re-bind
                            their identity. However, I would<br>
                            &gt; &gt; argue that the same holds true for
                            any piece of an individual&#39;s PII<br>
                            &gt; &gt; that is used by an organization.
                            Biometric data, because it is viewed<br>
                            &gt; &gt; as unique to an individual, is in
                            some organization&#39;s minds, viewed as<br>
                            &gt; &gt; a silver bullet with respect to
                            Identification. However, in my opinion,<br>
                            &gt; &gt; it is just another piece of data
                            that can be used to mitigate the risk<br>
                            &gt; &gt; of misidentification. If the
                            consequences of misidentification are<br>
                            &gt; &gt; severe it should still be
                            corroborated with other PII. In other words,<br>
                            &gt; &gt; it is not a silver bullet.<br>
                            &gt; &gt; <br>
                            &gt; &gt; This being said, I restructured
                            the answer to address the &quot;silver<br>
                            &gt; &gt; bullet&quot; concept as well as the
                            out-of-scope text. I would recommend<br>
                            &gt; &gt; including the background in the
                            response as I believe that it is<br>
                            &gt; &gt; important to raise the &quot;technology
                            neutral&quot; idea with respect to<br>
                            &gt; &gt; privacy policy/legislation. I
                            would like to start the process of<br>
                            &gt; &gt; changing the perception held by
                            many people that current policy is<br>
                            &gt; &gt; outdated or has been overtaken by
                            advances in technology. (My soapbox<br>
                            &gt; &gt; rant for the day)<br>
                            &gt; &gt; <br>
                            &gt; &gt; While we probably aren&#39;t going to
                            be killed for not answering all the<br>
                            &gt; &gt; questions I hope that others can
                            address some of them.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Ken<br>
                            &gt; &gt; <br>
                            &gt; &gt; ==============<br>
                            &gt; &gt; <br>
                            &gt; &gt; The perception that something
                            should happen to privacy because<br>
                            &gt; &gt; biometrics enter the mix is
                            erroneous.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Privacy is a state that is
                            respected when an individual understands<br>
                            &gt; &gt; and consents to how their
                            personally identifiable information (PII) is<br>
                            &gt; &gt; collected, maintained, used,
                            disclosed and disposed. Biometric<br>
                            &gt; &gt; information, given its uniqueness
                            to each individual, should be<br>
                            &gt; &gt; considered to be PII.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Regardless of its apparent
                            uniqueness, an organization that wishes to<br>
                            &gt; &gt; mitigate the risk of
                            misidentification of an individual should
                            not<br>
                            &gt; &gt; look at biometric data as a
                            &quot;silver bullet&quot;. If the consequences of<br>
                            &gt; &gt; misidentification are high they
                            should still corroborate the biometric<br>
                            &gt; &gt; data with other PII during their
                            authentication. The process, whether<br>
                            &gt; &gt; in the digital or real world,
                            still requires an organization to<br>
                            &gt; &gt; identify the consequences of
                            misidentification before it puts in place<br>
                            &gt; &gt; procedures and techniques (such as
                            the use of biometric data) to<br>
                            &gt; &gt; mitigate that risk.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Background on Privacy<br>
                            &gt; &gt; <br>
                            &gt; &gt; It should be noted that
                            jurisdictions around the world have
                            identified<br>
                            &gt; &gt; that respect of an individual&#39;s
                            privacy is technology neutral.<br>
                            &gt; &gt; <br>
                            &gt; &gt; For the US Government NIST Special
                            Publication 800-122 defines PII as<br>
                            &gt; &gt; &quot;any information about an
                            individual maintained by an agency,<br>
                            &gt; &gt; including (1) any information that
                            can be used to distinguish or trace<br>
                            &gt; &gt; an individual’s identity, such as
                            name, social security number, date<br>
                            &gt; &gt; and place of birth, mother’s
                            maiden name, or biometric records; and<br>
                            &gt; &gt; (2) any other information that is
                            linked or linkable to an individual,<br>
                            &gt; &gt; such as medical, educational,
                            financial, and employment information.&quot;<br>
                            &gt; &gt; <br>
                            &gt; &gt; In other countries with privacy
                            protection laws derived from the OECD<br>
                            &gt; &gt; privacy principles, the term used
                            is more often &quot;personal<br>
                            &gt; &gt; information&quot;. This term, in
                            general, is broader than PII. For example,<br>
                            &gt; &gt; there are two pieces of
                            legislation that cover privacy at the
                            federal<br>
                            &gt; &gt; level in Canada: the Privacy Act
                            and the Personal Information<br>
                            &gt; &gt; Protection and Electronic
                            Documents Act (PIPEDA). The Privacy Act<br>
                            &gt; &gt; relates to an individual’s right
                            to access and correct personal<br>
                            &gt; &gt; information the Government of
                            Canada holds about them or the<br>
                            &gt; &gt; Government’s collection, use and
                            disclosure of their personal<br>
                            &gt; &gt; information in the course of
                            providing services (e.g., old age<br>
                            &gt; &gt; pensions or employment insurance).
                            PIPEDA sets out the ground rules<br>
                            &gt; &gt; for how private-sector
                            organizations collect, use or disclose
                            personal<br>
                            &gt; &gt; information in the course of
                            commercial activities across Canada.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Both acts in essence define
                            personal information to be any factual or<br>
                            &gt; &gt; subjective information, recorded
                            or not, about an identifiable<br>
                            &gt; &gt; individual. This includes
                            information in any form, such as:<br>
                            &gt; &gt; * age, name, ID numbers, income,
                            ethnic origin, or blood type;<br>
                            &gt; &gt; * opinions, evaluations, comments,
                            social status, or disciplinary<br>
                            &gt; &gt; actions; and<br>
                            &gt; &gt; * employee files, credit records,
                            loan records, medical records,<br>
                            &gt; &gt; existence of a dispute between a
                            consumer and a merchant, intentions<br>
                            &gt; &gt; (for example, to acquire goods or
                            services, or change jobs).<br>
                            &gt; &gt; <br>
                            &gt; &gt; Excluded is information concerning
                            the name, title, business address<br>
                            &gt; &gt; or telephone number of an employee
                            of an organization.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Both acts identify how personal
                            information should be collected,<br>
                            &gt; &gt; maintained, used, disclosed and
                            disposed. Of interest is the<br>
                            &gt; &gt; requirement to identify a
                            retention period for the personal<br>
                            &gt; &gt; information that is collected
                            about an individual and how that<br>
                            &gt; &gt; information is expunged from an
                            organization&#39;s records.<br>
                            &gt; &gt; <br>
                            &gt; &gt; Also of interest is how the power
                            and versatility of re-identification<br>
                            &gt; &gt; algorithms have significantly
                            increased the ability of identifying an<br>
                            &gt; &gt; individual without the use of PII.
                            As such, Big Data is becoming an<br>
                            &gt; &gt; issue in privacy circles.<br>
                            &gt; &gt; <br>
                            &gt; &gt; &lt;snip&gt;<br>
                            &gt; &gt; <br>
                            &gt; &gt; <br>
                            &gt; &gt;
                            _______________________________________________<br>
                            &gt; &gt; LC mailing list<br>
                            &gt; &gt; <a>LC@kantarainitiative.org</a><br>
                            &gt; &gt; <a href="http://kantarainitiative.org/mailman/listinfo/lc" target="_blank">http://kantarainitiative.org/mailman/listinfo/lc</a><br>
                            &gt; <br>
                            &gt; -- <br>
                            &gt; -------------------------------------<br>
                            &gt; Michael Schwartz<br>
                            &gt; Gluu<br>
                            &gt; Founder / CEO<br>
                            &gt; <a>mike@gluu.org</a></span></p>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </blockquote>
      <br>
      <br>
      -- <br>
      Kenneth Dagg<br>
      Independent Consultant<br>
      Identification and Authentication<br>
      613-825-2091<br>
      <a href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a><br>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</blockquote></div><br><br>-- <br>Kenneth Dagg<br>Independent Consultant<br>Identification and Authentication<br>613-825-2091<br><a href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a><br>