[WG-P3] Privacy Management Framework: Work Stream Item

McDowell, Brett bmcdowell at paypal.com
Wed May 26 15:57:36 EDT 2010

No, I'm not sure what the link is.

Who is the new liaison officer from Kantara to ISO?  That's who owns this action item IMHO.

On May 26, 2010, at 2:30 PM, Mark L wrote:

> Thanks Brett for this update!
> Can you provide a link for to the ISO SC27 WG5 for those of us who  
> wish to  opt-in? Perhaps we can add the liaison to the agenda of the  
> call we are now organizing.
> All those who interested in this PMF, It would be great to hear  
> descriptions of what should be included in a privacy management  
> framework discussion prior to the call.
> Mark
> On 26 May 2010, at 17:34, McDowell, Brett wrote:
>> (adding Trent, Joni and Matthew)
>> There is no NDA to sign, but they have rules of confidentiality.   
>> The binding is not a signature on a document.  When I showed up for  
>> the ISO meeting in November I asked the Secretary for a copy of the  
>> NDA to sign and she told me that by being in attendance and by  
>> responding to Liaison Statements, it is part of their terms of  
>> liaison that we (whoever we are) operate under confidentiality.  I'm  
>> sure there is something on their web site that explains this but all  
>> I needed was her verbal description.
>> So, P3WG could do what IAWG is doing... the chair is sending out a  
>> call for participation into a subgroup that will work as the Kantara  
>> Initiative liaison team to ISO SC27 WG5.  By opting-in to that  
>> group, you are agreeing to not disclose any materials you receive  
>> from ISO.
>> That's about it.
>> As I think about it, the Kantara liaison with ISO is bigger than any  
>> one WG and it impacts at least three or four.  So I think Joni or  
>> Trent or Matthew should provide a central authority for coordinating  
>> the liaison across all interested WG's.  At the end of the day  
>> Kantara needs to send only one liaison statement back to ISO... not  
>> one from each WG.
>> -- Brett
>> On May 26, 2010, at 11:17 AM, Robin Wilton wrote:
>>> Sorry, I hit "Send" sllightly prematurely.
>>> I meant to explain, in a footnote, that the current working title for
>>> 29190 is "Privacy Capability Assessment Model", following some  
>>> input to
>>> the ISO group about existing good practice under the heading of
>>> "Capability Assessment Models". It seemed to make a lot of sense to
>>> (i) align with existing terminology and
>>> (ii) neatly side-step any Carnegie Mellon University hassle over
>>> "Capability Maturity Model", which phrase they have registered as a
>>> "Service Mark"
>>> Yrs.,
>>> Robin
>>> On Wed, 2010-05-26 at 16:14 +0100, Robin Wilton wrote:
>>>> Thanks Mark -
>>>> As you say, one of the potential inputs to this piece of work is the
>>>> draft of ISO 29190 (Privacy Capability Assessment Model*).  
>>>> However, as
>>>> it's a draft ISO document, I believe the only way we can share it  
>>>> among
>>>> P3 participants is if those interested sign an NDA and agree not to
>>>> share it elsewhere.
>>>> Brett, by copy, have I remembered that correctly, and do you still  
>>>> have
>>>> the NDA?
>>>> What I suggest is that anyone who has indicated their interest via
>>>> Doodle should next be invited to sign the NDA... Then I could send  
>>>> round
>>>> a copy of the draft as a discussion item.
>>>> Hope this helps-
>>>> Robin
>>>> On Wed, 2010-05-26 at 14:11 +0100, Mark Lizar wrote:
>>>>> Dear All,
>>>>> This topic has been listed as a Charter Item for the P3 workgroup  
>>>>> and
>>>>> I know there has been a lot of work evolving in this area over the
>>>>> last few months.
>>>>> This was the most popular work item on the work stream list, as  
>>>>> almost
>>>>> everyone showed interest in being involved on this topic, it is
>>>>> clearly important to the membership of P3, and as secretary, I  
>>>>> invite
>>>>> people to post their thoughts, efforts, and IP that can be  
>>>>> donated (if
>>>>> any) on this work-stream item to the list.
>>>>> As such, I would like to stimulate this topic on the list and see  
>>>>> if
>>>>> this effort can be updated. My understanding is that the  
>>>>> intention was
>>>>> to create a framework that would support assessment of a site's
>>>>> (organisations) privacy in the same way that the IAF assesses  
>>>>> identity
>>>>> assurance.  The thought was that the same level of rigor needs to  
>>>>> be
>>>>> applied to privacy assurance as identity assurance.
>>>>> I understand that their are both bottom up approaches with people
>>>>> asserting privacy and the top down approaches with organisations
>>>>> protecting privacy.  I know that there has been some excellent  
>>>>> work on
>>>>> the top down approach by Iain Henderson.  Personally I am currently
>>>>> researching various trust frameworks and their impact on privacy
>>>>> management from the bottom up and would like to contribute a public
>>>>> policy framework to this effort.
>>>>> In addition, the ISO document (mentioned in the last call as a  
>>>>> global
>>>>> update on Privacy Regulations) being published will greatly  
>>>>> inform any
>>>>> effort working on a Privacy Management Framework. To this end, I  
>>>>> would
>>>>> like to invite further discussion on the P3 list, to ask if  
>>>>> anyone is
>>>>> producing a white paper in this area, and ultimately, to see if  
>>>>> there
>>>>> is an effort or work already under way that can be contributed to  
>>>>> this
>>>>> effort.
>>>>> I have created a doodle poll to arrange a call to discuss any  
>>>>> inputs
>>>>> put forward and thoughts on the direction and future of this  
>>>>> activity
>>>>> in P3.  As Iain, Brett, myself and Darrell have all indicated  
>>>>> strong
>>>>> interest, I am happy to support other efforts in this direction and
>>>>> facilitate this work item.
>>>>> Best Regards,
>>>>> Mark Lizar
>>>> _______________________________________________
>>>> WG-P3 mailing list
>>>> WG-P3 at kantarainitiative.org
>>>> http://kantarainitiative.org/mailman/listinfo/wg-p3
>>> <smime.p7s><ATT00001..txt>

More information about the WG-P3 mailing list