[WG-P3] NIST 800-53, Appendix J, comments v2

Mark@Identity Trust mark.lizar at gmail.com
Fri Aug 26 20:12:25 EDT 2011

Thanks Anna for the draft comments,

Like Susan, I would also like to draw attention to a set of issues
which I think should be further discussed (if necessary) in P3 and
considered in the comment to this NIST Appendix.

A great example of the set of issues I refer to here was raised this
week by the ULD Data Protection Commissioners in Germany, in which
the ULD argued:

"By using the Facebook service traffic and content data are  
transferred into the USA and a qualified feedback is sent back to the  
website owner concerning the web page usage, the so called web  

and that in this regard,

"There is no sufficient information of users and there is no choice; the
wording in the conditions of use and privacy statements of Facebook
does not nearly meet the legal requirements relevant for compliance of
legal privacy consent and general terms of use."
Source: https://www.datenschutzzentrum.de/presse/20110819-facebook-en.htm

The NIST Appendix, if the privacy controls within it were applied to this
use case, does provide guidance for assessing the points being argued
by the ULD. This guidance is, however, of limited use for
non-consensual data capture. There is no distinction made in the NIST
Appendix between notification requirements when consent is not
available (e.g. when a user is not logged into Facebook and service
traffic is transferred, or, even more generally, under IP-based video
surveillance in a commercial premise, or third-party data transfers),
in particular when consent for that data use does not come directly
from the data subject.

Comment: Notice in the absence of consent should be specified in the
privacy controls that NIST is presenting in the Appendix. Perhaps an
emphasis could be suggested in TR-1 b) on page 4 of the appendix on the
non-consensual requirements for notice, e.g. altering the section

"(iv) whether individuals have the ability to consent to specific
uses or sharing of PII and how to exercise any such consent;"

which should be further considered and discussed.


   (iv) whether (or not) individuals have the ability to consent to
specific uses or sharing of PII and how to exercise any such consent;
(or, in the absence of consent from the data subject, sufficiently
functional notice for the systematic use of the subject's data rights.)

Best Regards,

Mark Lizar

On 25 Aug 2011, at 15:38, Anna Slomovic/Equifax wrote:

> Everyone,
> As we discussed, I am sending along a drafty draft of possible  
> comments on NIST 800-53, Appendix J, Privacy Control Catalog. As  
> Mark noted in the notes from our call today, the plan is:
> - Anna is submitting an initial draft today.
> - Please submit comments to the list or directly to Ann Geyer for  
> Monday.
> - Comment discussion and draft for Wednesday t
> - To be voted on in an email ballot on Thursday
> - Which will close at 12 noon EST on Friday the 2nd of September.
> Thanks!
> Anna
> Anna Slomovic
> Chief Privacy Officer
> Equifax, Inc.
> 1010 N. Glebe Rd.
> Suite 500
> Arlington, VA 22201
> P: 703.888.4620
> M: 703.254.9656
> F: 703.243.7576
> E: Anna.Slomovic at equifax.com
> This message contains information from Equifax Inc. which may be  
> confidential and privileged. If you are not an intended recipient,  
> please refrain from any disclosure, copying, distribution or use of  
> this information and note that such actions are prohibited. If you  
> have received this transmission in error, please notify by e-mail postmaster at equifax.com.
> <P3WG NIST 800-53 App J comments v2.docx>
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
