[WG-P3] NIST 800-53, Appendix J, comments v2

Mark@Identity Trust mark.lizar at gmail.com
Mon Aug 29 12:47:59 EDT 2011


As the NIST privacy control are intended to apply to the operational  
environments of the organizations using them with the US gov, it seems  
clear that the intention is for these privacy controls to become  
extensible.  In this regard, I specifically refer to the privacy  
control of notification when consent or data is not provided by the  
data subject. This point is important for privacy control  
extensibility.  In such a context a high quality standard for  
notification and notification assessment is not only required but also  

This is a point  illustrated in the ISTPA Analysis of Privacy  
Principles in that "There are exceptional notice  conditions and  
qualifiers, and these require notice management capabilities long  
after the initial collection." (p.28)  An important observation to  
bring up as NSTIC policies may encounter some function creep over  
time, and of course policies change.

 From the point of view of developing assessments, a quality  
notification assessment criteria should be set above the minimum  
standards and legislation that currently exist.  In fact, IMHO, a  
compliance standard and assessment criteria for notice should be aimed  
higher than existing standards and legislation as to provide an  
'extensible' standard privacy controls not only to the organisations  
using them  but also across jurisdictions (or in the cloud).  Bottom  
line I would like folks at NIST to consider this issue, if not the  

Although, upon reflection, it is clear that from the P3  identity  
management perspective, and the Kantara role with FICAM, this comment  
may very well be  redundant as NSTIC privacy control should inherently  
be in place. Perhaps a more appropriate comment can be made to reflect  
this point?

Since we have little time to draft this comment, and with the absence  
of comment with consensus.  I will withdraw my comment to support   
submitting a general approval/appreciation of the Appendix by P3.



Even so, I still feel that this an important issue to raise from a  
privacy and public policy perspective.

On 27 Aug 2011, at 13:04, Susan Landau wrote:

> The NSTIC requirements include no activity tracking, which means  
> that if an identity provider is used to log onto a federal  
> government site, the identity provider is not permitted to make use  
> of tracking information on the federal sites.  Nor is the identity  
> provider allowed to share that data with third parties.  My feeling  
> is that this obviates the need for an additional comment below.
> Best,
> Susan
> On 8/26/11 8:12 PM, Mark at Identity Trust wrote:
>> ...
>> The NIST Appendix, if the privacy control within were applied to  
>> this use case does provide guidance for assessing the points being  
>> argued by the ULD.  Although, this guidance is of limited use for  
>> non-consensual data capture.  There is no distinction made in the  
>> NIST Appendix between notification requirements when consent  is  
>> not  available, (e.g. when a user is not logged into Facebook and  
>> service traffic is transferred, or even more generally under IP  
>> based video surveillance in a commercial premise, third party data  
>> transfers) in particular when consent for that data use does not  
>> come directly from the data subject.
>> Comment: Notice in the absence of consent should be specified in  
>> the privacy controls that NIST is presenting in the Appendix.    
>> Perhaps an emphasis could be suggest in TR-1 b). on page 4 of the  
>> appendix to the non consensual requirements for notice. E.g.  
>> Altering section,
>> "(iv)  whether individuals have the ability to consent to specific  
>> uses or sharing of PII and how to exercise any such consent;"  
>> should be further considered and discussed.
>> To,
>>   (iv) whether (or not) individuals have the ability to consent to  
>> specific uses or sharing of PII and how to exercise any such  
>> consent; (Or with the absence of consent  from the data subject  
>> (sufficiently functional notice for the systematic use of the  
>> subjects data rights.)
>> Best Regards,
>> Mark Lizar
>> On 25 Aug 2011, at 15:38, Anna Slomovic/Equifax wrote:
>>> Everyone,
>>> As we discussed, I am sending along a drafty draft of possible  
>>> comments on NIST 800-53, Appendix J, Privacy Control Catalog. As  
>>> Mark noted in the notes from our call today, the plan is:
>>> - Anna is submitting an initial draft today.
>>> - Please submit comments to the list or directly to Ann Geyer for  
>>> Monday.
>>> - Comment discussion and draft for Wednesday t
>>> - To be voted on in an email ballot on Thursday
>>> - Which will close at 12 noon EST on Friday the 2nd of September.
>>> Thanks!
>>> Anna
>>> Anna Slomovic
>>> Chief Privacy Officer
>>> Equifax, Inc.
>>> 1010 N. Glebe Rd.
>>> Suite 500
>>> Arlington, VA 22201
>>> P: 703.888.4620
>>> M: 703.254.9656
>>> F: 703.243.7576
>>> E: Anna.Slomovic at equifax.com
>>> This message contains information from Equifax Inc. which may be  
>>> confidential and privileged. If you are not an intended recipient,  
>>> please refrain from any disclosure, copying, distribution or use  
>>> of this information and note that                such actions are  
>>> prohibited. If you have received this transmission in error,  
>>> please notify by e-mail postmaster at equifax.com.
>>> <P3WG NIST 800-53 App J comments  
>>> v2.docx>_______________________________________________
>>> WG-P3 mailing list
>>> WG-P3 at kantarainitiative.org
>>> http://kantarainitiative.org/mailman/listinfo/wg-p3
>> _______________________________________________
>> WG-P3 mailing list
>> WG-P3 at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-p3
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110829/f6207649/attachment-0001.html 

More information about the WG-P3 mailing list