[WG-P3] NIST 800-53, Appendix J, comments v2
mark.lizar at gmail.com
Mon Aug 29 12:47:59 EDT 2011
As the NIST privacy controls are intended to apply to the operational
environments of the organizations using them within the US government, it
seems clear that the intention is for these privacy controls to become
extensible. In this regard, I specifically refer to the privacy control of
notification when consent or data is not provided by the data subject. This
point is important for privacy control extensibility. In such a context a
high quality standard for notification and notification assessment is not
only required but also

This is a point illustrated in the ISTPA Analysis of Privacy Principles in
that "There are exceptional notice conditions and qualifiers, and these
require notice management capabilities long after the initial collection."
(p.28) An important observation to bring up, as NSTIC policies may encounter
some function creep over time, and of course policies change.

From the point of view of developing assessments, quality notification
assessment criteria should be set above the minimum standards and
legislation that currently exist. In fact, IMHO, a compliance standard and
assessment criteria for notice should be aimed higher than existing
standards and legislation so as to provide 'extensible' standard privacy
controls not only to the organisations using them but also across
jurisdictions (or in the cloud). Bottom line, I would like folks at NIST to
consider this issue, if not the

Although, upon reflection, it is clear that from the P3 identity management
perspective, and the Kantara role with FICAM, this comment may very well be
redundant, as NSTIC privacy controls should inherently be in place. Perhaps
a more appropriate comment can be made to reflect

Since we have little time to draft this comment, and with the absence of a
comment with consensus, I will withdraw my comment to support submitting a
general approval/appreciation of the Appendix by P3. Even so, I still feel
that this is an important issue to raise from a privacy and public policy
perspective.
On 27 Aug 2011, at 13:04, Susan Landau wrote:
> The NSTIC requirements include no activity tracking, which means
> that if an identity provider is used to log onto a federal
> government site, the identity provider is not permitted to make use
> of tracking information on the federal sites. Nor is the identity
> provider allowed to share that data with third parties. My feeling
> is that this obviates the need for an additional comment below.
> On 8/26/11 8:12 PM, Mark at Identity Trust wrote:
>> The NIST Appendix, if the privacy controls within were applied to
>> this use case, does provide guidance for assessing the points being
>> argued by the ULD. However, this guidance is of limited use for
>> non-consensual data capture. There is no distinction made in the
>> NIST Appendix between notification requirements when consent is
>> not available (e.g. when a user is not logged into Facebook and
>> service traffic is transferred, or, even more generally, under
>> IP-based video surveillance on commercial premises, or third-party
>> data transfers), in particular when consent for that data use does
>> not come directly from the data subject.
>> Comment: Notice in the absence of consent should be specified in
>> the privacy controls that NIST is presenting in the Appendix.
>> Perhaps an emphasis could be suggested in TR-1 b) on page 4 of the
>> appendix on the non-consensual requirements for notice. E.g.,
>> altering the section
>> "(iv) whether individuals have the ability to consent to specific
>> uses or sharing of PII and how to exercise any such consent;"
>> should be further considered and discussed:
>> (iv) whether (or not) individuals have the ability to consent to
>> specific uses or sharing of PII and how to exercise any such
>> consent; (or, in the absence of consent from the data subject,
>> sufficiently functional notice for the systematic use of the
>> subject's data rights.)
>> Best Regards,
>> Mark Lizar
>> On 25 Aug 2011, at 15:38, Anna Slomovic/Equifax wrote:
>>> As we discussed, I am sending along a drafty draft of possible
>>> comments on NIST 800-53, Appendix J, Privacy Control Catalog. As
>>> Mark noted in the notes from our call today, the plan is:
>>> - Anna is submitting an initial draft today.
>>> - Please submit comments to the list or directly to Ann Geyer for
>>> - Comment discussion and draft for Wednesday t
>>> - To be voted on in an email ballot on Thursday
>>> - Which will close at 12 noon EST on Friday the 2nd of September.
>>> Anna Slomovic
>>> Chief Privacy Officer
>>> Equifax, Inc.
>>> 1010 N. Glebe Rd.
>>> Suite 500
>>> Arlington, VA 22201
>>> P: 703.888.4620
>>> M: 703.254.9656
>>> F: 703.243.7576
>>> E: Anna.Slomovic at equifax.com
>>> <P3WG NIST 800-53 App J comments
>>> WG-P3 mailing list
>>> WG-P3 at kantarainitiative.org