[WG-P3] NIST 800-53, Appendix J, comments v2

Anna Slomovic/Equifax anna.slomovic at equifax.com
Mon Aug 29 13:57:30 EDT 2011


Mark,

Question for you with regard to the following statement:

From the point of view of developing assessments, quality notification assessment criteria should be set above the minimum standards and legislation that currently exist. In fact, IMHO, a compliance standard and assessment criteria for notice should be aimed higher than existing standards and legislation so as to provide 'extensible' standard privacy controls not only to the organisations using them but also across jurisdictions (or in the cloud).

My concern with setting assessment criteria too high is that organizations may not be able to pass if they choose to comply with the law. Do we have a plan for what to do when this happens?

Anna

Anna Slomovic
Chief Privacy Officer
Equifax, Inc.
1010 N. Glebe Rd.
Suite 500
Arlington, VA 22201

P: 703.888.4620
M: 703.254.9656
F: 703.243.7576
E: Anna.Slomovic at equifax.com

From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Mark at Identity Trust
Sent: Monday, August 29, 2011 12:48 PM
To: Susan Landau
Cc: Kantara P3WG
Subject: Re: [WG-P3] NIST 800-53, Appendix J, comments v2

Susan,

As the NIST privacy controls are intended to apply to the operational environments of the organizations using them with the US gov, it seems clear that the intention is for these privacy controls to become extensible. In this regard, I specifically refer to the privacy control of notification when consent or data is not provided by the data subject. This point is important for privacy control extensibility. In such a context a high quality standard for notification and notification assessment is not only required but also needed.

This is a point illustrated in the ISTPA Analysis of Privacy Principles in that "There are exceptional notice conditions and qualifiers, and these require notice management capabilities long after the initial collection." (p.28) An important observation to bring up as NSTIC policies may encounter some function creep over time, and of course policies change.

From the point of view of developing assessments, quality notification assessment criteria should be set above the minimum standards and legislation that currently exist. In fact, IMHO, a compliance standard and assessment criteria for notice should be aimed higher than existing standards and legislation so as to provide 'extensible' standard privacy controls not only to the organisations using them but also across jurisdictions (or in the cloud). Bottom line, I would like folks at NIST to consider this issue, if not the comment.

Although, upon reflection, it is clear that from the P3 identity management perspective, and the Kantara role with FICAM, this comment may very well be redundant as NSTIC privacy controls should inherently be in place. Perhaps a more appropriate comment can be made to reflect this point?

Since we have little time to draft this comment, and with the absence of a comment with consensus, I will withdraw my comment to support submitting a general approval/appreciation of the Appendix by P3.

Thanks,


Mark


Even so, I still feel that this is an important issue to raise from a privacy and public policy perspective.


On 27 Aug 2011, at 13:04, Susan Landau wrote:


The NSTIC requirements include no activity tracking, which means that if an identity provider is used to log onto a federal government site, the identity provider is not permitted to make use of tracking information on the federal sites.  Nor is the identity provider allowed to share that data with third parties.  My feeling is that this obviates the need for an additional comment below.

Best,

Susan

On 8/26/11 8:12 PM, Mark at Identity Trust wrote:
...

The NIST Appendix, if the privacy controls within were applied to this use case, does provide guidance for assessing the points being argued by the ULD. However, this guidance is of limited use for non-consensual data capture. There is no distinction made in the NIST Appendix between notification requirements when consent is not available (e.g. when a user is not logged into Facebook and service traffic is transferred, or even more generally under IP-based video surveillance in commercial premises, or third party data transfers), in particular when consent for that data use does not come directly from the data subject.

Comment: Notice in the absence of consent should be specified in the privacy controls that NIST is presenting in the Appendix. Perhaps an emphasis could be suggested in TR-1 b) on page 4 of the appendix to the non-consensual requirements for notice, e.g. altering the section

"(iv)  whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;" should be further considered and discussed.

To,

  (iv) whether (or not) individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (or, in the absence of consent from the data subject, sufficiently functional notice for the systematic use of the subject's data rights.)


Best Regards,

Mark Lizar

On 25 Aug 2011, at 15:38, Anna Slomovic/Equifax wrote:


Everyone,

As we discussed, I am sending along a drafty draft of possible comments on NIST 800-53, Appendix J, Privacy Control Catalog. As Mark noted in the notes from our call today, the plan is:

- Anna is submitting an initial draft today.
- Please submit comments to the list or directly to Ann Geyer for Monday.
- Comment discussion and draft for Wednesday t
- To be voted on in an email ballot on Thursday
- Which will close at 12 noon EST on Friday the 2nd of September.

Thanks!

Anna

Anna Slomovic
Chief Privacy Officer
Equifax, Inc.
1010 N. Glebe Rd.
Suite 500
Arlington, VA 22201

P: 703.888.4620
M: 703.254.9656
F: 703.243.7576
E: Anna.Slomovic at equifax.com


________________________________
This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com.
<P3WG NIST 800-53 App J comments v2.docx>
_______________________________________________
WG-P3 mailing list
WG-P3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3




