[WG-P3] [WG-IDAssurance] What to call a Relying Party in terms of a Trust Framework
mark at smartspecies.com
Fri Mar 11 12:33:13 EST 2011
I wrote that report back in the days when there was a great deal of
discussion around owning Identity and controlling identity and what
the difference was. I made the observation that there was a missing
distinction of control and ownership in law and that there needed to
be an identity legal framework in order for an individual to aggregate
access, control and certify information. Which I presented a session
at IIW in 2006: called the Identity legal Framework. (To many blank
Master Controller, I was attempting to explain at the time, presented
the concept of a hierarchy of control where the Data Subject is the
Master Controller as well as the PII Principal. Over time I came to
understand more and more of the complexity of this concept.
Iain Henderson and I discussed this at great length back in those
days. As Iain mentioned, he has recently "dug deeply into the 'who is
controller, who is processor etc. Needless to say, in their own words,
(UK ICO) the current legislation did not anticipate the situation
where the individual is quite clearly in the driving seat (i.e. acting
as controller for all practical purposes for at least some of the data
Still today most of the conversation in identity does not include the
(for lack of a better term) Master Controller perspective. The
primary perspective is that of the Enterprise who is charged with
making everything work. Which I believe is where levels of control
(LOC) and protection (LOP) are also finding their orientation from?
On 11 Mar 2011, at 15:51, Rainer Hörbe wrote:
> Aha. So the ISO term is "PII principal", which is a person to whom
> the PII relates, and that is the same as a “data subject”.
> Can you give me more details about the Master Controller?
> - Rainer
> On 11.03.2011 at 13:59, Mark Lizar wrote:
>> The term Principal came from a restricted ISO Privacy Standards
>> doc that I recently read. I don't think I can reference directly. (I
>> will check.)
>> It pertains to the term Principal Actor. As Iain Henderson points
>> out, there is no active term for Data Subject that is commonly
>> used; perhaps Principal gets closest to the description. Still, I
>> like the term Master Controller (as I invented the term in this
>> context in a paper I wrote in 2005 called Building a Master
>> Controller Access Framework).
>> Currently in the Privacy Framework WG, led by Anna Solomovic, we
>> are reviewing global privacy principles for use in the Privacy Trust
>> Framework analysis of Identity Management and the IAF. It would be
>> great to combine or link efforts in areas where we are doing the
>> same thing for similar purpose.
>> - Mark
>> On 11 Mar 2011, at 08:33, Rainer Hörbe wrote:
>>> I need to rephrase my question: What does Principal mean in the
>>> data protection context (receiver, data subject or something
>>> else)? Did you refer to a particular terminology?
>>> Scott David did a quite broad terminology comparison for his
>>> upcoming global grid glossary. Besides various IDM sources he
>>> researched 3 privacy frameworks, 2 from ITU-T and "Generally
>>> Accepted Privacy Principles: A Global Privacy Network". From this
>>> comparison it seems that controller, processor, recipient and data
>>> subject seem to be the most common terms.
>>> - Rainer