[WG-P3] [WG-IDAssurance] What to call a Relying Party in terms of aTrust Framework

Mark Lizar mark at smartspecies.com
Fri Mar 11 12:33:13 EST 2011


Well,

I wrote that report back in the days when there was a great deal of  
discussion around owning Identity and controlling identity and what  
the difference was.  I made the observation that  there was a missing  
distinction of control and ownership in law and that there needed to  
be an identity legal framework in order for an individual to aggregate  
access, control and certify information.  Which I presented a session  
at IIW in 2006: called the Identity legal Framework. (To many blank  
stares.)

Master Controller, I was attempting to explain at the time, presented  
the concept of a hierarchy of control where the Data Subject is the  
Master Controller as well as the PII Principal.  Over time I came to  
understand more and more of the complexity of this concept.

Iain Henderson and I discussed this at great length back in those  
days,  As Iain mentioned he has recently "dug deeply into the 'who is  
controller, who is processor etc. Needless to say, in their own words,  
(UK ICO) the current legislation did not anticipate the situation  
where the individual is quite clearly in the driving seat (i.e. acting  
as controller for all practical purposes for at least some of the data  
flows);"

Still today most of the conversation in identity does not include the  
(for lack of a better term) Master Controller perspective.  The  
primary perspective is that of the Enterprise who is charged with  
making everything work.  Which I believe is where levels of control  
(LOC) and protection (LOP) are also finding their orientation from?

Mark


On 11 Mar 2011, at 15:51, Rainer Hörbe wrote:

> Aha. So the ISO term is "PII principal", which is a person to whom  
> the PII relates, and that is the same as a “data subject”.
>
> Can you give me more details about the Master Controler?
>
> - Rainer
>
>
> Am 11.03.2011 um 13:59 schrieb Mark Lizar:
>
>> Rainer,
>>
>> The term Principle came from a restricted ISO Privacy Standard's  
>> doc that I recently read. I dont think  I can reference directly.(I  
>> will check)
>>
>> It pertains to the term Principle Actor.  As Iain Henderson points  
>> out.  There is no active term for Data Subject that is commonly  
>> used, perhaps Principle gets closest to the description. Still, I  
>> like the term Master Controller as invented the term in this  
>> context in a paper I wrote in 2005 called building a Master  
>> Controller Access Framework).
>>
>> Currently in the Privacy Framework WG, led by Anna Solomovic  we  
>> are reviewing global priacy principles for use in the Privacy Trust  
>> Framework analysis of Identity Management and the IAF.  It would be  
>> great to combine or link efforts in area's where we are doing the  
>> same thing for similar purpose.
>> .
>> - Mark
>>
>> On 11 Mar 2011, at 08:33, Rainer Hörbe wrote:
>>
>>> Mark,
>>>
>>> I need to rephrase my question: What does Principal mean in the  
>>> data protection context (receiver, data subject or something  
>>> else)? Did you refer to a particular terminology?
>>>
>>> Scott David did a quite broad terminology comparison for his  
>>> upcoming global grid glossary. Besides various IDM sources he  
>>> researched 3 privacy frameworks, 2 from ITU-T and "Generally  
>>> Accepted Privacy Principles: A Global Privacy Network". From this  
>>> comparison it seems that controller, processor, recipient and data  
>>> subject seem to be the most common terms.
>>>
>>> - Rainer
>



More information about the WG-P3 mailing list