Re: Data Purposes

Hi Harsh, Guys

This is a good start, a few initial questions and comments:

1) Will you be aiming to provide definitions of these purposes in the 
table? This will be critical to making reasoned decisions about 
taxonomical relationship and in spotting non-taxonomical overlaps. A lot 
of these terms would already have definitions out there that you may be 
able to select from. Would it be worth considering the EU terminology 
database for some of these, you can search that easily enough via 
https://iate.europa.eu ? It would give the definitions an external 
reference which may help acceptance, though often IATE has multiple 
definitions from different domains, so you need to be selective. Many 
references here also have PURLs which helps with maintenance of the 
purpose taxonomy

2) for taxonomy relationships, while clear definitions will help, you 
might also consult the EU thesaurus (EuroVoc) which would give you 
perhaps a way of testing your reasoning against existing taxonomies: see 
https://publications.europa.eu/en/web/eu-vocabularies/

I wouldn't say this is authoritative (it's certainly not complete), but 
it might provide some useful perspectives, especially as it is grounded 
in EU legal docs.

3) a few specific comments on the table:

  * "Telemarketing" seems the same as: "Marketing by Phone"
  * is there a difference between "OtherContact" and "AnyContact" -
    either way it is good to have these catch-all purposes, because they
    are used a lot and should come in for special attention by future
    tools using the taxonomy. Should "AuxPurpose" be in this branch
    also? Perhaps also "Custom". Perhaps these should be under an
    "InsufficientlyDefined" branch.
  * I don't see how "Scientific Purpose" is a subclass of "marketing",
    though perhaps it is a subclass of "Research". The latter could also
    cover 'market research' which might get complicated - I recall that
    distinction wasn't entirely clear in the text of GDPR perhaps.
    Also, as my colleagues in the humanities often remind me, there are
    many forms of academic research that are not scientific.
  * is "Humanitarian" a subclass of "Charity"?
  * I'm not sure what the distinction of "Solo" analysis is compared to
    analysis in general. Is it intended to be part of "profiling" or
    "tailoring"?

4) Several are stated in a way that I find difficult to equate to a 
clear purpose:  "Current", "Downloads"

5) There are others that perhaps need to be rephrased to better evoke 
the purpose as they are sort of dangling predicates. You've done a good 
job of addressing this for the concepts as phrased in the high level 
taxonomy already. So similar detailing is needed here, especially in 
relation to the role of data subject, controller and third parties - as 
the purpose is often different depending on the role configuration:

"Arts" performed by who, for the appreciation of whom?

"Browsing" by whom?

"Communication" between who?

"Delivery" by who to whom?

"Develop" of what, by who, for whom?

"Feedback" between who?

6) There are another set of purposes that seem to be sectional in 
nature, i.e. "Charity", "Education", "Gaming"/"Gambling", "Government", 
"Health", "Historical", "Journalistic", "Judicial", "Public Interest", 
"Research", "State", "Statistics". Is the intention here to have 
specific branches of the taxonomy that fall neatly into purposes 
identified in GDPR for specific purposes? In which case should they be 
taxonomised as such? I see similar issues in the high level taxonomy 
where "non-commercial" and "academic" research are grouped under 
"research and development" with "commercial research", which could 
presumably include market research.

However in GDPR, these are significant distinctions, so the design 
question arises whether these distinctions should be branched nearer the 
root of the taxonomy, where it may be more immediately obvious for 
answering GDPR related competence questions.

Hope that's helpful,

Dave



On 10/12/2018 17:46, Harshvardhan J. Pandit wrote:
> Dear All,
> We (Axel, Javier, Elmar, Fajar, and Simon;) had a discussion today in 
> Vienna regarding Purpose Categories, and came up with some high-level 
> which are now in the wiki for discussion.
> https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data#High-level_categories_.28to-be-discussed.29 
>
>
> On 09/12/18 9:51 PM, Harshvardhan J. Pandit wrote:
>> Hello all,
>> We discussed in the Vienna F2F about high-level purposes or 
>> dimensions using examples from MyData.
>> Following that, on the 4th, we looked at Purposes as defined in 
>> Consent Receipt 
>> https://kantarainitiative.org/confluence/display/infosharing/Appendix+CR+-+V.9.3+-+Example+Purpose+Categories 
>>
>> It discusses things such as core functions (legitimate interest???), 
>> contracted service (contract???), contact requested (communication), 
>> personalisation, marketing, marketing by third parties. However, the 
>> last few purposes are very abstract as to their use and application.
>>
>> I like the distinction of categorising purposes at a high-level based 
>> on how they relate to the controller and the data subject (a point 
>> which Bud raised in the F2F) i.e. which of them are essential, which 
>> are legal, and which are complementary, or which does the user have 
>> control over.
>> This would be separate from any other categorisation, such as based 
>> on domain or service.
>> There are examples of this being used in some privacy policies (in 
>> the wild, so to speak) as well.
>>
>> Regards,
>

Received on Tuesday, 11 December 2018 14:05:05 UTC