Re: DPVCG personal data categories from EnterPrivacy

Thanks Harsh and thanks for inviting me to join the group. I do want
to say something, before you get much further, since it might help
whether and how you adopt or integrate this taxonomy.

I developed these categories of personal INFORMATION, not data,
because it suited my purpose in privacy by design. It may or may not
suit your purpose. I want to differentiate between information content
and data.  A photo is a data element. But there could be a richness
in information in the photo. If it's a picture of a person, it could
show ethnicity information. It could show physical characteristics. It
could show medical and health conditions. I did some training and an
FBI agent said (of the photo I used as an example), they could
probably determine where it was taken. Not because of geotagging in
the meta-data, but because of the background in the photo.  A photo
of a bank card would have Account information. It probably also has
Identifying information (name on the bank card). Having a Gold card
implies Credit information (a higher relative credit over a non-Gold
card holder). If it's an affinity card (Delta Skymiles card for
instance) it could show Preference information (preference for Delta)
and Behavioral Information (the holder travels more than others).

Similarly, a name field (a data element) might have information about
a person's ethnicity. If it contains Reverend as an honorific it would
show Public Life (under my taxonomy). Dr? Professional Information. Ms
or Mrs? Sexual information (gender). 

In my view, information, not data, is pertinent to determining risks
to people's privacy, hence why I use personal information rather than
personal data in my analysis. (I also have thoughts on the
overemphasis on "data" privacy as opposed to privacy, but that's a
different topic https://privacymaverick.com/?p=446) 

I tell you all this, because if you start to try to map personal data
elements to my taxonomy of personal information, you're going to find
both many-to-many relationships AND you're going to find that the
relationships are context dependent.

Hope that helps.

Jason 

......................................................................
R. Jason Cronk                  | Juris Doctor
Privacy and Trust Consultant    | IAPP Fellow of Information Privacy
ENTERPRIVACY CONSULTING GROUP [1]   | CIPT, CIPM, CIPP/US, PbD Ambassador
Privacy notices made simple: https://simpleprivacynotice.com [2]
......................................................................

UPCOMING TRAINING

Privacy by Design Professional: Cyprus (April [3]), Belarus - English/Russian (July)

Online (coming soon): https://privacybydesign.training [4]

----- Original Message -----
From: "Harshvardhan J. Pandit" <me@harshp.com>
To: "public-dpvcg" <public-dpvcg@w3.org>
Cc:
Sent: Sun, 17 Feb 2019 00:57:11 +0530
Subject: DPVCG personal data categories from EnterPrivacy

 Hi Fajar, Everyone.

 See the email below, where the creator of the EnterPrivacy data
 categories has shared (attached) the spreadsheet containing the terms
 and definitions.
 I've updated the terms and definitions in the ontology on Github, where
 each term has a label and attribution (rdfs:isDefinedBy) and definition
 where possible. The spreadsheet has also been put in the Github repo.

 Moving forward, I want to do a few things, and would like to know what
 you think about them.

 1) singular vs plural: I was confused if we should keep the terms in
 their plural form or singular form - I prefer the singular from a purely
 philosophical point of view e.g. an ontology about animals will have a
 class called Cat and not Cats. The source (PDF) contains terms in the
 plural because I think this is how we refer to them in daily life.

 2) clean up terms: some of the terms can be confusing on their own
 without an anchor to the context e.g. Account by itself is vague, but if
 we see the hierarchy, it is under Finance. So I renamed it to
 FinanceAccount. I think we need to go through each term and clean them
 similarly.

 3) Relationships between terms: this is tricky, and there are several
 different types of relationships here. One type is part-of, such as
 Account and Account Number, another is source, such as IPAddress and
 Location. We need to identify such relationships, and also find a way to
 represent them in the ontology. We can create a separate ontology for
 these, and keep the current one only as a taxonomy or a thesaurus.

 Best,
 Harsh

 P.S. Thanks to Mark for the connection and speeding this up, and thanks
 to Jason for providing the data in a spreadsheet.

 -------- Forwarded Message --------
 Subject: Re: [subject] Categories of
 Date: Fri, 15 Feb 2019 10:32:11 -0500
 From: R. Jason Cronk <rjc@privacymaverick.com>
 To: Mark Lizar <mark@openconsent.com>
 CC: Harshvardhan J. Pandit <harshvardhan.pandit@adaptcentre.ie>

 Mark and Harsh,

 Please see attached. Hopefully this meets your needs. It looks like I'm
 a member of the group now. I'll have to read through available
 documentation to see what else the group is working on.

 I do want to say I have several other categories/taxonomies I use that may
 be beneficial, including

 Dan Solove's Taxonomy of Privacy
 Jaap-Henk Hoepman's Control Strategies and Tactics
 FAIR based Privacy Risk Analysis
 and a few others of my own design

 Jason

 ......................................................................
 R. Jason Cronk                  | Juris Doctor
 Privacy and Trust Consultant    | IAPP FIP, CIPT, CIPM, CIPP/US, PbD Ambassador
 Enterprivacy Consulting Group <http://www.enterprivacy.com/>    | Author of Strategic Privacy by Design <https://iapp.org/store/books/a191a00000345yDAAQ/>
 Privacy notices made simple: https://simpleprivacynotice.com
 ......................................................................

 Upcoming Training
 Privacy by Design Professional: Cyprus (April <https://enterprivacy.com/cyprus-training/>), Belarus - English/Russian (July)
 Online (coming soon): https://privacybydesign.training

 ----- Original Message -----
 From: "Mark Lizar" <mark@openconsent.com>
 To: "R. Jason Cronk" <rjc@privacymaverick.com>
 Cc: "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie>
 Sent: Tue, 12 Feb 2019 17:02:19 +0000
 Subject: Re: [subject] Categories of

 Thanks Jason,

 This is great! I am cc’ing Harsh as he is managing the details.
 If you could provide an attribution license to the W3C DPVC CG,
 then this would enable them to use this as a starting point.

 If you could also provide the latest spreadsheet along with the
 license, then we could use this as the starting point. These
 materials would then end up on the W3C wiki and we can iterate and
 discuss it from there.

 As for the application to join the group, it was a bit tricky for
 me, I think it's pretty automated now. If you have any issues
 joining let me or better yet Harsh know and we can help.

 - Mark

 On 12 Feb 2019, at 16:43, R. Jason Cronk <rjc@privacymaverick.com> wrote:

 Mark,

 Thanks for reaching back out to me. Unfortunately, given that
 I'm not in academia, there is no paper around this only my
 infographics. You can find the latest version at
 https://iapp.org/resources/article/categories-of-personal-data/

 Happy to offer an attribution only license.

 Jason

 P.S. I submitted a request to join though don't know how
 actively I can participate.


 ----- Original Message -----
 From: "Mark Lizar" <mark@openconsent.com>
 To: "R. Jason Cronk" <rjc@privacymaverick.com>
 Cc: "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie>
 Sent: Tue, 12 Feb 2019 14:07:10 +0000
 Subject: Re: [subject] Categories of

 Greetings Jason,

 It's been a little while since I was in touch. I hope you
 are doing well. I wanted to let you know that I have
 submitted these categories to the W3C group - Data Privacy
 Vocabulary and Controls WG, as the Kantara Initiative was
 not standardising semantics.

 This W3C Group has asked me to reach out to you and invite
 you to participate and to see if there is a) a paper that
 supports these categories b) if there has been any
 progression in this work.

 Here is a link to the CG
 https://www.w3.org/community/dpvcg/, for more information
 you can ask me or Harsh (cc’d).

 Best Regards,

 Mark

 On 15 Aug 2017, at 20:10, R. Jason Cronk <rjc@privacymaverick.com> wrote:

 Mark,
 Attached is the spreadsheet with the Categories of
 Personal Information as I distributed on my infographic,
 along with definitions and examples. Thank you for the
 invite to participate. I will look into joining the
 group, though my time is stretched thin at the moment,
 so I'm not sure how much I can contribute.
 Jason
 --

 R. Jason Cronk, JD
 IAPP Fellow of Information Privacy
 CIPM, CIPT, CIPP/US, PbD Ambassador
 Privacy and Trust Consultant
 Enterprivacy Consulting Group <http://www.enterprivacy.com/>

 [Upcoming Advanced Privacy by Design Workshops in October: Atlanta
 <https://www.eventbrite.com/e/advanced-privacy-by-design-workshop-atlanta-ga-oct-2017-tickets-35888070184>]

 On 2017-08-15 13:30, Mark Lizar wrote:

 Hi Jason,

 (I am ccing this to the CISWG mailing list).

 Apologies for the delayed response, specification work can move quite
 slowly.

 I very much appreciate the re-use of the PI Categories and the offer
 to provide these in different formats, a spreadsheet would be most
 helpful for Consent Receipt specification work.

 We are discussing the use of these PI categories for reference in the
 work we are working on now. Our intent is to use these for PI
 Categories as defined in ISO 29100 and not PII. The proposed use of
 these PI Categories is currently being discussed for use in purpose
 specification for the creation of consent receipts and PII. In this
 regard, I can confirm we will not represent these categories as PII
 categories.

 Lastly, we would like to invite you to the Kantara CISWG workgroup so
 you can see how we put this great work to use :-) More information
 about joining can be found at
 https://kantarainitiative.org/confluence/display/infosharing/Home [3]
 where there is a link to join both the WG and the mailing list.

 Kind Regards,

 Mark

 On 30 May 2017, at 11:25, R. Jason Cronk <rjc@privacymaverick.com> wrote:

 Hi Mark,

 Feel free to use this PDF in its original form in any forum. As for
 additional uses, please let me know if you'd like a file with the
 text of the categories and description so you can use it in
 different formats. My only ask is that you use the term "Personal
 Information" rather than PII in reference to this categorization. I
 find the term PII has contextual limitations because much of
 personal information, which may be personal to me, is not
 identifying, i.e. my favorite color. Thus, in discussions, using
 "PII" immediately constrains the audience to a limited set of
 personal information.

 Also, I'm not sure what you mean by complete reference in your
 request below. Please clarify.

 --
 R. Jason Cronk, JD
 IAPP Fellow of Information Privacy
 CIPM, CIPT, CIPP/US, PbD Ambassador
 PRIVACY AND TRUST CONSULTANT
 Enterprivacy Consulting Group [2]

 On 2017-05-29 05:22, WordPress wrote:

 From: Mark <mark@openconsent.com>

 Message Body:
 Like your categories of personal information.

 We would like to use and reference it for developing our PII
 categories for an effort called the Consent Receipt at the Kantara
 Initiative.

 Could you please provide us with a complete reference for this and
 perhaps even some formal permission to use it?

 Kind Regards,

 Mark

 --
 This e-mail was sent from a contact form on Enterprivacy Consulting
 Group (http://enterprivacy.com [1])

 Links:
 ------
 [1] http://enterprivacy.com/
 [2] http://www.enterprivacy.com/
 [3] https://kantarainitiative.org/confluence/display/infosharing/Home

 <information categories.ods>

 <Untitled.png>



Links:
------
[1] http://webmail.dreamhost.com/HTTP://WWW.ENTERPRIVACY.COM/
[2] https://simpleprivacynotice.com/
[3] https://enterprivacy.com/cyprus-training/
[4] https://privacybydesign.training/

Received on Sunday, 17 February 2019 00:03:56 UTC