- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 6 Nov 2018 13:38:57 +0000
- To: Axel Polleres <axel.polleres@wu.ac.at>, public-dpvcg@w3.org
- Message-ID: <61400283-435a-dfdb-1062-055a9bc82406@harshp.com>
Hello all. Comments/replies are inline. On 05/11/2018 09:50, Axel Polleres wrote: > 4) Progress since last time (which we may not discuss in detail, but > rather table, discuss action items around: > > * Discussion around categories of legitimation categories/lawfulness > of processing > https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0027.html -> > I would like to task someone to summarize these and make a > proposal to the group we can discuss. > I have tried to summarise these as terms at https://www.w3.org/community/dpvcg/wiki/Legal_Basis along with a terms from two existing vocabularies. The proposal is to have a vocabulary of legal basis / lawfulness of processing terms which can be used to justify the processing or activities carried out. > > * Elements of consent/competency questions for consent > https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0025.html, > https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0038.html -> > I would like to task someone to summarize these and make a > proposal to the group we can discuss, e.g. based on what we had in > the minutes last time: > o consent = agreement through an [affirmative action] at a > specific [time] with a [data controller] to specific > [processing] and [storage] of specific [data categories] for > specific [purpose] and [duration] > o which of these aspects are similarly relevant for other forms > of legitmation than consent? > 1) Are processing and storage two separate actions/activities? Under the definition provided by the GDPR, Article 4(2), ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Where storage is defined as a 'type' of processing. I would therefore propose to specify storage as a category of processing. Some of the categories or types of processing have further information associated with them that we should model e.g. storage -> location, jurisdiction, duration OR sharing -> recipient. I would also propose to add the terms from GDPR A4(2) under the types/categories of processing. > * Harsh's mail on collecting terms from vocabularies: > https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0041.html, > https://www.w3.org/community/dpvcg/wiki/Taxonomy > In terms of scope, how much of these specified properties do we want to model? Because if we decide to include terms describing consent itself (data subject, duration, etc.), at what point does it become feasible to also define it as an ontology? Conversely, should we agree on a set of questions that any such consent ontology should answer/describe? These would allow us to define the terms and let (individual) implementations be based on them. > > To this end, I would like to go - in tomorrow's call to go through the > Use Case Stakeholders > https://www.w3.org/community/dpvcg/wiki/Use-Cases,_Requirements,_Vocabularies#Use-Cases > and task them to add subections on top of each use cases to describe, > in bullet points, the aspects we agreed [1] (plus the means of > ligitmation discussed in [2] to focus on in each use case: > > 1. categories of *personal data* involved > 2. *purposes* for personal data handling > 3. different kinds of *processing *involved > 4. data subjects, controllers, processors, and recipients involved > 5. storage & security aspects: > * storage locations > * storage duration > * security measures (including e.g. anonymisation "levels", > pseudonymisation) > 6. *means of legitimation* for personal data processing > e.g. consent, legitimate interest, etc. ... These are only the use-cases added to the wiki. What about capturing use-cases in the 'wild'? E.g. adding arbitrary use-cases based on information publicly available via privacy policies. My argument here is towards making it possible to use these vocabularies to also describe terms/concepts in privacy policies if we can. > "The current goal is to agree on first public drafts of minimal sets > of vocabularies to be finished by December 2018, with first stable > working drafts being reached latest on 25 May 2019." Should we have a plan (now) on how to reach consensus on the drafts later in December? Best, -- --- Harshvardhan Pandit PhD Researcher ADAPT Centre Trinity College Dublin
Received on Tuesday, 6 November 2018 13:41:29 UTC