- From: Bert Bos <bert@w3.org>
- Date: Wed, 19 Sep 2018 18:19:34 +0200
- To: public-dpvcg@w3.org
See also: https://www.w3.org/2018/09/18-dpvcg-minutes

[1]W3C

   [1] https://www.w3.org/

– DRAFT –

Data Privacy Vocabularies and Controls Community Group Teleconference

18 September 2018

[2]Agenda [3]IRC log

   [2] https://www.w3.org/mid/FF0D259C-CCAA-49D6-9AEB-9D259E0832A1@wu.ac.at
   [3] https://www.w3.org/2018/09/18-dpvcg-irc

Attendees

Present
   Bert, simonstey

Regrets

Chair
   Bert

Scribe
   stefano

Contents

* [4]Meeting minutes
   1. [5]Roll call, select scribe, agenda
   2. [6]Approval of last telcon's minutes
   3. [7]Go through action items
   4. [8]Harsh's mail on how to structure what we collected so far
* [9]Summary of action items
* [10]Summary of resolutions
* [11]Summary of issues

Meeting minutes

Roll call, select scribe, agenda

Bert asks whether there are more items for the agenda, no items added

Approval of last telcon's minutes

<simonstey> +1

No comments on the previous meeting's minutes

Go through action items

action item "Add some overview of SPECIAL use case(s)" for Bert is half done still in progress

<Bert> close action-9
<trackbot> Closed action-9.

Action Nr. 9: Axel talked to Stefan Dekker but the action is not concluded yet

About Action 12: Simon has already worked at the requirements templates some weeks ago

<Bert> action-12?
<trackbot> action-12 -- Simon Steyskal to Look over requirements template -- due 2018-08-14 -- OPEN
<trackbot> [12]https://www.w3.org/community/dpvcg/track/actions/12

   [12] https://www.w3.org/community/dpvcg/track/actions/12

<simonstey> [13]https://www.w3.org/community/dpvcg/wiki/Template_for_requirements

   [13] https://www.w3.org/community/dpvcg/wiki/Template_for_requirements

The action has been discussed in a previous meeting, unclear why still open

<Bert> close action-12
<trackbot> Closed action-12.

About Action 14: Axel still needs to follow up with contact with IEEE 7012

About Action 17: Axel would like to decide what we want to build a vocabulary for, this is listed in the charter, this would be categories of data, purposes and processing

Axel would like people to clarify their thoughts on these 3 points, since these are core points at least for a start

It would be good to read the use cases in this light, so to categorize it according to the three above-mentioned points

Axel is unsure about what more we need as far as requirements are concerned, more than what we already have or could get from what we have now

also interesting categorisation of Data Controllers, but this is secondary

<simonstey> is data controller == data processor?

No, it is different

Stefano proposes to add storage location, security and time of storage

Simon asks whether we want to talk about data processors as well

<simonstey> [14]https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

   [14] https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

Axel proposes to close the list of categories and start examining the use cases

About Action 18: Stefano had a look at one use case from Mydata but more work needs to be done

<Bert> close action-22
<trackbot> Closed action-22.

Action 22: Nobody is going to the conference from the DECODE project

<trackbot> Error finding '22'. You can review and register nicknames at <[15]https://www.w3.org/community/dpvcg/track/users>.

   [15] https://www.w3.org/community/dpvcg/track/users

<AxelPollleres> PROPOSED: This is the initial requirements we want to cover in DPVCG
<AxelPollleres> * GDPR Terminology:
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * We want to define hierarchical taxonomies (backed by use cases) of
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors, recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (incl. e.g. anonymisation "levels")
<AxelPollleres> * storage duration
<harsh> no audio :(
<harsh> I'll type instead
<harsh> Should we be comprehensive about ALL terms in the context of GDPR compliance? e.g. data source, consent & how it was given, etc.

Javier: In Vienna there was a comment about anonymisation of personal data

This might be included in the security category

Pseudonymisation is explicitly mentioned as security measure in the GDPR

Stefano: consent should be covered for GDPR

Axel: we need to formalise consent, this is the reason why he proposed the categories already mentioned

Stefano: I think we can start with what Axel proposes

Axel: I'd be happy to take it from there if we think that this list is not enough to formalize consent (happy to open an issue for that along with the proposal)

Harsh's mail on how to structure what we collected so far

Harsh proposes to have a different section on the discussion regarding terms such as consent, to have a place where the different meanings are listed so they can be referred back to

This section would be on the wiki

Harsh is willing to start this section

Action: Harsh: create a section about different terms on the wiki

Simon: we can explicitly indicate that the list could be expanded in the future

<AxelPollleres> PROPOSED: This is an initial non-comprehensive list of GDPR Terminology terms, we want to define/agree upon in DPVCG (we might extend this list upon additional proposals):
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * agreed definition consent
<simonstey> +1
<AxelPollleres> +1
<harsh> +1
<stefano> +1
<Bert> +1
<AxelPollleres> +1
<Ramisa> +1

harsh: should compliance be included?

Axel: the notion should be put in a separate proposal

<Javier> +1

Resolved: This is an initial non-comprehensive list of GDPR Terminology terms, we want to define/agree upon in DPVCG (we might extend this list upon additional proposals):
… * agreed definition data controller
… * agreed definition data processor
… * agreed definition data recipient
… * agreed definition data subject
… * agreed definition consent

<AxelPollleres> PROPOSED: We want to the define the following hierarchical taxonomies (backed by use cases), where again we might extend this list upon additional proposals):
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors, recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (including e.g. anonymisation "levels", pseudonymisation)
<AxelPollleres> * storage duration
<AxelPollleres> +1
<harsh> +1
<simonstey> +1
<Javier> +1
<Ramisa> +1

+1

<Bert> +1

Resolved: We want to the define the following hierarchical taxonomies (backed by use cases), where again we might extend this list upon additional proposals):
… * categories of personal data
… * (personal data handling) purposes
… * processing categories
… * categories of data controllers, processors, recipients (optional)
… * storage locations
… * security measures (including e.g. anonymisation "levels", pseudonymisation)
… * storage duration

Stefano: compliance is not something that you can self-assess and assign to your case

Harsh: some terms related to compliance such as transparence could be relevant to the group

Axel: we need to define what needs to be defined in a machine-readable manner, for his minimalistic view this is not needed at this stage, but if there is a use case for it it can be included

harsh: data subject rights are important, should this be included?

Issue: do we need to formulate a notion of compliance in scope of the CG?

<trackbot> Created ISSUE-2 - Do we need to formulate a notion of compliance in scope of the cg?. Please complete additional details at <[16]https://www.w3.org/community/dpvcg/track/issues/2/edit>.

   [16] https://www.w3.org/community/dpvcg/track/issues/2/edit

Issue: do we want to revisit a definition of "GDPR rights" in our definitions and taxonomies?

<trackbot> Created ISSUE-3 - Do we want to revisit a definition of "gdpr rights" in our definitions and taxonomies?. Please complete additional details at <[17]https://www.w3.org/community/dpvcg/track/issues/3/edit>.

   [17] https://www.w3.org/community/dpvcg/track/issues/3/edit

<AxelPollleres> stefano: e.g. right to be forgotten, how can it be executed/enforced

Simon: there could be ways to express already rights for example in terms of permissions using e.g. ODRL

Javier: how do you want to collect the different items, one per page?

Axel: we could think in terms of questions, that should be answered per use case, and give us a start

Axel: need to run ... I would like to talk about next time on in how far in our use cases we have collected so far cover the aspects we have now agreed upon, in terms of concrete questions that should be answered per use case.

harsh: suggestion for having a small example to get people started

Axel will try to do so

Action: Axel to formulate a use case to exemplify what I proposed today :-) (categorization along the categories and terminology we agreed upon today)

<trackbot> Created ACTION-24 - Formulate a use case to exemplify what i proposed today :-) (categorization along the categories and terminology we agreed upon today) [on Axel Polleres - due 2018-09-25].
<AxelPollleres> needed to run, sorry
<AxelPollleres> thanks all!

Bert asks whether there are more points to discuss, but this is it for today, next call in 2 weeks

<harsh> thank you && good day : )
<Ramisa> Thanks

Summary of action items

1. [18]Harsh: create a section about different terms on the wiki
2. [19]Axel to formulate a use case to exemplify what I proposed today :-) (categorization along the categories and terminology we agreed upon today)

Summary of resolutions

1. [20]This is an initial non-comprehensive list of GDPR Terminology terms, we want to define/agree upon in DPVCG (we might extend this list upon additional proposals):
   … * agreed definition data controller
   … * agreed definition data processor
   … * agreed definition data recipient
   … * agreed definition data subject
   … * agreed definition consent
2. [21]We want to the define the following hierarchical taxonomies (backed by use cases), where again we might extend this list upon additional proposals):
   … * categories of personal data
   … * (personal data handling) purposes
   … * processing categories
   … * categories of data controllers, processors, recipients (optional)
   … * storage locations
   … * security measures (including e.g. anonymisation "levels", pseudonymisation)
   … * storage duration

Summary of issues

1. [22]do we need to formulate a notion of compliance in scope of the CG?
2. [23]do we want to revisit a definition of "GDPR rights" in our definitions and taxonomies?

Minutes manually created (not a transcript), formatted by Bert Bos's [24]scribe.perl version 2.49 (2018/09/19 15:29:32), a reimplementation of David Booth's [25]scribe.perl. See [26]CVS log.

   [24] https://dev.w3.org/2002/scribe2/scribedoc.html
   [25] https://dev.w3.org/2002/scribe/scribedoc.htm
   [26] https://dev.w3.org/cvsweb/2002/scribe2/

Received on Wednesday, 19 September 2018 16:19:37 UTC