- From: Bert Bos <bert@w3.org>
- Date: Wed, 19 Sep 2018 18:19:34 +0200
- To: public-dpvcg@w3.org
See also: https://www.w3.org/2018/09/18-dpvcg-minutes
[1]W3C
[1] https://www.w3.org/
– DRAFT –
Data Privacy Vocabularies and Controls Community Group Teleconference
18 September 2018
[2]Agenda [3]IRC log
[2] https://www.w3.org/mid/FF0D259C-CCAA-49D6-9AEB-9D259E0832A1@wu.ac.at
[3] https://www.w3.org/2018/09/18-dpvcg-irc
Attendees
Present
Bert, simonstey
Regrets
Chair
Bert
Scribe
stefano
Contents
* [4]Meeting minutes
1. [5]Roll call, select scribe, agenda
2. [6]Approval of last telcon's minutes
3. [7]Go through action items
4. [8]Harsh's mail on how to structure what we collected
so far
* [9]Summary of action items
* [10]Summary of resolutions
* [11]Summary of issues
Meeting minutes
Roll call, select scribe, agenda
Bert asks whether there are more items for the agenda, no items
added
Approval of last telcon's minutes
<simonstey> +1
No comments on the previous meeting's minutes
Go through action items
action item "Add some overview of SPECIAL use case(s)" for Bert
is half done
still in progress
<Bert> close action-9
<trackbot> Closed action-9.
Action Nr. 9: Axel talked to Stefan Dekker but the action is
not concluded yet
About Action 12: Simon has already worked at the requirements
templates some weeks ago
<Bert> action-12?
<trackbot> action-12 -- Simon Steyskal to Look over
requirements template -- due 2018-08-14 -- OPEN
<trackbot> [12]https://www.w3.org/community/dpvcg/track/
actions/12
[12] https://www.w3.org/community/dpvcg/track/actions/12
<simonstey> [13]https://www.w3.org/community/dpvcg/wiki/
Template_for_requirements
[13] https://www.w3.org/community/dpvcg/wiki/Template_for_requirements
The action has been discussed in a previous meeting, unclear
why still open
<Bert> close action-12
<trackbot> Closed action-12.
About Action 14: Axel still needs to follow up with contact
with IEEE 7012
About Action 17: Axel would like to decide what we want to
build a vocabulary for, this is listed in the charter, this
would be categories of data, purposes and processing
Axel would like people would clarify their thoughts on these 3
points, since these are core points at least for a start
It would be good to read the use cases in this light, so to
categorize it according to the three above-mentioned points
Axel is unsure about what more we need as far as requirements
are concerned, more than what we already have or could get from
what we have now
also interesting categorisation of Data Controllers, but this
is secondary
<simonstey> is data controller == data processor?
No, it is different
Stefano proposes to add storage location, security and time of
storage
Simon asks whether we want to talk about data processors as
well
<simonstey> [14]https://www.gdpreu.org/the-regulation/
key-concepts/data-controllers-and-processors/
[14] https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
Axel proposes to close the list of categories and start
examining the use cases
About Action 18: Stefano had a look at one use case from Mydata
but more work needs to be done
<Bert> close action-22
<trackbot> Closed action-22.
Action 22: Nobody is going to the conference from the DECODE
project
<trackbot> Error finding '22'. You can review and register
nicknames at <[15]https://www.w3.org/community/dpvcg/track/
users>.
[15] https://www.w3.org/community/dpvcg/track/users>.
<AxelPollleres> PROPOSED: This is the initial requirements we
want to cover in DPVCG
<AxelPollleres> * GDPR Terminology:
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * We want to define hierarchical taxonomies
(backed by use cases) of
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors,
recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (incl. e.g. anonymisation
"levels")
<AxelPollleres> * storage duration
<harsh> no audio :(
<harsh> I'll type instead
<harsh> Should we be comprehensive about ALL terms in the
context of GDPR compliance? e.g. data source, consent & how it
was given, etc.
Javier: In Vienna there was a comment about anonymisation of
personal data
This might be included in the security category
Pseudoanonymisation is explicitly mentioned as security measure
in the GDPR
Stefano: consent should be covered for GDPR
Axel: we need to formalise consent, this is the reason why he
proposed the categories already mentioned
Stefano: I think we can start with what Axel proposes
Axel: I'd be happy to take it from there if we think that this
list is not enough to formalize consent (happy to open an issue
for that along with the proposal
Harsh's mail on how to structure what we collected so far
Harsh proposes to have a different section on the discussion
regarding terms such as consent, to have a place where the
different meaning are listed so they can be referred back to
This section would be on the wiki
Harsh is willing to start this section
Action: Harsh: create a section about different terms on the
wiki
SImon: we can explicitly indicate that the list could be
expanded in the future
<AxelPollleres> PROPOSED: This is an initial non-comprehensive
list of GDPR Terminology terms, we want to define/agree upon in
DPVCG (we might extend this list upon additional proposals):
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * agreed definition consent
<simonstey> +1
<AxelPollleres> +1
<harsh> +1
<stefano> +1
<Bert> +1
<AxelPollleres> +1
<Ramisa> +1
harsh: should compliance be included?
Axel: the notion should be put in a separete proposal
<Javier> +1
Resolved: This is an initial non-comprehensive list of GDPR
Terminology terms, we want to define/agree upon in DPVCG (we
might extend this list upon additional proposals):
… * agreed definition data controller
… * agreed definition data processor
… * agreed definition data recipient
… * agreed definition data subject
… * agreed definition consent
<AxelPollleres> PROPOSED: We want to the define the following
hierarchical taxonomies (backed by use cases), where again we
might extend this list upon additional proposals):
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors,
recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (including e.g.
anonymisation "levels", pseudonymisation)
<AxelPollleres> * storage duration
<AxelPollleres> +1
<harsh> +1
<simonstey> +1
<Javier> +1
<Ramisa> +1
+1
<Bert> +1
Resolved: We want to the define the following hierarchical
taxonomies (backed by use cases), where again we might extend
this list upon additional proposals):
… * categories of personal data
… * (personal data handling) purposes
… * processing categories
… * categories of data controllers, processors, recipients
(optional)
… * storage locations
… * security measures (including e.g. anonymisation "levels",
pseudonymisation)
… * storage duration
Stefano: compliance is not something that you can self-assess
and assign to your case
Harsh: some terms related to compliance such as transparence
could be relevant to the group
Axel: we need to define what needs to be defined in a
machine-readable manner, for his minimalistic view this is not
needed at this stage, but if there is a use case for it it can
be included
harsh: data subject rights are important, should this be
included?
Issue: do we need to formulate a notion of compliance in scope
of the CG?
<trackbot> Created ISSUE-2 - Do we need to formulate a notion
of compliance in scope of the cg?. Please complete additional
details at <[16]https://www.w3.org/community/dpvcg/track/
issues/2/edit>.
[16] https://www.w3.org/community/dpvcg/track/issues/2/edit>.
Issue: do we want to revisit a definition of "GDPR rights" in
our definitions and taxonomies?
<trackbot> Created ISSUE-3 - Do we want to revisit a definition
of "gdpr rights" in our definitions and taxonomies?. Please
complete additional details at <[17]https://www.w3.org/
community/dpvcg/track/issues/3/edit>.
[17] https://www.w3.org/community/dpvcg/track/issues/3/edit>.
<AxelPollleres> stefano: e.g. right to be forgotten, how can it
be executed/enforced
Simon: there could be ways to express already rights for
example in terms of permissions using e.g. ODRL
Javier: how do you want to collect the different items, one per
page?
Axel: we could think in terms of questions, that should be
answered per use case, and give us a start
Axel: need to run ... I would like to talk about next time on
in how far in our use cases we have collected so far cover the
aspects we have now agree upon, in terms of concrete questions
that should be answred per use case.
harsh: suggestion for having a small example to get people
started
Axel will try to do so
Action: Axel to formulate a use case to exemplify what I
proposed today :-) (categorization along the categories and
terminology we agreed upon today)
<trackbot> Created ACTION-24 - Formulate a use case to
exemplify what i proposed today :-) (categorization along the
categories and terminology we agreed upon today) [on Axel
Polleres - due 2018-09-25].
<AxelPollleres> needed to run, sorry
<AxelPollleres> thanks all!
Bert ask whether there are more points to discuss, but this is
it for today, next call in 2 weeks
<harsh> thank you && good day : )
<Ramisa> Thanks
Summary of action items
1. [18]Harsh: create a section about different terms on the
wiki
2. [19]Axel to formulate a use case to exemplify what I
proposed today :-) (categorization along the categories and
terminology we agreed upon today)
Summary of resolutions
1. [20]This is an initial non-comprehensive list of GDPR
Terminology terms, we want to define/agree upon in DPVCG
(we might extend this list upon additional proposals):
… * agreed definition data controller
… * agreed definition data processor
… * agreed definition data recipient
… * agreed definition data subject
… * agreed definition consent
2. [21]We want to the define the following hierarchical
taxonomies (backed by use cases), where again we might
extend this list upon additional proposals):
… * categories of personal data
… * (personal data handling) purposes
… * processing categories
… * categories of data controllers, processors, recipients
(optional)
… * storage locations
… * security measures (including e.g. anonymisation
"levels", pseudonymisation)
… * storage duration
Summary of issues
1. [22]do we need to formulate a notion of compliance in scope
of the CG?
2. [23]do we want to revisit a definition of "GDPR rights" in
our definitions and taxonomies?
Minutes manually created (not a transcript), formatted by
Bert Bos's [24]scribe.perl version 2.49 (2018/09/19
15:29:32), a reimplementation of David Booth's
[25]scribe.perl. See [26]CVS log.
[24] https://dev.w3.org/2002/scribe2/scribedoc.html
[25] https://dev.w3.org/2002/scribe/scribedoc.htm
[26] https://dev.w3.org/cvsweb/2002/scribe2/
Received on Wednesday, 19 September 2018 16:19:37 UTC