[minutes] 2018-09-18 dpvcg

See also: https://www.w3.org/2018/09/18-dpvcg-minutes


   [1]W3C

      [1] https://www.w3.org/

                             – DRAFT –
 Data Privacy Vocabularies and Controls Community Group Teleconference

18 September 2018

   [2]Agenda [3]IRC log

      [2] https://www.w3.org/mid/FF0D259C-CCAA-49D6-9AEB-9D259E0832A1@wu.ac.at
      [3] https://www.w3.org/2018/09/18-dpvcg-irc

Attendees

   Present
          Bert, simonstey

   Regrets

   Chair
          Bert

   Scribe
          stefano

Contents

     * [4]Meeting minutes
         1. [5]Roll call, select scribe, agenda
         2. [6]Approval of last telcon's minutes
         3. [7]Go through action items
         4. [8]Harsh's mail on how to structure what we collected
            so far
     * [9]Summary of action items
     * [10]Summary of resolutions
     * [11]Summary of issues

Meeting minutes

Roll call, select scribe, agenda

   Bert asks whether there are more items for the agenda, no items
   added

Approval of last telcon's minutes

   <simonstey> +1

   No comments on the previous meeting's minutes

Go through action items

   action item "Add some overview of SPECIAL use case(s)" for Bert
   is half done

   still in progress

   <Bert> close action-9

   <trackbot> Closed action-9.

   Action Nr. 9: Axel talked to Stefan Dekker but the action is
   not concluded yet

   About Action 12: Simon has already worked at the requirements
   templates some weeks ago

   <Bert> action-12?

   <trackbot> action-12 -- Simon Steyskal to Look over
   requirements template -- due 2018-08-14 -- OPEN

   <trackbot> [12]https://www.w3.org/community/dpvcg/track/
   actions/12

     [12] https://www.w3.org/community/dpvcg/track/actions/12

   <simonstey> [13]https://www.w3.org/community/dpvcg/wiki/
   Template_for_requirements

     [13] https://www.w3.org/community/dpvcg/wiki/Template_for_requirements

   The action has been discussed in a previous meeting, unclear
   why still open

   <Bert> close action-12

   <trackbot> Closed action-12.

   About Action 14: Axel still needs to follow up with contact
   with IEEE 7012

   About Action 17: Axel would like to decide what we want to
   build a vocabulary for, this is listed in the charter, this
   would be categories of data, purposes and processing

   Axel would like people would clarify their thoughts on these 3
   points, since these are core points at least for a start

   It would be good to read the use cases in this light, so to
   categorize it according to the three above-mentioned points

   Axel is unsure about what more we need as far as requirements
   are concerned, more than what we already have or could get from
   what we have now

   also interesting categorisation of Data Controllers, but this
   is secondary

   <simonstey> is data controller == data processor?

   No, it is different

   Stefano proposes to add storage location, security and time of
   storage

   Simon asks whether we want to talk about data processors as
   well

   <simonstey> [14]https://www.gdpreu.org/the-regulation/
   key-concepts/data-controllers-and-processors/

     [14] https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

   Axel proposes to close the list of categories and start
   examining the use cases

   About Action 18: Stefano had a look at one use case from Mydata
   but more work needs to be done

   <Bert> close action-22

   <trackbot> Closed action-22.

   Action 22: Nobody is going to the conference from the DECODE
   project

   <trackbot> Error finding '22'. You can review and register
   nicknames at <[15]https://www.w3.org/community/dpvcg/track/
   users>.

     [15] https://www.w3.org/community/dpvcg/track/users>.

   <AxelPollleres> PROPOSED: This is the initial requirements we
   want to cover in DPVCG

   <AxelPollleres> * GDPR Terminology:

   <AxelPollleres> * agreed definition data controller

   <AxelPollleres> * agreed definition data processor

   <AxelPollleres> * agreed definition data recipient

   <AxelPollleres> * agreed definition data subject

   <AxelPollleres> * We want to define hierarchical taxonomies
   (backed by use cases) of

   <AxelPollleres> * categories of personal data

   <AxelPollleres> * (personal data handling) purposes

   <AxelPollleres> * processing categories

   <AxelPollleres> * categories of data controllers, processors,
   recipients (optional)

   <AxelPollleres> * storage locations

   <AxelPollleres> * security measures (incl. e.g. anonymisation
   "levels")

   <AxelPollleres> * storage duration

   <harsh> no audio :(

   <harsh> I'll type instead

   <harsh> Should we be comprehensive about ALL terms in the
   context of GDPR compliance? e.g. data source, consent & how it
   was given, etc.

   Javier: In Vienna there was a comment about anonymisation of
   personal data

   This might be included in the security category

   Pseudoanonymisation is explicitly mentioned as security measure
   in the GDPR

   Stefano: consent should be covered for GDPR

   Axel: we need to formalise consent, this is the reason why he
   proposed the categories already mentioned

   Stefano: I think we can start with what Axel proposes

   Axel: I'd be happy to take it from there if we think that this
   list is not enough to formalize consent (happy to open an issue
   for that along with the proposal

Harsh's mail on how to structure what we collected so far

   Harsh proposes to have a different section on the discussion
   regarding terms such as consent, to have a place where the
   different meaning are listed so they can be referred back to

   This section would be on the wiki

   Harsh is willing to start this section

   Action: Harsh: create a section about different terms on the
   wiki

   SImon: we can explicitly indicate that the list could be
   expanded in the future

   <AxelPollleres> PROPOSED: This is an initial non-comprehensive
   list of GDPR Terminology terms, we want to define/agree upon in
   DPVCG (we might extend this list upon additional proposals):

   <AxelPollleres> * agreed definition data controller

   <AxelPollleres> * agreed definition data processor

   <AxelPollleres> * agreed definition data recipient

   <AxelPollleres> * agreed definition data subject

   <AxelPollleres> * agreed definition consent

   <simonstey> +1

   <AxelPollleres> +1

   <harsh> +1

   <stefano> +1

   <Bert> +1

   <AxelPollleres> +1

   <Ramisa> +1

   harsh: should compliance be included?

   Axel: the notion should be put in a separete proposal

   <Javier> +1

   Resolved: This is an initial non-comprehensive list of GDPR
   Terminology terms, we want to define/agree upon in DPVCG (we
   might extend this list upon additional proposals):
   … * agreed definition data controller
   … * agreed definition data processor
   … * agreed definition data recipient
   … * agreed definition data subject
   … * agreed definition consent

   <AxelPollleres> PROPOSED: We want to the define the following
   hierarchical taxonomies (backed by use cases), where again we
   might extend this list upon additional proposals):

   <AxelPollleres> * categories of personal data

   <AxelPollleres> * (personal data handling) purposes

   <AxelPollleres> * processing categories

   <AxelPollleres> * categories of data controllers, processors,
   recipients (optional)

   <AxelPollleres> * storage locations

   <AxelPollleres> * security measures (including e.g.
   anonymisation "levels", pseudonymisation)

   <AxelPollleres> * storage duration

   <AxelPollleres> +1

   <harsh> +1

   <simonstey> +1

   <Javier> +1

   <Ramisa> +1

   +1

   <Bert> +1

   Resolved: We want to the define the following hierarchical
   taxonomies (backed by use cases), where again we might extend
   this list upon additional proposals):
   … * categories of personal data
   … * (personal data handling) purposes
   … * processing categories
   … * categories of data controllers, processors, recipients
   (optional)
   … * storage locations
   … * security measures (including e.g. anonymisation "levels",
   pseudonymisation)
   … * storage duration

   Stefano: compliance is not something that you can self-assess
   and assign to your case

   Harsh: some terms related to compliance such as transparence
   could be relevant to the group

   Axel: we need to define what needs to be defined in a
   machine-readable manner, for his minimalistic view this is not
   needed at this stage, but if there is a use case for it it can
   be included

   harsh: data subject rights are important, should this be
   included?

   Issue: do we need to formulate a notion of compliance in scope
   of the CG?

   <trackbot> Created ISSUE-2 - Do we need to formulate a notion
   of compliance in scope of the cg?. Please complete additional
   details at <[16]https://www.w3.org/community/dpvcg/track/
   issues/2/edit>.

     [16] https://www.w3.org/community/dpvcg/track/issues/2/edit>.

   Issue: do we want to revisit a definition of "GDPR rights" in
   our definitions and taxonomies?

   <trackbot> Created ISSUE-3 - Do we want to revisit a definition
   of "gdpr rights" in our definitions and taxonomies?. Please
   complete additional details at <[17]https://www.w3.org/
   community/dpvcg/track/issues/3/edit>.

     [17] https://www.w3.org/community/dpvcg/track/issues/3/edit>.

   <AxelPollleres> stefano: e.g. right to be forgotten, how can it
   be executed/enforced

   Simon: there could be ways to express already rights for
   example in terms of permissions using e.g. ODRL

   Javier: how do you want to collect the different items, one per
   page?

   Axel: we could think in terms of questions, that should be
   answered per use case, and give us a start

   Axel: need to run ... I would like to talk about next time on
   in how far in our use cases we have collected so far cover the
   aspects we have now agree upon, in terms of concrete questions
   that should be answred per use case.

   harsh: suggestion for having a small example to get people
   started

   Axel will try to do so

   Action: Axel to formulate a use case to exemplify what I
   proposed today :-) (categorization along the categories and
   terminology we agreed upon today)

   <trackbot> Created ACTION-24 - Formulate a use case to
   exemplify what i proposed today :-) (categorization along the
   categories and terminology we agreed upon today) [on Axel
   Polleres - due 2018-09-25].

   <AxelPollleres> needed to run, sorry

   <AxelPollleres> thanks all!

   Bert ask whether there are more points to discuss, but this is
   it for today, next call in 2 weeks

   <harsh> thank you && good day : )

   <Ramisa> Thanks

Summary of action items

    1. [18]Harsh: create a section about different terms on the
       wiki
    2. [19]Axel to formulate a use case to exemplify what I
       proposed today :-) (categorization along the categories and
       terminology we agreed upon today)

Summary of resolutions

    1. [20]This is an initial non-comprehensive list of GDPR
       Terminology terms, we want to define/agree upon in DPVCG
       (we might extend this list upon additional proposals):
       … * agreed definition data controller
       … * agreed definition data processor
       … * agreed definition data recipient
       … * agreed definition data subject
       … * agreed definition consent
    2. [21]We want to the define the following hierarchical
       taxonomies (backed by use cases), where again we might
       extend this list upon additional proposals):
       … * categories of personal data
       … * (personal data handling) purposes
       … * processing categories
       … * categories of data controllers, processors, recipients
       (optional)
       … * storage locations
       … * security measures (including e.g. anonymisation
       "levels", pseudonymisation)
       … * storage duration

Summary of issues

    1. [22]do we need to formulate a notion of compliance in scope
       of the CG?
    2. [23]do we want to revisit a definition of "GDPR rights" in
       our definitions and taxonomies?


    Minutes manually created (not a transcript), formatted by
    Bert Bos's [24]scribe.perl version 2.49 (2018/09/19
    15:29:32), a reimplementation of David Booth's
    [25]scribe.perl. See [26]CVS log.

     [24] https://dev.w3.org/2002/scribe2/scribedoc.html
     [25] https://dev.w3.org/2002/scribe/scribedoc.htm
     [26] https://dev.w3.org/cvsweb/2002/scribe2/

Received on Wednesday, 19 September 2018 16:19:37 UTC