Re: DPVCG personal data categories from EnterPrivacy

Hi Jason, we discussed this very issue in our last F2F meeting in 
December, and used an example similar to the one you provided (of a 
picture).

I agree that personal information is more relevant to privacy. However, 
I feel that it cannot be encapsulated or defined without first defining 
the personal data it contains or refers to (following from the 
definitions of data and information).
To that end, the dpvcg taxonomy provides terms describing personal data 
categories.

Additionally, the GDPR specifies "personal data" which is the focus is 
on "data" rather than "information".
So even if someone does collect a picture as a data source for facial 
features (how you look), but also extracts additional information you 
provide examples of - such as ethnicity, they are legally required to 
communicate this to the data subject.

The purpose of the taxonomy is to provide a way to refer to these 
discreet data categories - in this case, the picture and ethnicity.
A second task would be to then allow defining relationships between 
these data categories - such as picture is the source for ethnicity, 
which can capture the context of information you've elaborated in your 
reply.

IMHO, because there are an infinite combinations of linking data with 
each other, we should focus on providing a way to define the 
relationships rather than trying to reproduce a taxonomy of the universe.

Regards,
Harsh

On 17/02/19 5:28 AM, rjc@enterprivacy.com wrote:
> Thanks Harsh and thanks for inviting me to join the group. I do want to 
> say something, before you get much further, since it might help whether 
> and how you adopt or integrate this taxonomy.
> 
> I developed these categories of personal INFORMATION, not data, because 
> it suited my purpose in privacy by design. It may or may not suit your 
> purpose. I want to differentiate between information content and data.  
> A photo is a data element. But there could be a richness in information 
> in the photo. If it's a picture of a person, it could show ethnicity 
> information. It could show physical characteristics. It could show 
> medical and health conditions. I did some training and an FBI agent said 
> (of the photo I used as an example), they could probably determine where 
> it was taken. Not because of geotagging in the meta-data, but because of 
> the background in the photo.  A photo of a bank card would have Account 
> information. It probably also has Identifying information (name on the 
> bank card). Having a Gold card implies Credit information (a higher 
> relative credit over a non-Gold card holder). If it's an affinity card 
> (Delta Skymiles card for instance) it could show Preference information 
> (preference for Delta) and Behavioral Information (the holder travels 
> more that others).
> 
> Similarly, a name field (a data element) might have information about a 
> person's ethnicity. If it contains Reverend as an honorific it would 
> show Public Life (under my taxonomy). Dr? Professional Information. Ms 
> or Mrs? Sexual information (gender).
> 
> In my view, information, not data, is pertinent to determining risks to 
> people's privacy, hence why I use personal information rather than 
> personal data in my analysis. (I also have thoughts on the over emphasis 
> on "data" privacy as opposed to privacy, but that's a different 
> topic https://privacymaverick.com/?p=446)
> 
> I tell you all this, because if you start to try to map personal data 
> elements to my taxonomy of personal information, you're going to find 
> both many-to-many relationship AND you're going to find that the 
> relationships are context dependent.
> 
> Hope that helps.
> 
> Jason
> 
> .*.*.*.*.................................................................
> R. Jason Cronk                  | Juris Doctor
> Privacy and Trust Consultant    | IAPP Fellow of Information Privacy
> *Enterprivacy Consulting Group <http://www.enterprivacy.com/>*    | CIPT, CIPM, CIPP/US, PbD Ambassador
> /Privacy notices made simple: https://simpleprivacynotice.com 
> <https://simpleprivacynotice.com/>
> /.....................................................................
> 
> *Upcoming Training**
> *Privacy by Design Professional:Cyprus (April <https://enterprivacy.com/cyprus-training/>), Belarus - 
> English/Russian (July)
> Online (coming soon):https://privacybydesign.training  <https://privacybydesign.training/>
> 
> 
> 
>     ----- Original Message -----
>     From:
>     "Harshvardhan J. Pandit" <me@harshp.com>
> 
>     To:
>     "public-dpvcg" <public-dpvcg@w3.org>
>     Cc:
> 
>     Sent:
>     Sun, 17 Feb 2019 00:57:11 +0530
>     Subject:
>     DPVCG personal data categories from EnterPrivacy
>     Hi Fajar, Everyone.
> 
>     See the email below, where the creator of the EnterPrivacy data
>     categories has shared (attached) the spreadsheet containing the terms
>     and definitions.
>     I've updated the terms and definitions in the ontology on Github, where
>     each term has a label and attribution (rdfs:isDefinedBy) and definition
>     where possible. The spreadsheet has also been put in the Github repo.
> 
>     Moving forward, I want to do a few things, and would like to know what
>     you think about them.
> 
>     1) singular vs plural: I was confused if we should keep the terms in
>     their plural form or singular form - I prefer the singular from a
>     purely
>     philosophical point of view e.g. an ontology about animals will have a
>     class called Cat and not Cats.. The source (PDF) contains terms in the
>     plural because I think this is how we refer to them in daily life.
> 
>     2) clean up terms: some of the terms can be confusing on their own
>     without an achor to the context e.g. Account by itself is vague, but if
>     we see the hierarchy, it is under Finance. So I renamed it to
>     FinanceAccount. I think we need to go through each terms and clean them
>     similarly.
> 
>     3) Relationships between terms: this is tricky, and there are several
>     different types of relationships here. One type is part-of, such as
>     Account and Account Number, another is source, such as IPAddress and
>     Location. We need to identify such relationships, and also find a
>     way to
>     represent them in the ontology. We can create a separate ontology for
>     these, and keep the current one only as a taxonomy or a thesauri.
> 
>     Best,
>     Harsh
> 
>     P.S. Thanks to Mark for the connection and speeding this up, and thanks
>     to Jason for providing the data in a spreadsheet.
> 
> 
>     -------- Forwarded Message --------
>     Subject: Re: [subject] Categories of
>     Date: Fri, 15 Feb 2019 10:32:11 -0500
>     From: R. Jason Cronk <rjc@privacymaverick.com>
>     To: Mark Lizar <mark@openconsent.com>
>     CC: Harshvardhan J. Pandit <harshvardhan.pandit@adaptcentre.ie>
> 
> 
> 
>     Mark and Harsh,
> 
>     Please see attached. Hopefully this meets your needs. It looks like I'm
>     a member of the group now. I'll have to read through available
>     documentation to see what else the group is working on.
> 
>     I do want say I have several other categories/taxonomies I use that may
>     be beneficial, including
> 
>     Dan Soloves' Taxonomy of Privacy
>     Jaap-Henk Hoepman's  Control Strategies and Tactics
>     FAIR based Privacy Risk Analysis
>     and a few others of my own design
> 
>     Jason
> 
>     .*.*.*.*..................................................................
>     R. Jason Cronk                  | Juris Doctor
>     Privacy and Trust Consultant    | IAPP FIP, CIPT, CIPM, CIPP/US, PbD
>     Ambassador
>     *Enterprivacy Consulting Group <http://www.enterprivacy.com/>*    |
>     Author ofStrategic Privacy by Design
>     <https://iapp.org/store/books/a191a00000345yDAAQ/>
>     /Privacy notices made simple: https://simpleprivacynotice.com
>     <https://simpleprivacynotice.com/>
>     /.....................................................................
> 
>     *Upcoming Training**
>     *Privacy by Design Professional:Cyprus (April
>     <https://enterprivacy.com/cyprus-training/>), Belarus - English/Russian
>     (July)
>     Online (coming soon):https://privacybydesign.training
>     <https://privacybydesign.training/>
> 
> 
> 
>     ----- Original Message -----
>     From:
>     "Mark Lizar" <mark@openconsent.com>
> 
>     To:
>     "R. Jason Cronk" <rjc@privacymaverick.com>
>     Cc:
>     "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie>
>     Sent:
>     Tue, 12 Feb 2019 17:02:19 +0000
>     Subject:
>     Re: [subject] Categories of
> 
> 
>     Thanks Jason,
> 
>     This is great !  I am cc’ing Harsh as he is managing the details.
>       If you could provide an attribution license to the W3C DPVC CG,
>       then this would enable them to use this as a starting point.
> 
>     If you could also provide the latest spreadsheet along with the
>     license, then we could use this as the starting point.    These
>     materials would then end up on the W3C wiki and we can iterate and
>     discuss it from there.
> 
>     As for the application to join the group, it was a bit tricky for
>     me, I think its pretty automated now.  If you have any issues
>     joining let me or better yet Harsh know and we can help.
> 
>     - Mark
> 
> 
>     On 12 Feb 2019, at 16:43, R. Jason Cronk
>     <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>> wrote:
> 
>     Mark,
> 
>     Thanks for reaching back out to me. Unfortunately, given that
>     I'm not in academia, there is no paper around this only my
>     infographics. You can find the latest version at
>     https://iapp.org/resources/article/categories-of-personal-data/
> 
>     Happy to offer an attribution only license.
> 
>     Jason
> 
>     P.S. I submitted a request to join though don't know how
>     actively I can participate.
> 
>     .*.*.*.*..................................................................
>     R. Jason Cronk                  | Juris Doctor
>     Privacy and Trust Consultant    | IAPP FIP, CIPT, CIPM,
>     CIPP/US, PbD Ambassador
>     *Enterprivacy Consulting Group <http://www.enterprivacy.com/>*
>         | Author ofStrategic Privacy by Design
>     <https://iapp.org/store/books/a191a00000345yDAAQ/>
>     /Privacy notices made simple: https://simpleprivacynotice.com
>     <https://simpleprivacynotice.com/>
>     /.....................................................................
> 
>     *Upcoming Training**
>     *Privacy by Design Professional:Cyprus (April
>     <https://enterprivacy.com/cyprus-training/>),
>     Belarus - English/Russian (July)
>     Online (coming soon):https://privacybydesign.training
>     <https://privacybydesign.training/>
> 
> 
> 
>     ----- Original Message -----
>     From:
>     "Mark Lizar" <mark@openconsent.com
>     <mailto:mark@openconsent.com>>
> 
>     To:
>     "R. Jason Cronk" <rjc@privacymaverick.com
>     <mailto:rjc@privacymaverick.com>>
>     Cc:
>     "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie
>     <mailto:harshvardhan.pandit@adaptcentre.ie>>
>     Sent:
>     Tue, 12 Feb 2019 14:07:10 +0000
>     Subject:
>     Re: [subject] Categories of
> 
> 
>     Greeting Jason,
> 
>     Its been a little while since I was in touch.   I hope you
>     are doing well. I wanted to let you know that I have
>     submitted these categories to the W3C group -Data Privacy
>     Vocabulary and Controls WG, as the Kantara Initiative was
>     not standardising semantics.
> 
>     This W3C Group has asked me to reach out to you and invite
>     you to participate and to see if there is a) a paper that
>     supports these categories b) if there has been any
>     progression in this work.
> 
>     Here is a link to the CG
>     https://www.w3.org/community/dpvcg/,  for more information
>     you can ask me or Harsh (cc’d).
> 
>     Best Regards,
> 
>     Mark
> 
>     On 15 Aug 2017, at 20:10, R. Jason Cronk
>     <rjc@privacymaverick.com
>     <mailto:rjc@privacymaverick.com>> wrote:
> 
>     Mark,
>     Attached is the spreadsheet with the Categories of
>     Personal Information as I distributed on my infographic,
>     along with definitions and examples. Thank you for the
>     invite to participate. I will look into joining the
>     group, though my time is stretched thin at the moment,
>     so I'm not sure how much I can contribute.
>     Jason
>     --
> 
>     R. Jason Cronk, JD
>     IAPP Fellow of Information Privacy
>     CIPM, CIPT, CIPP/US, PbD Ambassador
>     *Privacy and Trust Consultant*
>     Enterprivacy Consulting Group
>     <http://www.enterprivacy.com/>
> 
>     [Upcoming Advanced Privacy by Design Workshops in
>     October:Atlanta
> 
>     <https://www.eventbrite.com/e/advanced-privacy-by-design-workshop-atlanta-ga-oct-2017-tickets-35888070184>]
> 
>     On 2017-08-15 13:30, Mark Lizar wrote:
> 
>     Hi Jason,
> 
>     (I am ccing this to the CISWG mailing list).
> 
>       Apologies for the delayed response, specification
>     work can move quite
>     slowly.
> 
>     I very much appreciate the re-use of the PI
>     Categories and the offer
>     to provide these in different formats, a spreadsheet
>     would be most
>     helpful for Consent Receipt specification work.
> 
>     We are discussing the use of these PI categories for
>     reference in the
>     work we are working on now.   Our intent is to use
>     these for PI
>     Categories as defined in ISO 29100 and not PII.  The
>     proposed use of
>     these PI Categories are currently being discussed
>     for use in purpose
>     specification for the creation of  consent receipts
>     and PII.  In this
>     regard,  I can confirm we will not represent these
>     categories as PII
>     categories.
> 
>     Lastly, we would like to invite you to the Kantara
>     CISWG workgroup so
>     you can see how we put this great work to use :-)
>       More information
>     about jointing can be found at
>     https://kantarainitiative.org/confluence/display/infosharing/Home [3
>     <https://kantarainitiative.org/confluence/display/infosharing/Home>]
>     where there is a link to join both the WG and the
>     mailing list.
> 
>     Kind Regards,
> 
>     Mark
> 
>     On 30 May 2017, at 11:25, R. Jason Cronk
>     <rjc@privacymaverick.com
>     <mailto:rjc@privacymaverick.com>>
>     wrote:
> 
>     Hi Mark,
> 
>     Feel free to use this PDF in it's original form
>     in any forum. As for
>     additional uses, please let me know if you'd
>     like a file with the
>     text of the categories and description so you
>     can  use it in
>     different formats. My only ask is that you use
>     the term "Personal
>     Information" rather than PII in reference to
>     this categorization. I
>     find the term PII has contextual limitations
>     because much of
>     personal information, which may be personal to
>     me, is not
>     identifying, i.e. my favorite color. Thus, in
>     discussions, using
>     "PII" immediately constrains the audience to a
>     limited set of
>     personal information..
> 
>     Also, I'm not sure what you mean by complete
>     reference is your
>     request below. Please clarify.
> 
>     --
>     R. Jason Cronk, JD
>     IAPP Fellow of Information Privacy
>     CIPM, CIPT, CIPP/US, PbD Ambassador
>     PRIVACY AND TRUST CONSULTANT
>     Enterprivacy Consulting Group [2
>     <http://www.enterprivacy.com/>]
> 
>     On 2017-05-29 05:22, WordPress wrote:
> 
>     From: Mark <mark@openconsent.com
>     <mailto:mark@openconsent.com>>
> 
>     Message Body:
>     Like your categories of personal information..
> 
>     We would like to use and reference it for
>     developing our PII
>     categories for an effort Called the Consent
>     Receipt at the Kantara
>     Initiative.
> 
>     Could you please provide us with a complete
>     reference for this and
>     perhaps even some formal permission to use
>     it ?
> 
>     Kind Regards,
> 
>     Mark
> 
>     --
>     This e-mail was sent from a contact form on
>     Enterprivacy
>     Consulting
>     Group (http://enterprivacy.com
>     <http://enterprivacy.com/>[1
>     <http://enterprivacy.com/>])
> 
> 
> 
> 
>     Links:
>     ------
>     [1]http://enterprivacy.com/
>     [2]http://www.enterprivacy.com/
>     [3]https://kantarainitiative.org/confluence/display/infosharing/Home
> 
> 
>     <information categories.ods>
> 
> 
>     <Untitled.png>
> 
> 
> 
> 

-- 
---
Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
https://harshp.com/

Received on Monday, 18 February 2019 03:59:24 UTC