Re: DPVCG personal data categories from EnterPrivacy from Mark@OC-2 on 2019-02-25 (public-dpvcg@w3.org from February 2019)

From: Mark@OC-2 <mark@openconsent.com>
Date: Mon, 25 Feb 2019 11:52:59 +0000
To: "Harshvardhan J. Pandit" <me@harshp.com>
Cc: rjc@enterprivacy.com, public-dpvcg <public-dpvcg@w3.org>
Message-Id: <C82D6497-1802-43B7-B88B-1688E976CA59@openconsent.com>
Greetings CG, 

Thanks  Harsh & Jason for driving this forward. This has been a long outstanding action which I have one day hoped would get to a point of discussion. 

Interestingly, I have been apart of some  and Identity Relationship Management Work Group, which produced this sort of Venn, they also came to this conclusion, that their are an infinite amount of data connections possible and that privacy is a key vector.  


Also, I was recently listening to this ODI (open date) v PI (private data) panel with Gus Hosein and Jenni Tennison <https://live.worldbank.org/data-privacy-open-data-getting-to-coexistence> -  in this discussion Gus also indicated that the privacy legal framework should define the relationships.  

To this end, I had this idea, that we should try starting with a clear set of defined relationship types. Relationship types are well defined n the GDPR,  perhaps these could be used to classify the type of relationships and the nature of the information flow first, along with the nature of the data flow, then the categories of purpose information  applied ? 

i.e. - Data Controller, Privacy Controller, Data Subject, Sub-controller - then direction of the information flow (data subject to data controller )  - then the information category e.g. - internal or historic. 

In terms of nature of privacy (or data flow). OpenConsent is producing a consent by design protocol and the direction and flow of information is critical to understand the nature of trust in the privacy relationship. i.e. if the Data Subject can first read and understand privacy (or surveillance policy) before providing personal data this indicates consent by design.   If the data controller first surveil’s the data subject and uses this data to engage with the subject of the data (AKA opt-out) this is surveillance by design. 

To this end, Is there a simple way we can test this approach out ? 

Perhaps, could we produce a list of relationship types in the GDPR, indicate the nature of processing - i.e. opt-in or out - then select the relationship from Jason’s categories, then test and see if this makes sense for all use cases ?  (Or some such similar process?) 

Best Regards,  

- Mark 

 

> On 18 Feb 2019, at 03:58, Harshvardhan J. Pandit <me@harshp.com> wrote:
> 
> Hi Jason, we discussed this very issue in our last F2F meeting in December, and used an example similar to the one you provided (of a picture).
> 
> I agree that personal information is more relevant to privacy. However, I feel that it cannot be encapsulated or defined without first defining the personal data it contains or refers to (following from the definitions of data and information).
> To that end, the dpvcg taxonomy provides terms describing personal data categories.
> 
> Additionally, the GDPR specifies "personal data" which is the focus is on "data" rather than "information".
> So even if someone does collect a picture as a data source for facial features (how you look), but also extracts additional information you provide examples of - such as ethnicity, they are legally required to communicate this to the data subject.
> 
> The purpose of the taxonomy is to provide a way to refer to these discreet data categories - in this case, the picture and ethnicity.
> A second task would be to then allow defining relationships between these data categories - such as picture is the source for ethnicity, which can capture the context of information you've elaborated in your reply.
> 
> IMHO, because there are an infinite combinations of linking data with each other, we should focus on providing a way to define the relationships rather than trying to reproduce a taxonomy of the universe.
> 
> Regards,
> Harsh
> 
> On 17/02/19 5:28 AM, rjc@enterprivacy.com <mailto:rjc@enterprivacy.com> wrote:
>> Thanks Harsh and thanks for inviting me to join the group. I do want to say something, before you get much further, since it might help whether and how you adopt or integrate this taxonomy.
>> I developed these categories of personal INFORMATION, not data, because it suited my purpose in privacy by design. It may or may not suit your purpose. I want to differentiate between information content and data.  A photo is a data element. But there could be a richness in information in the photo. If it's a picture of a person, it could show ethnicity information. It could show physical characteristics. It could show medical and health conditions. I did some training and an FBI agent said (of the photo I used as an example), they could probably determine where it was taken. Not because of geotagging in the meta-data, but because of the background in the photo.  A photo of a bank card would have Account information. It probably also has Identifying information (name on the bank card). Having a Gold card implies Credit information (a higher relative credit over a non-Gold card holder). If it's an affinity card (Delta Skymiles card for instance) it could show Preference information (preference for Delta) and Behavioral Information (the holder travels more that others).
>> Similarly, a name field (a data element) might have information about a person's ethnicity. If it contains Reverend as an honorific it would show Public Life (under my taxonomy). Dr? Professional Information. Ms or Mrs? Sexual information (gender).
>> In my view, information, not data, is pertinent to determining risks to people's privacy, hence why I use personal information rather than personal data in my analysis. (I also have thoughts on the over emphasis on "data" privacy as opposed to privacy, but that's a different topic https://privacymaverick.com/?p=446)
>> I tell you all this, because if you start to try to map personal data elements to my taxonomy of personal information, you're going to find both many-to-many relationship AND you're going to find that the relationships are context dependent.
>> Hope that helps.
>> Jason
>> .*.*.*.*.................................................................
>> R. Jason Cronk                  | Juris Doctor
>> Privacy and Trust Consultant    | IAPP Fellow of Information Privacy
>> *Enterprivacy Consulting Group <http://www.enterprivacy.com/ <http://www.enterprivacy.com/>>*    | CIPT, CIPM, CIPP/US, PbD Ambassador
>> /Privacy notices made simple: https://simpleprivacynotice.com <https://simpleprivacynotice.com/><https://simpleprivacynotice.com/ <https://simpleprivacynotice.com/>>
>> /.....................................................................
>> *Upcoming Training**
>> *Privacy by Design Professional:Cyprus (April <https://enterprivacy.com/cyprus-training/ <https://enterprivacy.com/cyprus-training/>>), Belarus - English/Russian (July)
>> Online (coming soon):https://privacybydesign.training <https://privacybydesign.training/> <https://privacybydesign.training/ <https://privacybydesign.training/>>
>>    ----- Original Message -----
>>    From:
>>    "Harshvardhan J. Pandit" <me@harshp.com <mailto:me@harshp.com>>
>>    To:
>>    "public-dpvcg" <public-dpvcg@w3.org <mailto:public-dpvcg@w3.org>>
>>    Cc:
>>    Sent:
>>    Sun, 17 Feb 2019 00:57:11 +0530
>>    Subject:
>>    DPVCG personal data categories from EnterPrivacy
>>    Hi Fajar, Everyone.
>>    See the email below, where the creator of the EnterPrivacy data
>>    categories has shared (attached) the spreadsheet containing the terms
>>    and definitions.
>>    I've updated the terms and definitions in the ontology on Github, where
>>    each term has a label and attribution (rdfs:isDefinedBy) and definition
>>    where possible. The spreadsheet has also been put in the Github repo.
>>    Moving forward, I want to do a few things, and would like to know what
>>    you think about them.
>>    1) singular vs plural: I was confused if we should keep the terms in
>>    their plural form or singular form - I prefer the singular from a
>>    purely
>>    philosophical point of view e.g. an ontology about animals will have a
>>    class called Cat and not Cats.. The source (PDF) contains terms in the
>>    plural because I think this is how we refer to them in daily life.
>>    2) clean up terms: some of the terms can be confusing on their own
>>    without an achor to the context e.g. Account by itself is vague, but if
>>    we see the hierarchy, it is under Finance. So I renamed it to
>>    FinanceAccount. I think we need to go through each terms and clean them
>>    similarly.
>>    3) Relationships between terms: this is tricky, and there are several
>>    different types of relationships here. One type is part-of, such as
>>    Account and Account Number, another is source, such as IPAddress and
>>    Location. We need to identify such relationships, and also find a
>>    way to
>>    represent them in the ontology. We can create a separate ontology for
>>    these, and keep the current one only as a taxonomy or a thesauri.
>>    Best,
>>    Harsh
>>    P.S. Thanks to Mark for the connection and speeding this up, and thanks
>>    to Jason for providing the data in a spreadsheet.
>>    -------- Forwarded Message --------
>>    Subject: Re: [subject] Categories of
>>    Date: Fri, 15 Feb 2019 10:32:11 -0500
>>    From: R. Jason Cronk <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>
>>    To: Mark Lizar <mark@openconsent.com <mailto:mark@openconsent.com>>
>>    CC: Harshvardhan J. Pandit <harshvardhan.pandit@adaptcentre.ie <mailto:harshvardhan.pandit@adaptcentre.ie>>
>>    Mark and Harsh,
>>    Please see attached. Hopefully this meets your needs. It looks like I'm
>>    a member of the group now. I'll have to read through available
>>    documentation to see what else the group is working on.
>>    I do want say I have several other categories/taxonomies I use that may
>>    be beneficial, including
>>    Dan Soloves' Taxonomy of Privacy
>>    Jaap-Henk Hoepman's  Control Strategies and Tactics
>>    FAIR based Privacy Risk Analysis
>>    and a few others of my own design
>>    Jason
>>    .*.*.*.*..................................................................
>>    R. Jason Cronk                  | Juris Doctor
>>    Privacy and Trust Consultant    | IAPP FIP, CIPT, CIPM, CIPP/US, PbD
>>    Ambassador
>>    *Enterprivacy Consulting Group <http://www.enterprivacy.com/ <http://www.enterprivacy.com/>>*    |
>>    Author ofStrategic Privacy by Design
>>    <https://iapp.org/store/books/a191a00000345yDAAQ/ <https://iapp.org/store/books/a191a00000345yDAAQ/>>
>>    /Privacy notices made simple: https://simpleprivacynotice.com <https://simpleprivacynotice.com/>
>>    <https://simpleprivacynotice.com/ <https://simpleprivacynotice.com/>>
>>    /.....................................................................
>>    *Upcoming Training**
>>    *Privacy by Design Professional:Cyprus (April
>>    <https://enterprivacy.com/cyprus-training/ <https://enterprivacy.com/cyprus-training/>>), Belarus - English/Russian
>>    (July)
>>    Online (coming soon):https://privacybydesign.training <https://privacybydesign.training/>
>>    <https://privacybydesign.training/ <https://privacybydesign.training/>>
>>    ----- Original Message -----
>>    From:
>>    "Mark Lizar" <mark@openconsent.com <mailto:mark@openconsent.com>>
>>    To:
>>    "R. Jason Cronk" <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>
>>    Cc:
>>    "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie <mailto:harshvardhan.pandit@adaptcentre.ie>>
>>    Sent:
>>    Tue, 12 Feb 2019 17:02:19 +0000
>>    Subject:
>>    Re: [subject] Categories of
>>    Thanks Jason,
>>    This is great !  I am cc’ing Harsh as he is managing the details.
>>      If you could provide an attribution license to the W3C DPVC CG,
>>      then this would enable them to use this as a starting point.
>>    If you could also provide the latest spreadsheet along with the
>>    license, then we could use this as the starting point.    These
>>    materials would then end up on the W3C wiki and we can iterate and
>>    discuss it from there.
>>    As for the application to join the group, it was a bit tricky for
>>    me, I think its pretty automated now.  If you have any issues
>>    joining let me or better yet Harsh know and we can help.
>>    - Mark
>>    On 12 Feb 2019, at 16:43, R. Jason Cronk
>>    <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com> <mailto:rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>> wrote:
>>    Mark,
>>    Thanks for reaching back out to me. Unfortunately, given that
>>    I'm not in academia, there is no paper around this only my
>>    infographics. You can find the latest version at
>>    https://iapp.org/resources/article/categories-of-personal-data/ <https://iapp.org/resources/article/categories-of-personal-data/>
>>    Happy to offer an attribution only license.
>>    Jason
>>    P.S. I submitted a request to join though don't know how
>>    actively I can participate.
>>    .*.*.*.*..................................................................
>>    R. Jason Cronk                  | Juris Doctor
>>    Privacy and Trust Consultant    | IAPP FIP, CIPT, CIPM,
>>    CIPP/US, PbD Ambassador
>>    *Enterprivacy Consulting Group <http://www.enterprivacy.com/ <http://www.enterprivacy.com/>>*
>>        | Author ofStrategic Privacy by Design
>>    <https://iapp.org/store/books/a191a00000345yDAAQ/ <https://iapp.org/store/books/a191a00000345yDAAQ/>>
>>    /Privacy notices made simple: https://simpleprivacynotice.com <https://simpleprivacynotice.com/>
>>    <https://simpleprivacynotice.com/ <https://simpleprivacynotice.com/>>
>>    /.....................................................................
>>    *Upcoming Training**
>>    *Privacy by Design Professional:Cyprus (April
>>    <https://enterprivacy.com/cyprus-training/ <https://enterprivacy.com/cyprus-training/>>),
>>    Belarus - English/Russian (July)
>>    Online (coming soon):https://privacybydesign.training <https://privacybydesign.training/>
>>    <https://privacybydesign.training/ <https://privacybydesign.training/>>
>>    ----- Original Message -----
>>    From:
>>    "Mark Lizar" <mark@openconsent.com <mailto:mark@openconsent.com>
>>    <mailto:mark@openconsent.com <mailto:mark@openconsent.com>>>
>>    To:
>>    "R. Jason Cronk" <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>
>>    <mailto:rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>>
>>    Cc:
>>    "Harshvardhan J. Pandit" <harshvardhan.pandit@adaptcentre.ie <mailto:harshvardhan.pandit@adaptcentre.ie>
>>    <mailto:harshvardhan.pandit@adaptcentre.ie <mailto:harshvardhan.pandit@adaptcentre.ie>>>
>>    Sent:
>>    Tue, 12 Feb 2019 14:07:10 +0000
>>    Subject:
>>    Re: [subject] Categories of
>>    Greeting Jason,
>>    Its been a little while since I was in touch.   I hope you
>>    are doing well. I wanted to let you know that I have
>>    submitted these categories to the W3C group -Data Privacy
>>    Vocabulary and Controls WG, as the Kantara Initiative was
>>    not standardising semantics.
>>    This W3C Group has asked me to reach out to you and invite
>>    you to participate and to see if there is a) a paper that
>>    supports these categories b) if there has been any
>>    progression in this work.
>>    Here is a link to the CG
>>    https://www.w3.org/community/dpvcg/ <https://www.w3.org/community/dpvcg/>,  for more information
>>    you can ask me or Harsh (cc’d).
>>    Best Regards,
>>    Mark
>>    On 15 Aug 2017, at 20:10, R. Jason Cronk
>>    <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>
>>    <mailto:rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>> wrote:
>>    Mark,
>>    Attached is the spreadsheet with the Categories of
>>    Personal Information as I distributed on my infographic,
>>    along with definitions and examples. Thank you for the
>>    invite to participate. I will look into joining the
>>    group, though my time is stretched thin at the moment,
>>    so I'm not sure how much I can contribute.
>>    Jason
>>    --
>>    R. Jason Cronk, JD
>>    IAPP Fellow of Information Privacy
>>    CIPM, CIPT, CIPP/US, PbD Ambassador
>>    *Privacy and Trust Consultant*
>>    Enterprivacy Consulting Group
>>    <http://www.enterprivacy.com/ <http://www.enterprivacy.com/>>
>>    [Upcoming Advanced Privacy by Design Workshops in
>>    October:Atlanta
>>    <https://www.eventbrite.com/e/advanced-privacy-by-design-workshop-atlanta-ga-oct-2017-tickets-35888070184 <https://www.eventbrite.com/e/advanced-privacy-by-design-workshop-atlanta-ga-oct-2017-tickets-35888070184>>]
>>    On 2017-08-15 13:30, Mark Lizar wrote:
>>    Hi Jason,
>>    (I am ccing this to the CISWG mailing list).
>>      Apologies for the delayed response, specification
>>    work can move quite
>>    slowly.
>>    I very much appreciate the re-use of the PI
>>    Categories and the offer
>>    to provide these in different formats, a spreadsheet
>>    would be most
>>    helpful for Consent Receipt specification work.
>>    We are discussing the use of these PI categories for
>>    reference in the
>>    work we are working on now.   Our intent is to use
>>    these for PI
>>    Categories as defined in ISO 29100 and not PII.  The
>>    proposed use of
>>    these PI Categories are currently being discussed
>>    for use in purpose
>>    specification for the creation of  consent receipts
>>    and PII.  In this
>>    regard,  I can confirm we will not represent these
>>    categories as PII
>>    categories.
>>    Lastly, we would like to invite you to the Kantara
>>    CISWG workgroup so
>>    you can see how we put this great work to use :-)
>>      More information
>>    about jointing can be found at
>>    https://kantarainitiative.org/confluence/display/infosharing/Home <https://kantarainitiative.org/confluence/display/infosharing/Home> [3
>>    <https://kantarainitiative.org/confluence/display/infosharing/Home <https://kantarainitiative.org/confluence/display/infosharing/Home>>]
>>    where there is a link to join both the WG and the
>>    mailing list.
>>    Kind Regards,
>>    Mark
>>    On 30 May 2017, at 11:25, R. Jason Cronk
>>    <rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>
>>    <mailto:rjc@privacymaverick.com <mailto:rjc@privacymaverick.com>>>
>>    wrote:
>>    Hi Mark,
>>    Feel free to use this PDF in it's original form
>>    in any forum. As for
>>    additional uses, please let me know if you'd
>>    like a file with the
>>    text of the categories and description so you
>>    can  use it in
>>    different formats. My only ask is that you use
>>    the term "Personal
>>    Information" rather than PII in reference to
>>    this categorization. I
>>    find the term PII has contextual limitations
>>    because much of
>>    personal information, which may be personal to
>>    me, is not
>>    identifying, i.e. my favorite color. Thus, in
>>    discussions, using
>>    "PII" immediately constrains the audience to a
>>    limited set of
>>    personal information..
>>    Also, I'm not sure what you mean by complete
>>    reference is your
>>    request below. Please clarify.
>>    --
>>    R. Jason Cronk, JD
>>    IAPP Fellow of Information Privacy
>>    CIPM, CIPT, CIPP/US, PbD Ambassador
>>    PRIVACY AND TRUST CONSULTANT
>>    Enterprivacy Consulting Group [2
>>    <http://www.enterprivacy.com/ <http://www.enterprivacy.com/>>]
>>    On 2017-05-29 05:22, WordPress wrote:
>>    From: Mark <mark@openconsent.com <mailto:mark@openconsent.com>
>>    <mailto:mark@openconsent.com <mailto:mark@openconsent.com>>>
>>    Message Body:
>>    Like your categories of personal information..
>>    We would like to use and reference it for
>>    developing our PII
>>    categories for an effort Called the Consent
>>    Receipt at the Kantara
>>    Initiative.
>>    Could you please provide us with a complete
>>    reference for this and
>>    perhaps even some formal permission to use
>>    it ?
>>    Kind Regards,
>>    Mark
>>    --
>>    This e-mail was sent from a contact form on
>>    Enterprivacy
>>    Consulting
>>    Group (http://enterprivacy.com <http://enterprivacy.com/>
>>    <http://enterprivacy.com/ <http://enterprivacy.com/>>[1
>>    <http://enterprivacy.com/ <http://enterprivacy.com/>>])
>>    Links:
>>    ------
>>    [1]http://enterprivacy.com/ <http://enterprivacy.com/>
>>    [2]http://www.enterprivacy.com/ <http://www.enterprivacy.com/>
>>    [3]https://kantarainitiative.org/confluence/display/infosharing/Home <https://kantarainitiative.org/confluence/display/infosharing/Home>
>>    <information categories.ods>
>>    <Untitled.png>
> 
> -- 
> ---
> Harshvardhan J. Pandit
> PhD Researcher
> ADAPT Centre, Trinity College Dublin
> https://harshp.com/ <https://harshp.com/>
Attachments

text/html attachment: stored
image/png attachment: ppso-venn.png
application/pkcs7-signature attachment: smime.p7s
Received on Monday, 25 February 2019 11:54:34 UTC