Re: Privacy protection principles

Hi Kepeng,

Sorry for a tardy reply. As you point out, the OECD privacy principles are one of
the high-level documents.
ISO/IEC 29100 is also a freely available document that goes into more
detail.
Then, there are a whole bunch of ISO/IEC 291** series to follow it up. e.g.,
ISO/IEC DIS 29134 Privacy Impact Assessment Guidelines.

Taking one of the existing principles (such as ISO/IEC 29100) and applying it
to a certain area would be good, though I feel "open web" might be a bit
too broad.

Best,

Nat

On Mon, Sep 26, 2016 at 11:55 PM Kepeng Li <kepeng.lkp@alibaba-inc.com>
wrote:

> Hi Sophie and Jose,
>
> Thanks for your feedback.
>
> In the TPAC meeting, the group tends not to define privacy principles in
> W3C, but to find some detailed technologies to achieve the privacy
> principles, and provide enhancements to the current privacy questionnaires.
>
> I will check your materials in the links, and provide further inputs to
> the privacy questionnaires.
>
> Kind Regards
> Kepeng
>
> From: KWASNY Sophie <Sophie.KWASNY@coe.int>
> Date: Monday, 26 September, 2016 2:57 pm
> To: Li Kepeng <kepeng.lkp@alibaba-inc.com>
> Cc: John Moehrke <johnmoehrke@gmail.com>, "José M. del Álamo" <
> jmdela@dit.upm.es>, Nat Sakimura <sakimura@gmail.com>, Alan Chapell <
> achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <
> public-privacy@w3.org>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>
> Subject: RE: Privacy protection principles
>
> Dear Kepeng, Dear All,
>
>
>
> Going down a little bit deeper into the privacy principles and providing a
> guidance which is more specific to the web sounds like a great initiative,
>
>
>
> My two cents would only consist in recalling that any list of privacy
> principles which will serve as a basis for that work, to be exhaustive –
> from whichever region of the world it is being looked at - should include a
> reference to the sole international instrument in the field which is
> legally binding. Convention 108 has been the backbone of the development of
> the European Union’s legal framework and development in a number of
> countries outside Europe. It now gathers 50 countries, 47 from Europe, 1
> from South America and 2 from Africa, (several other non-European
> countries, both from Africa and America, currently interested/being in the
> process of accession, no Asian one so far).
>
>
>
> The proposed revised Convention is accessible at:
> http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Consolidated%20version%20of%20the%20modernised%20convention%20108%20July%202016.pdf
>
>
>
> Kind regards,
>
> Sophie
>
> Sophie Kwasny
> Data Protection Unit
> COUNCIL OF EUROPE
> www.coe.int/dataprotection
>
>
>
> *From:* José M. del Álamo [mailto:jmdela@dit.upm.es <jmdela@dit.upm.es>]
> *Sent:* Monday 26 September 2016 09:43
> *To:* Kepeng Li
> *Cc:* John Moehrke; Nat Sakimura; Alan Chapell; public-privacy (W3C
> mailing list); chaals@yandex-team.ru
> *Subject:* Re: Privacy protection principles
>
>
>
> Dear Kepeng, all, I'll try to summarize below our previous experience on
> this matter.
>
>
>
> As far as I know there have been some approaches to try to go in more
> detail from high-level privacy/data protection principles (OECD, ISO, GDPR,
> or other) to lower-detailed requirements closer to the technical domain.
>
>
>
> For example, the EU-funded PRIPARE project [1] developed an early
> catalogue of requirements from ISO29100 and EU GDPR principles. The idea
> was to move from the set of high-level principles into more elaborated
> privacy guidelines and from there into a set of detailed technical
> requirements, in a process named as requirements operationalization. You
> can see the actual catalogue in the PRIPARE handbook [2], Annex B. Some
> other researchers have followed a similar path, and you can find, for
> example, a taxonomy of requirements refining the privacy goal
> 'transparency'. [5].
>
>
>
> As I said this was an early effort within a somehow small research
> project, and thus the catalogue requires further refinement, elaboration
> and consensus, but is an early step in our vision on how some of the
> privacy principles can be further detailed and how it is aligned with the
> risk-driven approaches [3], enabling a systematic approach to engineering
> privacy when developing information systems. Indeed, this vision was
> inspired by earlier works at W3C, for example, within the Accessibility
> domain [4].
>
>
>
> These are my 2 cents.
>
>
>
> Regards,
>
>
>
> Jose M. del Alamo
>
> Universidad Politecnica de Madrid
>
>
>
> [1] http://pripareproject.eu/
>
> [2]
> http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf
>
> [3] Notario, N. et al., PRIPARE: Integrating Privacy Best Practices into a
> Privacy Engineering Methodology, IEEE Security and Privacy Workshops (SPW),
> . doi: 10.1109/SPW.2015.22
>
> [4] Martin et al., Privacy Requirements Engineering: Valuable Lessons from
> Another Realm, 1st International Workshop on Evolving Security and Privacy
> Requirements Engineering - ESPRE2014, pp. 19-24. doi:
> 10.1109/ESPRE.2014.6890523
>
> [5] Meis, R. et al. A Taxonomy of Requirements for the Privacy Goal
> Transparency. In International Conference on Trust and Privacy in Digital
> Business. Springer International Publishing.
>
>
>
> 2016-09-20 3:03 GMT+02:00 Kepeng Li <kepeng.lkp@alibaba-inc.com>:
>
> I agree that from high level overview, my proposed privacy principles are
> quite similar to OECD privacy principles.
>
>
>
> I am wondering if we can go down a little bit deeper, and make each
> principle in more detail, and also make it specific to web.
>
>
>
> The goal is to make it as guidelines or best practices to achieve privacy
> principles in the open web environment.
>
>
>
> My document is still in the very early stage. I am just trying to find a
> way to move forward, to make it useful in some way.
>
>
>
> Thanks,
>
>
>
> Kind Regards
>
>
>
> Kepeng Li
>
> Alibaba
>
>
>
> *From:* John Moehrke <johnmoehrke@gmail.com>
> *Date:* Tuesday, 20 September, 2016 1:33 am
> *To:* Li Kepeng <kepeng.lkp@alibaba-inc.com>
> *Cc:* Nat Sakimura <sakimura@gmail.com>, Alan Chapell <
> achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <
> public-privacy@w3.org>, <chaals@yandex-team.ru>
> *Subject:* Re: Privacy protection principles
> *Resent-From:* <public-privacy@w3.org>
> *Resent-Date:* Tue, 20 Sep 2016 07:18:07 +0000
>
>
>
> I have a cross-reference between various standards on Privacy Principles.
> With linkage to them (where I am allowed)
>
> https://healthcaresecprivacy.blogspot.com/2015/04/privacy-principles.html
>
>
>
> John
>
>
> John Moehrke
> Principal Engineering Architect: Standards - Interoperability, Privacy,
> and Security
> CyberPrivacy – Enabling authorized communications while respecting Privacy
> M +1 920-564-2067
> JohnMoehrke@gmail.com
> https://www.linkedin.com/in/johnmoehrke
> https://healthcaresecprivacy.blogspot.com
> "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
>
>
>
> On Mon, Sep 19, 2016 at 12:08 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com>
> wrote:
>
> Hi Nat,
>
> > There are many well respected documents that have something very similar
> in them.
>
> Can you send the links of the mentioned similar documents?
>
> Thanks,
>
> Kind Regards
> Kepeng
>
> --------------------------
>
> *From:* Nat Sakimura <sakimura@gmail.com>
> *Date:* 15:28
> *To:* Alan Chapell <achapell@chapellassociates.com>
> *Subject:* Re: Privacy protection principles
>
> Sorry, I have not been following the list lately so I am probably missing
> something, but what is the context around this document?
>
> There are many well respected documents that have something very similar
> in them. Why are we creating yet another one?
>
> Nat
>
> 2016/09/19 3:15 AM "Alan Chapell" <achapell@chapellassociates.com>:
>
>
>
>
>
> Cheers,
>
>
>
> Alan Chapell
>
> Chapell & Associates
>
> 917 318 8440
>
>
>
>
>
> On 9/18/16, 12:49 PM, "Kepeng Li" <kepeng.lkp@alibaba-inc.com> wrote:
>
>
>
>
>
> Hi Chaals,
>
> Thanks for your edits. It is quite helpful.
>
> I made some further edits based on your proposed changes.
>
> About your embedded questions, we can discuss them during the PING meeting
> on Tuesday.
>
> Kind Regards
> Kepeng
>
> ------------------------------------------------------------------
> From: <chaals@yandex-team.ru>
> Date: 2016-09-16 01:38:52
> To: Kepeng Li <kepeng.lkp@alibaba-inc.com>; public-privacy@w3.org <
> public-privacy@w3.org>
> Subject: Re: Privacy protection principles
>
> - runnegar@, tjwhalen@
>
> Hi Kepeng, all,
>
> I made a few minor edits, mostly shuffling things that seemed to belong in
> a different place, or trying to simplify the language.
>
> One of the things I did is change "privacy information" in some places to
> "private information", and in other places to "privacy-sensitive
> information".
>
> "privacy information" sounds wrong to me, but I am not sure what a better
> phrase would be.
>
> Feel free to over-write any of my edits....
>
> cheers
>
> Chaals
>
> 15.09.2016, 17:11, "Kepeng Li" <kepeng.lkp@alibaba-inc.com>:
> > Hi Christine, Tara and all,
> >
> > I just submitted an initial proposal for privacy protection principles:
> > https://www.w3.org/wiki/Privacy/Privacy_protection_principles
> >
> > I hope we can allocate some time in TPAC PING IG to discuss that, to see
> > if it is valuable to continue to work on this subject.
> >
> > Thanks and see you in TPAC!
> >
> > Kind Regards
> >
> > Kepeng Li
> > Alibaba
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
>
>
>
>
>
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

Received on Tuesday, 27 September 2016 13:55:25 UTC