- From: Nat Sakimura <sakimura@gmail.com>
- Date: Tue, 27 Sep 2016 13:54:42 +0000
- To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, KWASNY Sophie <Sophie.KWASNY@coe.int>
- Cc: John Moehrke <johnmoehrke@gmail.com>, José M. del Álamo <jmdela@dit.upm.es>, Alan Chapell <achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>
- Message-ID: <CABzCy2BwVup=xf-corhMVzP-61=vEHfe5Y6ZFii9krHFER20sg@mail.gmail.com>
Hi Kepeng,

Sorry for a tardy reply.

As you point out OECD privacy principles is one of the high level documents. ISO/IEC 29100 also is a freely available document that goes into more details. Then, there are a whole bunch of ISO/IEC 291** series to follow it up. e.g., ISO/IEC DIS 29134 Privacy Impact Assessment Guidelines.

Taking one of the existing principles (such as ISO/IEC 29100) and applying it to a certain area would be good, though I feel "open web" might be a bit too broad.

Best,

Nat

On Mon, Sep 26, 2016 at 11:55 PM Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:

> Hi Sophie and Jose,
>
> Thanks for your feedback.
>
> In the TPAC meeting, the group tends not to define privacy principles in W3C, but to find some detailed technologies to achieve the privacy principles, and provide enhancements to the current privacy questionnaires.
>
> I will check your materials in the links, and provide further inputs to the privacy questionnaires.
>
> Kind Regards
> Kepeng
>
> From: KWASNY Sophie <Sophie.KWASNY@coe.int>
> Date: Monday, 26 September, 2016 2:57 pm
> To: Li Kepeng <kepeng.lkp@alibaba-inc.com>
> Cc: John Moehrke <johnmoehrke@gmail.com>, "José M. del Álamo" <jmdela@dit.upm.es>, Nat Sakimura <sakimura@gmail.com>, Alan Chapell <achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>
> Subject: RE: Privacy protection principles
>
> Dear Kepeng, Dear All,
>
> Going down a little bit deeper into the privacy principles and providing a guidance which is more specific to the web sounds like a great initiative,
>
> My two cents would only consist in recalling that any list of privacy principles which will serve as a basis for that work, to be exhaustive – from whichever region of the world it is being looked at - should include a reference to the sole international instrument in the field which is legally binding.
> Convention 108 has been the backbone of the development of the European Union’s legal framework and development in a number of countries outside Europe. It now gathers 50 countries, 47 from Europe, 1 from South America and 2 from Africa, (several other non-European countries, both from Africa and America, currently interested/being in the process of accession, no Asian one so far).
>
> The proposed revised Convention is accessible at:
> http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Consolidated%20version%20of%20the%20modernised%20convention%20108%20July%202016.pdf
>
> Kind regards,
>
> Sophie
>
> Sophie Kwasny
> Data Protection Unit
> COUNCIL OF EUROPE
> www.coe.int/dataprotection
>
> *From:* José M. del Álamo [mailto:jmdela@dit.upm.es <jmdela@dit.upm.es>]
> *Sent:* Monday 26 September 2016 09:43
> *To:* Kepeng Li
> *Cc:* John Moehrke; Nat Sakimura; Alan Chapell; public-privacy (W3C mailing list); chaals@yandex-team.ru
> *Subject:* Re: Privacy protection principles
>
> Dear Kepeng, all,
>
> I'll try to summarize below our previous experience on this matter.
>
> As far as I know there have been some approaches to try to go in more detail from high-level privacy/data protection principles (OECD, ISO, GDPR, or other) to lower-detailed requirements closer to the technical domain.
>
> For example, the EU-funded PRIPARE project [1] developed an early catalogue of requirements from ISO29100 and EU GDPR principles. The idea was to move from the set of high-level principles into more elaborated privacy guidelines and from there into a set of detailed technical requirements, in a process named as requirements operationalization. You can see the actual catalogue in the PRIPARE handbook [2], Annex B. Some other researchers have followed a similar path, and you can find, for example, a taxonomy of requirements refining the privacy goal 'transparency' [5].
>
> As I said this was an early effort within a somehow small research project, and thus the catalogue requires further refinement, elaboration and consensus, but is an early step in our vision on how some of the privacy principles can be further detailed and how it is aligned with the risk-driven approaches [3], enabling a systematic approach to engineering privacy when developing information systems. Indeed, this vision was inspired by earlier works at W3C, for example, within the Accessibility domain [4].
>
> These are my 2 cents.
>
> Regards,
>
> Jose M. del Alamo
>
> Universidad Politecnica de Madrid
>
> [1] http://pripareproject.eu/
>
> [2] http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf
>
> [3] Notario, N. et al., PRIPARE: Integrating Privacy Best Practices into a Privacy Engineering Methodology, IEEE Security and Privacy Workshops (SPW), . doi: 10.1109/SPW.2015.22
>
> [4] Martin et al., Privacy Requirements Engineering: Valuable Lessons from Another Realm, 1st International Workshop on Evolving Security and Privacy Requirements Engineering - ESPRE2014, pp. 19-24. doi: 10.1109/ESPRE.2014.6890523
>
> [5] Meis, R. et al. A Taxonomy of Requirements for the Privacy Goal Transparency. In International Conference on Trust and Privacy in Digital Business. Springer International Publishing.
>
> 2016-09-20 3:03 GMT+02:00 Kepeng Li <kepeng.lkp@alibaba-inc.com>:
>
> I agree that from high level overview, my proposed privacy principles are quite similar to OECD privacy principles.
>
> I am wondering if we can go down a little bit deeper, and make each principle in more detail, and also make it specific to web.
>
> The goal is to make it as guidelines or best practices to achieve privacy principles in the open web environment.
>
> My document is still in the very early stage.
> I am just trying to find a way to move forward, to make it useful in some way.
>
> Thanks,
>
> Kind Regards
>
> Kepeng Li
>
> Alibaba
>
> *From:* John Moehrke <johnmoehrke@gmail.com>
> *Date:* Tuesday, 20 September, 2016 1:33 am
> *To:* Li Kepeng <kepeng.lkp@alibaba-inc.com>
> *Cc:* Nat Sakimura <sakimura@gmail.com>, Alan Chapell <achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, <chaals@yandex-team.ru>
> *Subject:* Re: Privacy protection principles
> *Resent-From:* <public-privacy@w3.org>
> *Resent-Date:* Tue, 20 Sep 2016 07:18:07 +0000
>
> I have a cross-reference between various standards on Privacy Principles. With linkage to them (where I am allowed)
>
> https://healthcaresecprivacy.blogspot.com/2015/04/privacy-principles.html
>
> John
>
> John Moehrke
> Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
> CyberPrivacy – Enabling authorized communications while respecting Privacy
> M +1 920-564-2067
> JohnMoehrke@gmail.com
> https://www.linkedin.com/in/johnmoehrke
> https://healthcaresecprivacy.blogspot.com
> "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
>
> On Mon, Sep 19, 2016 at 12:08 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>
> Hi Nat,
>
> > There are many well respected documents that have something very similar in them.
>
> Can you send the links of the mentioned similar documents?
>
> Thanks,
>
> Kind Regards
> Kepeng
>
> --------------------------
>
> *From:* Nat Sakimura<sakimura@gmail.com>
> *Date:* 15:28
> *To:* Alan Chapell<achapell@chapellassociates.com>
> *Subject:* Re: Privacy protection principles
>
> Sorry, I have not been following the list lately so I am probably missing something, but what is the context around this document?
>
> There are many well respected documents that have something very similar in them. What are we creating yet another one?
>
> Nat
>
> 2016/09/19 3:15 AM "Alan Chapell" <achapell@chapellassociates.com>:
>
> Cheers,
>
> Alan Chapell
>
> Chapell & Associates
>
> 917 318 8440
>
> On 9/18/16, 12:49 PM, "Kepeng Li" <kepeng.lkp@alibaba-inc.com> wrote:
>
> Hi Chaals,
>
> Thanks for your edits. It is quite helpful.
>
> I made some further edits based on your proposed changes.
>
> About your embedded questions, we can discuss them during the PING meeting on Tuesday.
>
> Kind Regards
> Kepeng
>
> ------------------------------------------------------------------
> From: <chaals@yandex-team.ru>
> Date: 16 September 2016 01:38:52
> To: Kepeng Li<kepeng.lkp@alibaba-inc.com>; public-privacy@w3.org<public-privacy@w3.org>
> Subject: Re: Privacy protection principles
>
> - runnegar@, tjwhalen@
>
> Hi Kepeng, all,
>
> I made a few minor edits, mostly shuffling things that seemed to belong in a different place, or trying to simplify the language.
>
> One of the things I did is change "privacy information" in some places to "private information", and in other places to "privacy-sensitive information".
>
> "privacy information" sounds wrong to me, but I am not sure what a better phrase would be.
>
> Feel free to over-write any of my edits....
>
> cheers
>
> Chaals
>
> 15.09.2016, 17:11, "Kepeng Li" <kepeng.lkp@alibaba-inc.com>:
> > Hi Christine, Tara and all,
> >
> > I just submitted an initial proposal for privacy protection principles:
> > https://www.w3.org/wiki/Privacy/Privacy_protection_principles
> >
> > I hope we can allocate some time in TPAC PING IG to discuss that, to see if it is valuable to continue to work on this subject.
> >
> > Thanks and see you in TPAC!
> >
> > Kind Regards
> >
> > Kepeng Li
> > Alibaba
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com

--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Received on Tuesday, 27 September 2016 13:55:25 UTC