Re: List of self-questionnaires to facilitate wide reviews and reminder

Hi David,

You bring up an interesting point and at just the right time (for me at least).

> On 7 Oct 2016, at 17:12, David Singer <singer@apple.com> wrote:
> 
> I don’t think security and privacy are the same, and it’s confusing to have them in the same set of questions.


I have been thinking about this issue a lot lately and it's something that we are assessing in terms of the consent receipt specification at Kantara in the Consent & Information Sharing WG.

There is the issue about the security of the personal and personal information, which, I am aware, not being a security specialist, may be a dichotomy I am myself making.

But, I have proposed to the WG that is doing this work that we add the PII confidentiality levels from NIST to the specification. From my point of view, an individual should be able to tell a data controller that the PII being disclosed is highly confidential. In this context then, the data controller, from my non-specialist point of view, would then have a greater responsibility to secure the PII in storage, transit and disclosure.

In this context - it can be confusing, but I am wondering if you might have an opinion on whether or not this is an appropriate method for creating a security expectation in a privacy enhancing context?

Kind Regards,

Mark 

Received on Sunday, 9 October 2016 20:10:27 UTC