- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 8 Oct 2012 00:39:14 -0700
- To: "public-tracking@w3.org Working Group" <public-tracking@w3.org>
During the Amsterdam F2F, I took on an action to update the text on minimization so that it refers to data collected per context rather than the party nature of the collector, since minimization is applied long after the interaction in which a given server might have been a first or third party. The WD text said 6.1.2.2 Data Minimization and Transparency A third party MUST ONLY retain information for a Permitted Use for as long as is reasonably necessary for that use. Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained. A third party MUST provide public transparency of their data retention period. The third party MAY enumerate each individually if they vary across Permitted Uses. Once the period of time for which you have declared data retention for a given use, the data MUST NOT be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable. but appears to have been updated since then to say 6.1.1.2 Data Minimization and Transparency Data retained by a party for permitted uses MUST be limited to the data reasonably necessary for such permitted uses, and MUST be retained no longer than is reasonably necessary for such permitted uses. Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained. A third party MUST provide public transparency of their data retention period. The third party MAY enumerate each individually if they vary across Permitted Uses. Once the period of time for which you have declared data retention for a given use has expired, the data MUST NOT be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable. However, now that I've had sufficient sleep and can see that this section is inside third-party compliance, I believe that the change to the first sentence is sufficient to cover my concern. Thanks! But, while I am here, I suggest the paragraph be tweaked as follows for consistency: Data retained by a party for permitted uses MUST be limited to the data reasonably necessary for such permitted uses, and MUST be retained no longer than is reasonably necessary for such permitted uses. A third party MUST make reasonable data minimization efforts to ensure that only data necessary for each permitted use is retained. A third party MUST provide public transparency of their data retention period for each permitted use. Once a retention period for a given use has expired, the data MUST NOT be used for that permitted use; when there are no remaining permitted uses for some data, that data MUST either be deleted or rendered unlinkable. Cheers, ....Roy
Received on Monday, 8 October 2012 07:39:37 UTC