ACTION-297: Update minimization text

During the Amsterdam F2F, I took on an action to update the text on
minimization so that it refers to data collected per context rather
than the party nature of the collector, since minimization is applied
long after the interaction in which a given server might have been
a first or third party.

The WD text said

   6.1.2.2 Data Minimization and Transparency

   A third party MUST ONLY retain information for a Permitted Use for as long
   as is reasonably necessary for that use. Third parties MUST make
   reasonable data minimization efforts to ensure that only the data
   necessary for the permitted use is retained. A third party MUST provide
   public transparency of their data retention period. The third party MAY
   enumerate each individually if they vary across Permitted Uses. Once the
   period of time for which you have declared data retention for a given use,
   the data MUST NOT be used for that permitted use. After there are no
   remaining Permitted Uses for given data, the data must be deleted or
   rendered unlinkable.

but appears to have been updated since then to say

   6.1.1.2 Data Minimization and Transparency

   Data retained by a party for permitted uses MUST be limited to the
   data reasonably necessary for such permitted uses, and MUST be
   retained no longer than is reasonably necessary for such permitted
   uses. Third parties MUST make reasonable data minimization efforts
   to ensure that only the data necessary for the permitted use is
   retained. A third party MUST provide public transparency of their
   data retention period. The third party MAY enumerate each individually
   if they vary across Permitted Uses. Once the period of time for which
   you have declared data retention for a given use has expired, the
   data MUST NOT be used for that permitted use. After there are no
   remaining Permitted Uses for given data, the data must be deleted
   or rendered unlinkable.

However, now that I've had sufficient sleep and can see that this
section is inside third-party compliance, I believe that the change
to the first sentence is sufficient to cover my concern. Thanks!

But, while I am here, I suggest the paragraph be tweaked as follows
for consistency:

   Data retained by a party for permitted uses MUST be limited to the
   data reasonably necessary for such permitted uses, and MUST be
   retained no longer than is reasonably necessary for such permitted
   uses. A third party MUST make reasonable data minimization efforts
   to ensure that only data necessary for each permitted use is
   retained. A third party MUST provide public transparency of their
   data retention period for each permitted use. Once a retention
   period for a given use has expired, the data MUST NOT be used for
   that permitted use; when there are no remaining permitted uses for
   some data, that data MUST either be deleted or rendered unlinkable.

Cheers,

....Roy

Received on Monday, 8 October 2012 07:39:37 UTC