Re: Retention with grace period (ACTION-266)

On 10/26/12 12:05 PM, Rigo Wenning wrote:
> Ian, 
> do you mean full sharing would be possible within the 6 weeks? We 
> can have very few restrictions, but we can require that all copies 
> shared have also to be deleted within the 6 weeks. 
> I think there should be no limit to aggregation and de-
> identification within the 6 weeks so that they can keep the 
> statistical data. 
> Nice idea, will give me some heat in Europe. We should run it by 
> Walter to test how much heat. 

For the sake of clarity, I think Ian's proposal has a lot of merit.
Theoretically speaking it doesn't matter whether genuine
aggregation/de-identification or deletion takes place before or by the
end of such a grace period.

Practically speaking, true anonymisation done right is not easy and so
far this group has not reached consensus yet (that I am aware of) on
what should constitute minimum standards to do so. Likewise destruction
of data tends to be less easy in practice, especially with backups
floating around.

So for now I would be more in favour of Ian's original proposal, with
the added requirement that given the transient nature of this data it
should not be backed up at all.

As soon as we get to a credible minimum standard for anonymisation, I
don't think it would be reasonable not to equate such a process with
deletion. I'd like to stick to the no-backup requirement though, because
it would give an incentive to start anonymising as soon as possible.

It should also be clear that the six weeks is a maximum, not a minimum,
but I assume that can be fixed by a few minor edits.



Received on Friday, 26 October 2012 12:11:25 UTC