June Change Proposal, service provider => implementation partner

The definition of service provider in the June draft is not
adequate to describe what is commonly known as data processors
in the EU or business associates in HIPAA.  As a result, the
spec as written actually forbids a party from sharing data
amongst its own services and contractors even if the data
remains under the party's control.  For example, it would
forbid a contractor (not an employee) from looking at a logfile,
would forbid an independent auditor from looking at any of
the data records, and would forbid multiple service providers
from working together with a common data set.  It also presumes
that existing contracts will be rewritten.  And the SP term
itself is confusing.

Existing text in Sec 2:
============================
An outsourced service provider is considered to be the same
party as its client if the service provider:

 1. acts only as a data processor on behalf of the client;
 2. ensures that the data can only be accessed and used as
    directed by that client;
 3. has no independent right to use or share the data except
    as necessary to ensure the integrity, security, and correct
    operation of the service being provided; and
 4. has a contract in place that outlines and mandates these
    requirements.
============================


Replacement:
============================
Most sites, services, or resources on the Web involve
multiple parties that process the data received in a given
interaction.  For example, the parties involved during an
interaction might include domain name services, network access
points, content distribution networks, load balancing services,
security filters, cloud platforms, and software-as-a-service
providers.  Likewise, additional parties might be engaged after
an interaction, such as when services or contractors are used
to perform specialized data analysis or records retention.

For the data received in a given network interaction, a party
is considered to be an "implementation partner" if it

  (1) processes the data on behalf of another party;

  (2) ensures that the data is only retained, accessed, and
      used as directed by that party;

  (3) has no independent right to use the data other than as
      aggregated and anonymous counts (e.g., for monitoring
      service integrity, load balancing, capacity planning, or
      billing); and,

  (4) has a contract in place with that party which is consistent
      with the above limitations.
============================


and then use the term where needed ...

Existing text in Sec 2:
============================
A third party is any party other than a first party, service provider, or the user.

Whether a party is a first or third party is determined within and limited to a specific network interaction.
============================

Replacement:
============================
Within the context of a specific network interaction, a third party is any party other than the user, the first party, or a party acting as an implementation partner for the first party.
============================


Existing text in Sec 4:
============================
The first party MUST NOT pass information about this network interaction to third parties who could not collect the data themselves under this standard. Information about the transaction MAY be passed on to service providers acting on behalf of the first party
============================

Replacement:
============================
A first party and its implementation partners MUST NOT pass information about this network interaction to third parties who could not collect the data themselves under this standard.
============================


and after the existing text in Sec 5:
============================
The third party MAY nevertheless collect, use, and retain such information for the set of permitted uses described below. Further, parties MAY collect, use, and retain such information in order to comply with applicable laws, regulations, and judicial processes.
============================

Add:
============================
A party acting as an implementation partner for a third party is subject to the same constraints as that third party, except that the data it collects on behalf of that third party MAY be shared with that third party.
============================

....Roy

Received on Tuesday, 25 June 2013 11:18:17 UTC