RE: Action 368 - Definition of Service Provider/Data Processor

Based on comments from last week's call, I've edited the proposed definition for Service Provider/Data Processor and added the beginnings of some non-normative text.  Edits and additions are in italics.

Action 368 - Definition of Service Provider/Data Processor

Normative

A Data Processor is any party, in a specific network interaction, that both operates on behalf of the entity for which it is working (business associate) and meets the following conditions:
- Data that is collected and/or retained is separated by both technical means and organizational process, AND
- Uses and shares data only as directed by the business associate, AND
- Enters into a contract with a business associate that outlines and mandates these requirements.

A Data Processor is subject to the same restrictions as the business associate.  If a Data Processor were to violate any of these conditions, it will then be a third party.  Data processors may merge and use data for the purposes of security or fraud prevention.

Non-Normative

Data processors may use data collected for the proper management and administration of the business associate.  Similar allowances are made for data processors under European Union law, the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Gramm-Leach-Bliley Act.


From: Chris Pedigo [mailto:CPedigo@online-publishers.org]
Sent: Wednesday, February 27, 2013 10:36 AM
To: Tracking Protection Working Group
Cc: Peter Swire
Subject: Action 368 - Definition of Service Provider/Data Processor

Hello all, I worked with Vinay Goel to come up with a definition of Service Provider/Data Processor.  We also solicited feedback from Justin Brookman and Rigo Wenning.  Below is the normative text that we ultimately decided upon.  One of the discussions centered around whether service providers or data processors should be allowed to utilize the Permitted Uses.  We decided not to include that language, because it would not fly in the EU and because it does not appear to be common practice among service providers in the US.  Finally, I am still gathering feedback from my member companies.  So, while I expect this language will work for publishers, I am reserving the right to come back with tweaks.  Looking forward to today's call and the ensuing discussion.

Action 368 - Definition of Service Provider/Data Processor

A Data Processor is any party, in a specific network interaction, that both operates on behalf of another party and meets the following conditions:
- Data that is collected and/or retained is separated by both technical means and organizational process, AND
- Uses and shares data only as directed by that other party, AND
- Enters into a contract with the other party that outlines and mandates these requirements.

A Data Processor is subject to the same restrictions as the other party.  If a Data Processor were to violate any of these conditions, it will then be a third party.


Chris Pedigo
VP, Government Affairs
Online Publishers Association
(202) 744-2967

Received on Wednesday, 6 March 2013 16:13:29 UTC