- From: Walter van Holst <walter.van.holst@xs4all.nl>
- Date: Wed, 05 Nov 2014 17:59:51 +0100
- To: David Singer <singer@apple.com>
- Cc: Justin Brookman <jbrookman@cdt.org>, Tracking Protection Working Group <public-tracking@w3.org>
On 2014-11-05 17:15, David Singer wrote:

> There is something a little odd about adding a retention requirement
> to a specification which, on the face of it, is trying to minimize the
> amount of data retained.

Like I wrote before: this should not be construed as a retention requirement and frankly I find it mind-boggling that it has been read as such.

> Audit-ability could as easily be process rather than data based,
> couldn't it? An auditor could check what processes and procedures are
> defined, and that they are followed in practice.

Anyone who has ever been in the remote vicinity of EDP audits will tell you that audits are first and foremost about process and, if they are data based, they focus on data on the execution of the processes and not so much on the data itself. Because the data is at best relevant to a pure financial audit, which still would be worthless if the data cannot be relied on because the processes for maintaining its integrity weren't in place.

When it comes to auditing whether data has or hasn't been shared, the data itself is beyond useless because you can never tell who has had access to it. That's what process logs are for.

Genuinely puzzled here,

Walter

P.S. Am again unable to attend the call.
Received on Wednesday, 5 November 2014 17:00:20 UTC