Re: ISSUE-235 (Auditability requirement for security)

On Tue, October 21, 2014 23:22, Justin Brookman wrote:
> No one spoke up for maintaining this language either on the list or on
> last week’s call; if anyone wants to make a pitch for maintaining this
> or other auditability language, please do so; otherwise, we’ll adopt
> Jack’s proposal to remove the sentence.

Catching up with the WG.

And yes, I feel that it strongly contributes to the compliance
standard's credibility if any access and use of data retained under
permitted uses is auditable. I would be fine with restricting its
auditability to data protection and/or consumer rights regulators or
similar governmental entities.

If you commit to limiting your use of certain personal data for
certain circumscribed purposes, you create a burden of proof for
yourself that you have indeed done so. Audit requirements can only be
helpful in that regard.



Received on Wednesday, 22 October 2014 09:39:19 UTC