Re: ISSUE-235 (Auditability requirement for security)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 22 Oct 2014 11:15:51 -0400
Cc: Amy Colando <acolando@microsoft.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <DD023496-2992-4291-AEB8-73C269F921CC@cdt.org>
To: Walter van Holst <walter.van.holst@xs4all.nl>
Walter, I don’t think anyone objects to the idea of auditability in theory, but I think there are questions about what that means in the specification.  If a DPA has the legal authority to require certain evidence or documentation from a data controller, then it does so — this standard cannot grant or deprive any consumer protection authority of those rights.  What do you want this standard to require — that companies prepare some sort of documentation in advance of a request?  That they architect their systems in ways that can be comprehended by a regulator?  I think there was agreement that a general requirement of “auditability” was confusing and certainly not testable, but if you have a more concrete suggestion in mind, I think people would be open-minded.

On Oct 22, 2014, at 5:38 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote:

> On Tue, October 21, 2014 23:22, Justin Brookman wrote:
>> No one spoke up for maintaining this language either on the list or on
>> last week’s call; if anyone wants to make a pitch for maintaining this
>> or other auditability language, please do so; otherwise, we’ll adopt
>> Jack’s proposal to remove the sentence.
> Catching up with the WG.
> And yes, I feel that it strongly contributes to the compliance
> standard's credibility if any access and use of data retained under
> permitted uses is auditable. I would be fine with restricting its
> auditability to data protection and/or consumer rights regulators or
> similar governmental entities.
> If you commit to limiting your use of certain personal data for
> certain circumscribed purposes, you create a burden of proof for
> yourself that you have indeed done so. Audit requirements can only be
> helpful in that regard.
> Regards,
> Walter
Received on Wednesday, 22 October 2014 15:16:40 UTC