Re: ISSUE-235 (Auditability requirement for security)

For those who donít feel like visiting the wiki, Walter has proposed to retain the auditability requirement, and to clarify with the following language:

In this context auditable is typically understood that there are sufficient records available of access and use of data retained that a third-party auditor would have a reasonable level of confidence that the data retained is exclusively used for the permitted uses or that  breaches of this can be detected ex-post. A good yardstick of the level of confidence would be a similar level of confidence required for the organisation's financial records. 

</walter>

I donít have any great insight into the manner in which companies typically document their access and use of tracking databases, but Iíd welcome opinions on whether this would represent a marginal burden to companies.

On Oct 29, 2014, at 7:59 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote:

> On 2014-10-22 17:40, Justin Brookman wrote:
> 
>> I do not have a general notion of what an auditor would consider to be
>> auditable, so why donít you propose specific text (doesnít have to be
>> in the next 20 minutes!) for the group to consider.
> 
> I have put a proposal underneath Vincent's in the wiki:
> 
> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement
> 
> Sadly, I'm very unlikely to be able to attend today's call. Feedback by mail, either on- or off-list would be much appreciated.
> 
> Regards,
> 
> Walter

Received on Wednesday, 29 October 2014 19:01:46 UTC