

Subject: Re: [pmrm] FW: Draft Summary Nov 17 ANSI VTAG privacy con call


Michael and all,

I really like the concept of 'translating principles into methods' for the PMRM. 

I had to do some thinking and reading about how each of the following related to the PMRM: 
What I arrived upon is that the recommendations before the EU Council contain clarification of and additional principles; the Privacy By Design contains principles and examples/best practices of implementing the principles; the PIA is a detailed practice for carrying out the principles that may or may not (given Lauren's comments) be the most effective way of balancing privacy and innovation.

I would like to think that the PMRM is comprehensive and is well enough thought out to translate all of the principles into methods! 

My task as assigned by Michael was to point us in the direction of some privacy implementations and some privacy and business use cases that might get us started on our journey. I think that one source of assistance is Privacy by Design and another source is the privacy focus on the Smart Grid.

PbD and PMRM complementary activities:
One way to confirm that PMRM is comprehensive and can translate principles into methods is to examine the implementations that have utilized the Privacy By Design principles and compare their implementations (perhaps by creating a privacy use case) against the services in the PMRM to confirm their comprehensiveness. In other words, did the privacy implementations include all of the services identified in PMRM or did the implementations include services that were not in the PMRM? Naturally there would also need to be a short exercise to map the PbD principles themselves to PMRM to confirm that PMRM has embraced them within the services.

If one goes to the PbD website you will find a series of smart grid examples, with an implementation architecture, that is relatively complete from a smart grid perspective. These are found in a series of white papers and FAQs.

In addition there are other white papers that address other industries that deal with sensitive information.

Other Smart Grid Initiatives:
Between the NIST Smart Grid initiative; the work that has been done in the Netherlands to respond to early privacy and security issues; the work (I believe) that Alexander Dix in Germany is doing with PbD; perhaps other PEV (electrical vehicle) implementations in California; Denmark and Israel; there might be enough examples of privacy implementations to test out the completeness of PMRM without having to amass (at least initially) all of the use cases into one repository before we begin to work on PMRM itself.

Best, Gail
  

On Fri, Nov 26, 2010 at 4:26 PM, Michael Willett <mwillett@nc.rr.com> wrote:

FYI: Notice the important distinction in the paragraph below:

“Distinction should be made between principles and methods for protecting privacy”

That could be the ‘mantra’ of the PMRM TC, which focuses on translating principles INTO “methods” (read: Services)!

In this context, “methods” may even be understood to mean the mechanisms used to realize a given Service.

 

Michael

 

From: Saadat, Lauren [mailto:Lauren.Saadat@DHS.GOV]
Sent: Tuesday, November 23, 2010 12:44 PM
To: IDSPPRIVACY@MAILLIST.ANSI.ORG
Subject: Re: Draft Summary Nov 17 ANSI VTAG privacy con call

 

Our apologies that we were unable to make the call last week and that these comments are coming in a bit late. If there is still room for consideration, we offer the following for ANSI Input for Draft Recommendations for current and potential future ISO work (Document(s): ISO/TMB/PSC N0051):

 

While we certainly support the implementation of PIAs as a best practice and in accordance with our laws, we’re concerned about the proposal to establish the PIA as a privacy standard. Distinction should be made between principles and methods for protecting privacy. PIAs, like privacy by design, which is mentioned later in the notes, are just one method of implementing privacy principles. Principles should provide a concept to abide by and can be implemented through various means. Including specific methods as principles might create precedent for other methods (independent DPAs, for example) to be established as standards as well. Additionally, we’re concerned that incorporating a specific method, such as PIAs or privacy by design, into a principle will limit possibilities for further innovation of future methods of privacy protection.

 

Additionally, could you please add Nicole McGhee, copied here, to the listserv for this group? 

 

Thanks,

 

Lauren Saadat

Director, International Privacy Policy

DHS Privacy Office

703-235-0773

From: owner-idspprivacy@MAILLIST.ANSI.ORG [mailto:owner-idspprivacy@MAILLIST.ANSI.ORG] On Behalf Of James McCabe
Sent: Thursday, November 18, 2010 3:13 PM
To: IDSPPRIVACY@MAILLIST.ANSI.ORG
Subject: Draft Summary Nov 17 ANSI VTAG privacy con call

 

Dear ANSI virtual TAG privacy members,

 

Attached is a summary of our con call yesterday.

 

Best regards,

 

Jim McCabe
Senior Director, Consumer Relations and IDSP
American National Standards Institute
25 West 43rd Street, 4th Floor
New York, NY  10036  U.S.A.
1-212-642-8921; Fax: 1-212-840-2298
jmccabe@ansi.org

 




--
Gail Ann Magnuson
Mobile: 1.704.232.5648
Residence: Cleveland Ohio

Mailing Address
P.O. Box 271
Sapphire, NC 28774

