

Subject: PMRM TC ISO/IEC/JTC1/SC27 WG5 Liaison - Discussion Agenda for December 12 PMRM TC Meeting


PMRM TC Members:

The PMRM TC has been accepted as a formal liaison to ISO/IEC Joint Technical Committee 1, Subcommittee 27, Security Techniques, Working Group 5, Identity Management and Privacy Technologies – ISO/IEC/JTC1/SC27/WG5. Our TC Principal Liaison is PMRM TC Secretary Gershon Janssen. In addition to me, other liaisons are Michele Drgon and Gail Magnuson. I represented the PMRM liaisons at the SC27/WG5 meetings in Berlin, October 30 to November 3. The primary goals were to understand the work underway in WG5 relevant to the PMRM specification and to determine how our PMRM fits into the ISO privacy standards landscape and work plan. The next SC27/WG5 meeting will be held in Wuhan, China, April 2018.

The work underway in the full SC27 is listed at the ISO Website:  https://www.iso.org/committee/45306/x/catalogue/p/0/u/1/w/0/d/0

The ISO standards development process is very structured, and initiating and moving the PMRM v1.0 CS02 (“PMRM”) specification through that process would be a multi-year effort, requiring very active participation by OASIS/PMRM TC liaisons and support from WG5 expert liaisons and national body participants. However, based on the Berlin WG5 meeting, there are a number of areas where the PMRM TC could undertake TC activities more quickly that could establish linkages between the PMRM and existing ISO/IEC standards and the new work underway in WG5. Our goals would be to advance the adoption of the PMRM and contribute to improved privacy/data protection service delivery in light of new regulations such as the EU’s General Data Protection Regulation (GDPR).

These ideas will be included as part of the agenda for discussion at the next PMRM TC meeting on December 12, 2017:

·     Align specific ISO standards and Technical Reports (and potentially ITU-T, NIST documents as well) with the PMRM in a PMRM TC Committee Note.  For example, a Committee Note could illustrate how these standards and documents align with the PMRM tasks.  

·     Consider revision to the PMRM CS02 to align with terminology used in ISO/IEC 29100 Privacy Framework.  For example, review PMRM CS02 to determine if there are inconsistencies with current specification (e.g., PII is universally used rather than PI; PII Principal in place of Data Subject;  ISO definitions for privacy principles, etc.).

·     Review the running use case examples in CS02 to determine if they can be improved for consistency with important new privacy regulatory developments, particularly the GDPR.

·     Consider writing a Committee Note establishing how the PMRM can support GDPR compliance.

·     Explore whether it would be possible and productive to propose the PMRM as an ISO Publicly Available Specification (PAS).  Under this process, approved PAS submitters such as OASIS can request balloting and approval of an OASIS specification by ISO national bodies to become adopted as an ISO/IEC standard.

Other suggestions and ideas from PMRM TC members are welcome. I will send out a meeting schedule reminder for the December 12 meeting.

Best regards,

John


John Sabo, CISSP
Chair, PMRM TC



