OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

oasis-charter-discuss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Question on the Scope of Proposed PbD-SE TC


Hei.
I read with interest about the proposed chartering of the OASIS PbD-SE TC.
It was unclear to me if this TC will include in the scope of the charter the definition of a process and format for including “Privacy Considerations” in OASIS technical specifications.
Including Security Considerations in technical specification has become a common requirement in a number of industry standards groups including IETF, for internet standards. The suggestion to create a similar requirement for “Privacy Considerations” has been proposed recently. Given that the consideration of privacy assessment findings related to the internet and web infrastructure is of considerable importance to the continued trust in our digital market place, the proposal for required “Privacy Considerations” makes sense. But what would the process be to conduct this assessment? What would be the recommended format for such a section?
It would make sense to have this as a high priority for this proposed OASIS TC, with the resulting recommendations to be considered by the OASIS management as actionable changes to the OASIS specification format and directives for creation of OASIS specifications.
The process, a Specification Privacy Assessment (SPA), would consist of a light-weight PIA, targeted for specification creation. The steps would include:
  1. Identify privacy principles and underlying privacy safeguarding requirements applicable to the scope of the specification.
  2. Outline data flow between internal components defined by specification.
  3. Outline data flow model between the internal components of specification and interactions of external components through associated format, interface or protocol used by the specification.
  4. Outline the threats created by these data flows for instances where a privacy control mechanism can be introduced to safeguard data protection. Document these in the privacy considerations section of the specification.
  5. Does the specification collect, utilize, store, transfer, manage information that could identify a person? Document these in the privacy considerations section of the specification.
  6. Does the standard collect, utilize, store, transfer, manage information that could identify a network connected device? Document these in the privacy considerations section of the specification.
  7. Document in the privacy considerations section of the specification specific approaches, beyond the privacy controls in #4, that will enhance privacy such as limits on collection, limits for retention, rules for secure transfer, rules for limiting identification or obsfuscation.
The “Privacy Considerations” section in a specification might include the following content:
What do you all think?
Frank Dawson
Nokia, Director Information Privacy Standards
 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]