OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pbd-se message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: PROPOSED AGENDA - PbD-SE TC - 17 April 2013

Privacy by Design Documentation for Software Engineers (PbD-SE) TC
17 April 2013, 1:30-3:00 PM EST / 19.30-21.00 CET

* Call-In Information: 

Conference Reference: 147385
Participant Access Code: 9793565 #
 
Dial in numbers:
- North America:
877-385-4099 + Conference Access Code
 
- Overseas Locations provided with the exception of Greece:
International Access Code + 800-8358-7111 + Conference Access Code

For your convenience, all referenced documents are attached.

* PROPOSED DRAFT AGENDA

1. Call to Order 

2. New Business / Approval of Agenda 

3. New Regular meeting Time / Day

- Proposal is 3rd week of the month on Wednesday from 1.30 - 3.00 EST.

4. Approval of Previous Meeting Minutes

- Draft meeting minutes of the 20 March 2013 TC meeting
https://www.oasis-open.org/committees/document.php?document_id=48834&wg_abbrev=pbd-se

5. Update on Outreach Activities (Dawn, John) 

6. Feedback on discussion documents circulated last meeting (Dawn, Commissioner, John)

7. Update on privacy engineering guidance and information resources/tools (Dawn)

8. Assignment of New Roles/Activities 

9. Adjourn

---

Regards,

Gershon Janssen
DRAFT MINUTES
Privacy by Design Documentation for Software Engineers (PbD-SE) TC Meeting
20 March 2013, 1:30-3:00 PM EST / 18.30-20.00 CET

Scribe: Gershon Janssen

0. Roll call 

Meeting Attendees:

Members:
Ann Cavoukian
Gershon Janssen
Dawn Jutla
Sander Fieten
Harry Rhodes
John Sabo
Peter Brown
Stuart Shapiro
Kevin MacDonald
Fred Carter
Michelle Chibba

Observers:
Colin Wallis


This meeting quorates.

1. New Business / Agenda review

The agenda was adopted.


2. Approval of Previous Meeting

URL: https://www.oasis-open.org/committees/document.php?document_id=48462&wg_abbrev=pbd-se

John moved to approve the minutes of the 20 February 2013 meeting. Seconded by Ann. The motion was approved by unanimous consent.


3. Review of privacy engineering guidance and information resources/tools

* Purpose Specification (Privacy by Default) resources
Fred explains Purpose Specification from the document ?PBD Privacy as Default - Purpose Specificity Best Practices?, URL: https://www.oasis-open.org/committees/document.php?document_id=48619&wg_abbrev=pbd-se

The document provides an overview and summary of current best practices in Privacy by Default (data minimization) principle.

The following points were made during the discussion:

- In the Global Privacy Standard (GPS) from 2006 data minimization was introduced. The TC might consider using that as a ?ideal? standard / gold standard as a Privacy Policy. The TC likes the idea as the document was created with global agreement.

Action Item: Upload Global Privacy Standard (GPS) from 2006 in the TC document repository.

- It was noted that there are layers of applicability to the GPS; it?s a good template to use, but will not cover all situations. Layering of applicability is related to stake holders; reason is that specifying the purpose to collect starts as a business policy. Use retention and disclose limitation relate to this as well.

- This notion was echoed by TC members, though, businesses can relate more easily to PbD principles which set the framework at a high level, as you can promise privacy assurance. It?s basically an easier sell when using PbD; the purpose specification principle is very needed. Also engineering people who translate to code need to understand the principle as well.

- A case was brought forward were people had trouble with architecting a default setting when a user has several choices -- basically let the user make the choice. 

There is a distinction between default upfront and just accepting it versus no default setting presented at all. Literature shows the user will not choose; they will go with the default ? the user will not turn their minds to it, even if stated really explicit.

The explicit aspect is important overall; being able to comprehend and understand is really important as these policies are normally difficult.


The TC hopes to go through all the PbD principles during the various TC meetings.

* Ad hoc working group on use case template (update)
See: PbD-SE Privacy Use Case Template, URL: https://www.oasis-open.org/committees/document.php?document_id=48568&wg_abbrev=pbd-se

The ad hoc working group has been working on a use case template in the few weeks.

The current result is 2 draft documents: the template document and an example of using the template.

The draft template document is basically a rationale for how a template supports the charter of the TC. Use cases are important so they can be organized in appropriate categories.

The template builds on the model from the OASIS PMRM specification.

John talks the TC through the template.

The following points were made during the discussion:

- It might be useful to add the PMRM privacy processes and services / privacy control points to the template, making it easier for going to UML models.

- Is there a way to streamline the implementation of the template through automation? E.g. a tool with stored definitions / taxonomies that allows one to select items such as data flows, regulations, etc. from drop down menus.


The TC likes the template and agreed to use it.


* Illustrative software engineering practices
See: Mapping of PbD Principles to UML Analysis Model, URL: https://www.oasis-open.org/committees/document.php?document_id=48560&wg_abbrev=pbd-se

Dawn talks the TC through the UML Analysis Model.

Although none of the members in the TC have a strong preference for UML, the basic argument for using it is that lots of software engineers use it.

The following points were made during the discussion:

- The document presents a modular approach for identification of data flows and implementation against those data flows.

The TC likes the document very much and will further study on and validation of the document is required.


4. Assignment of Roles/Activities 
The TC agrees to the following follow-up activities / action items.

All TC members are invited to work on these and participate. For some items members already volunteered to work on them.


* Modify and enhance the draft use case template with the services / privacy control points and circulate a next revision to the TC.

--> John and Dawn agreed to work on a next revision.

* Iterate through the draft use case template to refine it

* Test the use case template to see how it works

--> Colin Wallis might have a test case.

* Validation and feedback on the UML Analysis Model

--> Dawn and Peter to speak about this.


5. Adjourn
* European Identity Conference 2013
OASIS has been on the program of the popular and successful European Identity Conferences in Munich in the last couple of year.

This year the conference will take place from May 14 till May 17 2013 in Munich/Germany.

OASIS CEO Laurent Lisca is planned to keynote at the plenary meeting and will most likely reference to the PbD-SE work. 

John, Dawn, Stuart and Gershon are working on a pre-conference workshop. This workshop will take place on 14 May 2013. The idea is to use the PbD-SE Privacy Use Case Template during the workshop.


Meeting adjourned at 3.00 PM EST.

Attachment: DRAFT AGENDA - OASIS PBD SE TC Apr 17.doc
Description: MS-Word document

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]