pmrm message
Subject: My PMRM TC Comments + Responses: revised


PMRM TC members –

 

Below are my suggested responses to 3 of the Comments we received

during the open review of our PMRM/Methodology document.

 

Other suggested responses on the additional Comments

will be forwarded.

 

Reviewing these responses is the Agenda for our next telecon,

re-scheduled to Thursday, 20 Sept.

 

Michael    

 

*******************************    revised   *******************************

 

My assigned Comments:

 

4, line 337-348, p17:  Task 8 should be structured as a decomposition of the Actors identified in Task 5.  Most may not decompose.  But several will decompose into multiple Roles. 

 

7, line 494, p 22: Both Monitoring and Audit are expected (as they are referenced in the description of Enforcement), but they are not specified.

 

Suggested solution (from Peter): In addition to Validation of PI and Certification of credentials, I suggest that there are separate validations (Monitoring and Audit) necessary to ensure that the processes are carried out as specified in the Agreement.

 

8, line 533: Another service consideration for Enforcement that needs to be addressed is Jurisdictional Environment.  The best of contracts may not be enforceable in certain venues.  And the dispute over venue may have significant bearing over what rights and duties the parties have regarding use and protection of PI and PII.  Even the definitions of PI and PII will vary.  Because data can so easily migrate across jurisdictional boundaries, rights cannot be protected without explicit specification of what boundaries apply.

 

.............................................................................

 

Suggested edits:

 

4: 

Task 5 is – Identify Actors 

Objective            Identify actors having operational privacy responsibilities.

Definition           An actor is a data subject or a human or a non-human agent interacting with PI managed by a System within a Privacy Domain.

                                A “domain” covers both physical areas (such as a customer site or home) and logical areas (such as a wide-area network or cloud computing environment) that are subject to the control of a particular domain owner.

 

Task 8 is - Identify roles and responsibilities within a domain

Objective            For any given use case, identify the roles and responsibilities assigned to specific actors within a specific privacy domain

Rationale            Any individual or position may carry multiple roles and responsibilities and these need to be distinguishable, particularly as many functions involved in processing of PI are assigned to a person or other actor according to explicit roles and authority to act, rather than to a person or actor as such.

 

On first reading, “identify the roles and responsibilities assigned to specific actors” does what the Commenter is asking, namely:

 

     “decomposition of the Actors … into multiple Roles”. Note the Rationale: “individual or position may carry multiple roles”.

     That certainly implies decomposition into Roles.

 

     My suggestion:

 

      - first, avoid adding any bulky verbiage that would only obfuscate the simple issue.

 

      - change the phrase “individual or position” into “Actor”, since Actors were referenced in the Objective.

         add Actor to the Task 8 title: “Identify Actor roles and responsibilities within a domain”.   

 

7:

 

 

As the astute Commenter noted, the terms “audit” and “monitor” appear in the definition:

 

   

ENFORCEMENT

Initiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement)

Monitor and respond to audited exception conditions

 

I had hoped that ‘monitor’ would be self-evident, but recall that we ‘absorbed’ the Audit function

into the collective Service definitions. So, I propose that two new definitions be added to the Glossary:

   - Audit Controls: processes designed to provide reasonable assurance regarding the effectiveness and efficiency of operations and compliance with applicable laws and regulations.

   - Monitor: to observe the operation of processes and to indicate when exception conditions occur.

 

I think that adding the definitions resolves the Comment.           

 

8:

 

 

Essence of the Comment – “Enforcement (across) Jurisdictional Environments”.

 

     The first sentence of our PMRM doc is:

 

         “(PMRM) addresses the reality of today’s networked, interoperable capabilities, applications and devices

        and the complexity of managing personal information (PI) across legal, regulatory and policy environments in interconnected domains.”

 

         Later in the doc:  “… achieve compliance across policy, system, and ownership boundaries.”

 

         And later: 

 

               “In addition, multiple jurisdictions, inconsistent and often-conflicting laws, regulations, business practices, and consumer preferences,

together create huge barriers to online privacy management and compliance. It is unlikely that these barriers will diminish in any significant way,

especially in the face of rapid technological change and innovation and differing social and national values, norms and policy interests.

The Privacy Management Reference Model and Methodology therefore provides policymakers, program and business managers, system architects

and developers with a tool to improve privacy management and compliance in multiple jurisdictional contexts while also supporting capability delivery and business objectives.”

 

       My point: We have more than sufficiently acknowledged that multiple jurisdictions create challenges (for enforcement etc).

        The PMRM is a tool to help systematically attack the problem; but, no easy/automatic solution.

 

        But, to be responsive, we can do the following 2 things:  

 

          - add the word ‘jurisdictional’ to the first list above:    “… across legal, regulatory, jurisdictional, and policy environments”

 

          - use the Commenter’s own words (slightly edited). Insert the following sentence/paragraph somewhere in the  non-normative discussion, in

             amongst the multiple ‘jurisdictional’ references we have already made:

 

             “The best of agreements may not be enforceable in certain jurisdictions.  And the dispute over jurisdiction may have significant bearing over what rights and duties the Actors

             have regarding use and protection of PI and PII.  Even the definitions of PI and PII will vary.  Because data can so easily migrate across jurisdictional boundaries,

            rights cannot be protected without explicit specification of what boundaries apply.”

 


