I agree with Colin's points. I do not think it makes sense to simply hand a pile of documents to someone and tell them to figure it out.
We need to have a document for privacy that states requirements for a Kantara-certified service. E.g IAWG Service Provider Criteria document doesn't just point to NIST 800-63 for different LOAs and tell IDPs to go do that. Also, the SPC document incorporates more than just legal requirements. For example, there is no legal requirement that IDP be an independently managed entity, but there is such a requirement for LOA 3 Kantara certification:
671 AL3_CO_ESM#070 Independent management and operations
672 Demonstrate that, for the purposes of providing the specified service, its
673 management and operational structures are distinct, autonomous, have discrete
674 legal accountability, and operate according to separate policies, procedures, and
675 controls.
Once we have a set of normative requirements for privacy, assessors need a document that they can use to determine whether requirements are being met. FICAM assessor guidance provides some of that, but unless Kantara adopts it and puts the Kantara name on the document, it's simply a FICAM suggestion.
At the moment, I know how to build an IDP that complies with Service Provider Criteria but not what privacy requirements need to be built in or how I would be assessed against those requirements. I think that's the document set we need.
Anna
Anna Slomovic
Chief Privacy Officer
Equifax
1010 N. Glebe Road, Suite 500
Arlington, VA 22205
O: 703.888.4620
C: 703.254.9656
_______________________________________________ WG-P3 mailing list WG...@kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/wg-p3
+1
Sincerely,
Myisha
Myisha Frazier-McElveen
Manager | Technology Risk
Deloitte and Touche LLP
Tel/Direct: +571 -814-6619 | Mobile: +1 571-814-0911
mfrazier...@deloitte.com | www.deloitte.com
Please consider the environment before printing.
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the
intended recipient, you should delete this message.
v.E.1
Rich Furr
Head, Global Regulatory Affairs, Policy & Compliance
SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management Standard
Cell: 704-575-1680
Office: 980-236-7576
SAFE-BioPharma
SAFE-BioPharma
SAFE-BioPharma
Many of you know that I tend to be somewhat skeptical/heretical regarding many things. I often wonder just how many actual citizen inquiries there really are/have been or is the issue driven mainly by the legal profession that stands to make significant fees from awards if they can find a breach and really exploit it. There seems to me to be a fairly significant vested cadre out there whose interest would tend toward very restrictive privacy policies. I have said before that I hope that Kantara moves forward with policies that offer protection to the extent needed but not to the extent that we stifle technical advancement and more ubiquitous use of the Kantara framework. Okay, down from the soapbox and thanks for listening. I do hope we can come out the end of this with tangible guidance that meets multiple goals and I believe that we will.
I have been following this debate with interest.
We have a great opportunity here NOT to re-invent the wheel AND to key off an international framework that has already been developed AND endorsed by National Leaders. It provides us with a system that sets out the standards for a company to be recognised as having appropriate cross border data transfer rules and standards for the independent third party accountability agents to which those companies are accountable.
The standards for independent third party accountability agents are particularly relevant for this work by WG-P3.
I am referring to the APEC Privacy Framework, the APEC Cross-border Privacy Enforcement Arrangement and the APEC Cross-Border Privacy Rules System.
They are the result of concerted effort by the APEC economies since 2003 in the APEC Data Privacy Working Group in which I have participated.
· The APEC Privacy Framework was endorsed in final form by APEC Ministers in 2005 and is available online at http://publications.apec.org/publication-detail.php?pub_id=390.
· The Cross-border Privacy Enforcement Framework (CPER) is described at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx. This provides the international backstop regulator enforcement behind the accountability agent.
· Both of these support the APEC Cross-Border Privacy Rules (CBPR) System.
APEC Ministers endorsed the principal documents of the APEC Privacy Pathfinder in November 2011 in Honolulu, Hawaii. Subsequently, APEC Leaders also committed to implement the CBPR System “to reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes.”
The APEC CBPR system was also referred to by the US President in the Consumer Privacy Bill of Rights that he released on 23 February (p32).
The actual source documents have not yet been promulgated well by APEC, but they are available online in the APEC Meeting Document Database at http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011. This link sets out the meeting papers for the meeting of the 24th Electronic Commerce Steering Group Meeting in September 2011.
Set out below is an extract from the meeting documents for that meeting. These are the final documents for the CBPR as endorsed by APEC Leaders. The third document in the table, the APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria is probably the most relevant to the WG, but the other documents and the links above provide the context.
I would suggest that the group consider very seriously the synergy, momentum and time saving that might be gained by drawing from these materials or even developing an arrangement that can be part of the CBPR and so gain international recognition.
Regards
Malcolm Crompton
Managing Director
Information Integrity Solutions Pty Ltd
ABN 78 107 611 898
2011/SOM3/ECSG/012 | P | APEC Cross-Border Privacy Rules (CBPR) System – Policies, Rules and Guidelines | 2011/09/21 | |
2011/SOM3/ECSG/014 | P | APEC Cross-Border Privacy Rules (CBPR) System – Intake Questionnaire | 2011/09/21 | |
2011/SOM3/ECSG/015 | P | APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria | 2011/09/21 | |
2011/SOM3/ECSG/016 | P | APEC Cross-Border Privacy Rules (CBPR) System – Program Requirements for Use by Accountability Agents | 2011/09/21 | |
2011/SOM3/ECSG/018 | P | APEC Cross-Border Privacy Rules (CBPR) System - Workplan for the Development of a Directory of CBPR Certified Organizations and APEC-Recognized Accountability Agents | 2011/09/21 |
<image001.gif>
109.7 KB
2011/SOM3/ECSG/014
P
APEC Cross-Border Privacy Rules (CBPR) System – Intake Questionnaire
2011/09/21
<image002.gif>
256.5 KB
2011/SOM3/ECSG/015
P
APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria
2011/09/21
<image002.gif>
246.0 KB
2011/SOM3/ECSG/016
P
APEC Cross-Border Privacy Rules (CBPR) System – Program Requirements for Use by Accountability Agents
2011/09/21
<image002.gif>
287.0 KB
2011/SOM3/ECSG/018
P
APEC Cross-Border Privacy Rules (CBPR) System - Workplan for the Development of a Directory of CBPR Certified Organizations and APEC-Recognized Accountability Agents
2011/09/21
<image002.gif>
145.5 KB
From: wg-p3-...@kantarainitiative.org [mailto:wg-p3-...@kantarainitiative.org] On Behalf Of Rich Furr
Sent: Friday, 24 February 2012 7:14 AM
To: Frazier-mcelveen, Myisha (US - Arlington); David L. Wasley; Anna Slomovic/Equifax
Cc: Patrick Curry; Kantara P3 WG
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
All,
Sorry that I was also not able to prrticipate fully but was having major home network issues and also am recovering (nicely) from a procedure to stent both my iliac arteries so I missed both the OASIS TC call which is also a conflict with P3 and most of the P3 call.
I truly do not want to start a drawn out email exchange on what follows, BUT, Into all these discussions I wanted to insert a plea for reasonableness moving forward. I see that Shin forwarded a couple interesting links earlier this morning and am getting sort of leery of the entire issue of privacy and the possible effects on internet/cloud or whatever other buzz word we attach to this space. I know that the NSTIC is also being careful of this whole realm as well.
My concern is simple. I have been the privacy contact for SAFE-BioPharma for the past 4 years. I wrote (with some rather expensive legal assistance our privacy policy under which we are DoC safe harbor certified for the EU. This same policy of course applies here in the US. We have tens of thousands of digital identities out in use and our coverage will increase significantly moving forward into healthcare. My concern is the in the four years that I have been the privacy contact and during which we have had our policy posted on our website I can count the number of inquiries we have had on the fingers of no hands — we have NOT had one inquiry!!! Granted we are a somewhat special case, and I will admit that during the development of same I had some rather interesting conversations with the German Works Council rep from one of our member companies re privacy of EU citizen PII.
Many of you know that I tend to be somewhat skeptical/heretical regarding many things. I often wonder just how many actual citizen inquiries there really are/have been or is the issue driven mainly by the legal profession that stands to make significant fees from awards if they can find a breach and really exploit it. There seems to me to be a fairly significant vested cadre out there whose interest would tend toward very restrictive privacy policies. I have said before that I hope that Kantara moves forward with policies that offer protection to the extent needed but not to the extent that we stifle technical advancement and more ubiquitous use of the Kantara framework. Okay, down from the soapbox and thanks for listening. I do hope we can come out the end of this with tangible guidance that meets multiple goals and I believe that we will.
Thanks for indulging
Rich Furr
Head, Global Regulatory Affairs, Policy & Compliance
SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management Standard
Cell: 704-575-1680
Office: 980-236-7576
<image003.png> SAFE-BioPharma
<image004.png> SAFE-BioPharma
<image005.png> SAFE-BioPharma
<image006.png>
_______________________________________________
On the other hand, there may be so many frameworks out there that it might be time simply to choose one and ‘get with the program’. It is at least something to be contemplated.
Interestingly, Appendix B to the Whitehouse privacy blueprint attempts a reconciliation table between APEC, the OECD 1980 Guidelines and some US DHS principles. It should not have ignored the new draft EU Regulation if it wanted to be genuinely inclusive.
Malcolm