[WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC


Anna Ticktin

Feb 22, 2012, 8:49:35 PM
to P3 WG, Patrick Curry
DIAL-IN:

LINE  A
* US Dial-In: +1-805-309-2350
* Conference ID: 402-2737



DATE:
Thursday 23 Feb 2012

TIME:
8h PT / 11h ET / 16h UTC


AGENDA:


1. Administrative:

Roll Call

Motion for minutes approval: 09 Feb 2012

(To review notes from last week's adhoc : 16 Feb 2012)

Open call for P3 Secretary nominations

Agenda confirmation

Action item review
Ad hoc meeting with Bob Gelman on Privacy Assessment Criteria 
Review of potential NSTIC proposal - Overcome By Events - see Kantara staff note 


2.  Privacy Assessment Criteria 
 http://kantarainitiative.org/confluence/display/p3wg/Privacy+Assessment+Criteria+%28PAC%29  

[1] Review of proposed framework  (see attached)
Editor's discussion on comments to date. 
Next Steps 


3. Review of IAWG Report Additional Requirements for CSPs: US Federal Privacy Criteria 

[2] Recommendation to Leadership Council  (see attached)


4. Munich F2F 


5. AOB

Adjourn 



[1]

proposed PAC framework_V1_0.doc
Kantara Initiative_IAWG_US FPC Report_v2.0_AT.pdf

Colin Wallis

Feb 22, 2012, 10:08:23 PM
to Kantara P3 WG, Patrick Curry, Dave Wasley
Folks
 
I have (as may some others) a call conflict at this time (with the OASIS Trust elevation TC).
I'll try to join at some stage.
Colin S: thanks for your efforts. Greatly appreciated.
In case I'm not on the call to say this, I have 3 main comments about the proposed PAC framework.
 
1) There seems to be an ongoing confusion between 'requirements' and 'assessment' of the requirements to determine if they are (partially, or fully) met.  There is no clearer example of this if you look at the title of Part 1, then look at the intended audience for Part 1 in Section 6.  Requirements have either been made explicit (as they have been in the normative references mentioned in Part 2), or they appear in applicable laws.
 
I do not believe the *primary* intention of this doc was to draw out the requirements from legislation or fed privacy criteria, useful as this might be.  I thought the *primary* purpose was to guide assessors on where and how to look for compliance with the requirements - how they have been (partially or fully) met.  Example (remembering I am *not* a privacy expert... so apologies in advance for strangling...): Consent. We might advise the assessors to look for a policy note on the front web page, and check it for readability. Then suggest they use the said service to determine if the notice is repeated when an attribute is about to be passed to a third party, check how the user would give that consent (radio button? / some other way, e.g. a user agent?).
 
2) Section 6: Sure, Federation component suppliers, IdPs etc will make use of the assessor guidelines, just as today, vendors use the SAML eGov Profile test plan (the test used to see if the requirements are met) to modify their products, rather than going to the SAML eGov Implementation Profile where the requirements live.  The test plan is not designed as a way for a developer to tick off that the features in his product are present, but that is an unfortunate outcome of making an 'assessor guidelines' public.
 
3) Section 3: Exclusions. I do not agree with restricting the scope to IdPs only. What benefit are we offering the end user if the IDP is doing a great privacy aware/compliant job but the Fed broker or RP is crap?   It may be that in some trust frameworks a business decision may be made to restrict the scope of the assessors to IDPs (as FICAM has sort of done so far), but the PAC should self enforce such a restriction and leave everyone involved, with no guidance.

Now, I may well be mistaken and maybe I have not understood the objective correctly. If so, please please shoot me down! A double check with the ARB/IAWG about what they expect will put the matter to rest.
 
Cheers
Colin
 

_______________________________________________ WG-P3 mailing list WG...@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-p3

Anna Slomovic/Equifax

Feb 23, 2012, 9:57:28 AM
to Colin Wallis, Kantara P3 WG, Patrick Curry, Dave Wasley

I agree with Colin's points. I do not think it makes sense to simply hand a pile of documents to someone and tell them to figure it out.

 

We need to have a document for privacy that states requirements for a Kantara-certified service. E.g., IAWG Service Provider Criteria document doesn't just point to NIST 800-63 for different LOAs and tell IDPs to go do that. Also, the SPC document incorporates more than just legal requirements. For example, there is no legal requirement that IDP be an independently managed entity, but there is such a requirement for LOA 3 Kantara certification:

 

AL3_CO_ESM#070 Independent management and operations

Demonstrate that, for the purposes of providing the specified service, its management and operational structures are distinct, autonomous, have discrete legal accountability, and operate according to separate policies, procedures, and controls.

 

Once we have a set of normative requirements for privacy, assessors need a document that they can use to determine whether requirements are being met. FICAM assessor guidance provides some of that, but unless Kantara adopts it and puts the Kantara name on the document, it's simply a FICAM suggestion.

 

At the moment, I know how to build an IDP that complies with Service Provider Criteria but not what privacy requirements need to be built in or how I would be assessed against those requirements. I think that's the document set we need.

 

Anna

 

Anna Slomovic

Chief Privacy Officer

Equifax

1010 N. Glebe Road, Suite 500

Arlington, VA 22205

O: 703.888.4620

C: 703.254.9656




David L. Wasley

Feb 23, 2012, 12:55:09 PM
to Anna Slomovic/Equifax, Patrick Curry, Kantara P3 WG
Yes.  That is exactly what we (I anyway) tried to suggest on our joint conference call several months ago.

The FICAM TFPAP states privacy principles.  The IAWG Federal Privacy Requirements restates those principles.  The FICAM "Privacy Guidelines" document suggests a number of questions that assessors might ask when evaluating compliance with the principles.  None of that provides concrete statements that an assessor must use.

What Colin and Anna describe would bring the issues down to earth.  It would not be easy since there are so many possibilities and different use case constraints as well as, currently, technology constraints.  

Reality should also involve RP responsibilities at some point...

David



Frazier-mcelveen, Myisha (US - Arlington)

Feb 23, 2012, 12:56:25 PM
to David L. Wasley, Anna Slomovic/Equifax, Patrick Curry, Kantara P3 WG

+1

 

Sincerely,

Myisha

 

Myisha Frazier-McElveen

Manager | Technology Risk

Deloitte and Touche LLP

Tel/Direct: +571 -814-6619 | Mobile: +1 571-814-0911

mfrazier...@deloitte.com | www.deloitte.com

 

 


Rich Furr

Feb 23, 2012, 3:14:13 PM
to Frazier-mcelveen, Myisha (US - Arlington), David L. Wasley, Anna Slomovic/Equifax, Patrick Curry, Kantara P3 WG
All,

Sorry that I was also not able to participate fully but was having major home network issues and also am recovering (nicely) from a procedure to stent both my iliac arteries so I missed both the OASIS TC call which is also a conflict with P3 and most of the P3 call.

I truly do not want to start a drawn out email exchange on what follows, BUT, into all these discussions I wanted to insert a plea for reasonableness moving forward.  I see that Shin forwarded a couple interesting links earlier this morning and am getting sort of leery of the entire issue of privacy and the possible effects on internet/cloud or whatever other buzz word we attach to this space.  I know that the NSTIC is also being careful of this whole realm as well.

My concern is simple.  I have been the privacy contact for SAFE-BioPharma for the past 4 years.  I wrote (with some rather expensive legal assistance) our privacy policy under which we are DoC safe harbor certified for the EU.  This same policy of course applies here in the US.  We have tens of thousands of digital identities out in use and our coverage will increase significantly moving forward into healthcare.  My concern is that in the four years that I have been the privacy contact and during which we have had our policy posted on our website I can count the number of inquiries we have had on the fingers of no hands — we have NOT had one inquiry!!!  Granted we are a somewhat special case, and I will admit that during the development of same I had some rather interesting conversations with the German Works Council rep from one of our member companies re privacy of EU citizen PII.

Many of you know that I tend to be somewhat skeptical/heretical regarding many things.  I often wonder just how many actual citizen inquiries there really are/have been or is the issue driven mainly by the legal profession that stands to make significant fees from awards if  they can find a breach and really exploit it.  There seems to me to be a fairly significant vested cadre out there whose interest would tend toward very restrictive privacy policies.  I have said before that I hope that Kantara moves forward with policies that offer protection to the extent needed but not to the extent that we stifle technical advancement and more ubiquitous use of the Kantara framework.  Okay, down from the soapbox and thanks for listening.  I do hope we can come out the end of this with tangible guidance that meets multiple goals and I believe that we will.

Thanks for indulging


Rich Furr

Head, Global Regulatory Affairs, Policy & Compliance

SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management Standard

Cell: 704-575-1680

Office:  980-236-7576







Joni Brennan

Feb 23, 2012, 4:05:27 PM
to Rich Furr, Patrick Curry, Kantara P3 WG, David L. Wasley
Hi Rich,

I hope that you are on the mend!  It sounds like you are.  Best of luck in recovery! See more after the excerpt below...
 
Many of you know that I tend to be somewhat skeptical/heretical regarding many things.  I often wonder just how many actual citizen inquiries there really are/have been or is the issue driven mainly by the legal profession that stands to make significant fees from awards if  they can find a breach and really exploit it.  There seems to me to be a fairly significant vested cadre out there whose interest would tend toward very restrictive privacy policies.  I have said before that I hope that Kantara moves forward with policies that offer protection to the extent needed but not to the extent that we stifle technical advancement and more ubiquitous use of the Kantara framework.  Okay, down from the soapbox and thanks for listening.  I do hope we can come out the end of this with tangible guidance that meets multiple goals and I believe that we will.

I wanted to touch briefly here on the approach that I believe P3 reached consensus for on today's call.  The concept entails a kind of phased approach regarding specific Privacy Criteria for compliance.  Phase 1 captures what we (collective we) know needs to be fulfilled in terms of compliance (this is set by governments, regulators etc).  That phase is the starting point.  Phase 2 starts to approach the stretch goals and predictions.

For example:
We know X must be done to satisfy regulations today.  Additionally, we predict (based on research and discussion with stakeholders) that Y will become a regulation / best practice in the future.  So orgs would do well to do X and Y if they can today.  But today only X is required. 

What this approach does is allow for current practices and technologies to comply with the regulations of today... but it starts to position the next steps as to the direction we believe privacy regulation and best practices will push toward in the future.  This approach is meant NOT to create barriers - but a hard line on what's needed RIGHT NOW for compliance ---- and then starts to drive the discussions and developments toward the future regulations and constraints a particular jurisdiction or vertical might have. 

I hope that sets a bit of the tone discussed today which faces your simple concern. 

Thanks,

 =Joni

Malcolm Crompton

Feb 24, 2012, 6:32:05 PM
to Kantara P3 WG

I have been following this debate with interest.

 

We have a great opportunity here NOT to re-invent the wheel AND to key off an international framework that has already been developed AND endorsed by National Leaders.  It provides us with a system that sets out the standards for a company to be recognised as having appropriate cross border data transfer rules and standards for the independent third party accountability agents to which those companies are accountable. 

 

The standards for independent third party accountability agents are particularly relevant for this work by WG-P3.

 

I am referring to the APEC Privacy Framework, the APEC Cross-border Privacy Enforcement Arrangement and the APEC Cross-Border Privacy Rules System.

 

They are the result of concerted effort by the APEC economies since 2003 in the APEC Data Privacy Working Group in which I have participated.

 

* The APEC Privacy Framework was endorsed in final form by APEC Ministers in 2005 and is available online at http://publications.apec.org/publication-detail.php?pub_id=390.

* The Cross-border Privacy Enforcement Framework (CPER) is described at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx.  This provides the international backstop regulator enforcement behind the accountability agent.

* Both of these support the APEC Cross-Border Privacy Rules (CBPR) System.

 

APEC Ministers endorsed the principal documents of the APEC Privacy Pathfinder in November 2011 in Honolulu, Hawaii.  Subsequently, APEC Leaders also committed to implement the CBPR System “to reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes.”

 

The APEC CBPR system was also referred to by the US President in the Consumer Privacy Bill of Rights that he released on 23 February (p32).

 

The actual source documents have not yet been promulgated well by APEC, but they are available online in the APEC Meeting Document Database at http://aimp.apec.org/MDDB/Pages/search.aspx?setting=ListMeeting&DateRange=2011/09/01%2C2011/09/end&Name=24th%20Electronic%20Commerce%20Steering%20Group%20Meeting%202011.  This link sets out  the meeting papers for the meeting of the 24th Electronic Commerce Steering Group Meeting in September 2011.

 

Set out below is an extract from the meeting documents for that meeting.  These are the final documents for the CBPR as endorsed by APEC Leaders.  The third document in the table, the APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria is probably the most relevant to the WG, but the other documents and the links above provide the context.

 

I would suggest that the group consider very seriously the synergy, momentum and time saving that might be gained by drawing from these materials or even developing an arrangement that can be part of the CBPR and so gain international recognition.

 

Regards

 

Malcolm Crompton

 

Managing Director

Information Integrity Solutions Pty Ltd

ABN 78 107 611 898

 

T:  +61 407 014 450

 

MCro...@iispartners.com 

www.iispartners.com

 

 

Document No. | Title | Date | Size
2011/SOM3/ECSG/012 | APEC Cross-Border Privacy Rules (CBPR) System – Policies, Rules and Guidelines | 2011/09/21 | 109.7 KB
2011/SOM3/ECSG/014 | APEC Cross-Border Privacy Rules (CBPR) System – Intake Questionnaire | 2011/09/21 | 256.5 KB
2011/SOM3/ECSG/015 | APEC Cross-Border Privacy Rules (CBPR) System – Accountability Agent Recognition Criteria | 2011/09/21 | 246.0 KB
2011/SOM3/ECSG/016 | APEC Cross-Border Privacy Rules (CBPR) System – Program Requirements for Use by Accountability Agents | 2011/09/21 | 287.0 KB
2011/SOM3/ECSG/018 | APEC Cross-Border Privacy Rules (CBPR) System - Workplan for the Development of a Directory of CBPR Certified Organizations and APEC-Recognized Accountability Agents | 2011/09/21 | 145.5 KB


Robin Wilton

Feb 24, 2012, 6:46:05 PM
to Malcolm Crompton, Kantara P3 WG
I agree. There's a lot to be gained from studying the APEC model. However, I also think that, good as it is, it is unlikely to displace the investment in doing things differently, in and between the EU and the US... So the big challenge is to take a step back and see if there's a viable "translation table" between those three systems - APEC, the emerging EU revisions, and the even newer US consumer privacy proposals.

R

Sent from my iPod


Malcolm Crompton

Feb 24, 2012, 7:00:08 PM
to Kantara P3 WG

On the other hand, there may be so many frameworks out there that it might be time simply to choose one and ‘get with the program’.  It is at least something to be contemplated.

 

Interestingly, Appendix B to the Whitehouse privacy blueprint attempts a reconciliation table between APEC, the OECD 1980 Guidelines and some US DHS principles.  It should not have ignored the new draft EU Regulation if it wanted to be genuinely inclusive.

 

Malcolm

Robin Wilton

Feb 25, 2012, 1:13:18 AM
to Malcolm Crompton, Kantara P3 WG
Be fair... the White House has only just caught up with the EU's 1995 Principles...
<ducks smartly behind sofa>

;-)

Sent from my iPod