See also: IRC log
<renato> Chair will be Marco
<scribe> chair: Marco_Cassasa_Mont
<spreibus> ?
<renato> Rigo on the call yet?
sure
<scribe> scribenick: rigo
Pete Bramhall presenting Project Encore
OECD principles, about organizations handling privacy
in EU it is part of human right, a much wider set of things, remaining in control of who knows what about you
which leads to informational self determination
PB: it is large area, kind of
boiling the ocean
... encore is trying to handle trust and consensus on data
handling and privacy preservation
slide 4 a couple of examples. Individuals really care and are concerned
slide5: organizations partly care
about privacy
... risk of not gaining the economic efficiency (privacy
roadblock)
... also a differentiator, better privacy, happier
customer
... but most strive for regulation compliance. Increasing
awareness that privacy is a liability, cost of remedies
... governments have different view: have strange view of
things, sometimes doing it wrong but funding things like
Encore
http://www.privacyinternational.org/article.shtml?cmd%5b347%5d=x-347-559597 for the PI ranking
PB: Law and Regulation =>
Directive 95/46 translated into UK law
... Information Commissioner, are the regulator, but also
making codes of best practices
consent definition
the role of consent is central
The overall vision of this project is to
make giving consent as reliable and
easy as turning on a tap…
scribe: mostly giving consent
implicitly, mean consent to be something very specific, precise
and limited goes right to the backend of enterprise services
that can deal with it
... needs to be easy for the enterprise to respect privacy and
cost effective
... make sure that consents that were given will be honored,
also revoking should be respected, All has to be reliable and
vigorous
... not solved yet, most of the time giving consent is given
before you know what will happen, mostly ok
... but e.g. in an ehealth scenario that may be tricky, may be
want to come back to the decision to allow
... revocation and change have to be enabled => life cycle
management of consent
PB: give enterprises the ability
to manage privacy in a convenient and cost effective way
... meaningful information for individuals, restore
confidence
... Encore project setup reported
... Partners
slide 16: Overview slide with all flows, very interdisciplinary work. start left bottom
scribe: doing awareness
campaigns
... policy regulation, best practices, standards, does not mean
necessarily new regulation,
... in order to make all that easy the enablers come into play,
fitting those enablers into systems and paradigms
deliverables:
• Technical architectures and prototypes
• Regulatory recommendations
• Proposals for compliance and certification
• Taxonomy and requirements formalisation
compliance scheme that measures effectiveness of protections and correctness
Encore has done case study on first three challenges, not on the techno challenges yet
there is no legal right to privacy in UK unless you are a celebrity
consent has to be provided to be able to legally process data, but handy exceptions
limited right to revoke consent, Commissioner finds it ambiguous
there isn't any effective legal codification
no ownership of data
HT: ownership of data, there is
no concept of ownership of data in other countries, still under
debate within privacy scholars, difficult to claim ownership on
data
... typically data relevant to privacy is not only generated by
you
PB: the issue is not the data, but the association of data.
DC: University degree can be removed years after, so University can revoke
PB: external stakeholders are businesses and individuals
business challenges:
some buy in, some don't
quote:
“I know when I did my training one of the
things I was told was that processing under
consent is what the desperate resort to”
user challenges:
(usability, understandability)
technology challenges:
obligations, e.g. notifications, how to make them personalized
how to make them respected in very large orgs
various degrees of rigour applied adapted to the situation
scribe: cloud computing: in many jurisdictions notion of data controller that makes sure that data processors are complying with the requirements of data protection
is this done in real world? Somewhat
how to keep track of all copies
policy matching and individuals preferences into a single system, how to bring this into machine language, make it executable
how to enforce, to prevent that it can be broken, there is some major crypto needed
linking reputation to the initial consent, how can you revoke back all along the chain
Encore based on three case studies, have nearly finished first one Enhanced employee data sharing
biobanks less actors, better organized, long jeopardy issues at hand
oh zakim, reparse :)
assisted living, share some data not other data
rich area, terms of engagement with external partners
current status:
Case Study 1 complete
<scribe> ongoing:
Taxonomy and Formalisation work
Compliance process
Technical Architecture D2.1
picture with lots of arrows and pipes
already simplified
going for another 18 months
more information on
http://www.twitter.com/encore_project
<spreibus> thanks, Pete, very interesting presentation
http://www.encore-project.info/newsletters/newsletter01/EnCoReJuly2010.htm
SP: working on similar projects: technical insights, what language using
PB: looking into extending XACML
framework, incorporate a number of extensions
... whatever the outcome is, to be useful, we need agreement
what we want to solve, and what is the best way
we hope to contribute to that discussion
DC: nobody owns personal: but
there are artefacts in real world, and those are owned by
institutions, University, driving license
... some aspects of PII that have an owner issue
PB: legal problem is larger than
that,
... good example is IP personal data?
some people think it is others think it is not, IP addresses should be randomly generated and assigned
<spreibus> to complement my earlier question: I'm currently investigating the ability to enforce data protection with information flow control -- very deeply down on the technical side
<spreibus> some thoughts into how technical approaches into enforcing consent needs combining with empirical evidence what users actually want to see enforced: http://www.cl.cam.ac.uk/research/dtg/privacy-calculus/
other end of the spectrum is that IP is unique identifier
PB: is an ocean boiling
problem
... ownership rather on a right to use data
DC: types of data and ontology to classify them
PB: may be a way forward
<spreibus> imho, taxonomies are a good idea, but not close enough to the data handling processes to have some real impact
PB: if you try to produce categories it will be out of date before you can publish
<spreibus> are IP addresses personal data? even the P3P spec did acknowledge they are
<spreibus> that was more than three years ago
<spreibus> at the W3C Privacy Workshop in Summer at Vodafone, the privacy implications of IPv6 were mentioned
RW: Ontology may have a core
SP: ontologies and taxonomies and academic stuff is far too high level to have impact in reality
for the decision of data is processed or not
scribe: must be drilled down
deeply into the technical level, control of information flow,
but this may be too complex, it has to fit business
... good to have enforcement, but have to think about what
people want to have enforced
health data vs other data, security of data
DC: slide 28 using XACML for enforcement, but all goes into a single decision point. How is all merged, how are all systems using the same language, user using the same language
<spreibus> I second that -- combining policies is a very tricky thing. And I have the feeling there are many instances we need merging of policies
PB: on merging: Suggest download the document and discuss deeply, How assume all systems use the same language. Are more interested in process compatibilities than in the overlap of technology itself
only going to work if trust is sufficiently transitive is going through the system
scribe: would be ideal to have
vigorous enforcement, but this is holy grail
... business process, certification research
... how outcome has been reached rather than how to achieve the
outcome
is not as ambitious, trying to produce something that is reasonably usable in a reasonable amount of time
have explored definition of Encore compliant systems. All other system dealing with PII should also be encore compliant, not necessarily absolutely equal
DC: TAS3 also interested in measuring compliance, have to cooperate
SP: we can't achieve everything at a time, What is your feeling, how fast can we see something in the wild
PB: the best is a feeling: If we can ?? they and their customers will get the benefit in a year or so, the patients and also the clinical researchers that are using the system
the secondary it is rather in the assisted living area, in UK major transition in health care sector. Moving more into independent care service providers
lead to a complex informatics environment, coming 3 categories
local authorities, team looking more generally into informatics models. standards procurement templates, These kind of things will find their way into procurement specifications
scribe: more widely, businesses that want an encore logo, will take a while
SP: on the web?
<david> Although we cannot do everything at once, TAS3 plans to have open source code that will enforce multiple policies in different languages and resolve conflicts between them
PB: industrial companies, the
first of those have large consultancies that will use the
knowledge
... could well be that it is taken up this way
I suggest to hear the SWIFTS project next
<renato> URL for SWIFTS?
<spreibus> bye
renato, will provide on the mailing list
<renato> ok
Present: +44.122.333.aaaa, spreibus, +358.504.87aabb, Carine, Rigo, Hannes, Ashok_Malhotra, Marco, Pete_Bramhall, David_Chadwick, +1.207.756.aacc, Eric_Brunner_Williams
Agenda: http://www.w3.org/Policy/pling/wiki/2010-09-14
Date: 14 Sep 2010
Minutes: http://www.w3.org/2010/09/14-pling-minutes.html
Scribe: rigo