ACTION-368: Work on updated "service provider"/"processor" definition (with vinay)

State: open
Person: Chris Pedigo
Due on: February 27, 2013
Created on: February 20, 2013
Related emails:
  1. issue and action cleanup proposals (from npdoty@w3.org on 2013-05-15)
  2. DNT:Agenda for April 3 call with updated text (from peter@peterswire.net on 2013-04-03)
  3. DNT:Agenda for April 3 call (from peter@peterswire.net on 2013-04-02)
  4. Re: ACTION-273; ACTION-368; ISSUE-10; Definitions related to first party, multiple first party, service provider/data processor (from peter@peterswire.net on 2013-03-06)
  5. Re: ACTION-273; ACTION-368; ISSUE-10; Definitions related to first party, multiple first party, service provider/data processor (from jeff@democraticmedia.org on 2013-03-06)
  6. ACTION-273; ACTION-368; ISSUE-10; Definitions related to first party, multiple first party, service provider/data processor (from peter@peterswire.net on 2013-03-06)
  7. Re: Action 368 - Definition of Service Provider/Data Processor (from tlr@w3.org on 2013-02-27)

Related notes:

Text proposed by Chris Pedigo on March 6th:
http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0057.html

Action 368 - Definition of Service Provider/Data Processor

Normative

A Data Processor is any party, in a specific network interaction, that both operates on behalf of the entity for which it is working (business associate) and meets the following conditions:
- Data that is collected and/or retained is separated by both technical means and organizational process, AND
- Uses and shares data only as directed by the business associate, AND
- Enters into a contract with a business associate that outlines and mandates these requirements.

A Data Processor is subject to the same restrictions as the business associate. If a Data Processor were to violate any of these conditions, it will then be a third party. Data processors may merge and use data for the purposes of security or fraud prevention.

Non-Normative

Data processors may use data collected for the proper management and administration of the business associate. Similar allowances are made for data processors under European Union law, the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Gramm-Leach-Bliley Act.

Nick Doty, 2 Apr 2013, 08:17:27
