W3C

– DRAFT –
Data Privacy Vocabularies and Controls Community Group Teleconference

12 February 2019

Meeting minutes

<AxelPollleres> gimme a second, dialing.

<AxelPollleres> scribe volunteers?

<stefano> I need to leave in ~35 min

<AxelPollleres> PROPOSED: approve minutes from last call https://www.w3.org/2019/01/22-dpvcg-minutes

<harsh> +1

<Eva_Bud> +1

+1

<Fajar> +1

Resolved: approve minutes from last call https://www.w3.org/2019/01/22-dpvcg-minutes

<Ramisa> +1

action items

Action: write an email to Michael Markevich on ACTION-6 and whether he still plans to join.

<trackbot> Error finding 'write'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

Action: Axel to write an email to Michael Markevich on ACTION-6 and whether he still plans to join

<trackbot> Created ACTION-62 - Write an email to michael markevich on action-6 and whether he still plans to join [on Axel Polleres - due 2019-02-19].

<AxelPollleres> ACTION-11, ACTION-19 saved for later, when we have a first stable version.

<AxelPollleres> close ACTION-29

<trackbot> Closed ACTION-29.

actions?

<AxelPollleres> ACTION-33 still continued

Harsh and Fajar are taking over ACTION-34

<AxelPollleres> Mark just joined

Mark: looked at categories for purposes and description definition, looking at the scope
… e.g. data types are definitively in scope
… sector categories as well, UK define the core business purpose as a key activity
… good item to define what's expected from a company

i.e., the core sector + purpose + core business purpose could be a good indicator of the purpose
… This could be a good discussion point for the WG

<AxelPollleres> Mark, ACTION-33: definition of about core business (purpose) plus processing give a description of what purpose is.

<AxelPollleres> close ACTION-37 (Axel finished it)

<AxelPollleres> close ACTION-37

<trackbot> Closed ACTION-37.

Harsh created a github repository, he can transfer the ownership to the WG: https://github.com/dpvcg
… Harsh can add people to the repository, he just needs the github username

<AxelPollleres> ACTION-52: we can just use harsh's repo https://github.com/dpvcg

<trackbot> Notes added to ACTION-52 Ask bert about w3c github repository action from august and create a github under w3c for dpvcg.

<AxelPollleres> close ACTION-52

<trackbot> Closed ACTION-52.

<AxelPollleres> Everyone let harsh know their github username.

<AxelPollleres> close ACTION-56

<trackbot> Closed ACTION-56.

<AxelPollleres> close ACTION-57

<trackbot> Closed ACTION-57.

<AxelPollleres> ACTION-59 ... mail https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/0008.html

Eva doubts the criteria for data protection assessment from edpb can be used for the vocabularies
… but she will send an email with the info

<AxelPollleres> close ACTION-59

<trackbot> Closed ACTION-59.

<AxelPollleres> https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/att-0008/2017-10-04_wp248_rev01_Guidelines_on_DPIA_updated.pdf

Axel: can we standardise the restrictions or measures of security ?

Mark: Low/high risks... Regulators say this cannot be standardised, but I think the criteria can be

<AxelPollleres> Mark: we can't really standardise what is low or high risk

<Eva_Bud> the only criterion useful for vocabulary from my point of view would be the data categories themselves, since they are key to detect whether sensitive information may be involved in the processing

e.g. in UK the number of employees impacts the high risks

also interesting (e.g. in Canada?) not only if it's risk, but what the risks are

Eva: It's always context dependent
… depends on the process you have, which data, people involved....
… it's something that we also have partially in our vocabularies, e.g. with data categories

<AxelPollleres> criteria can hardly be standardized, except maybe partially in the data categories

<AxelPollleres> close ACTION-61

<trackbot> Closed ACTION-61.

<AxelPollleres> ACTION-60 continued

overview of our current status

Axel presents a presentation summarising the status: see https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/0005.html

<MarL> Hi..

<Bert> Axel's slides

Axel summarises the timeline and some numbers (#telcos, etc.)
… Having a F2F in March or April might be good
… We could maybe do it in Vienna again, or Dublin

<Bert> +1 to a ftf, no pref for location

<Eva_Bud> +1 to f2f, but depends on time/date, no pref on location

Fajar: I cannot do it in these months

Action: Bert to set up doodle preferred dates for F2F in second half of March or first half of April

<trackbot> 'Bert' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., bbos, bertv).

Action: bbos to set up doodle preferred dates for F2F in second half of March or first half of April

<trackbot> Created ACTION-63 - Set up doodle preferred dates for f2f in second half of march or first half of april [on Bert Bos - due 2019-02-19].

<Eva_Bud> having trouble with sound and connection again, sorry

<Eva_Bud> :(

Axel continues the presentation of the slides with the status of the DPVCG vocabularies, in particular personal data categories, purposes and processing, as they were discussed actively
… we need how to connect the dots
… "A personal Data Category is undergoing specified processing by a specific data controller and/or ? for a particular purpose, based on a specific legal ground, with (optionally?) transferred to some recipient specified security measures and restrictions (e.g. storage locations and storage durations)."
… all "boxes" are already in some vocabularies e.g. SPECIAL, while others such as legal grounds or security measures are rather new
… we also discussed (Axel, Harsh, Fajar, Javier) that maybe we need to restrict the purpose to certain business activity/sector
… also Personal data Categories may be subdivided into sensitive data categories
… As for the Personal Data categories, there is a proposal by Harsh and Fajar to start with the initial proposal by the Enterprise Consulting group
… In addition we have more categories for the use cases, the SPECIAL categories and more from the special categories, GDPR article 9 and 4
… The proposal is to use the Enterprise Consulting group as the anchor, and map the other onto it

<Eva_Bud> connection gone Nirwana again, sigh

Mark: I talked to them, we iterated on this (e.g. on inference data), I think it's CC
… I can invite them to the WG

Action: Mark to reach out to enterprivacy.com on whether we can use their categories as a starting point, check License, and invite them to our working group.

<trackbot> Created ACTION-64 - Reach out to enterprivacy.com on whether we can use their categories as a starting point, check license, and invite them to our working group. [on Mark Lizar - due 2019-02-19].

<harsh> Paper for the personal data categories - D. J. Solove, ‘A Taxonomy of Privacy’, Social Science Research Network, Rochester, NY, SSRN Scholarly Paper ID 667622, Feb. 2005. und

Axel: the plan is that Harsh and Fajar can work on this and come with a first version within a month

<stefano> I am very sorry I need to leave, will try to catch up from minutes

Axel: As for purposes, we had initial categories of purposes during the last F2F

https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data
… see bottom of the page
… The plan is to integrate the different approaches (Axel and Javier)
… The question was if we need to include business sectors

<Eva_Bud> we don't hear anything, let us know when you have specific things for us please

Mark: Hyperledger (content on the blockchain)... they spend several months to look at country codes

<AxelPollleres> Mark: Hyperledger work on consent on Blockchain, looking at business codes and suggest to use financial industry codes GICS would be appropriate.

Mark: It makes sense to use global industry and sector classification GICS, updated in 2017
… I would recommend that
… when a company registers, e.g. in UK, they are assigned one code
… there are multiple versions, the global ID seems to be the best option
… the most interoperable

<AxelPollleres> Mark: GICS code is driven by financial services, global, would make sense as a starting point.

Axel: are there mappings from the other codes to GICS?

Mark: not that I know

Axel: this could be something to do

<harsh> https://opencorporates.com/

Issue: Are there mappings to GICS from other coding systems NAICS/NACE/ISIC ...

<trackbot> Created ISSUE-10 - Are there mappings to gics from other coding systems naics/nace/isic .... Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/10/edit>.

Mark: I would recommend to have a look also to opencorporate.com
… it's not global, it's local + ?

Axel: The next discussion was about legal grounds, we agreed to keep it separated

<Eva_Bud> we see the slides but we still don't hear anything :( Eva plans on continuing on this legal "taxonomy" though

Axel: we don't have a taxonomy but the picture from Eva

<Eva_Bud> Axel, can you make an action for me to tend further to this?

Axel: As for processing, we have worked less, we have some starting points but we need more work

Action: Eva and Bud to further elaborate on legal grounds taxonomy

<trackbot> Created ACTION-65 - And bud to further elaborate on legal grounds taxonomy [on Eva Schlehahn - due 2019-02-19].

Axel: someone volunteering for the processing category?

Harsh: I have added some terms from the GDPR

Axel: The main point is to structure it

Harsh: I can do, but I might need someone to review

<Eva_Bud> Bud and I can review

Ramisa: I can help a bit

Action: Harsh to look into structuring Processing categories, Ramisa, Bud, Eva to help/review.

<trackbot> Created ACTION-66 - Look into structuring processing categories, ramisa, bud, eva to help/review. [on Harshvardhan Pandit - due 2019-02-19].

<Eva_Bud> just trying to reconnect to webex, no luck so far

<Eva_Bud> :)

Axel: As for data controllers/recipients...
… we have some ideas on the country of the recipients, some initial pointers from SPECIAL, and maybe the possibility to add a sticky policy

Action: Javier to look into Data controllers and recipients taxonomy with help of Piero, Axel

<trackbot> Created ACTION-67 - Look into data controllers and recipients taxonomy with help of piero, axel [on Javier D. Fernández - due 2019-02-19].

Axel: Javier and I can continue on that
… with the help of Piero

Axel: Last points are storage location/duration, security measures...
… but maybe we can leave them now and focus on the first issues

Harsh: Myself and Mark can look at the forms of consent

Mark: +1

Action: Harsh looking into Consent elements and types with help of Mark

<trackbot> Created ACTION-68 - Looking into consent elements and types with help of mark [on Harshvardhan Pandit - due 2019-02-19].

Axel: Then maybe we can leave the storage and security opened as an issue

Issue: taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.

<trackbot> Created ISSUE-11 - Taxonomies on storrage locations and restrictions as well as security measues and restrictions still undefined.. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/11/edit>.

<AxelPollleres> All actions of today ideally done in a month.

set next telco

26th at 16:00?

<Eva_Bud> 26th would be fine

<AxelPollleres> regrets from harsh, but Mark can report.

<AxelPollleres> Goal: progress on actions from today and decide for another F2F date and location.

Axel: Harsh, let us know if F2F is OK in Dublin, or you can travel elsewhere

<AxelPollleres> AOB?

Mark: Maybe a good place is a privacy conference in May, Germany

<Eva_Bud> if you plan f2f, can you make a doodle?

Mark: I will provide more info

<AxelPollleres> Mark: EIC (european identity conference) in May ... in Germany might be a good space for us to meet/be present.

<harsh> @Eva I think Bert has an action to create a doodle?

<Eva_Bud> ok

Action: Mark to report on EIC conference next time

<harsh> ACTION-63

<trackbot> Created ACTION-69 - Report on eic conference next time [on Mark Lizar - due 2019-02-19].

<trackbot> ACTION-63: Bert Bos to Set up doodle preferred dates for f2f in second half of march or first half of april -- due 2019-02-19 -- OPEN

bye!

<AxelPollleres> adjourned

<Ramisa> thanks, bye

<AxelPollleres> (I always forget the command :-))

Summary of action items

  1. write an email to Michael Markevich on ACTION-6 and whether he still plans to join.
  2. Axel to write an email to Michael Markevich on ACTION-6 and whether he still plans to join
  3. Bert to set up doodle preferred dates for F2F in second half of March or first half of April
  4. bbos to set up doodle preferred dates for F2F in second half of March or first half of April
  5. Mark to reach out to enterprivacy.com on whether we can use their categories as a starting point, check License, and invite them to our working group.
  6. Eva and Bud to further elaborate on legal grounds taxonomy
  7. Harsh to look into structuring Processing categories, Ramisa, Bud, Eva to help/review.
  8. Javier to look into Data controllers and recipients taxonomy with help of Piero, Axel
  9. Harsh looking into Consent elements and types with help of Mark
  10. Mark to report on EIC conference next time

Summary of resolutions

  1. approve minutes from last call https://www.w3.org/2019/01/22-dpvcg-minutes

Summary of issues

  1. Are there mappings to GICS from other coding systems NAICS/NACE/ISIC ...
  2. taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.
Minutes manually created (not a transcript), formatted by Bert Bos's scribe.perl version 2.61 (2019/02/15 20:53:08), a reimplementation of David Booth's scribe.perl. See CVS log.