– DRAFT –
Data Privacy Vocabularies and Controls Community Group Teleconference
18 September 2018
Bert asks whether there are more items for the agenda, no items added
<simonstey> +1
No comments on the previous meeting's minutes
action item "Add some overview of SPECIAL use case(s)" for Bert is half done
still in progress
<Bert> close action-9
<trackbot> Closed action-9.
Action Nr. 9: Axel talked to Stefan Dekker but the action is not concluded yet
About Action 12: Simon has already worked at the requirements templates some weeks ago
<Bert> action-12?
<trackbot> action-12 -- Simon Steyskal to Look over requirements template -- due 2018-08-14 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/12
<simonstey> https://www.w3.org/community/dpvcg/wiki/Template_for_requirements
The action has been discussed in a previous meeting, unclear why still open
<Bert> close action-12
<trackbot> Closed action-12.
About Action 14: Axel still needs to follow up with contact with IEEE 7012
About Action 17: Axel would like to decide what we want to build a vocabulary for, this is listed in the charter, this would be categories of data, purposes and processing
Axel would like people would clarify their thoughts on these 3 points, since these are core points at least for a start
It would be good to read the use cases in this light, so to categorize it according to the three above-mentioned points
Axel is unsure about what more we need as far as requirements are concerned, more than what we already have or could get from what we have now
also interesting categorisation of Data Controllers, but this is secondary
<simonstey> is data controller == data processor?
No, it is different
Stefano proposes to add storage location, security and time of storage
Simon asks whether we want to talk about data processors as well
<simonstey> https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
Axel proposes to close the list of categories and start examining the use cases
About Action 18: Stefano had a look at one use case from Mydata but more work needs to be done
<Bert> close action-22
<trackbot> Closed action-22.
Action 22: Nobody is going to the conference from the DECODE project
<trackbot> Error finding '22'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
<AxelPollleres> PROPOSED: This is the initial requirements we want to cover in DPVCG
<AxelPollleres> * GDPR Terminology:
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * We want to define hierarchical taxonomies (backed by use cases) of
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors, recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (incl. e.g. anonymisation "levels")
<AxelPollleres> * storage duration
<harsh> no audio :(
<harsh> I'll type instead
<harsh> Should we be comprehensive about ALL terms in the context of GDPR compliance? e.g. data source, consent & how it was given, etc.
Javier: In Vienna there was a comment about anonymisation of personal data
This might be included in the security category
Pseudoanonymisation is explicitly mentioned as security measure in the GDPR
Stefano: consent should be covered for GDPR
Axel: we need to formalise consent, this is the reason why he proposed the categories already mentioned
Stefano: I think we can start with what Axel proposes
Axel: I'd be happy to take it from there if we think that this list is not enough to formalize consent (happy to open an issue for that along with the proposal
Harsh proposes to have a different section on the discussion regarding terms such as consent, to have a place where the different meaning are listed so they can be referred back to
This section would be on the wiki
Harsh is willing to start this section
Action: Harsh: create a section about different terms on the wiki
SImon: we can explicitly indicate that the list could be expanded in the future
<AxelPollleres> PROPOSED: This is an initial non-comprehensive list of GDPR Terminology terms, we want to define/agree upon in DPVCG (we might extend this list upon additional proposals):
<AxelPollleres> * agreed definition data controller
<AxelPollleres> * agreed definition data processor
<AxelPollleres> * agreed definition data recipient
<AxelPollleres> * agreed definition data subject
<AxelPollleres> * agreed definition consent
<simonstey> +1
<AxelPollleres> +1
<harsh> +1
<stefano> +1
<Bert> +1
<AxelPollleres> +1
<Ramisa> +1
harsh: should compliance be included?
Axel: the notion should be put in a separete proposal
<Javier> +1
Resolved: This is an initial non-comprehensive list of GDPR Terminology terms, we want to define/agree upon in DPVCG (we might extend this list upon additional proposals):
… * agreed definition data controller
… * agreed definition data processor
… * agreed definition data recipient
… * agreed definition data subject
… * agreed definition consent
<AxelPollleres> PROPOSED: We want to the define the following hierarchical taxonomies (backed by use cases), where again we might extend this list upon additional proposals):
<AxelPollleres> * categories of personal data
<AxelPollleres> * (personal data handling) purposes
<AxelPollleres> * processing categories
<AxelPollleres> * categories of data controllers, processors, recipients (optional)
<AxelPollleres> * storage locations
<AxelPollleres> * security measures (including e.g. anonymisation "levels", pseudonymisation)
<AxelPollleres> * storage duration
<AxelPollleres> +1
<harsh> +1
<simonstey> +1
<Javier> +1
<Ramisa> +1
+1
<Bert> +1
Resolved: We want to the define the following hierarchical taxonomies (backed by use cases), where again we might extend this list upon additional proposals):
… * categories of personal data
… * (personal data handling) purposes
… * processing categories
… * categories of data controllers, processors, recipients (optional)
… * storage locations
… * security measures (including e.g. anonymisation "levels", pseudonymisation)
… * storage duration
Stefano: compliance is not something that you can self-assess and assign to your case
Harsh: some terms related to compliance such as transparence could be relevant to the group
Axel: we need to define what needs to be defined in a machine-readable manner, for his minimalistic view this is not needed at this stage, but if there is a use case for it it can be included
harsh: data subject rights are important, should this be included?
Issue: do we need to formulate a notion of compliance in scope of the CG?
<trackbot> Created ISSUE-2 - Do we need to formulate a notion of compliance in scope of the cg?. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/2/edit>.
Issue: do we want to revisit a definition of "GDPR rights" in our definitions and taxonomies?
<trackbot> Created ISSUE-3 - Do we want to revisit a definition of "gdpr rights" in our definitions and taxonomies?. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/3/edit>.
<AxelPollleres> stefano: e.g. right to be forgotten, how can it be executed/enforced
Simon: there could be ways to express already rights for example in terms of permissions using e.g. ODRL
Javier: how do you want to collect the different items, one per page?
Axel: we could think in terms of questions, that should be answered per use case, and give us a start
Axel: need to run ... I would like to talk about next time on in how far in our use cases we have collected so far cover the aspects we have now agree upon, in terms of concrete questions that should be answred per use case.
harsh: suggestion for having a small example to get people started
Axel will try to do so
Action: Axel to formulate a use case to exemplify what I proposed today :-) (categorization along the categories and terminology we agreed upon today)
<trackbot> Created ACTION-24 - Formulate a use case to exemplify what i proposed today :-) (categorization along the categories and terminology we agreed upon today) [on Axel Polleres - due 2018-09-25].
<AxelPollleres> needed to run, sorry
<AxelPollleres> thanks all!
Bert ask whether there are more points to discuss, but this is it for today, next call in 2 weeks
<harsh> thank you && good day : )
<Ramisa> Thanks