07:25:49 RRSAgent has joined #dpvcg 07:25:49 logging to https://www.w3.org/2019/04/04-dpvcg-irc 07:28:10 are we having a webex call as well? 07:29:22 no webex. 07:31:30 simonstey has joined #dpvcg 07:31:39 can you call again harsh? 07:31:58 calling 07:35:34 unfortunately, the opensuse distribution f'cked up the ekiga package. That means I have no H.323 implementation 07:41:21 have to restart now, CU 07:42:52 a32 says Security of Processing 07:43:28 scribe: simonstey 07:43:34 elmar has joined #dpvcg 07:43:36 scribe: simon steyskal 07:43:43 scribenick: simonstey 07:43:53 present+ 07:44:05 present+ 07:44:05 Fajar has joined #dpvcg 07:44:06 present+ 07:44:20 Ramisa has joined #dpvcg 07:44:38 axelpolleres: overall ontology was inspired by the image sent around by axel 07:45:04 ... it shows the anchor points 07:45:40 ... [axel explains the individual top concepts] 07:45:45 Meeting: DPVCG ftf day 1 07:46:32 ... if you comment on which articles are involved we may want to amend their definition 07:47:07 ... for now we have several top concepts (for data controller we dont have a respective property yet) 07:47:43 q+ 07:47:47 javier: for properties you have domain/range, for classes the type hierarchy 07:47:49 rigo has joined #dpvcg 07:48:16 ... a list of related terms, the source ontology 07:49:13 ... for each of the terms you should also note the date it was added (e.g. 4.4 for today) 07:52:42 axelpolleres: the idea of having a single ontology is that this allows for easier integration 07:54:56 PROPOSED: We will use http://www.w3.org/ns/priv as the main namespace, if avialable, otherwise https://w3id.org/priv/ 07:54:57 [discussing namespace issues] 07:56:29 simonstey: "main ns" as in only ns, or as in base namespace 07:57:10 axelpolleres: we want to get a stable version out 07:57:49 Bud: Privacy vs. Protection? 07:58:56 ... I prefer protection over privacy, as privacy comes more from "invading personal space" and data protection is more broader 07:59:11 mark: what about data protection for privacy? 07:59:28 axelpolleres: this affects the ns discussion if we change that 07:59:59 ... well the group was always called data PRIVACY voc. ... 08:00:14 bud: wait.. I thought it's protection 08:00:58 ... data protection protects both article 7 and 8 of the european [?] 08:01:13 ... but only art. 7 is about privacy 08:02:11 ... in the communities I'm involved in, they always use data protection 08:02:46 axelpolleres: there was this other working group/workshop martin kunze attended 08:02:51 ... that mentioned privacy 08:04:25 mark: it's a very weird topic.. but the GDPR uses both protection and privacy 08:04:37 axelpolleres: maybe not fix the ns acronym to priv yet 08:05:50 bud: what's the scope of e.g. the legal basis part? 08:06:11 ... should it be internationally also? 08:06:33 axelpolleres: I outlined that in the gdoc document 08:06:46 ... https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit 08:07:09 s/"https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit"// 08:07:43 axelpolleres: I suggest dpv as the main namespace (for now at least) 08:07:45 PROPOSED: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if avialable, otherwise https://w3id.org/dpv/ 08:08:05 +1 08:08:05 +1 08:08:06 +1 08:08:07 +1 08:08:07 +! 08:08:09 +1 08:08:11 Javier has joined #DPVCG 08:08:14 +1 08:08:17 +1 08:08:26 +0 08:08:47 bud has joined #dpvcg 08:08:49 RESOLVED: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if avialable, otherwise https://w3id.org/dpv/ 08:10:00 ns/dpv is available on w3id.org 08:10:13 https://github.com/perma-id/w3id.org 08:10:20 axelpolleres: do we wan't to have subns or just one ns? 08:11:02 ... we'll discuss that later on 08:11:04 I propose for separation of contexts for each of the core categories - purposes, processing, legal basis, etc. 08:11:05 ISSUE: decide later whether we need sub-namespaces for different subtaxonomies 08:11:06 Created ISSUE-13 - Decide later whether we need sub-namespaces for different subtaxonomies. Please complete additional details at . 08:11:32 axelpolleres: this was my input wrt. base ontology 08:12:34 harsh: we didn't cover recipients at all 08:12:44 ... only location and purposes 08:13:00 axelpolleres: [gives example] 08:13:56 ... I didn't put the articles next to the terms (maybe someone who's more familiar with the GDPR could add them) 08:14:19 ... i.e. the article that defines them 08:15:00 bud: controller is 4.7, 4.9 is recipient, 4.10 is 3rdparty 08:15:26 Mark has joined #dpvcg 08:17:01 data subject is also A4.1 08:17:21 identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly 08:19:26 Discussion on whether we should rename the properties for class XYZ "hasXYZ" 08:20:13 Simonstey: arguing that hsXYZ is a common convention for ObjectProperties 08:20:14 Also benefits inverse properties - hasXYZ <--> isXYZof 08:20:56 simonstey: we might have to change the names of properties to make them different from the class names 08:21:29 ... e.g. dpv:purpose <-> dpv:Purpose only differs in the lower/uppercase P 08:21:52 ... which is a problem for languages where there isn't a lower/upper case (i.e. chinese) 08:22:02 PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention 08:22:08 +1 08:22:18 +1 08:22:54 PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names 08:22:58 +! 08:22:59 +1 08:23:00 +1 08:23:02 +1 08:23:12 0 08:23:19 +1 08:23:32 +1 08:23:55 RESOLVED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names 08:24:50 +q 08:25:16 ack harsh 08:25:35 harsh: legal ground should be called legal basis (that's used by the GDPR too) 08:25:50 [everyone nodds] 08:26:43 harsh: at the start we discussed technicalorganisationalmeasures 08:27:40 bud: the main means involved in the GDPR are technical&organ. measures 08:28:34 axelpolleres: I would prefer to have small groups for the individual sessions 08:28:46 ... and maybe discuss them tmrw then together 08:29:20 ... the ordering was purely based on getting the groups together according to the indicated interests 08:29:51 axelpolleres: what vocabs do we have to fit in for defining consent? 08:30:08 ... i would imagine the action (what triggered the consent request) 08:30:32 ... basically, I want to know how to hook the whole thing into the main vocab 08:31:03 harsh: when working on the consent receipt it covers all the points mentioned 08:31:34 mark: one of the big issues wrt. consent receipt is e.g., involved other parties (delegation), 08:32:28 ... I think we should make a table in the spreadsheet, where we'll capture terms relevant on describing how consent was received 08:32:48 ... the state of consent (it changes) 08:33:00 ... how does it relate to practice (how people use it) 08:33:15 ... (missing the 2nd order mentioned by mark) 08:34:42 mark: it's very difficult to talk about consent without talking about notice 08:35:01 ... identity, notice, receipt are the main parts 08:35:19 s/receipt/recipient/ 08:37:31 axelpolleres: before we start the coffee break 08:37:37 ... are we all on the same page? 08:37:43 ... is github in sync with wiki? 08:38:36 yes 08:38:37 Purposes consolidation: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit# 08:38:45 harsh: e.g. purposes on github reflect the results of our last discussion on purposes 08:39:39 Purposes discussion: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit?usp=sharing 08:39:42 ... the github repos are linked to from the wiki pages 08:41:44 mark: I think we need to clarify what's standardizable 08:42:28 ... it's a w3c group, but we are working on stuff related to the GDPR 08:42:40 ... i.e. international scope vs. eu scope 08:42:51 Put on tomorrow's agenda the Internet scope/wider scope of the group. 08:42:53 ... we should clarify/discuss this 08:43:45 Harsh/Mark: GDPR is a good stepping stone, covering many also non-european use cases, but maybe not. 08:44:49 ACTION: put internet scope/wider scope on the agenda tomorrow. 08:44:49 Error finding 'put'. You can review and register nicknames at . 08:45:04 ACTION: Axel to put internet scope/wider scope on the agenda tomorrow. 08:45:05 Created ACTION-81 - Put internet scope/wider scope on the agenda tomorrow. [on Axel Polleres - due 2019-04-11]. 08:46:03 harsh: maybe declare everything as OWL/SKOS/RDFS 08:47:27 https://www.w3.org/ns/odrl/2/ODRL22.ttl 08:47:34 HArsh's proposal: We declare all our concepts/terms as owl:classes, skos:Concepts and rdfs:classes. 08:48:12 We could represent the hierarchy as either skos or OWL... i.e. we could have a .owl version of the vob and a .skos version? 08:48:28 example: ODRL 2.2 has this model https://www.w3.org/TR/odrl-model/ 08:48:42 "All new classes (rdfs:Class, owl:Class), properties (rdf:Property, owl:ObjectProperty), and instances (owl:NamedIndividual) must also be defined as a skos:Concept. Appropriate rdfs:domain and rdfs:range should also be defined for classes." 08:50:25 Counter-proposal: only have a RDFS ontology (do we need the complexity of OWL?) 08:52:55 "Similarly, SKOS does not assume that hierarchical relations are by default irreflexive. In many thesaurus guidelines, it is prohibited to have a concept broader than itself. However, in specific cases beyond classical thesauri, some reflexive skos:broader statements may occur. Consider the conversion of an existing RDFS/OWL ontology into a SKOS concept scheme. In such a case, it is legitimate that every rdfs:subClassOf statement will be re-interpreted[CUT] 08:53:07 However, rdfs:subClassOf is a reflexive property, which means that for every class C, the statement C rdfs:subClassOf C is true [OWL]. In this case every concept would therefore have itself among its broader concepts. 08:53:16 https://www.w3.org/TR/skos-primer/#sechierarchy 08:53:29 [discussing SKOS/RDFS/OWL] 08:54:07 https://www.w3.org/TR/skos-primer/#secskosspecialization 08:54:50 [from ireland]: do we need disjoint? 08:54:58 PROPOSED: we use rdfs:subClassOf/subProrpertyOf for modeling hierarchies, instead of the weaker formalism of SKOS 08:55:00 +1 08:55:04 +1 08:55:08 +0 08:55:15 +1 08:55:19 +1 08:55:20 +1 08:55:29 +1 08:55:30 0 08:55:37 RESOLVED: we use rdfs:subClassOf/subProrpertyOf for modeling hierarchies, instead of the weaker formalism of SKOS 08:56:18 ISSUE: we may want to add a non-normative comment in the spec that/how the taxonomy can be used as SKOS. 08:56:18 Created ISSUE-14 - We may want to add a non-normative comment in the spec that/how the taxonomy can be used as skos.. Please complete additional details at . 08:56:58 in case we need disjointness, we use OWL. 08:57:05 simonstey: or SHACL, depending on the use case ;) 08:58:22 axelpolleres: one thing we haven't talked about yet was on how to describe the provenance of the terms we use 08:58:35 harsh: currently we use rdfs:isDefinedBy 08:59:20 ... from the terms of the gdpr we reference the respective IRIs 08:59:33 s/IRIs/articles 09:01:54 simonstey: if you resolve the IRI you get the definition of the term 09:02:06 harsh: seeAlso? 09:02:15 provenance: we use rdfs:isdefinedby for the source (e.g. articles of the GDPR),and use rdfs:comment for documenting justifications. 09:02:58 for examples, we can use vann:example (in case needed) 09:04:13 good resource for what to use: https://dgarijo.github.io/Widoco/doc/bestPractices/index-en.html 09:06:53 [rdfs:comment and/or dc(terms):description discussion] 09:07:02 COFFEE BREAK 09:14:28 https://stackoverflow.com/questions/28723029/can-i-mix-skos-properties-with-rdfs-properties-to-define-a-class SKOS<->OWL<->RDFS 09:14:56 simonstey: how to connect to the polycom system with facetime? 09:16:01 Suggestions: since from the breakouts we will likely go to lunch directly: let's reconvene in plenary at 14:00 CEST 09:18:34 secondly: I will open to more chatrooms and invite rrsagent.... 1) #dpvcg_purpose 2) #dpvcg_consent 09:19:32 ... done, please pick a scribe in each breakout! 09:26:32 axelpolleres has joined #dpvcg 09:29:23 https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/0026.html 09:30:59 harsh has joined #dpvcg 09:41:23 axelpolleres has joined #dpvcg 09:48:11 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051 09:58:05 axelpolleres has joined #dpvcg 10:02:22 elmar has joined #dpvcg 10:10:18 axelpolleres has joined #dpvcg 10:32:21 axelpolleres has joined #dpvcg 10:39:29 fajar has joined #dpvcg 10:55:06 ACTION: Fajar to compile the owl file for the NACE r2 codes. 10:55:07 Created ACTION-82 - Compile the owl file for the nace r2 codes. [on Fajar Ekaputra - due 2019-04-11]. 10:55:18 (needed for purposes) 10:56:23 axelpolleres has joined #dpvcg 11:19:35 rigo has joined #dpvcg 11:47:03 axelpolleres has joined #dpvcg 11:50:43 Summary of the Purpose breakout: we essentially consolidated the hierarchy we started with last time and extended it with a context mechanism to scope the purpose, for instance to activities that belong to a certain business sector, identified by NACE codes. 11:56:36 After lunch parallel sessions: 11:56:38 • Processing Categories: *Simon*, Javier, Fajar, Bud 11:56:38 • Security constraints & Storage constraints: *Axel*, Harsh, Mark, Bert, Ramisa 11:56:54 Ready for video link 11:59:41 us too! 12:03:34 Ramisa has joined #dpvcg 12:08:50 topic: breakout TechnicalOrganisationalMeasures 12:16:56 Mapping between GDPR and ISO27k (11-2016) https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf 12:17:04 (GDPR art. 45 item 8 says for the list of EU-like countries to look out for lists published in the Official Journal.) 12:17:31 Do we have a link for this list? If not, we should create an Action for it. 12:19:25 Mark: recital 71, 75 12:19:39 Mark: Article 10, Article 6.1 12:19:44 A30-g 12:19:53 ... Article 30g, 32.1 12:20:21 https://gdpr-info.eu/art-32-gdpr/ 12:20:25 Art. 32 "Security of processing" 12:20:33 https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1465452422595&uri=CELEX:32016R0679 12:25:55 More relevant articles: R78, R83, A32 12:30:07 https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit# 12:48:02 List of (technical or organisation) measures vs list of risks: which of the two is the primary key? 13:25:00 this depends on whether you want to use it for risk assessment or legal assessment 13:26:05 in the latter case, organisational measures have to correspond to a risk, but in practice they don't and thus you just get a list of n+1 organisational measures 13:31:42 [ rdfs:comment "bblala"] 13:32:44 use Objectproperties only and use this trick to use comments. 13:36:11 3 alternatives: 13:36:22 [rdfs:comment "bblala"] 13:36:36 [ dpv:standardFollowed URI] 13:36:38 rigo has joined #dpvcg 13:36:40 URI 13:42:29 Be back after break 13:42:54 we muted you for now. 13:43:23 reconvene 16:05 13:43:26 W.r.t. svl:EULike, there is a list of current countries on https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en 13:45:08 ACTION: HArsh, (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to thespreadsheet. 13:45:08 Error finding 'HArsh,'. You can review and register nicknames at . 13:45:27 ACTION: Harsh to (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to thespreadsheet 13:45:28 Created ACTION-83 - (with the help/review) of axel, put results of the technicalorganisationalmeasures session to thespreadsheet [on Harshvardhan Pandit - due 2019-04-11]. 14:07:58 Legal Basis: *Bud*, Harsh, Ramisa, Mark 14:09:30 Personal Data Categories: Axel, *Fajar*, Bert, Javier 14:12:53 axelpolleres has joined #dpvcg 14:12:59 axelpolleres has left #dpvcg 14:15:15 axelpolleres has joined #dpvcg 14:16:20 Ramisa has joined #dpvcg 14:16:23 .... type join #dpvcg_data 14:16:40 Javier has joined #dpvcg 14:23:27 elmar has joined #dpvcg 14:23:47 https://webprotege.stanford.edu/#projects/4658d8e1-588e-4847-90c1-6118eabac007/edit/Classes username: dpvcg password: DMdYx2i9Yg6s 14:52:12 axelpolleres: for the personal data categories, you can take up the P3P 1.1 data schema, which is properly internationalised 14:52:44 Would @rigo be able to answer a question we (legal basis) are stuck at in the IRC? 14:52:52 * rigo 14:53:35 sure thing, they also can skype me in 14:55:16 What's your skype ID? Mine is coolharsh55 14:58:36 (got it, thanks) 15:02:54 ISSUE: personal Data cateories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this? 15:02:54 Created ISSUE-15 - Personal data cateories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?. Please complete additional details at . 15:04:27 fajar has joined #dpvcg 15:05:26 Should personal data categories should be modelled using SKOS, using broader and narrower? dpv:Age skos:broader dpv:AgeRange 15:05:44 Also works for specific Location vs generic Location 15:14:25 Should we open an issue for the level of granularity we would add in the end? e.g. whether we want to go doen to a level of detail allowing to specify that FiveFactor model is used? 15:14:42 we will come bakc to the other room for the wrap-up session. 15:23:05 axelpolleres has joined #dpvcg 15:23:45 RRSAgent, make minutes v2 15:23:45 I have made the request to generate https://www.w3.org/2019/04/04-dpvcg-minutes.html Bert 15:23:59 RRSAgent, make logs public 15:24:03 Each session summarize: 1) summarize your status 2) Can you wrap up what you have with actioning 1-2 people to wrap it up for a first version or do you need another breakout or plenary? 15:25:23 topic: 1) PersonalData 15:25:53 fajar: some more information on description to be added, properties for derivation and sensitivity added. 15:28:10 Harsh: rarther use superclasses than attributes for "derived" and for "sensitive"? 15:34:09 summary personal data: 15:34:09 * Personal Categories: 15:34:10 * descriptions not finished 15:34:11 * derived/sensitive data categories: subclasses or attributes? 15:34:11 * Inferred/Derived needs to be sorted 15:34:24 Mark has joined #DPVCG 15:34:29 Notes: Derived data are properties that are automatically calculated and set on a document during a session save. An example of derived data is the size of some (e.g. binary) property of a node. Such derived data might have to be stored on the node itself. 15:34:38 topic: 2) Legal Basis (Bud) 15:34:54 Ramisa has joined #dpvcg 15:35:09 Consent, explicit consent, article 9 explicit consent are different :-) 15:36:56 does not need another breakout session for a first version, e.g. concrete mechanism to refer to contracts is not yet solved. 15:37:34 topic: 3) Technical & Organisational Measures 15:39:22 Axel: I think I could wrap this up for a first version for review. 15:40:18 Note: we have the spreadsheet of terms and definitions for personal data 15:40:28 ACTION: Fajar to create a first version of Personal data complete ontology. 15:40:28 Created ACTION-84 - Create a first version of personal data complete ontology. [on Fajar Ekaputra - due 2019-04-11]. 15:40:39 shared in the mailing list 15:40:55 ACTION: Axel to create first version of complete TechnicalOrgaMeasures 15:40:55 Created ACTION-85 - Create first version of complete technicalorgameasures [on Axel Polleres - due 2019-04-11]. 15:41:50 2) first version is already there, HArsh will clean it up 15:42:07 ACTION: harsh to clean first complete version of legal basis 15:42:08 Created ACTION-86 - Clean first complete version of legal basis [on Harshvardhan Pandit - due 2019-04-11]. 15:42:34 topic: 4) Processing Categories 15:43:50 still open, we will continue tomorrow, Simon, Bud, Elmar, Axel can try to wrap it up tomorrow. 15:44:40 discussion on automated or semi-automatic processing, scale, systematic monitoring, --> high risk processing from GRPD. 15:45:01 .... deterministic or blackbox 15:45:07 (Javier reported) 15:45:36 topic: 5) Purposes 15:46:06 Elmar: good starting point, main focus on scoping context e.g. by sector (for he moment supporting NACE) 15:46:44 q+ 15:49:35 GICS: https://en.wikipedia.org/wiki/Global_Industry_Classification_Standard 15:49:38 ack harsh 15:49:41 Mark: GICS, hyperledger ISIC... 15:49:51 ... we should use a global one. 15:51:14 ACTION: Mark to make a proposal alternatively use GICS instead of NACE. 15:51:15 Created ACTION-87 - Make a proposal alternatively use gics instead of nace. [on Mark Lizar - due 2019-04-11]. 15:51:32 topic: 6) Consent 15:52:09 about 50% ready. needs another session (Bud, Mark, Harsh) 15:52:32 On Category of controller -- here is a record that list multiple industry codes --> https://opencorporates.com/companies/gb/07698434 15:53:12 and GICS is not one of them 15:53:14 (There are too many industry classification systems...) 15:53:14 85.52: Cultural education (UK SIC Classification 2007) 85.52: Cultural education (European Community NACE Rev 2) 8542: Cultural education (UN ISIC Rev 4) 15:57:32 Agenda for tomorrow 15:57:33 * session: consent 15:57:34 * session: processing categories 15:57:36 ----- 15:57:37 * process for new terms and feedback 15:57:39 * timeline 15:57:40 finish drafts (who, by when?) 15:57:42 review (who, by when?) 15:57:43 publish 15:57:44 advertise 15:57:45 feedback cycle 15:58:19 start tomorrow 9:30 15:58:46 RRSAgent, make minutes v2 15:58:46 I have made the request to generate https://www.w3.org/2019/04/04-dpvcg-minutes.html Bert 16:02:19 axelpolleres has joined #dpvcg