– DRAFT –
DPVCG ftf day 1
04 April 2019
<harsh> are we having a webex call as well?
<axelpolleres> no webex.
can you call again harsh?
<harsh> calling
<rigo> unfortunately, the opensuse distribution f'cked up the ekiga package. That means I have no H.323 implementation
<rigo> have to restart now, CU
<harsh> a32 says Security of Processing
axelpolleres: overall ontology was inspired by the image sent around by axel
… it shows the anchor points
… [axel explains the individual top concepts]
… if you comment on which articles are involved we may want to amend their definition
… for now we have several top concepts (for data controller we dont have a respective property yet)
javier: for properties you have domain/range, for classes the type hierarchy
… a list of related terms, the source ontology
… for each of the terms you should also note the date it was added (e.g. 4.4 for today)
axelpolleres: the idea of having a single ontology is that this allows for easier integration
<axelpolleres> PROPOSED: We will use http://www.w3.org/ns/priv as the main namespace, if avialable, otherwise https://w3id.org/priv/
[discussing namespace issues]
simonstey: "main ns" as in only ns, or as in base namespace
axelpolleres: we want to get a stable version out
Bud: Privacy vs. Protection?
… I prefer protection over privacy, as privacy comes more from "invading personal space" and data protection is more broader
mark: what about data protection for privacy?
axelpolleres: this affects the ns discussion if we change that
… well the group was always called data PRIVACY voc. ...
bud: wait.. I thought it's protection
… data protection protects both article 7 and 8 of the european [?]
… but only art. 7 is about privacy
… in the communities I'm involved in, they always use data protection
axelpolleres: there was this other working group/workshop martin kunze attended
… that mentioned privacy
mark: it's a very weird topic.. but the GDPR uses both protection and privacy
axelpolleres: maybe not fix the ns acronym to priv yet
bud: what's the scope of e.g. the legal basis part?
… should it be internationally also?
axelpolleres: I outlined that in the gdoc document
… https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit
s/"https: //docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit"//
axelpolleres: I suggest dpv as the main namespace (for now at least)
<axelpolleres> PROPOSED: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if avialable, otherwise https://w3id.org/dpv/
<Bert> +1
<elmar> +1
<axelpolleres> +1
<Fajar> +1
<harsh> +!
<harsh> +1
<Javier> +1
<Ramisa> +1
+0
Resolved: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if avialable, otherwise https://w3id.org/dpv/
<harsh> ns/dpv is available on w3id.org
<harsh> https://github.com/perma-id/w3id.org
axelpolleres: do we wan't to have subns or just one ns?
… we'll discuss that later on
<harsh> I propose for separation of contexts for each of the core categories - purposes, processing, legal basis, etc.
Issue: decide later whether we need sub-namespaces for different subtaxonomies
<trackbot> Created ISSUE-13 - Decide later whether we need sub-namespaces for different subtaxonomies. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/13/edit>.
axelpolleres: this was my input wrt. base ontology
harsh: we didn't cover recipients at all
… only location and purposes
axelpolleres: [gives example]
… I didn't put the articles next to the terms (maybe someone who's more familiar with the GDPR could add them)
… i.e. the article that defines them
bud: controller is 4.7, 4.9 is recipient, 4.10 is 3rdparty
<harsh> data subject is also A4.1
<harsh> identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly
<axelpolleres> Discussion on whether we should rename the properties for class XYZ "hasXYZ"
<axelpolleres> Simonstey: arguing that hsXYZ is a common convention for ObjectProperties
<harsh> Also benefits inverse properties - hasXYZ <--> isXYZof
simonstey: we might have to change the names of properties to make them different from the class names
… e.g. dpv:purpose <-> dpv:Purpose only differs in the lower/uppercase P
… which is a problem for languages where there isn't a lower/upper case (i.e. chinese)
<axelpolleres> PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention
<harsh> +1
+1
<axelpolleres> PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names
<axelpolleres> +!
<elmar> +1
<axelpolleres> +1
<Fajar> +1
<Bert> 0
+1
<Ramisa> +1
Resolved: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names
harsh: legal ground should be called legal basis (that's used by the GDPR too)
[everyone nodds]
harsh: at the start we discussed technicalorganisationalmeasures
bud: the main means involved in the GDPR are technical&organ. measures
axelpolleres: I would prefer to have small groups for the individual sessions
… and maybe discuss them tmrw then together
… the ordering was purely based on getting the groups together according to the indicated interests
axelpolleres: what vocabs do we have to fit in for defining consent?
… i would imagine the action (what triggered the consent request)
… basically, I want to know how to hook the whole thing into the main vocab
harsh: when working on the consent receipt it covers all the points mentioned
mark: one of the big issues wrt. consent receipt is e.g., involved other parties (delegation),
… I think we should make a table in the spreadsheet, where we'll capture terms relevant on describing how consent was received
… the state of consent (it changes)
… how does it relate to practice (how people use it)
… (missing the 2nd order mentioned by mark)
mark: it's very difficult to talk about consent without talking about notice
… identity, notice, recipient are the main parts
axelpolleres: before we start the coffee break
… are we all on the same page?
… is github in sync with wiki?
<harsh> yes
<elmar> Purposes consolidation: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit#
harsh: e.g. purposes on github reflect the results of our last discussion on purposes
<elmar> Purposes discussion: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit?usp=sharing
harsh: the github repos are linked to from the wiki pages
mark: I think we need to clarify what's standardizable
… it's a w3c group, but we are working on stuff related to the GDPR
… i.e. international scope vs. eu scope
<axelpolleres> Put on tomorrow's agenda the Internet scope/wider scope of the group.
mark: we should clarify/discuss this
<axelpolleres> Harsh/Mark: GDPR is a good stepping stone, covering many also non-european use cases, but maybe not.
Action: put internet scope/wider scope on the agenda tomorrow.
<trackbot> Error finding 'put'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
Action: Axel to put internet scope/wider scope on the agenda tomorrow.
<trackbot> Created ACTION-81 - Put internet scope/wider scope on the agenda tomorrow. [on Axel Polleres - due 2019-04-11].
harsh: maybe declare everything as OWL/SKOS/RDFS
https://www.w3.org/ns/odrl/2/ODRL22.ttl
<axelpolleres> HArsh's proposal: We declare all our concepts/terms as owl:classes, skos:Concepts and rdfs:classes.
<axelpolleres> We could represent the hierarchy as either skos or OWL... i.e. we could have a .owl version of the vob and a .skos version?
<harsh> example: ODRL 2.2 has this model https://www.w3.org/TR/odrl-model/
<harsh> "All new classes (rdfs:Class, owl:Class), properties (rdf:Property, owl:ObjectProperty), and instances (owl:NamedIndividual) must also be defined as a skos:Concept. Appropriate rdfs:domain and rdfs:range should also be defined for classes."
<harsh> Counter-proposal: only have a RDFS ontology (do we need the complexity of OWL?)
"Similarly, SKOS does not assume that hierarchical relations are by default irreflexive. In many thesaurus guidelines, it is prohibited to have a concept broader than itself. However, in specific cases beyond classical thesauri, some reflexive skos:broader statements may occur. Consider the conversion of an existing RDFS/OWL ontology into a SKOS concept scheme. In such a case, it is legitimate that every rdfs:subClassOf statement will be re-interpreted[CUT]
However, rdfs:subClassOf is a reflexive property, which means that for every class C, the statement C rdfs:subClassOf C is true [OWL]. In this case every concept would therefore have itself among its broader concepts.
https://www.w3.org/TR/skos-primer/#sechierarchy
[discussing SKOS/RDFS/OWL]
https://www.w3.org/TR/skos-primer/#secskosspecialization
[from ireland]: do we need disjoint?
<axelpolleres> PROPOSED: we use rdfs:subClassOf/subProrpertyOf for modeling hierarchies, instead of the weaker formalism of SKOS
<harsh> +1
<Fajar> +1
<axelpolleres> +0
<Javier> +1
<elmar> +1
<Ramisa> +1
+1
<Bert> 0
Resolved: we use rdfs:subClassOf/subProrpertyOf for modeling hierarchies, instead of the weaker formalism of SKOS
Issue: we may want to add a non-normative comment in the spec that/how the taxonomy can be used as SKOS.
<trackbot> Created ISSUE-14 - We may want to add a non-normative comment in the spec that/how the taxonomy can be used as skos.. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/14/edit>.
<axelpolleres> in case we need disjointness, we use OWL.
simonstey: or SHACL, depending on the use case ;)
axelpolleres: one thing we haven't talked about yet was on how to describe the provenance of the terms we use
harsh: currently we use rdfs:isDefinedBy
… from the terms of the gdpr we reference the respective articles
simonstey: if you resolve the IRI you get the definition of the term
harsh: seeAlso?
<axelpolleres> provenance: we use rdfs:isdefinedby for the source (e.g. articles of the GDPR),and use rdfs:comment for documenting justifications.
<harsh> for examples, we can use vann:example (in case needed)
<harsh> good resource for what to use: https://dgarijo.github.io/Widoco/doc/bestPractices/index-en.html
[rdfs: comment and/or dc(terms):description discussion]
COFFEE BREAK
https://stackoverflow.com/questions/28723029/can-i-mix-skos-properties-with-rdfs-properties-to-define-a-class SKOS<->OWL<->RDFS
<rigo> simonstey: how to connect to the polycom system with facetime?
<axelpolleres> Suggestions: since from the breakouts we will likely go to lunch directly: let's reconvene in plenary at 14:00 CEST
<axelpolleres> secondly: I will open to more chatrooms and invite rrsagent.... 1) #dpvcg_purpose 2) #dpvcg_consent
<axelpolleres> ... done, please pick a scribe in each breakout!
https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/0026.html
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
Action: Fajar to compile the owl file for the NACE r2 codes.
<trackbot> Created ACTION-82 - Compile the owl file for the nace r2 codes. [on Fajar Ekaputra - due 2019-04-11].
<axelpolleres> (needed for purposes)
<axelpolleres> Summary of the Purpose breakout: we essentially consolidated the hierarchy we started with last time and extended it with a context mechanism to scope the purpose, for instance to activities that belong to a certain business sector, identified by NACE codes.
<axelpolleres> After lunch parallel sessions:
<axelpolleres>
… •
… Processing Categories: *Simon*, Javier, Fajar, Bud
<axelpolleres>
… •
… Security constraints & Storage constraints: *Axel*, Harsh, Mark, Bert, Ramisa
<harsh> Ready for video link
<axelpolleres> us too!
<harsh> Mapping between GDPR and ISO27k (11-2016) https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf
<Bert> (GDPR art. 45 item 8 says for the list of EU-like countries to look out for lists published in the Official Journal.)
<harsh> Do we have a link for this list? If not, we should create an Action for it.
<axelpolleres> Mark: recital 71, 75
<axelpolleres> Mark: Article 10, Article 6.1
<harsh> A30-g
<axelpolleres> ... Article 30g, 32.1
<harsh> https://gdpr-info.eu/art-32-gdpr/
<Bert> Art. 32 "Security of processing"
<Bert> https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1465452422595&uri=CELEX:32016R0679
<harsh> More relevant articles: R78, R83, A32
<axelpolleres> https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit#
<Bert> List of (technical or organisation) measures vs list of risks: which of the two is the primary key?
<rigo> this depends on whether you want to use it for risk assessment or legal assessment
<rigo> in the latter case, organisational measures have to correspond to a risk, but in practice they don't and thus you just get a list of n+1 organisational measures
<axelpolleres> [ rdfs:comment "bblala"]
<axelpolleres> use Objectproperties only and use this trick to use comments.
<axelpolleres> 3 alternatives:
<axelpolleres> [rdfs:comment "bblala"]
<axelpolleres> [ dpv:standardFollowed URI]
<axelpolleres> URI
<harsh> Be back after break
<axelpolleres> we muted you for now.
<axelpolleres> reconvene 16:05
<Bert> W.r.t. svl:EULike, there is a list of current countries on https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Action: HArsh, (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to thespreadsheet.
<trackbot> Error finding 'HArsh,'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
Action: Harsh to (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to thespreadsheet
<trackbot> Created ACTION-83 - (with the help/review) of axel, put results of the technicalorganisationalmeasures session to thespreadsheet [on Harshvardhan Pandit - due 2019-04-11].
<axelpolleres> Legal Basis: *Bud*, Harsh, Ramisa, Mark
<axelpolleres> Personal Data Categories: Axel, *Fajar*, Bert, Javier
<axelpolleres> .... type join #dpvcg_data
<elmar> https://webprotege.stanford.edu/#projects/4658d8e1-588e-4847-90c1-6118eabac007/edit/Classes username: dpvcg password: DMdYx2i9Yg6s
<rigo> axelpolleres: for the personal data categories, you can take up the P3P 1.1 data schema, which is properly internationalised
<harsh> Would @rigo be able to answer a question we (legal basis) are stuck at in the IRC?
<harsh> * rigo
<rigo> sure thing, they also can skype me in
<harsh> What's your skype ID? Mine is coolharsh55
<harsh> (got it, thanks)
Issue: personal Data cateories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?
<trackbot> Created ISSUE-15 - Personal data cateories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/15/edit>.
<harsh> Should personal data categories should be modelled using SKOS, using broader and narrower? dpv:Age skos:broader dpv:AgeRange
<harsh> Also works for specific Location vs generic Location
<axelpolleres> Should we open an issue for the level of granularity we would add in the end? e.g. whether we want to go doen to a level of detail allowing to specify that FiveFactor model is used?
<axelpolleres> we will come bakc to the other room for the wrap-up session.
<axelpolleres> Each session summarize: 1) summarize your status 2) Can you wrap up what you have with actioning 1-2 people to wrap it up for a first version or do you need another breakout or plenary?
<axelpolleres> fajar: some more information on description to be added, properties for derivation and sensitivity added.
<axelpolleres> Harsh: rarther use superclasses than attributes for "derived" and for "sensitive"?
<axelpolleres> summary personal data:
<axelpolleres> * Personal Categories:
<axelpolleres> * descriptions not finished
<axelpolleres> * derived/sensitive data categories: subclasses or attributes?
<axelpolleres> * Inferred/Derived needs to be sorted
<Mark> Notes: Derived data are properties that are automatically calculated and set on a document during a session save. An example of derived data is the size of some (e.g. binary) property of a node. Such derived data might have to be stored on the node itself.
<axelpolleres> Consent, explicit consent, article 9 explicit consent are different :-)
<axelpolleres> does not need another breakout session for a first version, e.g. concrete mechanism to refer to contracts is not yet solved.
<axelpolleres> Axel: I think I could wrap this up for a first version for review.
<harsh> Note: we have the spreadsheet of terms and definitions for personal data
Action: Fajar to create a first version of Personal data complete ontology.
<trackbot> Created ACTION-84 - Create a first version of personal data complete ontology. [on Fajar Ekaputra - due 2019-04-11].
<harsh> shared in the mailing list
Action: Axel to create first version of complete TechnicalOrgaMeasures
<trackbot> Created ACTION-85 - Create first version of complete technicalorgameasures [on Axel Polleres - due 2019-04-11].
<axelpolleres> 2) first version is already there, HArsh will clean it up
Action: harsh to clean first complete version of legal basis
<trackbot> Created ACTION-86 - Clean first complete version of legal basis [on Harshvardhan Pandit - due 2019-04-11].
<axelpolleres> still open, we will continue tomorrow, Simon, Bud, Elmar, Axel can try to wrap it up tomorrow.
<axelpolleres> discussion on automated or semi-automatic processing, scale, systematic monitoring, --> high risk processing from GRPD.
<axelpolleres> .... deterministic or blackbox
<axelpolleres> (Javier reported)
<axelpolleres> Elmar: good starting point, main focus on scoping context e.g. by sector (for he moment supporting NACE)
<harsh> GICS: https://en.wikipedia.org/wiki/Global_Industry_Classification_Standard
<axelpolleres> Mark: GICS, hyperledger ISIC...
<axelpolleres> ... we should use a global one.
Action: Mark to make a proposal alternatively use GICS instead of NACE.
<trackbot> Created ACTION-87 - Make a proposal alternatively use gics instead of nace. [on Mark Lizar - due 2019-04-11].
<axelpolleres> about 50% ready. needs another session (Bud, Mark, Harsh)
<Mark> On Category of controller -- here is a record that list multiple industry codes --> https://opencorporates.com/companies/gb/07698434
<Mark> and GICS is not one of them
<Bert> (There are too many industry classification systems...)
<Mark> 85.52: Cultural education (UK SIC Classification 2007) 85.52: Cultural education (European Community NACE Rev 2) 8542: Cultural education (UN ISIC Rev 4)
<axelpolleres> Agenda for tomorrow
<axelpolleres> * session: consent
<axelpolleres> * session: processing categories
<axelpolleres> -----
<axelpolleres> * process for new terms and feedback
<axelpolleres> * timeline
<axelpolleres> finish drafts (who, by when?)
<axelpolleres> review (who, by when?)
<axelpolleres> publish
<axelpolleres> advertise
<axelpolleres> feedback cycle
<axelpolleres> start tomorrow 9:30
Failed: s/"https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit"//
Succeeded: s/receipt/recipient/
Succeeded: s/IRIs/articles