W3C

– DRAFT –
DPVCG ftf day 1

04 April 2019

Meeting minutes

<harsh> are we having a webex call as well?

<axelpolleres> no webex.

can you call again harsh?

<harsh> calling

<rigo> unfortunately, the opensuse distribution f'cked up the ekiga package. That means I have no H.323 implementation

<rigo> have to restart now, CU

<harsh> a32 says Security of Processing

axelpolleres: overall ontology was inspired by the image sent around by axel
… it shows the anchor points
… [axel explains the individual top concepts]
… if you comment on which articles are involved we may want to amend their definition
… for now we have several top concepts (for data controller we don't have a respective property yet)

javier: for properties you have domain/range, for classes the type hierarchy
… a list of related terms, the source ontology
… for each of the terms you should also note the date it was added (e.g. 4.4 for today)

axelpolleres: the idea of having a single ontology is that this allows for easier integration

<axelpolleres> PROPOSED: We will use http://www.w3.org/ns/priv as the main namespace, if available, otherwise https://w3id.org/priv/

[discussing namespace issues]

simonstey: "main ns" as in only ns, or as in base namespace

axelpolleres: we want to get a stable version out

Bud: Privacy vs. Protection?
… I prefer protection over privacy, as privacy comes more from "invading personal space" and data protection is broader

mark: what about data protection for privacy?

axelpolleres: this affects the ns discussion if we change that
… well the group was always called data PRIVACY voc. ...

bud: wait.. I thought it's protection
… data protection protects both article 7 and 8 of the european [?]
… but only art. 7 is about privacy
… in the communities I'm involved in, they always use data protection

axelpolleres: there was this other working group/workshop martin kunze attended
… that mentioned privacy

mark: it's a very weird topic.. but the GDPR uses both protection and privacy

axelpolleres: maybe not fix the ns acronym to priv yet

bud: what's the scope of e.g. the legal basis part?
… should it be internationally also?

axelpolleres: I outlined that in the gdoc document
https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit

axelpolleres: I suggest dpv as the main namespace (for now at least)

<axelpolleres> PROPOSED: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if available, otherwise https://w3id.org/dpv/

<Bert> +1

<elmar> +1

<axelpolleres> +1

<Fajar> +1

<harsh> +!

<harsh> +1

<Javier> +1

<Ramisa> +1

+0

Resolved: We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if available, otherwise https://w3id.org/dpv/

<harsh> ns/dpv is available on w3id.org

<harsh> https://github.com/perma-id/w3id.org

axelpolleres: do we want to have subns or just one ns?
… we'll discuss that later on

<harsh> I propose for separation of contexts for each of the core categories - purposes, processing, legal basis, etc.

Issue: decide later whether we need sub-namespaces for different subtaxonomies

<trackbot> Created ISSUE-13 - Decide later whether we need sub-namespaces for different subtaxonomies. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/13/edit>.

axelpolleres: this was my input wrt. base ontology

harsh: we didn't cover recipients at all
… only location and purposes

axelpolleres: [gives example]
… I didn't put the articles next to the terms (maybe someone who's more familiar with the GDPR could add them)
… i.e. the article that defines them

bud: controller is 4.7, 4.9 is recipient, 4.10 is 3rdparty

<harsh> data subject is also A4.1

<harsh> identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly

<axelpolleres> Discussion on whether we should rename the properties for class XYZ "hasXYZ"

<axelpolleres> Simonstey: arguing that hasXYZ is a common convention for ObjectProperties

<harsh> Also benefits inverse properties - hasXYZ <--> isXYZof

simonstey: we might have to change the names of properties to make them different from the class names
… e.g. dpv:purpose <-> dpv:Purpose only differs in the lower/uppercase P
… which is a problem for languages where there isn't a lower/upper case (i.e. chinese)

<axelpolleres> PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention

<harsh> +1

+1

<axelpolleres> PROPOSED: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names

<axelpolleres> +!

<elmar> +1

<axelpolleres> +1

<Fajar> +1

<Bert> 0

+1

<Ramisa> +1

Resolved: use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names

harsh: legal ground should be called legal basis (that's used by the GDPR too)

[everyone nods]

harsh: at the start we discussed technicalorganisationalmeasures

bud: the main means involved in the GDPR are technical&organ. measures

axelpolleres: I would prefer to have small groups for the individual sessions
… and maybe discuss them tmrw then together
… the ordering was purely based on getting the groups together according to the indicated interests

axelpolleres: what vocabs do we have to fit in for defining consent?
… i would imagine the action (what triggered the consent request)
… basically, I want to know how to hook the whole thing into the main vocab

harsh: when working on the consent receipt it covers all the points mentioned

mark: one of the big issues wrt. consent receipt is e.g., involved other parties (delegation),
… I think we should make a table in the spreadsheet, where we'll capture terms relevant on describing how consent was received
… the state of consent (it changes)
… how does it relate to practice (how people use it)
… (missing the 2nd order mentioned by mark)

mark: it's very difficult to talk about consent without talking about notice
… identity, notice, recipient are the main parts

axelpolleres: before we start the coffee break
… are we all on the same page?
… is github in sync with wiki?

<harsh> yes

<elmar> Purposes consolidation: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit#

harsh: e.g. purposes on github reflect the results of our last discussion on purposes

<elmar> Purposes discussion: https://docs.google.com/document/d/15pGTjVJLj2lP2x4njcwJo4aGjeGdi0y-_ppxZaoV8xU/edit?usp=sharing

harsh: the github repos are linked to from the wiki pages

mark: I think we need to clarify what's standardizable
… it's a w3c group, but we are working on stuff related to the GDPR
… i.e. international scope vs. eu scope

<axelpolleres> Put on tomorrow's agenda the Internet scope/wider scope of the group.

mark: we should clarify/discuss this

<axelpolleres> Harsh/Mark: GDPR is a good stepping stone, covering many also non-european use cases, but maybe not.

Action: put internet scope/wider scope on the agenda tomorrow.

<trackbot> Error finding 'put'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

Action: Axel to put internet scope/wider scope on the agenda tomorrow.

<trackbot> Created ACTION-81 - Put internet scope/wider scope on the agenda tomorrow. [on Axel Polleres - due 2019-04-11].

harsh: maybe declare everything as OWL/SKOS/RDFS

https://www.w3.org/ns/odrl/2/ODRL22.ttl

<axelpolleres> Harsh's proposal: We declare all our concepts/terms as owl:classes, skos:Concepts and rdfs:classes.

<axelpolleres> We could represent the hierarchy as either skos or OWL... i.e. we could have a .owl version of the vocab and a .skos version?

<harsh> example: ODRL 2.2 has this model https://www.w3.org/TR/odrl-model/

<harsh> "All new classes (rdfs:Class, owl:Class), properties (rdf:Property, owl:ObjectProperty), and instances (owl:NamedIndividual) must also be defined as a skos:Concept. Appropriate rdfs:domain and rdfs:range should also be defined for classes."

<harsh> Counter-proposal: only have a RDFS ontology (do we need the complexity of OWL?)

"Similarly, SKOS does not assume that hierarchical relations are by default irreflexive. In many thesaurus guidelines, it is prohibited to have a concept broader than itself. However, in specific cases beyond classical thesauri, some reflexive skos:broader statements may occur. Consider the conversion of an existing RDFS/OWL ontology into a SKOS concept scheme. In such a case, it is legitimate that every rdfs:subClassOf statement will be re-interpreted[CUT]

However, rdfs:subClassOf is a reflexive property, which means that for every class C, the statement C rdfs:subClassOf C is true [OWL]. In this case every concept would therefore have itself among its broader concepts.

https://www.w3.org/TR/skos-primer/#sechierarchy

[discussing SKOS/RDFS/OWL]

https://www.w3.org/TR/skos-primer/#secskosspecialization

[from ireland]: do we need disjoint?

<axelpolleres> PROPOSED: we use rdfs:subClassOf/subPropertyOf for modeling hierarchies, instead of the weaker formalism of SKOS

<harsh> +1

<Fajar> +1

<axelpolleres> +0

<Javier> +1

<elmar> +1

<Ramisa> +1

+1

<Bert> 0

Resolved: we use rdfs:subClassOf/subPropertyOf for modeling hierarchies, instead of the weaker formalism of SKOS

Issue: we may want to add a non-normative comment in the spec that/how the taxonomy can be used as SKOS.

<trackbot> Created ISSUE-14 - We may want to add a non-normative comment in the spec that/how the taxonomy can be used as skos.. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/14/edit>.

<axelpolleres> in case we need disjointness, we use OWL.

simonstey: or SHACL, depending on the use case ;)

axelpolleres: one thing we haven't talked about yet was on how to describe the provenance of the terms we use

harsh: currently we use rdfs:isDefinedBy
… from the terms of the gdpr we reference the respective articles

simonstey: if you resolve the IRI you get the definition of the term

harsh: seeAlso?

<axelpolleres> provenance: we use rdfs:isDefinedBy for the source (e.g. articles of the GDPR), and use rdfs:comment for documenting justifications.

<harsh> for examples, we can use vann:example (in case needed)

<harsh> good resource for what to use: https://dgarijo.github.io/Widoco/doc/bestPractices/index-en.html

[rdfs: comment and/or dc(terms):description discussion]

COFFEE BREAK

https://stackoverflow.com/questions/28723029/can-i-mix-skos-properties-with-rdfs-properties-to-define-a-class SKOS<->OWL<->RDFS

<rigo> simonstey: how to connect to the polycom system with facetime?

<axelpolleres> Suggestions: since from the breakouts we will likely go to lunch directly: let's reconvene in plenary at 14:00 CEST

<axelpolleres> secondly: I will open two more chatrooms and invite rrsagent.... 1) #dpvcg_purpose 2) #dpvcg_consent

<axelpolleres> ... done, please pick a scribe in each breakout!

https://lists.w3.org/Archives/Public/public-dpvcg/2019Feb/0026.html

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

Action: Fajar to compile the owl file for the NACE r2 codes.

<trackbot> Created ACTION-82 - Compile the owl file for the nace r2 codes. [on Fajar Ekaputra - due 2019-04-11].

<axelpolleres> (needed for purposes)

<axelpolleres> Summary of the Purpose breakout: we essentially consolidated the hierarchy we started with last time and extended it with a context mechanism to scope the purpose, for instance to activities that belong to a certain business sector, identified by NACE codes.

<axelpolleres> After lunch parallel sessions:

<axelpolleres> • Processing Categories: *Simon*, Javier, Fajar, Bud

<axelpolleres> • Security constraints & Storage constraints: *Axel*, Harsh, Mark, Bert, Ramisa

<harsh> Ready for video link

<axelpolleres> us too!

breakout TechnicalOrganisationalMeasures

<harsh> Mapping between GDPR and ISO27k (11-2016) https://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf

<Bert> (GDPR art. 45 item 8 says for the list of EU-like countries to look out for lists published in the Official Journal.)

<harsh> Do we have a link for this list? If not, we should create an Action for it.

<axelpolleres> Mark: recital 71, 75

<axelpolleres> Mark: Article 10, Article 6.1

<harsh> A30-g

<axelpolleres> ... Article 30g, 32.1

<harsh> https://gdpr-info.eu/art-32-gdpr/

<Bert> Art. 32 "Security of processing"

<Bert> https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1465452422595&uri=CELEX:32016R0679

<harsh> More relevant articles: R78, R83, A32

<axelpolleres> https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit#

<Bert> List of (technical or organisation) measures vs list of risks: which of the two is the primary key?

<rigo> this depends on whether you want to use it for risk assessment or legal assessment

<rigo> in the latter case, organisational measures have to correspond to a risk, but in practice they don't and thus you just get a list of n+1 organisational measures

<axelpolleres> [ rdfs:comment "bblala"]

<axelpolleres> use Objectproperties only and use this trick to use comments.

<axelpolleres> 3 alternatives:

<axelpolleres> [rdfs:comment "bblala"]

<axelpolleres> [ dpv:standardFollowed URI]

<axelpolleres> URI

<harsh> Be back after break

<axelpolleres> we muted you for now.

<axelpolleres> reconvene 16:05

<Bert> W.r.t. svl:EULike, there is a list of current countries on https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Action: HArsh, (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to the spreadsheet.

<trackbot> Error finding 'HArsh,'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

Action: Harsh to (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to the spreadsheet

<trackbot> Created ACTION-83 - (with the help/review) of axel, put results of the technicalorganisationalmeasures session to thespreadsheet [on Harshvardhan Pandit - due 2019-04-11].

<axelpolleres> Legal Basis: *Bud*, Harsh, Ramisa, Mark

<axelpolleres> Personal Data Categories: Axel, *Fajar*, Bert, Javier

<axelpolleres> .... type join #dpvcg_data

<elmar> https://webprotege.stanford.edu/#projects/4658d8e1-588e-4847-90c1-6118eabac007/edit/Classes username: dpvcg password: DMdYx2i9Yg6s

<rigo> axelpolleres: for the personal data categories, you can take up the P3P 1.1 data schema, which is properly internationalised

<harsh> Would @rigo be able to answer a question we (legal basis) are stuck at in the IRC?

<harsh> * rigo

<rigo> sure thing, they also can skype me in

<harsh> What's your skype ID? Mine is coolharsh55

<harsh> (got it, thanks)

Issue: personal Data categories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?

<trackbot> Created ISSUE-15 - Personal data cateories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/15/edit>.

<harsh> Should personal data categories be modelled using SKOS, using broader and narrower? dpv:Age skos:broader dpv:AgeRange

<harsh> Also works for specific Location vs generic Location

<axelpolleres> Should we open an issue for the level of granularity we would add in the end? e.g. whether we want to go down to a level of detail allowing to specify that FiveFactor model is used?

<axelpolleres> we will come back to the other room for the wrap-up session.

<axelpolleres> Each session summarize: 1) summarize your status 2) Can you wrap up what you have with actioning 1-2 people to wrap it up for a first version or do you need another breakout or plenary?

1) PersonalData

<axelpolleres> fajar: some more information on description to be added, properties for derivation and sensitivity added.

<axelpolleres> Harsh: rather use superclasses than attributes for "derived" and for "sensitive"?

<axelpolleres> summary personal data:

<axelpolleres> * Personal Categories:

<axelpolleres> * descriptions not finished

<axelpolleres> * derived/sensitive data categories: subclasses or attributes?

<axelpolleres> * Inferred/Derived needs to be sorted

<Mark> Notes: Derived data are properties that are automatically calculated and set on a document during a session save. An example of derived data is the size of some (e.g. binary) property of a node. Such derived data might have to be stored on the node itself.

2) Legal Basis (Bud)

<axelpolleres> Consent, explicit consent, article 9 explicit consent are different :-)

<axelpolleres> does not need another breakout session for a first version, e.g. concrete mechanism to refer to contracts is not yet solved.

3) Technical & Organisational Measures

<axelpolleres> Axel: I think I could wrap this up for a first version for review.

<harsh> Note: we have the spreadsheet of terms and definitions for personal data

Action: Fajar to create a first version of Personal data complete ontology.

<trackbot> Created ACTION-84 - Create a first version of personal data complete ontology. [on Fajar Ekaputra - due 2019-04-11].

<harsh> shared in the mailing list

Action: Axel to create first version of complete TechnicalOrgaMeasures

<trackbot> Created ACTION-85 - Create first version of complete technicalorgameasures [on Axel Polleres - due 2019-04-11].

<axelpolleres> 2) first version is already there, Harsh will clean it up

Action: harsh to clean first complete version of legal basis

<trackbot> Created ACTION-86 - Clean first complete version of legal basis [on Harshvardhan Pandit - due 2019-04-11].

4) Processing Categories

<axelpolleres> still open, we will continue tomorrow, Simon, Bud, Elmar, Axel can try to wrap it up tomorrow.

<axelpolleres> discussion on automated or semi-automatic processing, scale, systematic monitoring, --> high risk processing from GDPR.

<axelpolleres> .... deterministic or blackbox

<axelpolleres> (Javier reported)

5) Purposes

<axelpolleres> Elmar: good starting point, main focus on scoping context e.g. by sector (for the moment supporting NACE)

<harsh> GICS: https://en.wikipedia.org/wiki/Global_Industry_Classification_Standard

<axelpolleres> Mark: GICS, hyperledger ISIC...

<axelpolleres> ... we should use a global one.

Action: Mark to make a proposal alternatively use GICS instead of NACE.

<trackbot> Created ACTION-87 - Make a proposal alternatively use gics instead of nace. [on Mark Lizar - due 2019-04-11].

6) Consent

<axelpolleres> about 50% ready. needs another session (Bud, Mark, Harsh)

<Mark> On Category of controller -- here is a record that list multiple industry codes --> https://opencorporates.com/companies/gb/07698434

<Mark> and GICS is not one of them

<Bert> (There are too many industry classification systems...)

<Mark> 85.52: Cultural education (UK SIC Classification 2007) 85.52: Cultural education (European Community NACE Rev 2) 8542: Cultural education (UN ISIC Rev 4)

<axelpolleres> Agenda for tomorrow

<axelpolleres> * session: consent

<axelpolleres> * session: processing categories

<axelpolleres> -----

<axelpolleres> * process for new terms and feedback

<axelpolleres> * timeline

<axelpolleres> finish drafts (who, by when?)

<axelpolleres> review (who, by when?)

<axelpolleres> publish

<axelpolleres> advertise

<axelpolleres> feedback cycle

<axelpolleres> start tomorrow 9:30

Summary of action items

  1. put internet scope/wider scope on the agenda tomorrow.
  2. Axel to put internet scope/wider scope on the agenda tomorrow.
  3. Fajar to compile the owl file for the NACE r2 codes.
  4. HArsh, (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to the spreadsheet.
  5. Harsh to (with the help/review) of Axel, put results of the TechnicalOrganisationalMeasures session to the spreadsheet
  6. Fajar to create a first version of Personal data complete ontology.
  7. Axel to create first version of complete TechnicalOrgaMeasures
  8. harsh to clean first complete version of legal basis
  9. Mark to make a proposal alternatively use GICS instead of NACE.

Summary of resolutions

  1. We will use http://www.w3.org/ns/dpv as the main namespace, standing for data privacy vocabulary, if available, otherwise https://w3id.org/dpv/
  2. use "hasXYZ" (and "isXYZof" in case we need inverses) as property names convention for ObjectProperties to avoid clashes with (Object-)Class names
  3. we use rdfs:subClassOf/subPropertyOf for modeling hierarchies, instead of the weaker formalism of SKOS

Summary of issues

  1. decide later whether we need sub-namespaces for different subtaxonomies
  2. we may want to add a non-normative comment in the spec that/how the taxonomy can be used as SKOS.
  3. personal Data categories collected might be collected in an approximate manner (e.g. age vs. age range), should we provide a mechanism in the vocabulary to distinguish this?

Minutes manually created (not a transcript), formatted by Bert Bos's scribe.perl version 2.49 (2018/09/19 15:29:32), a reimplementation of David Booth's scribe.perl. See CVS log.
