W3C

– DRAFT –
DPVCG Meeting Call

13 OCT 2021

Attendees

Present
beatriz, georg, harsh, julian, paul
Regrets
-
Chair
harsh
Scribe
harsh

Meeting minutes

DPV Personal Data Category naming

see https://github.com/w3c/dpv/issues/27

Changing PersonalDataCategory to PersonalData --> big change, needs to be taken up with all on mailing list

For prefixing or suffixing concepts, the proposal is Historical --> HistoricalData

georg: related to issue regarding whether the naming should also reflect whether something is personal data, after anonymising, etc.

paul: what is the origin of these names?

harsh: EnterPrivacy taxonomy, and in SPECIAL there were separate vocabs for each concept e.g. personal data category

harsh: a better example is perhaps Location as personal data, but also relevant in recipient and data storage where it is a separate concept

Two options we have: separate vocabularies - to minimise compatibility issues, we can move just the personal data categories; OR add prefix/suffix to data categories

beatriz: both are fine

paul: one single vocab would be preferable

georg: one single vocab is the selling point / attraction for DPV

julian: one view or vocab is preferable

We have the option to prefix PD as a suggestion

georg: Do we limit this to PD or also expand with other requests such as EyeColourDataSensitive?

harsh: only for PD, for sensitive we have subclass

No objections to prefixing with PD

Should DPV provide Constraints/Permissions/Prohibitions?

See https://github.com/w3c/dpv/issues/18

See https://github.com/EBISPOT/DUO

beatriz: would be better to use ODRL since it has rights and constraints handling by design and purpose

harsh: there is value in lightweight concepts, which can be further expressed using ODRL

We consider this of interest, and needing further thought. Beatriz will be the technical evaluator to express critique.

Personal data characteristics: collection method (direct, inferred), sensitivity, (pseudo-)anonymisation

Collection method (direct, inferred) -> is of interest; propose concepts for review

Sensitivity - proposal to have this as subclass of PersonalDataCategory and parent class of SpecialCategories

georg: are they the same? see Rec. 10

harsh: they should be different, Sensitive is a larger set, e.g. EDPB considers Location as sensitive but it is not Special

agreement that Sensitivity can be added to DPV

Anonymisation and Pseudo-anonymisation (along with levels, methods) are of interest, as in anonymised and pseudo-anonymised data. To provide concepts for review.

Technology / Implementation details e.g. storage mechanism, use of cookies

Agreement that this is of interest, and should be added

Proposal is to have a separate concept for technology (or technological implementation) for associating how something else in DPV is implemented e.g. data storage in cloud storage or database

Privacy Policy and related concepts

see https://lists.w3.org/Archives/Public/public-dpvcg/2021Oct/0003.html for sources and SotA

see https://lists.w3.org/Archives/Public/public-dpvcg/2021Oct/0005.html for spreadsheet with concept proposals by Georg

(shared screen by Georg showing mind map of privacy policy concepts)

concepts being discussed - publishing data, duration (start and end of effect) can be represented using DCT or DCAT as relevant

georg: how to number/identify specific personal data handling instances in a privacy policy

We stop the discussion here due to time limits.

Next Meeting

We will meet again on WED OCT-27 13:00 WEST / 14:00 CEST

Discussion will take place asynchronously on the mailing list / elsewhere meanwhile

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).