IRC log of dpvcg on 2022-09-28

Timestamps are in UTC.

17:31:05 [RRSAgent]
RRSAgent has joined #dpvcg
17:31:05 [RRSAgent]
logging to
17:31:08 [harsh]
ScribeNick: harsh
17:31:14 [harsh]
Meeting: DPVCG Meeting Call
17:31:18 [harsh]
Chair: harsh
17:31:29 [harsh]
Present: harsh, beatriz, georg, delaram, paul
17:31:33 [harsh]
Date: 28 SEP 2022
17:31:42 [harsh]
17:33:14 [harsh]
Previous minutes ->
17:33:48 [harsh]
Topic: dpv-legal external vocabs
17:34:43 [harsh]
Bert Van Nuffelen suggested using EU vocabularies as an authoritative source for concepts currently in DPV-LEGAL. Namely countries and EU membership.
17:34:54 [harsh]
See for the issue and discussion.
17:35:36 [harsh]
Given that the EU vocabularies are authoritative and well-maintained, we decide to remove these concepts from DPV-LEGAL and use the ones from EU instead.
17:36:03 [harsh]
This means rewriting most of concepts to use EUvoc IRIs, e.g. for expressing laws and authorities and other sources.
17:37:19 [harsh]
If there are other authoritative vocabularies, then alignment is simple given that they all use ISO 3166 codes for countries.
17:38:05 [harsh]
Topic: ISO 27560 Consent Record
17:38:27 [harsh]
The standard is closing towards stability, with an expected publication date of June 2023.
17:38:57 [harsh]
Once the schema is relatively stable and consensus is reached, DPV will provide a guide on creating consent records based on 27560, along with providing the relevant 'schema' and vocabulary.
17:39:48 [harsh]
An example of how using DPV can be used for the current draft is here -
17:39:52 [harsh]
Topic: Rules
17:40:12 [harsh]
We discussed the need (and limitation) for simple mechanisms to express rules over DPV defined information.
17:40:47 [harsh]
The proposal is to have `hasRule` as a relation that takes a target `Rule`, which may be of type `Permission`, `Prohibition`, and `Obligation`. For anything more, we refer to external vocabularies such as ODRL.
17:41:30 [harsh]
These rules can be associated with any /block/ such as PDH's. If they have to be applied over single concepts, e.g. to say data category Identifier is prohibited, then it is tricky to express this.
17:42:14 [harsh]
Because using triple notations, there are two sets of information here - 1) `hasPersonalData Identifier`; and 2) `hasRule Prohibited`.
17:43:35 [harsh]
Alternative is to provide specific relations, e.g. as `hasProhibition [ hasPersonalData Identifier ]` - which is still the same solution with a less elegant expression, no explicit notation of the /rule/, and requires creating such relations for every type of rule.
17:44:19 [harsh]
Paul has asked for examples (e.g. mailing list) for how the proposed rule expression will work. The next meeting will discuss the examples and decide on rule expression.
17:45:30 [harsh]
Topic: Right Exercise
17:46:16 [harsh]
Rights can be of two types - `ActiveRight` which means some action must be taken to exercise it, and `PassiveRight` which means no action needs to be taken as it is always under exercise.
17:46:54 [harsh]
Examples are GDPR (D)SAR or Data Portability being active rights, while right to privacy is a passive (and fundamental) right.
17:47:10 [harsh]
We therefore focus on how to exercise active rights.
17:48:17 [harsh]
georg raised an interesting question - if some information is needed to exercise right, this should be indicated in the notice/record. The appropriate legal basis for this would be legal obligation.
17:51:00 [harsh]
We discussed the use-cases for rights, and tried to identify the key information / concepts.
17:51:16 [harsh]
We have `Right` and `hasRight` in DPV. We need a way to indicate how/where to exercise that right.
17:51:39 [harsh]
This can be through a relation `isExercisedAt` that points to some resource or link where the right exercise can be requested or performed.
17:52:32 [harsh]
To express what is needed for this, such as some information (e.g. email) or technical measure (e.g. authentication) - a PDH instance can be used which provides the framework for describing purposes, processing, personal data, entities associated.
17:53:51 [harsh]
To indicate who made the request, which may not always be the data subject but an authorised party, the relations `isMadeBy` and `isMadeTo` were discussed.
17:54:08 [harsh]
Note - we have `isIndicatedBy` which can be reused here with a complement as `isIndicatedTo`
17:54:51 [harsh]
To indicate the data subject whose right is being exercised, the existing `hasDataSubject` can be used. As with consent, it may not be necessary to always duplicate informatoin on who indicated and who the data subject if they are the same.
17:55:28 [harsh]
A single access point for rights can handle multiple rights. This can be indicated by using `hasRight` with all the rights.
17:57:22 [harsh]
To indicate the scope of the request, e.g. a specific purpose or personal data, or a temporal duration, `hasScope` and `Scope` can be used.
17:58:26 [harsh]
An open question is how to express the authorisation (relation or information) between Data Subject and the request initiator. We may need to establish a way for these relationships and information.
18:00:06 [harsh]
Rights exercises have stages/events. There is a request by the data subject, then an acknowledgement by the controller, then a response.
18:00:28 [harsh]
Response may be successul exercise of the right, and may contain additional information and/or actions such as download data or view a page.
18:00:51 [harsh]
Response may be failure to exercise right with justification, or an intermediary stage asking for more information or authentication.
18:01:13 [harsh]
An open question for requests - how to express data should be in a specific format, e.g. PDF.
18:01:31 [harsh]
An open question - how to express where information should be communicated, e.g. via emails.
18:01:49 [harsh]
We will circulate ideas/proposals/discussions via the mailing list, and take this up again next week.
18:01:53 [harsh]
Topic: Next meeting
18:04:03 [harsh]
We will meet again in 1 week, on OCT-15 13:00 WEST / 14:00 CEST.
18:04:17 [harsh]
Topics will be Rules and Rights Exercise, with other items on agenda and AOB.
18:04:20 [harsh]
rrsagent, publish minutes v2
18:04:20 [RRSAgent]
I have made the request to generate harsh
18:04:26 [harsh]
rrsagent, make logs world-visible
18:04:52 [harsh]
rrsagent, bye
18:04:52 [RRSAgent]
I see no action items