DPVCG Meeting Call

19 SEP 2022


beatriz, georg, harsh, paul

Meeting minutes

Previous minutes

paul: Working on using DPV and DPCat for ROPA-based tools, with a questionnaire to understand uses. Will share with DPVCG when ready for feedback.

Use-cases, Requirements, and Examples

see email https://lists.w3.org/Archives/Public/public-dpvcg/2022Oct/0003.html

These will be moved to the main repo, along with additional functionality that links examples in the tables for relevant concepts within specs

Discussion on rules

See previous minutes for reference and overview

georg: Where should the rules be expressed? Does everything (e.g. each PersonalDataHandling) have to be explicitly declared as permission and prohibition?

harsh: Default is that something is permitted which we implicitly are using currently, so we can explicitly say something is not permitted. But for contexts such as recording a decision for consent, you can explicitly denote permissions and prohibitions to reflect what the user has expressed to indicate a complete decision from choices. Though typically a record only contains the decision rather than all choices.

See beatriz's email - https://lists.w3.org/Archives/Public/public-dpvcg/2022Oct/0006.html regarding creating equivalent ODRL policies for rules expressed in DPV

Since there are no specific queries regarding rules, we accept them for inclusion within the spec.

DPV v1 release

We had invited comments until OCT-15, and we received a few major as well as minor comments. Most have been address (ref. mailing list and GitHub issues), with some still pending - such as dpv-tech and Cloud computing concepts.

However, no issues identified that are 'blocking' the release.

We discussed and set NOV-15 as the date for release, to have it published in time for dissemination before the christmas break and to indicate 'stability' in the current work while continuing to enhance it.

We discussed what is 'missing' from the current set of concepts in DPV, namely - rights, data breaches, and data transfers. We agreed that rather than wait to finish these concepts, we will continue with the v1 release, and add them as per their condition at the time.

For example, if the concepts have been accepted, they will be added while documentation may be pending. If the concepts are still being explored, a note to the effect and their proposed status will be added (e.g. appendix). This is to indicate that while the concepts are not present in the spec, they are being worked upon.

Exercising Rights

See email - https://lists.w3.org/Archives/Public/public-dpvcg/2022Oct/0004.html regarding concepts representing exercising of rights, responses, status, and provenance of activities.

We will take this up in the next meeting specifically to go over the examples. In this meeting, we discussed the concepts regarding exercising rights.

beatriz has proposed - https://github.com/w3c/dpv/issues/63 to add `RightExemption` as a concept to represent the cases where a right cannot be fulfilled

We discussed and agreed on the term `RightNonFulfilmentJustification` as a type of `Justification` to indicate why a right could not be fulfilled. This is to avoid the phrase "right exemption" which would be interpreted as saying an exemption to providing the right.

In cases where the right cannot be fulfilled, the appropriate status (e.g. RightNotFulfilled) and a justification (i.e. RightNonFulfilmentJustification) would be used. Examples from beatriz's list include (Art.13/Art.14/etc.) - Data subject already has been provided this information, Confidentiality breach, and so on.

Additional discussion and notes

Systematic and extensive evaluation of personal aspects relating to natural persons - from GDPR's DPIA 35.3a can be a list of SKOS concepts that suggest what other concepts are relevant to interpret this (complex) concept. Need to figure out how to provide such a list.

DPV-PD - adding CriminalOffense as subtype of Criminal

DPV-GDPR - adding Proportionality, SystematicExtensiveEvaluationOfPersonalAspects

Risk - New category of consequences related to ConsequenceOnDataSecurity and new category for ConsequenceForDataSubject and ImpactOnDataSubject

OrgMeasure - new concepts for reviewing validity, effectiveness, etc. - with specific types for ReviewImpactAssessmentConformance and ReviewImpactAssessmentAdequacy ; adding ConsultationWithDataSubjectRepresentative for DPIA

Lawfulness as a specific compliance sub type for legal compliance, with types Lawful, Unlawful, and LawfulnessUnknown ; with variations for GDPR as GDPRLawfulness, GDPRCompliant, and so on

ConformanceStatus as a specific type to indicate conformance (as distinct from compliance), with types Conformant and NonConformant

DPIA outcomes in terms of processing recommendations as DPIARecommendsProcessingContinue and DPIARecommendsProcessingNotContinue

DPIA adherence expressed as DPIAConformity with specific types

Next Meeting

We will meet again in 1 week, on OCT-26 WED 13:00 WEST / 14:00 CEST

Topics will be continued discussion on rights, with specifically focusing on the examples shared on mailing list and representing GDPR's rights

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).