15:55:26 <RRSAgent> RRSAgent has joined #dpvcg
15:55:26 <RRSAgent> logging to https://www.w3.org/2022/11/02-dpvcg-irc
15:55:33 <harsh> ScribeNick: harsh
15:55:37 <harsh> Meeting: DPVCG Meeting Call
15:55:40 <harsh> Chair: harsh
15:55:50 <harsh> Present: harsh, paul, georg, beatriz, delaram
15:55:57 <harsh> Date: 02 NOV 2022
15:56:12 <harsh> Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2022Oct/0013.html
15:56:21 <harsh> Previous minutes -> https://www.w3.org/2022/10/26-dpvcg-minutes.html
15:56:38 <harsh> Topic: Purpose refinements
15:56:50 <harsh> (this is a continued topic, please refer to previous minutes for details)
15:57:58 <harsh> The larger question we discussed asked - How do we help DPV users select the correct purpose(s). The most we can do without specifying the validity of purposes for use would be to provide better descriptions that clarify the meaning and intent behind defining that concept.
15:58:29 <harsh> An adopter then can compare the descriptions to select one that fits their use-case the best, or in cases there are multiple - select them all.
15:58:59 <harsh> Georg and Paul will be taking a look at the existing descriptions to identify what needs to be improved.
15:59:04 <harsh> Topic: Exercising Rights
15:59:18 <harsh> (this is a continued topic, please refer to previous minutes for details)
16:00:52 <harsh> Last week we discussed the core concepts for Rights Exercise and the associated concepts.
16:01:15 <harsh> Beatriz shared further work for implementing these for GDPR rights - see mail https://lists.w3.org/Archives/Public/public-dpvcg/2022Nov/0000.html
16:01:43 <harsh> The broader approach is to consider Rights Exercise as a process that takes some input (e.g. from Data Subject) and produces some output (e.g. from Data Controller).
16:02:26 <harsh> We analysed specific GDPR rights (A.13-A.22, A-7) to identify these inputs and outputs, and how to represent them using DPV concepts.
16:03:13 <harsh> When information is to be provided to the data subject, such as for A.13-A.15, this is in the form of a notice. We create specific variations for notices associated with requirements of A.13, A.14, A.15.
16:04:02 <harsh> For data required to be provided regarding scope, `dpv:hasPersonalDataHandling` is capable of expressing specific patterns such as types of personal data, purposes, legal basis, and so on.
16:04:31 <harsh> Similarly, for specifying what will be provided in return, the term `dpv:MakeAvailable` regarding processing and personal data is used - such as for Data Portability and copy of personal data.\
16:05:13 <harsh> This approach enables asking for specific personal data (or specifying options) for specific purposes tied to Rights Exercise, such as Identity Verification.
16:16:53 <harsh> For expressing metadata about the request, DCMI DCT and PROV-O vocabularies are reused. For example, timestamp is expressed using `dct:date` and activity agent is indicated using `prov:wasAssociatedWith`.
16:17:48 <harsh> The proposed statuses associated with rights exercises have been moved to a generalised `RequestStatus` concept to allow their use in any request - making them broader than rights.
16:19:35 <harsh> For expressing Data Portability outputs, which has a special case of providing personal data as a dataset, the DCAT vocabulary will be reused e.g. as `dcat:Dataset` with metadata such as URL it is available at using `dcat:landingPage` and format using `dct:format`.
16:21:26 <harsh> For cases where a confirmation of processing is to be provided, this is done using `PersonalDataHandling`, and e.g. where no data is being processed, this means returning an empty list that indicates no personal data is being processed.
16:22:40 <harsh> For indicating cases where there is a fee or complex information regarding validity or criteria or constraints, `dpv:hasPolicy` is used to provide information, which can be in machine-readable format using e.g. `odrl:Policy`. This can include cases such as a fee being charged for information (e.g. based on amount of data).
16:23:13 <harsh> For providing information about cases where a Right Exercise could not be fulfilled, the existing `hasJustification Justification` concepts are to be reused.
16:23:44 <harsh> However, rather than modelling them as `RightNonFulfilmentJustification`, as originally proposed, we broaden the scope for Justifications to be associated with anything e.g. compliance, conformance, risk.
16:26:34 <harsh> We discussed on how these should be provided, and where they should be situated. We concluded that we will collect Justifications, and then group them based on usefulness. For example, some justifications would be _valid_ for Rights Exercises, some for Accountability measures, and so on.
16:27:08 <harsh> The Justifications will be provided as part of the risk extensions, since they also relate to the organisational notion of risk management.
16:29:05 <harsh> Topic: Next Meeting
16:29:20 <harsh> We will meet again on NOV-09 13:00 WET / 14:00 CET.
16:29:40 <harsh> Topics for discussion will be Purpose refinements (continued), and final comments on Right Exercise.
16:29:51 <harsh> Paul and Georg will be leading the purpose refinement discussion.
16:30:01 <harsh> Harsh and Beatriz will be leading the rights exercise discussion.
16:30:21 <harsh> Harsh will update DPV based on what has been discussed today, and push the changes online.
16:30:31 <harsh> rrsagent, publish minutes v2
16:30:31 <RRSAgent> I have made the request to generate https://www.w3.org/2022/11/02-dpvcg-minutes.html harsh
16:30:35 <harsh> rrsagent, set logs world-visible
16:31:13 <harsh> rrsagent, bye
16:31:13 <RRSAgent> I see no action items