Privacy/TPWG/Change Proposal Remove auditable security requirement

From W3C Wiki

Remove auditability requirement from security section

Proposal from Jack Hobaugh; issue-235.

Remove text

From "Reasonable Security" section: Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.

Add explanatory non-normative text

Proposal by Walter van Holst

To "Reasonable Security" section add:

For the purposes of this recommendation, auditable is understood as having sufficient records of access and use of data retained such that an independent auditor would have a reasonable level of confidence that the data retained is exclusively used for the permitted uses or that breaches of this can be detected ex-post. For example, an auditor might use a similar level of confidence to that required for the organization's financial records.