OASIS Privacy Management Reference Model (PMRM) TC Meeting

8 September 2010


1. Call to Order and Welcome

Michael Willett (convener) called the meeting to order at 11 AM Eastern and welcomed all the participants.

2. Roll Call

The roll call included 12/16 of the voting members. (Majority votes required only 7 voting members to be in attendance). The attendees were:

Sara Biyabani / ? / Guest
Andrea Caccia / AITI-Associazione Italiana Tesorieri de Im... / Group Member
Tony Pham / Bank of America / Group Member
John Sabo / CA Technologies / Group Member
John Moehrke / GE Healthcare* / Group Member
Patrick Pyette / Impriva / Guest
Peter Brown / Individual / Group Member
Gershon Janssen / Individual / Group Member
Gail Magnuson / Individual / Group Member
Gary Roboff / Individual / Group Member
Michael Willett / Individual / Group Member
Trey Tubbs / Jericho Systems Corporation / Group Member
Thomas Hardjono / M.I.T. / Group Member
Diana Graski / National Center for State Courts* / Group Member
Peter Alterman / National Institutes of Health / Group Member
Erika McCallister / NIST* / Group Member
Robin Cover / OASIS * / Group Member
Dee Schur / OASIS * / Group Member
Jonathan Geater / Thales e-Security / Group Member
Mike Davis / VA / Guest
Suzanne Gonzales-Webb / VA / Guest
David Staggs / VA / Guest
Bill Tabor / WidePoint Corporation / Group Member

3. Nominations for Chair/Co-Chairs.

Michael Willett indicated that he and John Sabo had been nominated for Co-Chairs and requested any additional nominations. No new nominations were mentioned.

4. Election of Chair/Co-Chairs.

Michael Willett sought confirmation from Robin Cover as to the voting procedure. Robin clarified that if there were no other nominations, Michael should ask for motion to unanimously accept the nominations of Michael Willett and John Sabo as Co-Chairs. Gary Roboff made this motion and Bill Tabor seconded it. All members voted in favor. There were no opposing votes.

5. Welcome from OASIS Staff. Includes a short overview of the OASIS Technical Committee Process, the OASIS IPR Policy, the TC Charter, and the tools available to the Technical Committee Members.

Robin Cover, Director of Information Services at OASIS walked through the business processes that would govern the activities within this TC. He was standing in for Mary McRae, Director of Standards Development and Technical Committee Administrator at OASIS, who was unavailable due to travel. Robin advised that he had also set up an online conferencing chat room for this meeting.

Robin drew attention to three sets of policy, procedure and rules documents for the TC to follow:

- The OASIS Intellectual Property Rights Policy: This policy governs the TC work and can be found at http://www.OASIS-open.org/who/intellectualproperty.php. This TC operates under the non-assertion mode. The expectation is that there is not likely to be a lot of patentable actions within this TC.

- The Technical Committee Policy: This policy is more relevant to this TC. This document governs the TC process, such as matters of voting membership, how to advance any Specs along etc., and can be found at http://www.OASIS-open.org/committees/process.php. The TC chairs are responsible for the due diligence related to this policy as well as the editor of the Spec.

- OASIS Templates & Guidelines: All mature Specs go into the OASIS library within which is also templates to guide development of Specs. There is also a checklist for operations when submitting work for approval and QA. The OASIS templates can be found at http://docs.OASIS-open.org/templates/. Other templates include the TC Public Page Template, the TC FAQ Template, TC Administration Request Forms, Naming Conventions (if you are using XML namespaces etc.) and Conformance Guidelines. There is also commentary on the TC process documented in the TC Handbook.

Robin will send the links for these three principle resources to the email list. It also can be found on the OASIS website under IPR Policies/TC Process & Templates.

Robin then moved on to the second part of his presentation regarding the PMRM TC Charter and the Call-for-Participation documents. These documents can be found at http://www.OASIS-open.org/committees/pmrm/charter.php and http://lists.OASIS-open.org/archives/pmrm/201007/msg00000.html respectively. The document that defines the direction and scope of the TC is the TC Charter that is posted on the TC homepage. Additional information is found in the Call-for-Participation document. This information is not necessarily part of the TC charter proper but provides more background on the TC, including work to be contributed by ISTPA, for interested parties.

Robin continued his presentation by urging the TC, when publishing links, to try to use the public link which is http://www.OASIS-open.org/committees/tc_home.php?wg_abbrev=pmrm. The URI for the TC homepage is http://www.OASIS-open.org/apps/org/workgroup/pmrm/. Additionally, the roster for the TC can be found at http://www.OASIS-open.org/apps/org/workgroup/pmrm/members/roster.php while the public roster is at http://www.OASIS-open.org/committees/membership.php?wg_abbrev=pmrm.

Other resources available to the TC include a discussion list which is publically archived and can be found at http://lists.OASIS-open.org/archives/pmrm/. If the TC is in need of a wiki as a "scratch pad,", one can be requested and this link would be at http://wiki.OASIS-open.org/pmrm/. A soaphub web conference tool can be used, such as was used at this meeting, and that link would consistently be http://webconf.soaphub.org/conf/room/pmrm. The tool supports queue management, chat history etc. and does not require a download or plug-in. Finally, a JIRA issue management tracking tool is available upon request which can be found at

http://tools.OASIS-open.org/issues/secure/Dashboard.jspa. (A comment from the floor endorsed JIRA as a good tool to use).

In closing, Robin welcomed new members and thanked existing members for "stepping up to the plate." He emphasized that the PMRM and privacy should be of interest to anyone who does business. He said that he had high hopes for the deliverables of the TC.

John Sabo then thanked Dee Schur for the great job that she had done on the Members Section for IDtrust. He wanted those on the call to know that the IDtrust Members Section has a budget, as a portion of the OASIS dues goes to support the Members Section. The Members Section is very viable and the Steering Committee will use the budget, albeit small, to support requests for needs that have been identified by the TC members. John then sought confirmation from Dee as to whether she was specifically going to work with this TC.

Dee Schur confirmed that she, Robin Cover and Carol Geyer were on staff to assist the TC efforts and that significant outreach work had already been done for this TC. She was glad to have a "nice nucleus" of members thus far and was still talking to other companies. Michael Willett thanked her for the recruitment efforts as the results were clearly reflected in the attendance at this meeting. Dee emphasized that a lot of background work is going on to identify relevant groups and companies and if anyone had any names of suggested companies, please send them to her. It is not even necessary to have contact information for these companies. Dee then thanked Gail Magnuson for her own incredible outreach efforts for this TC.

6. (Optional) Review of the TC Charter & 7. (Optional) Discussion of Contributed Work

John Sabo discussed the highlights of the TC charter and provided a recap about what the TC was trying to accomplish. ISTPA has developed the Privacy Management Reference Model 2.0 that the ISTPA Board voted to contribute to the OASIS PMRM TC. He then asked Jamie Lewis (OASIS lawyer) whether additional actions needed to be taken. Jamie Lewis advised John that the ISTPA work should be either sent to the TC list (or put into the OASIS Repository and an email sent directing TC members to the document) indicating that the work is being contributed by ISTPA and therefore it is usable by the TC when developing any deliverables.

John next explained that the ISTPA PMRM 2.0 looks at privacy from an operational perspective vs. a policy perspective. The ISTPA PRM 2.0 is a framework-level reference model - not a specification to meet any privacy policy or Fair Information Practice - for those who work on the operational implementation side of privacy. PMRM 2.0 addresses privacy requirements at a service level and functional level as well as the explicit relationship between security and privacy services (e.g. confidentiality and encryption services have a specific place in the reference model).

The deliverables of the TC are well-defined. Other areas to be developed will be considered but the OASIS Privacy Management Reference Model is the primary deliverable. The TC will also be developing use cases scoping, for instance, the healthcare/HIT and cloud computing scenarios as well as a methodology for expressing these use cases.

The original PMRM TC charter includes the importance of liaison relationships to the TC. The Kantara Initiative (http://kantarainitiative.org/) has a Privacy Policy Working Group and they have requested a formal representative into the PMRM TC. Additionally, de jure standards organizations like ISO and ITU have also expressed interest. John will be presenting about the PMRM at the ISO conference at the end of the month.

The TC charter has been agreed to by the Proposers and is in place.

Michael Willett urged TC members to browse through the charter - "or read it in earnest" - because a lot of work has been done thus far. John Sabo explained that contributions will help to advance this existing reference model work and Michael Willett shared that some of the liaison organizations have indicated that they have documents to contribute.

8. (Optional) Adoption of Standing Rules.

Michael Willett asked the members if there were any standing rules to consider, but no comments were submitted from the floor.

9. (Optional) Assignment of Responsibilities.

Michael Willett indicated that a TC secretary and editors were needed - particularly for the development of the use cases.

10. (Optional) Creation of Subcommittees.

Michael Willett explained that subcommittees would be created, when appropriate, in support of the creation of use cases and the development of the PMRM.

11. Confirmation of Meeting Schedule.

Michael Willett led the discussion regarding the meeting schedule and sought confirmation regarding a tool that was available to merge available meeting dates/times from members. Robin Cover explained that the tool was available in the event the TC membership could not reach consensus on the call. The tool seemed to be particularly helpful in the event of time zone-related clashes of schedules. John Sabo suggested that monthly teleconferences could be set up for the formal meetings as a starting point and additional informal meetings could occur in between the formal meetings, if necessary. No voting would be done at the informal meetings. The TC membership agreed that the formal meetings would take place on the

2nd Thursday of each month at 11:00 EST

Therefore, the next formal meeting of the PMRM TC will be on October 14th, 2010 at 11:00 PM EST. CA Technologies has contributed the phone bridge so the same dial-in number will be used each month.

Toll Free Dialin (US & Canada): (866) 376-6162
International Dialin Number: +1 (660) 422-5140
Conference Code: 017 643 4820
Chat: http://webconf.soaphub.org/conf/room/pmrm

John stated that we should plan on enough time at these meetings to address the organizational management issues so please get familiar with the ISTPA PMRM 2.0 and the PMRM TC charter prior to the next meeting. Also, any suggestions regarding subcommittees should be discussed via the email discussion list.

The minutes from these meetings will be posted and they will be approved at the next meeting.

Additionally, the IDtrust Members meeting, hosted by the World Bank, is taking place on September 27-28th in Washington DC. OASIS is making space available on September 29th for individual TC meetings for members who are in Washington to attend the conference. Therefore, an informal meeting of the PMRM TC is being proposed for 9:00 AM EST on September 29th. The purpose would be to discuss the TC. The location will be the same as the IDtrust Members meeting and PMRM TC members are urged to RSVP to John Sabo. Gail Magnuson suggested that a conference bridge be established which Dee Schur confirmed would be set up. Via webchat, Bill Tabor posted the link to information about the IDtrust Members Meeting which is http://events.OASIS-open.org/home/idm/2010/schedule.

12. Adjourn.

Prior to adjourning, Michael Willett asked if there were any other issues.

John Sabo then addressed the voting members of the TC regarding the Kentara Initiative's request for a formal representative between their Privacy Policy Working Group and the PMRM TC. They are not formally affiliated with OASIS. Abbe Barber, of Bank of America, had asked that Susan Landau (formally with Sun, active with Liberty Alliance and now at Radcliff publishing a book) be the formal representative. Kentara has asked that her individual membership ($300) be paid for OASIS/IDtrust. Via webchat, Robin Cover posted the link to the OASIS Liaison Policy which is http://www.OASIS-open.org/committees/liaison_policy.php. A motion was made to do this and Gary Roboff seconded it. Gershon Janssen suggested that OASIS already had a representative to the Kentara Initiative - Bob Sunday - and that maybe OASIS would decide that this new membership to Kentara was unnecessary. John Sabo mentioned that the question would be whether Bob Sunday had bandwidth to be both a representative to Kentara as well as their representative to OASIS. Dee Schur clarified that these were two separate scenarios. Peter Brown suggested that an amended motion be made to recognize a formal representative from Kentara; however, he thought that covering the cost of that representative might not be the right motion within this TC. Dee confirmed that the issue of funding the Kentara representative would be put on the Steering Committee agenda for later that afternoon. Therefore a new motion was made to propose a liaison relationship with the Kentara Initiative and to propose that the Steering Committee address the funding of Susan Landau as that representative. Gary Roboff seconded the motion. All votes were in favor. There were no dissenting votes.