OASIS Privacy Management Reference Model (PMRM) TC Meeting

MINUTES

13 January 2011

REGULAR MEETING

AGENDA:

1. Call to Order and Welcome

Michael Willett (convener) called the meeting to order at 11 AM Eastern and welcomed all the participants.

2. Roll Call

Meeting Statistics
Quorum rule: 51% of voting members
Achieved quorum: false
Counts toward voter eligibility: true
Individual Attendance: Members 15 of 42 (35%); Voting Members 6 of 13 (46%) (used for quorum calculation)
Company Attendance: Companies 11 of 30 (36%); Voting Companies 5 of 10 (50%)
Meeting Attendees
Name / Company / Status
John Sabo / CA Technologies / Group Member
Kel Callahan / HIPAAT International, Inc. / Group Member
Peter Brown / Individual / Group Member
Michele Drgon / Individual / Group Member
Gershon Janssen / Individual / Group Member
Susan Landau / Individual / Group Member
Michael Willett / Individual / Group Member
Stuart Shapiro / Mitre Corporation* / Group Member
Diana Graski / National Center for State Courts* / Group Member
Erika McCallister / NIST* / Group Member
Walter Tamminen / Nokia Corporation* / Group Member
Thinh Nguyenphu / Nokia Siemens Networks GmbH & Co. KG / Group Member
Dawn Jutla / Saint Mary's University / Group Member
Suzanne Gonzales-Webb, CPhT / Veterans Health Administration / Group Member
Bill Tabor / WidePoint Corporation / Group Member

3. Approval of Minutes from formal PMRM TC meeting: 9 Dec 2010

Approval of the Minutes was deferred until the next meeting on 10 Feb.

4. Expressing Use Cases: review John S's draft proposal (see John's e-mail)

5. Review Action Items (see previous Minutes)

6. Timeline and Work Plan

7. Reports from any liaison members

8. Other Business

9. Adjourn

DISCUSSION:

- Michele: Has not had a chance to meet with Gail M yet; will connect re: Smart Grid Use Cases and the use of John’s “recursive analysis methodology”.

- Michele: Working on the “current PIA landscape” item; tough to do. ACTION: Any/everyone should send Michele any existing PIAs to:

- John S: PMRM Recursive Analysis Methodology for Use Cases (see Draft):

  • Needed: reference model for actually building a system; issues:
  • How to identify a structure for requirements geared toward architects?
  • How to marry policy to operational controls? E.g., lots of PIA. How to address the conversion?
  • Mapping policy to life cycle approach? Ex: Interoperability between jurisdictions (for example: social networks).
  • Use Case analysis: could benefit from a graphical structure (UML or simple graphics)
  • John then went through the several stages of the Methodology.

- Stuart: PIA under Step 1?

- John S: PIA stop at analysis boundary; not all of Step 2.

- Stuart: Maybe not have PIA in Step 1, but rather Accountability Review; i.e., system requirements.

- PIA in Step 2 is just a particular format for a risk analysis.

- John S: We need to begin to collect selected definitions; e.g., touch point.

- Controls (definition?), step 3: Follows from Step 2: Requirements.

- Stuart: Steps 1-3 = good privacy systems engineering; now made systematic with the PMRM. Step 4 is the novelty.

- Suzanne: Domain analysis model (HL7), uses UML. May not be/contain a PIA? Yes: risk analysis at the end. Some HL7 work is still on-going.

- John S: Is the HL7 work public? Yes; can be shown in a limited fashion.

- Peter Brown: How much detail in the Methodology? Reference model = high level, but Use Case can get low level. Look at other models for display; e.g., diagrams, not just UML.

- Michele: Example – smart grid Use Case, cloud side. Suzanne/Gail?

- John S (to Peter): Abstraction Model use case level.

- John S: ID Trust meeting: Face to Face in London, 10-12 Oct. Theme: Cloud computing and Trust. Could meet the PMRM TC (informally) on Wednesday, 12 Oct, in person?

- John S: Toronto meeting: may not happen; move to the London meeting.

- Stuart: Use Cases – tackling “Do Not Track = technology that enables users to opt out of third-party web tracking, including behavioral advertising”. High-potential commercial value.

- John S: Need a champion for each Use Case. Which Use Case has higher visibility? E.g., Do Not Track: Govt push, but impacts the commercial sector.

- Discussion of the Action Items re: champion(s) of the Use Cases. See revised Action Items doc, to be distributed.

- Willett will check on use of the OASIS wiki.

Adjourned: 12:10 PM Eastern

Next Meeting 10 February 2011

As the PMRM TC meetings are the 2nd Thursday of each month at 11:00 EST, the next meeting will be:

10 February 2011 at 11:00 EST

Toll Free Dial-in (US & Canada): (866) 376-6162
International Dial-in Number: +1 (660) 422-5140
Conference Code: 017 643 4820
Chat: