Levels of Protection (W5E)
Session Topic: Levels of Protection (W5E)
Convener: Mary Rundle
Notes-taker(s): Iain Henderson
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Challenge: How do we foster a standard for the degrees of rigour required around identity and data sharing?
We would like to enable data to flow internationally, and reduce friction in volunteered information sharing.
Previous paper published on legal aspects of levels of protection:
- Architected around 4 levels.
- Works for discloser and recipient.
- Draws on OECD, EU, other prior work and principles.
- 1 = lightweight protection (language like 'should'), 4 = heavy duty (language = 'must').
- Onward data transfer is pulled out as an area of specific focus.
- Technology not specified at that stage.
Today's discussion is aimed at the technical side, building on Mary's prior work and paper on the legal aspects of this issue:
Problem - technology changes really quickly
Potential help:
3 separate security accreditations (bring them together)
Fundamentals:
- Flexibility, not prescriptive
- Auditability and oversight, varies by level
Issue: What about the PDEC scenario? How do levels of protection apply if/when the individual uses a personal data service (i.e. not going to set about using ISO standards or accreditation)?
Could a rating system or reputation management system help?
Should decisions be made based on type of data (categories)?
Are 4 levels granular enough?
Is contract law usable/necessary? Wrapped in a trust framework?
What's the role of federations?
Work being done by Kantara Information Sharing Workgroup on standard agreements is relevant (equivalent of Creative Commons for sharing information, standard agreements in human, lawyer and machine readable forms)
Will there be a proliferation of trust frameworks?
Is this really a user experience issue?
It really requires a user-centered design process.