Meeting minutes
Resolution of previous minutes
No comments on concepts or prior discussions. They will be added to DPV.
Risk Consequences
The current list of consequences is based on terms identified from various ISO and ENISA documents. There wasn't an authoritative list of terms.
julian raised the question of whether these terms are authoritative, or should be segmented based on their source (e.g. ISO terminology)
harsh thinks these terms are commonly used, have various forms based on domain and language, and DPV should provide them as an opinionated list
If in the future there is an authoritative list, we can adopt that. Otherwise we continue to add terms based on having authoritative sources (e.g. mentioned in a document)
The terms have not been structured into a hierarchy yet. They are only indicative of potential consequeces, and how to categorise them. For example, Data Breach does not always lead to "damage", but should be considered to lead to this consequence given the high potential.
The classification is intended to provide helpful guidance and to be useful in assessing consequences and impacts.
Proposed Guides
Currently, there is only one guidance document related to DPV (for OWL2).
Similar guides should be provided for other serialisations, i.e. /Using DPV with RDFS and SKOS/ as well as a /Note on DPV Serialisations/.
Application specific guides should also be provided that explain how DPV is helpful towards implementing specific information systems.
There is existing work (harsh's recent paper) on DPIA that can be used as a /Guide for GDPR's DPIA using DPV/.
Similarly, Paul, Rob, and Harsh's paper (DPCat) on ROPA can be used to create /Guide for GDPR's ROPA using DPV/
In addition, a /Guide for Consent Records using DPV/ would be helpful given this is a common use of DPV. The guide can be updated for conformance with ISO/IEC 27560 once it has reached a mature stage.
Other guides the participants discussed as being helpful - Subject Access Requests, Data Breach, Privacy Notices (generate, represent), Controller-Processor Agreements, Data Transfer Agreements, Rights Request Tools (implementation), Document analysis using DPV as a controlled vocabulary for NLP, Organisational Management & Overview of Processoes (e.g. track activity status), and focus on other legal bases (E.g. contract)
For these, volunteers are invited to provide material and contributions. Outputs from H2020 projects (e.g. TRAPEZE, SmashHit) will also be useful to create such guides.
Additional Concepts
The concepts `SyntheticData` and `ObservedData` have been added to personal data taxonomy reflecting their increasing use and usefulness in documents.
The concept `DataPublishedByDataSubject` has been added as a type of `DataSource`. The group discussed other forms of data sources, such as distinguishing when data is directly provided by the data subject, is observed, or is derived from existing data.
Instead of duplicating concepts (e.g. data subjects, processing operations), the guidance is to specify the entity or manner as data source, i.e. directly use `ThirdParty` or `DataSubject`, with the processing operation providing indication of how, i.e. `collect`, `observe`, etc.
Since data published by the data subject is the only one not possible to be represented using existing concepts, we have added this to the list of data sources.
Risk Ontology
We have some risk concepts in DPV (main vocab), a risk extension that provides risk levels, assessment techniques, and methodologies.
ISO vocabularies (amongst other risk related ones) describe several more concepts associated with risk, such as assessment, identification, analysis, and so on.
The group discussed and has agreed that these concepts are useful, and it would be beneficial to provide these in the form of a "lightweight ontology".
The aim of this would be to provide a representation of these concepts, and to utilise them as organisational measures where relevant.
For example, the term `RiskEvaluation` is a concept, and can be an activitity, or a management policy. The ontology would focus only on providing these abstrat concepts and relationships, which can then be utilised in varied ways (e.g. provenance, logs, plans, policies) as required in contextual use-cases.
Next Meeting
We will meet again in 1 week WED 13 AUG 13:00 WEST / 14:00 CEST