Meeting minutes
Repository: w3c/dpv
Meeting notes are available at - https://
purl for this meeting: https://
iainHenderson - working at JLINC on creating user-side agreements that can be used to provide or permit use of data by the individual rather than having unilateral terms offered by organisations. DPV concepts would be useful to represent the information in these, and for the creation of common patterns similar to how CC by works for licenses in terms of being well known and easy to understand effects (paraphrased)
IEEE P7012 Standard for Machine Readable Personal Privacy Terms https://
data breach / incident concepts
<ghurlbot> Issue 100 Proposal to add (security) Incident Reporting concepts (coolharsh55) scope, concepts
<ghurlbot> Issue 64 Provide concepts for Data Breach (coolharsh55) concepts, todo, help-wanted
see https://
paul: reviewing the concepts in the spreadsheet - okay for data breach
harsh: have added the incident response concepts from the email to the spreadsheet below the data breach concepts
harsh: they are a generalisation of the breach concepts to (general) incidents, with some specific data breach concepts to be continued
harsh: the proposal is to have the incident and breach concepts within the risk extension to reflect its context (as they are often accompanied with risk assessments)
harsh: the GDPR specific concepts such as notification requirements would go in the GDPR extension
paul: seems okay
harsh: will update the data breach guidance document to reflect these concepts, and share with the group for reviewing next week
ACTION: Add Incident concepts and update Data Breach concepts
ACTION: Update Data Breach guide with Incident concepts
Proposed change to include Non-Personal Data
harsh: gb, get #99
<ghurlbot> Issue 99 Proposal to change DPV scope to include Non-Personal Data (coolharsh55)
harsh: One additional response received on mailing list from Pat McBennett - see https://
… Response is in favour of the change, and prefers option 1 - continuation of namespace IRI with change in concept definitions.
Risk Management concepts
harsh: see #74
<ghurlbot> Issue 74 Add Risk Management concepts from ISO 31000 series (coolharsh55)
harsh: see https://
paul: the concepts at the end are also included in the proposal?
harsh: those are the additional concepts from ISO risk vocabulary that do not fit within our simplified 'risk assessment framework', but they are provided in case someone else needs to use them
With delaram not present today, we defer this topic to next week.
ACTION: delaram, harsh to review risk management concepts
DGA Extension
harsh: gb, get #62
<ghurlbot> Issue 62 Add DGA/eIDAas entities (coolharsh55)
harsh: beatriz shared the email with questions on mailing list, see https://
… harsh replied with suggestions, see https://
beatriz: georg mentioned for Data Intermediary to have separate concepts for Holders and Subjects. To clarify the interpretation of "for" vs "on behalf of" and how the entity should be named. To be taken up when georg is present.
beatriz: Any interest in the group to align concepts between GDPR and DGA? For example, the Intermediary as a Controller or a Processor?
harsh: I think this is possible, since both are separate roles, e.g. the Intermediary can be declared as a Controller using hasDataController
beatriz: Modeling SME - should we also model 'Micro Enterprises'?
… we would need a legal definition (or use of the term) - which the EU 2003 regulation has http://
RESOLUTION: MicroEnterprise has been proposed and accepted as a type of organisation
beatriz: in DGA, the public sector bodies are mentioned which we have in DPV, so we need a definition for private sector. Georg has also asked about modeling public/private sector in DPV. We already have a Sector concept.
harsh: The Sector concept is best left for the area or domain, as used by the controlled vocabularies such as NACE. For these, we have three types of bodies - public, private, and third (voluntary, charity, other). We model these as types of organisation. The existing concepts will get restructured under these.
ACTION: Reorganise the Organisation types to include Public and Private Sector types. For the third type, we can use NonProfit sector.
beatriz: For the purposes of 'Support Informed Consent Choices' - how to model these?
harsh: as discussed in the email, this is not support as an ongoing activity, but rather as a measure taken alongside other existing interactions - such as the providing of advice within a notice. So we can have these as specific purposes (see email).
beatriz: will discuss with georg for the rest of the concepts.
ACTION: beatriz and georg to review DGA concepts