Draft Notes – PMRM TC Meeting, May 10 2016

With the Special Majority Vote to approve Privacy Management Reference Model and Methodology (PMRM) Version 1.0 CSPRD04 as Committee Specification 02, there was a discussion about next steps and potential initiatives for the TC to improve awareness of the PMRM and promote adoption.

General Discussion

·  John Sabo spoke with Ann Cavoukian, co-chair of the PbD-SE TC, who indicated interest in stronger liaison between our two committees. With adequate planning, she would be supportive of hosting a joint workshop at Ryerson University in Toronto, focusing on the PMRM as a tool to analyze use cases in support of Privacy by Design.

·  John mentioned that development of a “tool” to help make PMRM more practical for adoption would be valuable.

·  Nico Notario noted that with PRIPARE deliverables completed, there is focus on developing tools in support of privacy engineering.

·  Gail Magnuson suggested that we determine how to share work in progress with ISACA, IEEE, etc., for example getting OASIS to reach out to these organizations and supporting positioning the PMRM as a formal OASIS standard.

ISO and Related Work

Antonio Kung reported on several areas of interest to the PMRM TC:

·  The PRIPARE methodology handbook is now finalized and a press release was issued in March 2016 (http://pripareproject.eu/). I would like to thank OASIS for having helped us in this.

·  EIP-SCC (European Innovation Platform on Smart Cities and Communities - see https://eu-smartcities.eu/) includes an initiative called Citizen Centric Approach to Data - Privacy by Design (https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design). A first webinar on privacy in smart cities took place on April 28th (https://vimeo.com/164693066). A second webinar will take place on May 12th at 12.00 CET where PMRM will be mentioned. There will be a workshop on privacy during the EIP-SCC general assembly on May 24th in Eindhoven (https://eu-smartcities.eu/generalassembly16/).

·  Here are some developments in ISO SC27/WG5 related to privacy and privacy engineering

o  A study period on privacy in IOT has started

o  A study period on privacy in smart cities is on-going

o  I have proposed a new work item proposal for a technical report: privacy engineering.

o  ISO WG9 on big data is undertaking the standardization ISO-20547 of Big data reference architecture. I believe it is based on the work of NIST. Part 4 of the standard: security and privacy fabric will be developed by SC27/WG5.

o  I see an interest in creating a liaison between ISO SC27/WG5 and OASIS to allow the promotion and integration of PMRM in the ISO context. Since I am active in SC27/WG5, I could help. For instance, I see a benefit in organizing a presentation of PMRM and even proposing an ISO study on the integration of PMRM into the ISO landscape. John Sabo said he would work with Antonio to develop a presentation and explore next steps with ISO.

Communication, Outreach and Announcements

Options were discussed for PMRM outreach:

·  to IAPP, EU and other Privacy Organizations, e.g. a press release

·  to Data Protection Authorities, FTC

·  to CPOs and DPOs

·  include the PMRM in various global presentations

·  Gail Magnuson is drafting an article that includes various privacy engineering tools and techniques and asked that members send her any initiatives that they are aware of. She also will request from the Ponemon Institute release of a document demonstrating PMRM use by the Institute and/or to be used potentially as an example for the team developing the tool

·  Integrate or relate the PMRM into other standards and methods and other initiatives such as PbD, PRIPARE, ISO (Privacy Engineering Framework), ISACA, IEEE, NIST, MITRE, Credential and PrismaCloud, W3C, OGC, others

·  Privacy Engineers and Tools Development:

o  Relate the PMRM to the emerging role of the Privacy Engineer

o  Relate the PMRM to the emerging integration of privacy engineering tools into the IT development processes

o  Find PhD candidates to develop the tool using the PMRM and the standards as part of his/her thesis