-
Notifications
You must be signed in to change notification settings - Fork 27
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
2c6ad3e
commit 2c42f2a
Showing
3 changed files
with
210 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| 14:54:20 <RRSAgent> RRSAgent has joined #dpvcg | ||
| 20:09:03 <harsh> Scribe: harshPandit | ||
| 20:09:23 <harsh> ScribeNick: harsh | ||
| 14:55:03 <harsh> repo: w3c/dpv | ||
| 14:55:13 <harsh> Meeting: DPVCG Meeting Call | ||
| 14:55:18 <harsh> Present: harshPandit, tyttiRintamaki, paulRyan, georgKrog, danielDoherty, delaramGolpayegani | ||
| 14:55:18 <harsh> Regrets: julianFlake | ||
| 14:55:22 <harsh> Date: 20 AUG 2024 | ||
| 14:55:26 <harsh> Agenda: https://www.w3.org/events/meetings/0e21485e-d959-4f78-930a-bd66650adace/20240820T133000/ | ||
| 14:55:31 <harsh> Meeting minutes: https://w3id.org/dpv/meetings | ||
| 14:55:35 <harsh> purl for this meeting: https://w3id.org/dpv/meetings/meeting-2024-08-20 | ||
| 14:55:18 <harsh> Topic: Intro | ||
| 14:55:18 <harsh> danielDoherty: Doing masters at Trinity College Dublin, working with Delaram and using AIRO to represent Bias and have a proposal to integrate them in to DPV | ||
| 14:55:18 <harsh> Topic: Legal Basis | ||
| 20:10:04 <ghurlbot> https://github.com/w3c/dpv/issues/111 -> Issue 111 Model information about legal bases (by coolharsh55) | ||
| 14:55:18 <harsh> Subtopic: Fields | ||
| 14:55:18 <harsh> harshPandit: (recap of legal basis concepts discussed in previous meeting) We have consent type concepts and statuses, we need something similar for other legal basis. Discussed concepts for contract, legitimate interest, legal obligation, official authority, public and vital interest. | ||
| 14:55:18 <harsh> georgKrog: (responding the legitimate interest statuses associated with declared/uncdeclared and objected) According to CNIL, Legitimate Interest must be declared at point of processing and not in privacy policy which is separate and hidden. This means Legitimate interest must be declared to the data subject. | ||
| 14:55:18 <harsh> harshPandit: Along with expanding DPV fields, I have also gone through mapping these fields to the ISO 27560 consent record fields so that the same record can be used for recording other legal bases | ||
| 14:55:18 <harsh> georgKrog: legal basis fields are needed, propose to go through specific GDPR agreements e.g. Controller-Processor agreement and then we look at other contracts later on. | ||
| 14:55:18 <harsh> Subtopic: Agreements as Legal Basis | ||
| 14:55:18 <harsh> harshPandit: Agreements like Controller-Processor are not defined as legal measure, we have modelled it as org-measure | ||
| 14:55:18 <harsh> georgKrog: should be modelled as legal basis as it is used as such e.g. by processor | ||
| 14:55:18 <harsh> paulRyan: we don't use them as a legal basis for Processors in ROPA | ||
| 14:55:18 <harsh> harshPandit: so if we model these as legal basis, then all legal agreement becomes legal basis? | ||
| 14:55:18 <harsh> paulPandit: yes, if they are used as such (Georg agrees) | ||
| 14:55:18 <harsh> harshPandit: Okay, understood. So the controller-processor agreement is used as a legal basis by the processor to process data. And we want to model this. We have to view these as separate from GDPR A6 legal basis as we have broadened the scope to any data or technology, so the legal basis will also have to reflect these e.g. software license to use tech. We can separate out legal basis for processing personal data, from agreements between entities, and legal basis to use technologies | ||
| 14:55:18 <harsh> harshPandit: are there similar agreements in AI Act? e.g. provider to deployer? That we should model as legal basis? | ||
| 14:55:18 <harsh> delaramGolpayegani: the AI Act doesn't explicitly specify legal basis but has obligations between the actors | ||
| 14:55:18 <harsh> harshPandit: okay, so for the AI Act, I expect the market to evolve contracts and licenses etc. to use AI and other technologies. This means they would also need to be treated as legal basis. | ||
| 14:55:18 <harsh> harshPandit: So the question for our existing concepts is whether to combine GDPR A6 legal basis with Data Processing Agreements or keep them separate? | ||
| 14:55:18 <harsh> \ discussion agreed that having a separate list of GDPR A6 aligned legal basis would be beneficial to distinguish between processing personal data and other types of legal basis | ||
| 14:55:18 <harsh> \ discussion on contract concepts proposed - okay to continue with these | ||
| 14:55:18 <harsh> \ discussion on contract statuses - georg suggested different termination types which are TBD later | ||
| 14:55:18 <harsh> Topic: Risk Taxonomy | ||
| 20:10:04 <ghurlbot> https://github.com/w3c/dpv/issues/181 -> Issue 181 Refine RISK taxonomy into a single consistent hierarchy (by coolharsh55) | ||
| 14:55:18 <harsh> Subtopic: Structure | ||
| 14:55:18 <harsh> harshPandit: (describing the new structure from last meeting where there is a singular risk taxonomy) After conversation with Rob Brennan who helped with the risk taxonomy modelling, the new taxonomy structure now has the CIA infosec triad as it is familiar to security professionals. The other groups of impact such as societal etc. are still present. | ||
| 14:55:18 <harsh> delaramGolpayegani: the distinction between societal and individual is not clear - there seem to be overlapping in concepts e.g. privacy? | ||
| 14:55:18 <harsh> harshPandit: could be, though the intent is to separate issues that affect society at large or affect only a particular individual | ||
| 14:55:18 <harsh> \ group to discuss risk taxonomy further to refine it | ||
| 14:55:18 <harsh> Subtopic: Move Fee to DPV | ||
| 14:55:18 <harsh> harshPandit: the concept `Fee` in the risk/impact taxonomy seems out of place as no one would model _fee_ as an impact or state that it is the consequence or risk of something. Propose this be moved to main DPV spec, and a relation be provided `hasFee` to associate the fee. This will allow it to be used e.g. with services or rights exercises to indicate the payment of a fee | ||
| 14:55:18 <harsh> delaramGolpayegani: how would payments for other matters be indicated? | ||
| 14:55:18 <harsh> harshPandit: there are concepts such as `Renumeration` and `Compensation` in the risk taxonomy that would be appropriate for such payments | ||
| 14:55:18 <harsh> \ discussed and agreed to move Fee | ||
| 14:55:18 <harsh> Subtopic: Rights Impact | ||
| 20:10:04 <ghurlbot> https://github.com/w3c/dpv/issues/184 -> Issue 184 Add Rights Impact concepts for each Right (by coolharsh55) | ||
| 14:55:18 <harsh> delaramGolpayegani: from AI Act perspective, it would be helpful to have rights and health and safety risk | ||
| 14:55:18 <harsh> harshPandit: yes, though for specific rights, we will create specific concepts in the context of the right. So for EU fundamental rights, this will be in the EU Rights extension - where for each concept we create an `ImpactOn...` concept associated with that right. | ||
| 14:55:18 <harsh> harshPandit: rather than directly stating something is a violation of a right, we use the generic impact concept, and then provide additional specific concepts - such as preventing exercise of a right, and then at the extreme end state a right violation as a concept. So there is clarity and appropriate concepts needed to accurately represent what has taken place - as whether something is a rights violation can be complex legal investigation. | ||
| 14:55:18 <harsh> \ okay to continue for now with the current concepts, and to discuss later about how to model these | ||
| 14:55:18 <harsh> Topic: DPIA concepts | ||
| 20:10:04 <ghurlbot> https://github.com/w3c/dpv/issues/183 -> Issue 183 Represent activities where DPIA is required in EU-GDPR (by coolharsh55) | ||
| 14:55:18 <harsh> tyttiRintamaki: working on identifying new concepts to be added to DPV based on processes that require a DPIA, will share with the group. To be discussed soon - next week likely. | ||
| 14:55:18 <harsh> Topic: AI Bias proposal | ||
| 20:10:04 <ghurlbot> https://github.com/w3c/dpv/issues/182 -> Issue 182 Adding AI bias concepts (by DelaramGlp) | ||
| 14:55:18 <harsh> danielDoherty: bias taxonomy extracted from ISO 24027, there are bias concepts and fairness metrics. Also used AI Ontology (AIO) based on NIST which have types of biases such as computational and data bias. For MSc work these are applied in a risk management context, and how they map to fundamental rights violations or harms to fundamental rights. | ||
| 14:55:18 <harsh> harshPandit: this is a good detailed proposal, thank you for that. The ISO concepts can be added as it as they are based in authoritative source - though the terms may be renamed to fit the DPV naming style. | ||
| 14:55:18 <harsh> harshPandit: Do we also add discrimination concepts as counterparts to bias? E.g. there are specific types of bias which are 'risk sources'. The effect of this bias would be discrimination based on the topic of the bias e.g. `GenderBias` would lead to `GenderDiscrimination`. | ||
| 14:55:18 <harsh> \ yes this makes sense and should be added by delaram & georg | ||
| 14:55:18 <harsh> Topic: Next Meeting | ||
| 16:03:29 <harsh> \ next meeting will be in 1 week on TUESDAY 27 August at 13:30 WEST / 14:40 CEST. Agenda will be continuation of today's topics with any updates on github/mailing list and AOB. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.