[WG-InfoSharing] Issue with terms and referencing terms;

mary hodder hodder at gmail.com
Thu Mar 24 13:09:29 CDT 2016

So this has come up in IDESG and in other standards NIST has done, and also
with other orgs where we've looked at their documents.

On the one hand, the FTC recognizes PII as a term of art that means
something legally and is definable.  On the other hand, IDESG and the other
orgs I've seen have taken to calling it:

Personal Information instead of PII (spelled out).  The reason is that they
recognize that PII is a term of art for some but not others, and because
depending in context, some personal information becomes identifiable, and
out of context or aggregated and collapsed, it's not (so) identifiable.

So they/we wanted users of the documents to have to think about context,
think about what may be perceived as personal to the user, and so the
definition for now (we are in the midst of a definitions review and
expansion for better defs and a few more terms):

"Personal information" broadly means any information about or linked to a
user <https://wiki.idesg.org/wiki/index.php?title=IDEF_Glossary_USERS> that
is collected, used, transmitted, or stored in or by digital identity
management functions

I think Personal Information is better because it implies context, verses
data which is inert without context or use. However, data as the most basic
bits, and in some ways we do want to be as basic as that.

However, in the W3C Tracking (DNT) effort, they use this to get at the
problem, although do not use PII or PI or user data or anything.. they just
say "data":

[quote] Data Minimization, Retention and Transparency

Data collected by a party for permitted uses must be minimized to the data
reasonably necessary for such permitted uses. Such data must not be
retained any longer than is proportionate to, and reasonably necessary for,
such permitted uses. A party must not rely on unique identifiers if
alternative solutions are reasonably available.

A party must publicly describe definite time periods for which data
collected for permitted uses are retained. The party may enumerate
different retention periods for different permitted uses. Data must not be
used for a permitted use once the data retention period for that permitted
use has expired. After there are no remaining permitted uses for given
data, the data must be deleted or permanently de-identified
. No Personalization

A party that collects data for a permitted use must not use that data to
alter a specific user's online experience, except as specifically permitted
below.  [end quote]

I think their thinking has value because they are a bunch of smart folks
wrestling with similar issues.


On Thu, Mar 24, 2016 at 10:15 AM, Mark Lizar - OCG <
m.lizar at openconsentgroup.com> wrote:

> Hi All,
> As I am editing the spec at the moment, I have come across a couple of
> issues with terms.  github issue #27
> <https://github.com/KantaraInitiative/CISWG/issues/27>
> First, as we no longer need to put the spec work forward to a standard
> development organisation to create a specification standard candidate I
> think its important to have all terms in the spec so that it is usable
> without having to reference external documents.
> Second, we have used the term PII as defined in IS0 29100, to refer to the
> consent grantee, or data subject.  It has occurred to me that the consent
> grantee doesn’t necessarily have to be identified, to provide both personal
> data and consent.  As well, we are working on consent centric focus and not
> necessarily an the basis that all consents require personal identifiable
> information.
> The ISO definition is
> "personally identifiable information PII
> any information (a) that can be used to identify the person to whom such
> information pertains, (b) from which such information can be derived, or
> (c) that is or might be directly or indirectly linked to a natural person.
> NOTE To determine whether a PII principal is identifiable, account should
> be taken of all the means which can reasonably be used by the entity
> holding the data, or by any other party, to identify that individual. “
> In this regard, I am wondering if moving to the term* personal data*
> would be suffice instead?
> Mark Lizar
> Executive Director
> Open Consent Group
> Email: m.lizar at openconsentgroup.com
> Mobile: +447738382658
> Twitter: @smartopian
> _______________________________________________
> WG-InfoSharing mailing list
> WG-InfoSharing at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-infosharing
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20160324/e525903f/attachment-0001.html>

More information about the WG-InfoSharing mailing list