Meeting minutes
Meeting minutes: https://
purl for this meeting: https://
Updated Readme
harsh: the README.md for the github repo has been updated - https://
<ghurlbot> Issue 144 Update README.md for v2 (by coolharsh55)
profile metadata
<ghurlbot> Issue 141 Add Profile vocabulary metadata (by coolharsh55)
harsh: added profile metadata in RDF that describes that we have an HTML spec, RDF files, primer, guide, etc.
Risk extension
Incidents
<ghurlbot> Issue 100 Proposal to add (security) Incident Reporting concepts (by coolharsh55)
harsh: added the incident concepts discussed in previous meeting to the risk extension, where data breach is a form of incident and is described using the incident concepts.
GDPR Data Breach
<ghurlbot> Issue 64 Provide concepts for Data Breach (by coolharsh55)
harsh: The data breach requirements from GDPR are provided in the EU GDPR extension.
<ghurlbot> Issue 103 Guide for Data Breach (by coolharsh55)
harsh: The guide for GDPR data breach has been copied over, and needs to be updated for incident concepts
Risk Assessment
<ghurlbot> Issue 104 Re-evaluate Risk Assessment concepts (by coolharsh55)
harsh: Added the risk assessment concepts as discussed previously - risk and mitigation measure is in DPV, risk extension provides concepts to model threat and vulnerability. Also includes generic risk controls.
steveHickman: will you add more controls?
harsh: yes, but only focusing on structure, broad concepts - otherwise link to MITRE CVE which is an established body of work
Risk Management
<ghurlbot> Issue 74 Add Risk Management concepts from ISO 31000 series (by coolharsh55)
steveHickman: involved in institution for privacy design which have an operational design for doing this e.g. risk controls
harsh: do we need to distinguish between risk management plan, methodology, etc.?
delaramGolpayegani: should also look into ISO AI Risk management guidelines
harsh: then let's look into this next month so we do general and AI risk together to ensure they are consistent
delaramGolpayegani: lots of interest in ai risk management
harsh: what we want to enable is supporting discovery and mitigation of risk using our concepts, so we can check whether our concepts support this or not
conclusion of discussions - we discuss risk management later together with AI risk management, rest are okay for v2
HumanInvolvement
<ghurlbot> Issue 108 Revise Automation and HumanInvolvement concepts (by coolharsh55)
steveHickman: (question from last meeting) shouldn't revert concepts be modelled as subsets of correct concepts?
steveHickman: reversion is a more specific form of correction so this should be a hierarchy; alternatively, is it possible to revert without it being a correction - if, for example, both the current and prior values are correct and you just want to do a comparison?
harsh: correction if defined as changing the output can include reversion, however the intent is to distinguish when the human or another body supplies the value (correction) versus where it doesn't and relies on the previous value (reversion)
discussion conclusion: agreed that for now we leave them separate and investigate whether they should be aligned; add a comment to this effect inviting inputs
Consent Controls
<ghurlbot> Issue 115 Add Measures for Obtain, Withdraw, etc. for Consent and other Actions (by coolharsh55)
Discussed and accepted as these are needed for practitioners, no alternative proposal or clear objections provided at this moment
Tech extension
hasIntendedUse
<ghurlbot> Issue 85 Specify 'business process' or 'service goal' in DPV-Tech (by coolharsh55)
harsh: e.g. database has many features but our intended use is only store and access control
harsh: can also help distinguish between what the provider declares as intended use and what is the intended use of the organisation
steve: would this help distinguish between what are all the capabilities of a system and what is the intended use of it
harsh: yes
steve: would this intended use be declared at the start or derived from all the uses?
harsh: both can be done e.g. declare initially then check if uses are aligned with intended use - deviation can be used to update the intended use or flag problems
discussion conclusion - okay to use this
Cloud concepts
<ghurlbot> Issue 47 Specifying "Cloud Computing" in DPV-TECH (by coolharsh55)
discussion conclusion - okay to continue with proposed restructuring
DPV v2
harsh: this concludes all issues currently listed under DPV v2 milestone https://
harsh: next step is to write the documentation for the changed concepts, and then review it - needs volunteers
volunteers - paul, georg, julian (only after May end), delaram (only for AI and AI Act)
Next meeting
The next meeting will be in 1 week on WED 29 May 14:00 WEST / 15:00 CEST. Agenda will focus on DPV v2 planning and release.