W3C

DPVCG Meeting Call

24 SEP 2024

Attendees

Present
beatrizEsteves, harshPandit, julianFlake, julioHernandez, paulRyan, tyttiRintamaki
Regrets
delaramGolpayegani, georgKrog
Chair
-
Scribe
harsh, harshPandit

Meeting minutes

Repository: w3c/dpv

Meeting minutes: https://w3id.org/dpv/meetings

purl for this meeting: https://w3id.org/dpv/meetings/meeting-2024-09-24

AOB items

DPIA concepts by Tytti

Machine-actionable rights work by Beatriz, Harsh

Bias concepts

<ghurlbot> Issue 182 Adding AI bias concepts (by coolharsh55)

harsh: Daniel has updated the bias concept definition based on ISO definitions, and these will be added to RISK extension. There are also other ontologies that provide a larger corpus of bias concepts and this work has overlap with them. The distinguishing factor here is that our concepts are based on the ISO definitions and are grouped from the ISO standard, and the other concepts are from NIST and other sources. So in the HTML documentation we will be adding a note to this effect.

ACTION: Add bias concepts to RISK with a note to external source

Discrimination concepts

<ghurlbot> Issue 190 [Concept]: Discrimination Concepts in RISK (by coolharsh55)

harsh: Initially we proposed/discussed that there will be a corresponding discrimination concept for each bias concept. However, this does not make sense as there are bias concepts such as Statistical Bias which would lead to Statistical Discrimination. Instead, we want a separate curated category for discriminations such as gender, sex, race and so on.

Rights Impact concepts

<ghurlbot> Issue 184 Add Rights Impact concepts for each Right (by coolharsh55)

Discussed these concepts to model impacts. No comments or objections to proceeding with adding these concepts to the RISK extension, and then using these along with specific /Impact on X Right concepts to indicate how a right was impacted.

ACTION: Add rights impact concepts to RISK

ACTION: Create impact concept for each right in EU and GDPR extensions

Risk Taxonomy

<ghurlbot> Issue 181 Refine RISK taxonomy into a single consistent hierarchy (by coolharsh55)

harsh: based on previous discussion, the risk taxonomy was consolidated into a single taxonomy and the adopter has the option to choose what role that concept takes within the use-case i.e. as a RiskSource or Risk or Consequence or Impact. The problem with this is that there is no guidance or suggestion as Delaram pointed out last time - which makes it difficult to use this taxonomy.

harsh: The proposal here is to tag each concept with what it could be used as i.e. as Potential Risk Source or Potential Risk and so on. With this, the adopter has a way to identify which concepts are likely to be risk sources, or see what roles a concept can take within use-cases. In the HTML documentation, this would then be a table for each concept and the roles it can take.

julianFlake: clarify this is consistent with previous approach and that it is non-normative - more like a guide.

paulRyan: agree with going ahead

tyttiRintamaki: agree with going ahead

julioHernandez: agree with going ahead

<ghurlbot> Issue 138 Add CIA model to Tech/Org measures (by coolharsh55)

harsh: additionally, we also have the CIA infosec model to indicate whether the concept is within the Confidentiality, Integrity, Availability dimensions. And we also plan to do the same categorisation for TOMs.

ACTION: Annotate Risk taxonomy concepts with roles and generate docs

Alignment with ODRL

<ghurlbot> Issue 130 Alignment with ODRL (by coolharsh55)

beatrizEsteves: no comms from ODRL CG regarding joint meeting at W3C TPAC. Once I finish that work re. ODRL update we can have a meeting within DPV first and then we share it with ODRL. I will present something here in DPVCG, and then present it to ODRL CG.

harsh: Does that mean we define DPV as a profile of ODRL? How do we do that?

beatrizEsteves: talked with Renato - chair of ODRL CG, who mentioned it is possible to do this as a joint report by both CG. Though this would require a new namespace.

harsh: AFAIK the W3C publishing process is tied to the WG/CG and there isn't a way to indicate a report was authored by more than one group. It might mean we have to publish two reports - one by each group, and then within the group indicate that it's a joint report.

harsh: for the new IRI for concepts / namespace following ODRL best practices, we can reuse the DPV namespace e.g. w3id.org/dpv/odrl

harsh: So to implement such a profile, we would have to define the DPV concepts as operands, constraints, assets, etc. However, there is a problem where we have odrl:Agreement and other types - which in DPV are legal basis e.g. Contract and which would then be both operands and policy types in ODRL. I think this is disallowed?

beatrizEsteves: yes, this means we will have to create new concepts.

harsh: then these concepts would be distinct from those present in DPV and will only be present in the profile - not a problem

harsh: we have a project where Julio is also working on using DPV and ODRL together. We can start a process to create such a profile. Would be good for you two to meet and discuss this.

ACTION: Create a mapping between DPV and ODRL concepts

Machine-Actionable Rights

<ghurlbot> Issue 191 Create a guide for Machine-Actionable Rights (by coolharsh55)

beatrizEsteves: submitted a paper to JURIX based on my PhD work for using DPV and ODRL to exercise and manage rights; see https://besteves4.github.io/dpv-rights-exercising/

harsh: would be good to put this back into the DPVCG as a guide or spec for managing/exercising rights - the (pure) ODRL stuff might be better documented in the ODRL CG rather than in a DPV report

beatrizEsteves: yes, also the document contains some new examples

harsh: these are good, though we should change the hasScope in example to hasProcess as the notion of Scope here is about the legal interpretation rather than technically limiting something - we have Process to create modular parts within a process or service.

beatrizEsteves: in the guide, it also shows how to associate policy using odrl:hasPolicy e.g. payment and how much it is, and it has lifecycle concepts for rights exercise. It uses DCAT v3 DatasetSeries to show which came first, last, etc.

harsh: send as draft which we add to DPVCG, then we continue working on this within DPVCG

ACTION: Add the rights exercise guide/spec to DPVCG repo

DPIA concepts for DPV

<ghurlbot> Issue 183 https://github.com/w3c/dpv/issues/183 (by coolharsh55)

tyttiRintamaki: new concepts identified from analysis of DPIA requirements by Data Protection Authorities - have the term, parent, definition, and source. When proposing the new concepts, should I include the text from DPA document where the concepts came from?

beatriz: would be helpful to see the source

ACTION: Provide DPIA concepts to DPVCG for review

Next Meeting

Next meeting will be in 1 week on TUESDAY 01 October at 13:30 WEST / 14:40 CEST. Agenda will be selecting the next set of items/issues on GitHub with any updates on GitHub/mailing list and AOB.

Summary of action items

  1. Add bias concepts to RISK with a note to external source
  2. Add rights impact concepts to RISK
  3. Create impact concept for each right in EU and GDPR extensions
  4. Annotate Risk taxonomy concepts with roles and generate docs
  5. Create a mapping between DPV and ODRL concepts
  6. Add the rights exercise guide/spec to DPVCG repo
  7. Provide DPIA concepts to DPVCG for review

Minutes manually created (not a transcript), formatted by scribe.perl version 217 (Fri Apr 7 17:23:01 2023 UTC).