Meeting minutes
Repository: w3c/dpv
Agenda: https://
Meeting minutes: https://
Persistent ID for current minutes: https://
Note change in meeting link
intro: Jess working on engineering on Solid for personal data stores, focusing on consent management
v2.2
milestone https://
changelog
HarshPandit: full changelog draft https://
RISK: Lose vs Loss
<ghurlbot> Issue 368 [FIX]: Typo on Reputational Risks concepts codes starting with Lose (by csarven)
HarshPandit: Last meeting we agreed on using core Noun + "Loss" prefix e.g. CredibilityLoss and ReputationLoss.
GeorgKrog: Should be ReputationalLoss
PaulRyan: Agreed
GeorgKrog: There is Damage or Harm and then you have to prove that a Damage has led to Loss, and action that caused Damage has a causal link to the Loss (this differs across Jurisdictions)
agreed to continue with v2.2
ACTION: Change RISK concept to ReputationalLoss
Damage/Harms taxonomy
GeorgKrog: We should try to build a better taxonomy for damages e.g. Discrimination can be damage
HarshPandit: But that's more of a sometimes type relation because discrimation leads to something like loss of opportunity or psychological impact which you then show in court as damage
GeorgKrog: https://
HarshPandit: Even though ICO calls this a "harms taxonomy", not all of these are harms
GeorgKrog: How will practioners understand how to use the DPV taxonomy?
HarshPandit: We need a guide for general Risk assessment and then additionally how to use this in the guides for DBIA and DPIA
GeorgKrog: We don't have much support for liability. We have rights taxonomy and liability from rights breaches, but we need other liability beyond contract ...
GeorgKrog: Why should DPV help formulate that because an action led to an event, you experiened some kind of consequence. Then you need to write a letter to the organsiation claiming how you suffered damages.
HarshPandit: This can be done two ways - 1) you simply tell the controller what happend (with DPV concepts) or 2) you ask your lawyer to send a legally written letter asserting damages where you write about legal frameworks and what is the threshold that has been reached -- which is the same as you would in courts.
MarkLizar: We have been looking for ways to have the users pass on liability back to the organisation (paraphrased). This goes beyond the bounds of data protection.
Beta Release
agree to publish as beta release with time period until SEP-15
Beta release will be published whenever the current round of fixes and changelog are completed
AI Agents
<ghurlbot> Issue 197 Model `Agent` and `LegalAgent` (by ghurlbot)
HarshPandit: propose we add the concepts so there is a vocabulary to use, and later we can finalise the definitions and relationships as we get normative/authoritative sources. We will have working definitions, but we are mostly allowing people to represent that they are doing something or using this concept (AI Agent). We will add a note to this effect.
DelaramGolpayegani: +1
GeorgKrog: +1
ACTION: Add AI Agent concepts as discussed
AI Model Development Phases
<ghurlbot> Issue 294 AI Model Development Phases (by coolharsh55)
HarshPandit: Last time we discussed taking lifecycle concepts from 5338 which are already in DPV and then creating phases aligned with that
DelaramGolpayegani: In VAIR the concepts came from 22989
ACTION: Delaram to look at ISO 5338 and 22989 to develop lifecycle stages/phases concepts
HarshPandit: We want to have coverage in terms of the concepts like we did for Training which became a processing operation and then there can be a TrainingProcess where this is involved, some input data, and the output is a trained model.
Locations
<ghurlbot> Issue 341 Add Location concepts to PD extension e.g. Home, Work (by coolharsh55)
<ghurlbot> Issue 342 Add Location concepts to TECH extension e.g. Device, App (by coolharsh55)
HarshPandit: We have location concepts that are personal data, so they go in PD extension. We have locations that can be used to store data e.g. devices, so they go in TECH extension. However, we also discussed other locations which are needed to represent things such as train stations and airports where e.g. a CCTV is deployed. Even if this location is the person's location i.e. the person is at the airport, the concept cannot be modelled as personal data directly always.
HarshPandit: options 1) namespace within Location e.g. /loc/xyz or 2) we don't provide this in DPV
GeorgKrog: What could be the use-case for this?
HarshPandit: E.g. you go to the airport and there are cameras there, how do you describe the location airport or a school where the camera is? Its a different concept to state the person was at the airport (person's location) from the airport as a location. So a taxonomy of such places would be helpful -- these are directly relevant to represent DPIA necessary activities and high risk AI system deployments.
MarkLizar: Take a picture of the camera sign to show where is ther camera.
discussion to be continued next time
Next Meeting
The next meeting will be on AUG-27 Thursday 13:30WEST/14:30CEST
Agenda will be finalising DPV v2.2 beta release, and starting work on v2.3 -- with a preference to identify topics for discussion where materials/arguments exist and so that we can revist what needs to be done for them.
Calendar link for meetings
GeorgKrog: issues finding calendar meeting link
ACTION: ensure meeting link is accessible or can be easily figured out
ACTION: Harsh will send email to ask if there are other issues / affected people