Not completely on topic, but Adrian: have you seen the ToSBack2 project from ISOC?

https://tid.isoc.org/confluence/display/TOSBACK2/ToSBack2+Home

I have not plunged into the abyss of reading the documentation... but I suspect that they have created a functional ontology for privacy policies that enables the analysis engine to do cross-version comparison. That might save some thinking work about how to slice and dice then represent the policies...

just a thought.

andrew.

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


On Sat, Mar 12, 2016 at 4:42 AM, James Hazard <james.g.hazard@gmail.com> wrote:
Running, but as a first cut:

http://www.commonaccord.org/index.php?action=source&file=Dx/Acme/03-Policies/03-Automatted-Privacy_v0.md

On Fri, Mar 11, 2016 at 10:29 PM, Adrian Gropper <agropper@healthurl.com> wrote:
Thanks for sharing this. From my strictly consumer perspective, here's what I would do with this:
  1. Start a Standard Privacy Notice workgroup in Kantara with a narrow charter to classify and label privacy notices.
  2. Make the Automattic Policy the first label and post it the way we would a CC or OSI license.
  3. Publish a DRY Privacy Notice Best Practice that would incorporate a labeled privacy notice BY REFERENCE and list only the exceptions, if any, to the referenced policy.
  4. Add CommonAccord to this as an option for describing only the exceptions.
  5. Suggest standardized formatting for the exceptions right down to the fonts and colors.

My guess is that the world can get by with only 5 or so of these baseline privacy notice labels to serve, for example:

  • blogs, (Automattic)
  • merchants, (Vendor)
  • things, (Robot)
  • medical services, (HIPAA)
  • directories (Dating)

In addition, I would classify each privacy notice into one of three classes depending on the kind of API they provide:

Class 1: Service will not see your data. You are in sole control of the API.

Class 2: Service will see your data but the API you control has all of the data available in real-time.

Class 3: Service will see your data but there's limited or no API access.

I've described these three classes in http://thehealthcareblog.com/blog/2016/02/22/apple-and-the-3-kinds-of-privacy-policies/

The result would be that Kantara privacy notices would look like: Automattic_2 or HIPAA_3 and people would mostly pay attention only to the exceptions.

Adrian


On Fri, Mar 11, 2016 at 12:31 PM, Eve Maler <eve@xmlgrrl.com> wrote:
On today's call, I mentioned a cool privacy policy I ran across when I downloaded this app:


The app costs $4.99, and I carefully looked at the policy and decided I was very willing to pay money -- and they were making the tradeoff very worthwhile. They based the policy closely on this (both are CC-licensed -- hooray for DRY content!):


BTW, the app is awesome too.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/





--
@commonaccord
