<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">Your summary today was
great Andrew.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">I am not arguing about
the disclosure of thin data. We already voted on
unauthenticated mandatory disclosure, weeks ago (or at least
it feels like weeks ago). Lets please move on. We are
debating this yet again, because people keep asking, is thin
data personal? </font></font><font size="+1"><font
face="Lucida Grande"><font size="+1"><font face="Lucida
Grande"> [lots of people missed the last call]</font></font>
The answer is yes (IMHO). Does that mean it cannot be
disclosed? The answer is no. Does the proportionality
principle apply? Yes. Have we already gone through this?
Yes. Can we come back to it? Yes, but hopefully only if we
have to.....we will have to when we get to data elements.</font></font><br>
</p>
cheers Stephanie<br>
<font size="+1">PS a fundamental problem here is that people try to
categorize information that in their view should be disclosed, as
not personal information. This fight has gone on for years over
IP address, for instance. The important question is not actually
whether it is personal data or not, it is "do you need to disclose
it to make things work?"....and if the answer is yes then you try
to mitigate the disclosure and try to keep it minimized to what is
absolutely required. Hence the PIA, which should employ both data
minimization and the test in the proportionality principle as
techniques to evaluate data elements.<br>
A good and really simple example is a phone number. IS it
personal info? (the telcos fought for years, trying to claim they
owned it and it was not personal). Obviously it pertains to you,
people feel strongly that it is personal (culturally relative of
course but...) and yet if noone ever learns your number your phone
won't ever receive a call. That does not mean you have to
disclose it everywhere.....only where necessary. And it should
mean that it does not have to follow you everywhere, but that is
becoming increasingly hard to manage....<br>
<br>
By the way, informed consent is not the same as transparency
requirements. Transparency requirements are exactly that....you
have to be transparent about what you are doing with data. Let us
not conflate that with consent.<br>
<br>
I will quit now and stop trying to answer questions. I would like
to humbly suggest, however, that we have a real shortage of basic
understanding of how data protection law works and is
interpreted. If there is a data protection law expert that folks
might listen to, we should hire that person to advise us. It
might save a lot of time.<br>
<br>
<br>
</font>
<div class="moz-cite-prefix">On 2017-05-31 16:00, Andrew Sullivan
wrote:<br>
</div>
<blockquote
cite="mid:20170531200013.czq5ebz2grzxq7kr@mx4.yitter.info"
type="cite">
<pre wrap="">Hi,
On Wed, May 31, 2017 at 03:20:59PM -0400, Stephanie Perrin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">That does not mean we need to protect it, it means we have to examine it in
terms of DP law. May I repeat the suggestion that Canatacci made in
Copenhagen in response to a question.....(I forget the precise question he
was asked, sorry). If you want to figure out whether you have to protect
something or not, do a privacy impact assessment.
</pre>
</blockquote>
<pre wrap="">
As I think I've said more than once in this thread, I think we _have_
done that assessment and I think the answers are obvious and I think
therefore that there is nothing more to say about this principle in
respect of thin data:
- the data is either necessary for the operation of the system
itself or else necessary for distributed operation and
troubleshooting on the Internet.
- the data does not expose identifying information about anyone,
except in rather strained examples where the identifying
information is already completely available via other means.
What more is one supposed to do?
Best regards,
A
</pre>
</blockquote>
<br>
</body>
</html>