KantaraInitiative / CISWG

Consent & Information Sharing Work Group

Define PrimaryPurpose field #89

Open dturnerx opened 7 years ago

dturnerx commented 7 years ago

PrimaryPurpose field: This is an undefined term. It is unclear how this field should be used. (On a legal point: under data minimisation principles, should data be collected for secondary purposes? I suspect that the concept of a hierarchy of purposes would not hold much water.)

PrivacyCDN commented 7 years ago

I disagree. There is a hierarchy of purposes. Some data is collected inevitably because of the technology (browser header info for example). This is collected on landing. Some data will be collected because it is necessary to provide a service or because of regulation (booking a flight requires the collection of PNR data for ticket issuance & international security requirements, credit card info for payment and so on). This is collected, presumably after notice. Finally, there is data collection or use that is optional (can we send you marketing, or do you want to fill out a survey). This last will require an opt-in or affirmative button click. That's at least three tiers of collection with differing notice/consent expectations.

I note that all of this is a separate issue with the phrase (secondary use). In health for example that often refers to health data used for health research that may be collected regardless of initial consent and notice for research purposes.

andrewhughes3000 commented 7 years ago

@PrivacyCDN any suggestions on a path forward to resolve the issue?

PrivacyCDN commented 7 years ago

My first inclination is to suggest that a data model would provide a toolset for specifying purposes and their characteristics. If the articulation of a data model is put off to v2, we may be able to do it another way, in prose and diagrams. If we weren't virtual and had access to a room I'd suggest an old fashioned affinity diagram bashing session.

smartopian commented 7 years ago

Seems that guidance is needed here, but we purposely kept this a bit vague so we had room to define how to specify purpose. The thinking is that if it's not a core purpose/primary purpose then it's a secondary purpose. This is important because there is a requirement for people to be able to withdraw secondary purposes in context but not withdraw the entire consent.

But, we haven't thought through what that means for multiple purposes. (Not sure we need to.) Arguably, to know if this works we need to nail down the receipt taxonomy, i.e. each service can have multiple purpose categories, and then does the primary purpose (or not) field sit at the category level (which we have now)? Personally I think it's correct as is, but maybe an affinity diagram will help?


linnhege commented 7 years ago

We use the PrimaryPurpose field to separate between consent that is to be given up front (login, account creation) and consent that is given contextually. Just my two cents :)

dturnerx commented 7 years ago

@linnhege - can you elaborate on what you mean by "consent that is given contextually"? Specifically, what does this look like in practice?

PrivacyCDN commented 7 years ago

And one last thing to remind people. That is the term 'Secondary Use'. In my experience, this is NOT related to secondary purposes. It is most usually used in a medical setting to access and use data for research that was not collected with a research purpose. My suggested buckets of purposes are:

Bucket 1: Technical necessity. The sole purpose here is to collect/use information for the necessary functioning of a system. e.g. Browser Header Information

Bucket 2: Primary service. The purpose(s) that identify the minimum information that can be collected/used to fulfill the requirements of the service on offer. e.g. User name and password to register on a site

Bucket 3: Other services (to avoid the confusing 'secondary'). The purpose(s) that identify information requested but not required for the service on offer. e.g. a consent directive to allow secondary marketing to the user.

Each of the above buckets could contain a list of 'standard' purposes.

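The two ideas in the thread so far, smartopian's point that a consumer of a receipt must be able to withdraw a secondary purpose in context without withdrawing the whole consent, and the three purpose buckets proposed just above, can be expressed as one small data model. The following is an added example written for this page, not code from the CISWG project or the consent receipt specification. It assumes that `PrimaryPurpose` is true exactly for buckets 1 and 2 (technical necessity and primary service) and false for bucket 3; the `Bucket` enum, the sample receipt and every JSON key other than `PrimaryPurpose` are constructed for the example and are not the spec's own names.

```python
from copy import deepcopy
from enum import Enum


class Bucket(str, Enum):
    """The three purpose tiers proposed in the thread (enum names are my own)."""
    TECHNICAL_NECESSITY = "technical_necessity"
    PRIMARY_SERVICE = "primary_service"
    OTHER_SERVICES = "other_services"


def is_primary_bucket(bucket: Bucket) -> bool:
    """Assumption: PrimaryPurpose is true exactly for the purposes minimally
    required to deliver the core service (buckets 1 and 2), false for bucket 3."""
    return bucket in (Bucket.TECHNICAL_NECESSITY, Bucket.PRIMARY_SERVICE)


# Constructed sample receipt. "PrimaryPurpose" is the field under discussion;
# the other key names are assumptions for this example, not the spec's.
SAMPLE_RECEIPT = {
    "consentReceiptID": "example-receipt-0001",  # placeholder, not a real id
    "services": [
        {
            "service": "Flight booking",
            "purposes": [
                {"purpose": "Serve pages to the browser", "bucket": "technical_necessity",
                 "piiCategory": ["Browser header information"], "PrimaryPurpose": True},
                {"purpose": "Issue the ticket", "bucket": "primary_service",
                 "piiCategory": ["PNR data", "Payment card"], "PrimaryPurpose": True},
                {"purpose": "Marketing email", "bucket": "other_services",
                 "piiCategory": ["Email address"], "PrimaryPurpose": False},
                {"purpose": "Customer survey", "bucket": "other_services",
                 "piiCategory": ["Email address"], "PrimaryPurpose": False},
            ],
        }
    ],
}


def validate_receipt(receipt: dict) -> list[str]:
    """Consistency checks a receipt processor can run before honouring it:
    the PrimaryPurpose flag must agree with the bucket, and every service
    must carry at least one primary purpose (otherwise nothing is 'core')."""
    problems = []
    for service in receipt["services"]:
        primaries = 0
        for p in service["purposes"]:
            bucket = Bucket(p["bucket"])
            if p["PrimaryPurpose"] != is_primary_bucket(bucket):
                problems.append(
                    f"{service['service']}: '{p['purpose']}' is in bucket "
                    f"{bucket.value} but PrimaryPurpose={p['PrimaryPurpose']}"
                )
            if p["PrimaryPurpose"]:
                primaries += 1
        if primaries == 0:
            problems.append(f"{service['service']}: no primary purpose declared")
    return problems


def withdraw_purpose(receipt: dict, service_name: str, purpose_name: str) -> dict:
    """Withdraw a single purpose in context and return the updated receipt.
    A secondary purpose is simply dropped; a primary purpose cannot be
    withdrawn on its own because that would end consent for the service."""
    updated = deepcopy(receipt)  # leave the stored receipt untouched
    for service in updated["services"]:
        if service["service"] != service_name:
            continue
        for p in service["purposes"]:
            if p["purpose"] == purpose_name:
                if p["PrimaryPurpose"]:
                    raise ValueError(
                        f"'{purpose_name}' is a primary purpose of '{service_name}'; "
                        "withdraw consent for the whole service instead"
                    )
                service["purposes"].remove(p)
                return updated
    raise KeyError(f"no purpose '{purpose_name}' under service '{service_name}'")


def remaining_purposes(receipt: dict, service_name: str) -> list[str]:
    """Names of the purposes still consented to for a service."""
    for service in receipt["services"]:
        if service["service"] == service_name:
            return [p["purpose"] for p in service["purposes"]]
    raise KeyError(f"no service '{service_name}'")


if __name__ == "__main__":
    print(validate_receipt(SAMPLE_RECEIPT))
    after = withdraw_purpose(SAMPLE_RECEIPT, "Flight booking", "Marketing email")
    print(remaining_purposes(after, "Flight booking"))
```

The design choice worth noting is that `PrimaryPurpose` is stored on each purpose but derived from the bucket, so `validate_receipt` can catch a receipt that labels a bucket 3 purpose (marketing, surveys) as primary, which is the purpose creep RupertGravesDIC raises later in the thread. Withdrawal then needs no special casing: the flag alone decides whether a purpose can be dropped in context or only together with the whole service consent.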

maryhodder commented 7 years ago

Bucket 3 should also include 'derived' data, which is part of the GDPR requirements, and if a company derives something for a purpose or to a conclusion, depending, it can have consequences for purposes as well as other categories such as whether something is sensitive personal data.


PrivacyCDN commented 7 years ago

See my recent comment on issue #96, which included consent for core services vs optional consents. Is Primary Purpose functionally equivalent to 'those purposes that are minimally required to deliver the core service'?

RupertGravesDIC commented 7 years ago

If the service requires the purpose then it requires the purpose, whether it is minimally or not. Hence all purposes work in parallel (aside from some niche cases e.g. healthcare research). The underlying issue is whether purpose scope (intentionally) expands beyond what is necessary to provide the service, i.e. purpose creep. I would suggest that this can be tested normatively using ISO 29100 data privacy principles by considering whether a hypothesis definition would change in different privacy contexts.