Third Party Disclosure Fields #112

Open
smartopian opened this issue Oct 19, 2017 · 0 comments

smartopian commented Oct 19, 2017

There is some confusion around the term 3rd party, as the GDPR, which was written after this field was first defined, defines 3rd party and Data Processor separately in Article (4). In my opinion 3rd party is poorly defined, as it's a generic term, authorised or not.

This topic also goes to the core of what this work group has worked to define in information sharing, i.e. the explicit terms for the individual sharing personal data with another party.

What's clear is that some of our terms for our fields in terms of sharing may need to be better defined.

3rd party (IMO) is a very broad field name and generically could include a recipient as well as a processor, or some unauthorised processor, or even legislatively authorised parties.

Disclosure is also a very broad term which could be interpreted to include Information Sharing i.e. Data portability.

To this end, I think we should see if we can clarify these field definitions and terms and/or plan to iterate on them in v1.2, covering whether or not a 3rd party is also a recipient, and whether or not disclosure includes both data portability as well as regulatory disclosure.

Currently in the spec we have:

Beyond changing 3rd Party to Data Processor

Third Party Disclosure

  • Indicates if the PII Controller is disclosing PII to a third party.

Propose change: - Indicates if the PII Controller is disclosing PII to a third party processor.

  • Possible values are TRUE or FALSE. MUST

Third Party Name

  • The name or names of the third party the PII Processor may disclose the PII to. MUST be supplied if Third Party Disclosure IS TRUE. MUST if Third Party Disclosure is TRUE

Proposed Change:

  • The name or names of the PII Processors the PI is being disclosed to. MUST be supplied if Third Party Disclosure IS TRUE. MUST if Third Party Disclosure is TRUE

Additional issues to consider raising (depending on clarity above) - questions of whether or not
3rd Party - contact - MUST/SHOULD include address/contact as a May, as well as privacy point of contact?

Should - The Data types being disclosed?

Also a field for providing data types required for disclosure for sensitive data sharing - a field for interop with external services.

Also - consider adding - information sharing field ---> 'Disclosed on behalf of Data Subject' (information sharing) - Data portability. be a field for v1.2?

smartopian changed the title from "Third Party Disclosure Fields - (still being drafted)" to "Third Party Disclosure Fields (in draft)" on Oct 19, 2017

smartopian changed the title from "Third Party Disclosure Fields (in draft)" to "Third Party Disclosure Fields" on Oct 26, 2017