
TAS3_D6p1_v1p0.pdf (deprecated)

TAS3 Requirements: Privacy, Governance and Contractual Options

Accepted by European Commission in June 2009.

Executive Summary: TAS3 is designed to provide a secure and trusted architecture that is compliant with applicable privacy requirements. TAS3 goes beyond traditional privacy by design to include the design of privacy not only in the technical design, but also in business processes, organizational policies and a privacy-enabling contractual framework from the outset. The TAS3 architecture thus combines the four elements of technology, business, policy and legal requirements to provide a privacy-enabled ecosystem.

The focus of this deliverable is to identify the privacy requirements that are set forth in the European Directive and national implementations that support the fundamental right of privacy. TAS3 D6.2, which sets forth the Contractual and Policy Frameworks, will incorporate and build on these requirements. As part of this design approach we also review the “7 laws of embedded identity”, as developed by Information and Privacy Commissioner Ann Cavoukian in furtherance of Kim Cameron’s first published seven Laws of Identity.

The purpose of this deliverable is to translate the broad legal requirements related to privacy and governance into concepts that can provide technical and organizational guidance. Annex 1 provides a comparative review of the major instruments on which EU privacy law is founded, as well as the laws of countries in which TAS3 may take place. From those documents, common principles are distilled. The deliverable then maps the application of those principles and related terms of art to new technologies to illustrate the challenges that are emerging. Then, before concentrating on the specific requirements of the Directive, we review emerging global and EU trends in accountability and accountable systems. More detailed legal requirements are then identified and cross-referenced to TAS3 functions and practices (summarized in Annex 3). Finally, an overview of requirements and their operational relevance is given.

This document represents the beginning of an iterative process, which will continue throughout the TAS3 project by way of refinement and supplement. Apart from tracking changes in actual law and the application of existing law, more detailed research will be performed on relevant sectoral laws that may also impact privacy requirements (e.g. employee privacy rights; regulations impacting electronic health records).

TAS3_D6p1_v1p0.pdf — PDF document, 283Kb
