
Re: [802SEC] Fwd: IMPORTANT AND TIME DEPENDENT -- Information Request to IEEE-SA Sponsors - Please reply by 06 October 2017



Greetings to all,
   While at the IEEE BoD meeting last June, one of the booths that I visited was one that was concerned with GDPR (General Data Protection Regulation).  They handed out a flyer (attached) that provides the insight to why we are being asked the questions.
The General Data Protection Regulation, also known as GDPR, is
a new directive that will take effect on May 25th, 2018. The aim
of the GDPR is to protect and empower individuals from privacy
and data breaches in an increasingly data-driven world. As a
result, individuals will have more control over their online
presence and personal information. The responsibility of keeping
data secure applies to IEEE. We are required to carefully review
and redesign our privacy policies and every single business
process that touches personal data.

To Paul's first question of the day - Yes, I can prepare a response on behalf of 802 as requested.

I asked David Ringle, as I got a separate request from him for this same information, if I needed to spread this email to all of the Computer Societies Sponsors and WGs, and his response was as follows:
 
Hi Jon,
The email was sent to all Sponsor Representatives (liaisons); it was not sent to WG Chairs.
Regards,
Dave

The Sponsor Representatives (Liaisons) that he is referring to is a role within MyProject on the PARs that are active.

In parallel with the email from David Ringle, as noted in the email a meeting was held with the IEEE Staff Program Managers and they are all tasked to gain as much information by the deadline (Oct 6) as they can, and so we have seen Kat Bennett reach out to the WG Chairs that she works with (Adrian, Glenn, Rich, and Steve),  and ask the same basic questions, and that is why Steve is asking if the WG should respond separately.

I have also been contacted by Jonathan Goldberg who would like to talk with me tomorrow afternoon about this same topic in respect to his role as our 802 contact and he may have also contacted the WGs he works with.

The other WG chairs that have not yet been contacted may be contacted later.

So, the question of the day is what info are we collecting and how are we collecting it and how do we keep it safe and how do we dispose of it when we no longer need it.

The GDPRTaskforce will undoubtedly be contacting us again to tell us how to improve on what our processes are, and a change will be required to meet the May 25th 2018 deadline.

The Reference listed in the attachment "GDPR: Getting Ready for the New EU General Data Protection Regulation"
provides some insight into what is being done.  I note that this was started in May 2016, but we are starting the end of Sept 2017....

I see no benefit to try to critique the form that was sent.  Rather I will respond the best I can, and they can take that information to the task force and if they need some clarification, they will have to come back with better questions.

If you have input you want to see included in our response, I would be happy for your contribution.
I will add this to the agenda for Oct 3, 2017, but I may or may not be able to call in. I will be on the road and not sure of the cellphone coverage.  I will try to post my proposed response late on Oct 2 or early Oct 3 before I leave my office.  If you have any specific information you want to ensure is included, I will need it by COB Friday (Sept 29th AOE).

Regards,
Jon





-----------------------------------------------------------------------------
Jon Rosdahl                 Engineer, Senior Staff
office: 801-492-4023      Qualcomm Technologies, Inc.
cell:   801-376-6435      10871 North 5750 West
                                   Highland, UT 84003

A Job is only necessary to eat!

A Family is necessary to be happy!!

On Wed, Sep 27, 2017 at 3:33 PM, Pat Thaler <000006d722d423ba-dmarc-request@ieee.org> wrote:
Most of the things are common across 802 - all the items I mentioned are common except for the IEEE 802.3 paper attendance record.

I think we should compile one report with the common items plus any WG specific items. 

One area is interim meeting registrations. For 802.1 and 802.3, most interim meetings are hosted and the host handles registration. In that case, there is no contact between the registration and the IEEE systems/data so nothing to report? For wireless meeting registrations, is info handling the same as for plenaries?



On Wed, Sep 27, 2017 at 1:48 PM, Paul Nikolich <paul.nikolich@att.net> wrote:
Steve,

I don't think that's feasible because each group handles data a little bit differently.  If you have detailed questions, please direct them to Yvette and Markus (copied here).

I did ask Jon Rosdahl to coordinate.  Let's see what Jon has to say after he has time to think about it.

Regards,

--Paul

------ Original Message ------
From: "Steve Shellhammer" <sshellha@qti.qualcomm.com>
Cc:
Sent: 9/27/2017 4:02:40 PM
Subject: Re: [802SEC] Fwd: IMPORTANT AND TIME DEPENDENT -- Information Request to IEEE-SA Sponsors - Please reply by 06 October 2017

Paul,

 

                Can 802 provide one response to this request versus responses from each individual working group?

 

Thanks,

Steve

 

From: ***** IEEE 802 Executive Committee List ***** [mailto:STDS-802-SEC@ieee.org] On Behalf Of Benjamin A. Rolfe
Sent: Wednesday, September 27, 2017 12:19 PM
To: STDS-802-SEC@LISTSERV.IEEE.ORG
Subject: Re: [802SEC] Fwd: IMPORTANT AND TIME DEPENDENT -- Information Request to IEEE-SA Sponsors - Please reply by 06 October 2017

 

While Pat is completely correct that the information provided in the document is incomplete and raises many questions, Paul may be able to clarify, but I believe at this time the "task force" is asking only for us to provide specifically what information we collect, retain and use, and the various systems involved.   I read it that the task force is supposed to use this information and, we might *assume*, provide us with procedural guidance and requirements for compliance with the regulatory requirements at some point between now and the regulations taking effect.

If we wish to list all the flaws in the document, that will take quite some time.  Speculation on what irrational and impossible to comply with procedures the task force might come up with is likewise likely to take some time. While both may be entertaining, neither seems productive. What seems productive to me is give them information on how we conduct our business as completely and accurately as possible, see what they do, and then whinge about the result then :-).

 

 

On 9/27/2017 12:04 PM, Adrian Stephens wrote:

Hello Pat,

Please see below...

Sincerely,
 
Adrian Stephens
IEEE 802.11 Working Group Chair
mailto: adrian.p.stephens@ieee.org
Phone: +447342178905
Skype: adrian_stephens

On 2017-09-27 08:52, Pat Thaler wrote:

The information sheet provided is flawed. It has the requirement:

"Consent

· Must be explicit for sensitive data"

It defines Personal Data, but not sensitive data so it is impossible to know whether one is meeting that requirement.

 

It asks about whether information is passed to a third party. 

F2F collects information as part of registration and they collect data as part of that. Also, registration uses RegOnline.

One can enter a password to import data from the past registration so data is retained from meeting to meeting. It isn't clear that there is any mechanism to get your data removed.

I think you ask the meeting planners,  who have administrative access to this data.

Registration requires an SA pin - is it used to access data from IEEE servers?

No.  In the past the registration system confirmed username/password and discovered and retained SA pin.
Now,  the SA pin is an input field that ~90% of registrants manage to enter correctly.

 

IMAT system captures attendance data. Working group officers download the data so have access to it.

 

IEEE 802.3 collects names and affiliation on paper to record partial participation since IMAT doesn't support that.

 

Names and affiliation are published in minutes. They aren't removable - in this case, we have legitimate legal reasons for not providing the "right to be forgotten."

 

MyBallot comment databases contain ballot pool member classification, email and phone as well as name and affiliation.  It is visible on line to Sponsor officers (Sponsor chair and vice-chairs at least - I can see it for all 802 sponsor ballots), WG chair and delegates. These volunteers can also download it in a CSV that includes name, classification, affiliation and email address.

 

Information for commenters (name, affiliation, email and phone)  is included when downloading comments and distributed to editors as part of the comment database to enable comment resolution.

 

That's all I can think of offhand.

 

Regards,

Pat

 

On Wed, Sep 27, 2017 at 10:59 AM, Benjamin A. Rolfe <ben@blindcreek.com> wrote:

According to the "any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc." we need also report manual operations where we require personal information be provided even though it is not recorded, e.g. badge pickup where an attendee may must use a passport or other ID with a photo.  Is meeting attendance "personal" information? I don't know, so maybe we should include that this is recorded in IMAT and let the task force figure out if it's "personal" or not.  Not sure if this is what they are asking for, but better be too complete than to risk being incomplete.
 
B




On 9/27/2017 5:44 AM, Clint Chaplin wrote:

I can tell right now that data is collected as part of the meeting registration process and the meeting fee payment system.  As of now, that includes Authorize.net and RegOnline services.

 

On Wed, Sep 27, 2017 at 3:20 AM, paul.nikolich <paul.nikolich@att.net> wrote:

 

-------- Original message --------

From: Dave Ringle <d.ringle@ieee.org>

Date: 9/26/17 9:44 PM (GMT-05:00)

To: std-liaison-reps <std-liaison-reps@IEEE.ORG>

Cc: Yvette Ho Sang <y.hosang@IEEE.ORG>, Markus Plessel <m.plessel@IEEE.ORG>, Matt Ceglia <m.j.ceglia@IEEE.ORG>

Subject: IMPORTANT AND TIME DEPENDENT -- Information Request to IEEE-SA Sponsors - Please reply by 06 October 2017

 

IEEE-SA Sponsors,

 

As you may be aware, the European Union (EU) adopted the General Data Protection Regulation (GDPR) on 14 April 2016, which addresses collection and use of personal data. Similar regulations are being implemented in countries outside the EU. The GDPR will go into effect on 25 May 2018 and IEEE has to meet the requirements of the regulation by that date. 

 

In order to determine how our volunteers collect and use personal data, we will need to know what mechanisms/systems/applications are being used to collect or download personal data, where that personal data is sent, how it is used, and what retention is in place. IEEE is asking its standards development groups to provide that information so that it can determine what system or process changes may need to be implemented to meet the GDPR requirements.

 

An information sheet is attached to help you understand the regulation. Your IEEE Staff Program Manager will contact you in an effort to obtain the needed information. We will need your response by 06 October 2017.

 

Thank you for your assistance in our effort to be compliant.

 

Regards,

 

 

 

Yvette  Ho Sang, MBA, ARM

Director, IPR and Risk Mgmt

IEEE Standards Association

Mobile: +1 732 690 9863

 

Fostering technological innovation and excellence for the benefit of humanity.

 

---------- This email is sent from the 802 Executive Committee email reflector. This list is maintained by Listserv.



 

--

Clint Chaplin
Principal Standards Engineer
Samsung Research America


Attachment: 2017 GDPR Flyer.pdf
Description: Adobe PDF document