Friday, July 30, 2010

Healthcare should join OASIS Privacy Management Reference Model (PMRM)

This is the latest effort to focus on understanding the requirements of Privacy Controls, and building a reference model to manage privacy policies and support enforcement. I have added my name to the group, but because of OASIS rules of membership classification I get no mention as I am only an "Individual Member" and not an "Institutional Member". I am disappointed that I have been unable to convince other healthcare organizations to bring healthcare needs to this group. I think healthcare is an especially critical and yet complex problem. That is to say that I want the needs of healthcare to be known, but don't have any expectation that they will be solved for years. But if they are not known by this group then they could very well go down pathways that healthcare can't follow, such as DRM.
OASIS has announced the creation of a new Privacy Management Reference Model (PMRM) Technical Committee. Its principal objective is to "develop and articulate a Privacy Management Reference Model that describes a set of broadly-applicable data privacy and security requirements and a set of implementable Services and interactions for fulfilling those requirements." The first meeting of the PMRM TC will be held as a teleconference on September 08, 2010. Institutional member companies approving the TC charter include CA, ISTPA, NIST, American Bar Association, WidePoint Corporation, and Information Card Foundation. The PMRM TC is expected to be of interest to privacy policy makers, privacy and security consultants, auditors, IT systems architects and designers of systems that collect, store, process, use, share, transport across borders, exchange, secure, retain or destroy Personal Information.

The TC will accept as input the existing ISTPA Privacy Management Reference Model v2.0 -- a structure for resolving privacy policy requirements into operational controls and implementations -- developed by the International Security, Trust and Privacy Alliance (ISTPA). It is anticipated that this document will be contributed to the TC for further elaboration and standardization at OASIS.

Specific goals of the TC are to: (1) Define a set of operationally-focused privacy requirements which can serve as a reference for evaluating options for designing and implementing operational privacy controls. These requirements will constitute a useful working set of 'privacy guidelines', which can both serve as general guidance, and as a feature set against which the PMRM and any implementation can be tested. (2) Define a structured format for describing privacy management Services, and identify categories of functions that may be used in defining and executing the Services. (3) Define a set of privacy management Services to support and implement the privacy requirements at a functional level. These Services will include some capabilities that are typically implicit in privacy practices or principles (such as policy management or interaction), but that are necessary if information systems and processes are to be made privacy configurable and compliant. (4) Establish an explicit relationship between security requirements and supporting security services (such as confidentiality, integrity and availability services) and the privacy management Services.
... More
See also the OASIS Privacy Management Reference Model (PMRM) TC public web page: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pmrm