some minutes ago (R) came in with a cap-form in his hand 
and presented this form to me and another assurer ...
 
as far as i know, an assurer is allowed to show the contents of a 
cap-form only to an arbitrator, when he acts in an arbitration case 
and he needs the data from the cap for his ruling (there are some 
other cases, but this will not fit in this case)

... to keep the privacy of applicants data, i have to file a dispute 
against <name> (<email address>) ...

Before: Arbitrator UlrichSchroeter (A), Respondent: Bjoern E (R), Claimant: Dirk A (C), Case: a20100304.1

History Log

Discovery

I did not happen to witness the occasion mentioned on 4th of March.

I also refuse to comment on this case in any further way as its init was
inappropriately handled to the disadvantage of the respondent.

I request the respondent to be changed from <R's name> to CAcert
Community, specifically any common party, as named by the arbitrator, to
achieve a general ruling in this case. Assurers showing CAP forms to
fellow assurers in case of inconsitencies appears to be common practice
and <R's name>, being personally known to me, does not fit in here
as a single respondent, even if it be for reasons of POC.

before I can come to a global ruling I want to investigate typical situations, that may happen on a recuring basis.

A 2nd privacy issue appeared at Cebit booth 2 days later on Friday, 5th of March. I've also requested infos about that issue.

From my knowledge, Bjoern wasn't as long as an assurer before ... probably he started his experience a few days ago, as it come to my knowledge, that Martin invited him to come to Cebit.

As the named issues happens more often on events than expected, this issue is a general purpose, but needs to be identified analyzed and named once. Therefor I've started the request to each participient to describe it individualy what happens, what he has seen, what info he gets, to get an overview how privacy is affected and how such situations probably can be prevented (if a privacy issue occured - thus I didn't get yet covered except thru the named dispute filing, but this dispute filing didn't include the special info what privacy info has been transfered ....)

To get this case to a broader audience, I first need to start what I've got thru the dispute filing, and thus was the case happened with the participient Bjoern and Martin and other assurers.

I had a short interview with Bjoern outside the Cebit hall 2 and described him my intentions to handle this case. But thus can only work, as long as I got all the infos needed as requested, to describe a "typical situtation" that happens at big events or other assurance events with more than one assurer.

So here again:
What does happen ?
Please describe the course of event as you've perceived it as detailed as possible.
Which info did you cover from the CAP form in question?
Name ? Email Address ? DoB ?

Those detailed infos are for the purpose describing formal a situation that may happen from time to time in one or another way assurers are under education, or in training situations, also in situations confronted with an unusal document and so on.

The request to discard Bjoern from Respondent at this moment I have to reject until I have enough infos to bring this case to the next higher level - a global view in the progress of this case.

Maybe it was a bad idea, to use Bjoern as a respondent in this case, so I've accepted you as an experienced Assurer
to assist Bjoern in this case.

We will all be required to work together after this Arbitration, so I ask you to maintain a positive and helpful spirit at all times! Thus means, we have to walk thru this case step by step. First starting with investigations what realy happens.

Intermediate Ruling

Discovery II

Deliberation

At big events, where more than one Assurer assures an Assuree, the group of Assurers consists of Senior Assurers, Experienced Assurers and Assurers who started with Assuring others, the so called unexperienced Assurers. The latter group asks often Senior- and Experienced Assurers about problems with names and DoB and how they can handle this.

Following AP 7. Privacy limits the access to the members information in the following way: The Member's information can be accessed under these circumstances:

AP 7. Privacy also says: Information is collected ... It is used secondarily for training, testing, administration and other internal purposes.

CAP forms has an addtl. clause: "... and request the CAcert Assurer (identified below) to verify me according to CAcert Assurance Policy" This clause is to read as "I (the Assuree) hereby allow you to handle with my privacy data according to AP" If this controlled passing of privacy data handling is given to all Assurers at an event, the secondarily issue of AP 7. Privacy about training and testing is no problem as the Assuree allowed the Assurer to work with the privacy data in a way AP allows it.

What other purpose can be read for "training" and "testing" ? if there exists a problem with the data of a user and an unexperienced Assurer asks an Experienced Assurer about such a case ?

In situations where problems araises in an assurance, the next step is, if there is no immediate solution, to file a dispute. This needs also some training, to realize, what can be handled immediatly and when to file a dispute.

Experienced Assurers can help unexperienced Assurers, but this often consists of exchanging the Assurees private data. As long as there can be expected, that the experienced Assurer also did assure the Assuree, there is no problem here. But there is a problem in the case, the Assuree hadn't give the experienced Assurer the permission to verify the Assurees privacy data.

A typical situation on big booths is: -- 2 Assurers staying byside, assuring 2 Assurees at the same time. The unexperienced Assurer has a problem with a hyphen in the name that isn't on the CAP form, but in the ID document. As the unexperienced Assurer didn't know about a special country variation rule for Germany, that 2 givennames combined by a hyphen are considered to be one name, he asks the experienced Assurer, how to proceed?

Assuming, that the Assurer hasn't been assured by the experienced Assurer, the experienced Assurer didn't got yet the permission to verify the data against data in the ID document. At this moment, the Assuree is participient of this situation. If he doesn't gave such a permission to the unexperienced Assurer, that the experienced Assurer can assist him, to handle this situation, he can intervent in this situation. As a recommendation, the unexperienced Assurer should ask the Assuree, if he can get assistance from an experienced Assurer. Privacy problem solved, as now the Assuree has the option to decline.

Same situation, different timing: -- At the booth an Assuree got assured by an unknown count of Assurers who works on the booth of a big event. Afterwork getting dining, the group of assurers mets for discussions about the day, hacking in their assurances and so on. The group of unexperienced, more experienced and experienced Assurers and also Senior Assurers can be seen as the events Assurers unit. So its likely that one Assuree gets assured by all Assurers. Now one Assurer detects one problem with one Assurance.

When, not now, is the best time to find a simple solution about this problem ?

With the assistance of experienced and Senior Assurers, probably a solution can be found: i.e. contact the Assuree by email to solve the problem, before starting a dispute. In such situations the experienced- and Senior Assurers fulfills a pre- Case Manager / Arbitrator role, before a case ends in the disputes queue. To check the solutions that are possible to handle this unique and special case.

At Froscon 2008 the group of Assurers had a closed communication channel thru mailing list. Close after the event the first assurer found a problem in an Assurees name and stopped assurance, contacted a 2nd Assurer ... who continued checking the Assurees data and found also a DoB problem. Both Assurers notified the other Assurers about such a problem. A 3rd Assurer was warned and also stopped to continue to transfer points to the account. Assurer 1 and 2 stumbled over the notification in the online form, that the Assuree has already 80 pts, later on 100 pts. So at least 4 Assurers had transfered their assurance points onto the account. Thru the communications channel the problem has been identified also the 4 assurers who already transfered assurance points. Support-Engineers, a Senior Assurer and also an Arbitrator has been contacted. The quick solution was to revoke the falsery given 4 assurances by request from the Assurers. The left 3 Assurers who didn't transfered their assurance points yet, than later transfered their assurance points, after the Assuree corrected the Name and DoB data in his account at the moment the 4 assurances was revoked.

This story shows transparent the minimum need for communications between the Assurers, so they can detect and fix problems, before a case have to be moved into the arbitration queue. An unbureaucratic approach is a limited approach. Limited to big events (3 and more Assurers), the post-event work is handled not in the public and is limited to the Assurers who works on such an event as Assurer (at Cebit 2010 we had about 3 known people who doesn't doing assurances but with my knowledge, that they have at least in 2 cases Assurer status, they aren't part of this closed group of active Assurers to be named under this limitation).

At Cebit 2010 we had a group of Under18 Assurees. Before the Assurances started we had to identify that all assurees are underaged and falling under PoJAM. This was the first event, a practicle workaround needs to be settled, to handle all these cases at once. As they underaged assurees are from Austria, the Assurers needs some knowledge about the Austrian regulations about underaged people. So we've contacted PD by phone to get assistance from him. Without some knowledge about the Assurees - they are under 18 years old, they settled in Austria, this case hadn't been handled w/o prior informations and informations exchange. The PoJAM was in force at this time, but it needs at least 4 Senior Assurers to find a solution, how to handle this case. Without a minimum of informations that has been exchanged before, this case hasn't been could opened and started. Not all Senior Assurers that are involved in this pre-Assurance work has done an Assurance over the Assurees but w/o their assistance it wasn't possible to build up a script how to handle these Assurances. The Assurers get informed and to be named for this case to exchange informations also in the post-Assurance work to get the Parental Consent spread to all the Assurers.

In other than Assurance areas within CAcert we have also situations, where privacy data is exchanged as part of the jobs duty. These areas are

Starting new in the Support or starting new as a Case Manager / Arbitrator each role gets probably informations about the involved parties privacy information (i.e. request from the arbitrator about the fullname of a user named by email adress) under supervision. This means, the supervisor didn't get the explicit permission to handle the privacy data by the case related parties. At the moment of supervision, the Supervisor is a passive participient in an defined event as long he controls the work of a trainee. This is covered thru AP 7. Privacy "CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy." and AP 6.2. High Risk Applications "Additional training"

To train Assurers, Support-Engineers, Arbitrators is not yet well covered by the policys. But its an essential part in the overall operation, in the daily business, to increase the overall quality of Assurance, Support, Arbitration.

Everybody knows the concept of the driving school. It consists of a theoretical part and the practicle part. The theoretical part in the Assurers education is the presentations part in ATEs and the practicle part is the co-Audited assurances part in ATEs.

There still exists no ATE for Support-Engineers nor for Arbitrators. Support-Engineers and Arbitrators have to do their work from scratch. This doesn't work.

So here comes the education / training. The same way, Assurers get experience by doing Assurances, they sometimes need assistance from experienced Assurers, Support-Engineers needs assistance from an experienced SE, also unexperienced Arbitrators needs assistance from experienced Arbitrators.

So does the training on each roles leave limited room for exchanging privacy informations, as long as it is needed to handle a case that follows the policys (AP, AH, SP, SM, DRP) to the involved parties ?

A Supervisor and/or Mentor isn't explicitly named in a Support case, Arbitration case, Assurance process, but becomes part of this process.

So the question here is: does the Supervisor / Mentor be explicitly named under a case so his Supervisor / Mentor role gets noted ?

Questions

So the questions to be answered by this arbitration are (unordered):

Affected Policies

Possible affected policys and documents by this arbitration case:

Assurance, Privacy and Training

This case also covers the Privacy part of an assurance under the education and training aspect that AP 7. Privacy allows under some circumstances access to privacy informations in a limited way.

The group of Assurers at a booth at a big event can be seen as a Assurers "unit". Mostly all got the permission from the Assuree, to conduct the assurance. This wasn't probably the intension on writing the policy. But thus includes the handling of the data in a problem case in a limited way.

One limitation is that only Assurers that are part of the Assurers "unit" can exchange some informations. The 2nd limitation is, that only parts of the full information set (Full name, DoB, Email address) is exchanged between the assurers to identify one special case: i.e. Givenname or special part of the lastname or year of DoB or Day+Month of a DoB or domain of email address and not all informations (Fullname + DoB + Email) at once with the goal to identify one case of all Assurees that got assured at one event.

Thus relates for training purposes or to prepare an Arbitration case to fix a problem with an Assuree if it cannot be handled directly.

With this PoV, actions in this way cannot be seen as a policy breach. (R) handled as an unexperienced Assurer in his training phase, to ask for assistance of an experienced Assurer about a special problem.

Every Assurer at the named event was aware of (R)'s status as unexperienced Assurer. His training state wasn't in question.

So education - training is a central component, that needs deeper inspection. As shown under deliberations, there are 2 elementary points that needs a consideration: privacy vs. training.

Both are handled within AP, so both are under control of a policy as stated under AP 7. Privacy: The Member's information can be accessed under these circumstances:

and AP 6.2. High Risk Applications: Additional measures may include:

As (R) did not attend an ATE before, as long as (R) didn't got an private educational training about privacy purposes before this event happens, this event was under training of (R). The experienced- and Senior Assurers were the named (C) and also other Assurers (AS#) that are witnesses in this case.

An Assurers job about privacy issues is like a system admin. Its not limited to one special case, to the Assurees data an Assurer has assured, its also over the additional duties, to educate and train unexperienced Assurers. If he got informations by train others, his duty is to keep the information safe and not to use the data for any other purpose as for the training. i.e. training purpose "file a dispute" - what data needs to be written in a dispute filing ? The name of the Assuree, the primary email adress that is used in the Assurance. If there is a problem with the DoB also the DoB that is seen in the ID docs of the Assuree, what is written on the CAP form and what has been found in the online account. So on a DoB problem, the notation of the day, month and year needs some addtl. informations, so the Supervisor, Trainer, Mentor probably got also the DoB information of an Assuree the Mentor didn't assure to give the Assurer in question advice how to write down the dates from different sources (ID doc, CAP form, Online Account). This described scenario relates to cases after an Assurance was made and the Assuree hasn't direct control to the interactions the Assurer has with a Mentor. Cases with interaction by the Assuree are described under deliberations.

Each Assurer should limit the exchange of Assuree data informations to a minimum under all circumstances, also under training purposes. To inform the Assuree over the possibility, that after an event an Assurer can exchange some of the privacy data with an experienced- or Senior Assurer for training purposes seems to be impracticle:

  1. An Assurer has to inform the Assuree about CCA, CAcert and much more.
  2. Problem cases in relations of uncomplicated cases are the minority.
    • and also problem cases that needs training by an experienced- or Senior Assurer are a minority in relation to all problem cases.

To get an idea, how many problem cases are practicle, I use the statistics data about total Assurances and total new Arbitration cases Not all Arbitration cases are administrative disputes, not all problem cases coming into the disputes queue, as they are solved in the pre-arbitration stage, but the result may give an overview:

The relation between successful assurances and problem cases is 1352 : 11 => 0,8 %

So we're probably talking about 0,8 % of all Assurance cases, that probably needs assistance from an experienced- or Senior Assurer.

Its too less to make it mandatory in a talk between the Assurer and the Assuree, but its too much, to ignore this problem.

Policy group makes it clear, that thus is no default behavior, so that it becomes a rare condition. But policy group by writing AP allows such events in a limited way.

There exists an Education group within CAcert with a team leader. This is an indication that education and training is an integral component of CAcert. Education groups duty is not only the education over Assurers. Its also for Support-Engineers and Casemanagers/Arbitrators and probably other areas within CAcert. CATS, the CAcert Training Service is open to other areas also, not only for training of Assurers. But yet only the Assurer Training has been implemented. A training course for Support-Engineers and Casemanagers/Arbitrators will be deployed within the Wiki, first to collect informations that are essential for each group. Maybe one day this can be transferred into a training course.

In 2009, CAcert started the advanced Assurers training with the Assurer Training Events (ATE's). An addtl. indication that there is a general concept for education and training within CAcert.

Reporting to the board by these groups is also part of this concept.

The Mentorship finds also its relation in the Proposal: CAcert Community Spirit Team

and is also covered by

Organisation Assurance concept uses Supervision for the first two cases a new Organisation Admin has to do, before he can be nominated to become OA-Admin.

Support-Engineers have to pass the Triage phase, by practicle work in the pre-Support work, to learn and understand the CAcert structure. Than he has to undergo an ABC before he can be nominated to become Support-Engineer. Case Managers and Arbitrators don't need to pass an ABC but they also need some education and training for this area they will be nominated for. In difference to the Support-Engineers, that have direct system access and therefor falls under SP/SM and therefor has to undergo an ABC, Case Managers and Arbitrators have to follow DRP and are not directly under SP/SM sovereignty. Arbitrators have to follow SP in cases were its applicable, but themselves they aren't under this regime.

Privacy issues aren't such a problem in cases where an Arbitrator orders a Support-Engineer to take actions. A Support-Engineer under Supervision is also covered by this Arbitrators order. The Support-Engineer role is exchangable.

The privacy issue is not in question if it is handled thru an Arbitration, cause this is explicitly defined under AP 7. Privacy The Member's information can be accessed under these circumstances:

So the areas in question regarding privacy issues are:

Privacy is defined under:

Section 9. Exceptions is also handled in AP 7. Privacy. Section 8. Privacy of user data is more interesting for further inspection: What does

mean ?

It leaves open the question, if other Assurers can possibly read the data, as long an Assurer searches for an email address in the Online account database.

So other possibilities aren't allowed nor explicitly denied (i.e. for training purposes, fixing problems within an assurance)

Training is defined under:

The count of definitions about Privacy vs. Training written in Policys and Documents leads to the conclusion, that the Training issue gets less attention.

This is a false conclusion.

Training finds a way into the principles, and therefor is at the same level to the Privacy issue. So the question Privacy or Training cannot be answered exclusivly. Both needs to be considered by each action taken:

If I can answer both questions with Yes, I'm safe to all the Policys and Rules and Principles.

Training is not limited to special Training events. Training starts within an Assurance. Each Assurance is a training for an Assurer, unexperienced or experienced one. Questions that araises within an Assurance process, is a signal Training required.

As shown in the answer in the section above a question Privacy or Training cannot be answered exclusivly. But how can answer an Assurer this question in an Assurance event?

The nature of this question is a conflicting question between two principles. Such conflicting questions can only be answered thru discussion, as each event is individual, each event may result to either answer. So this questions needs to be questioned in each event, for each case.

A simple rule can be simple followed: Don't show the CAP form any person

The expanded rule is also not a problem to follow: Don't show the CAP form any person, except an Arbitrator on request

But how to follow the rule if it gets expanded with the Training principle ? Don't show the CAP form any person, except an Arbitrator on request ... and under Training purposes

Training under CATS or ATE is defined properly as it includes the training aspect in the name. But in an Assurance event Training moves to a soft definition.

Can it be named Training if an unexperienced Assurer runs into a problem and asks an experienced- or Senior Assurer ?

The answer is yes.

At Linuxtag 2009, Berlin a group of experienced and Senior Assurers discussed the question: "Is the Assurance limited to the face-2-face meeting by defining the Assurance points, or does the Assurance include the process from the meeting upto the moment entering the Assurance Points given into the Online system ?"

I'm following the view, that the Assurance is a process. A process with several steps and tasks, and each step and task is related to the Assurance between an Assurer and one Assuree. A process with the possibility of late descisions, Training, dispute filing. As long as the Assurance points transfer to the account hasn't been finished, the Assurance process is still open, the Assurance process hasn't been finished.

The definitions of "Assurance" and "Assurance process":

Wiki defines Assurance as Assurance_services. and "... the goal of improving the information or the context of the information so that decision makers can make more informed, and presumably better decisions". One can argue, that the moment I make the decision to give X assurance points by entering it on the CAP form is the moment of "Assurance". But remember, you may running into a problem, where you have to check further information you've gathered in the face-2-face meeting against databases. You, as an Assurer have an option of a late decision. So this moment of "Assurance" is not limited into the face-2-face meeting. These are rare conditions, but they'll exists.

The answer to this question relates also to the question "how to handle CAP forms of Assurances where the Assuree did not create an Online Account?" but this is out of scope of this arbitration. The question I have to answer is, how Privacy and Training relates to the Assurance process and if this is well communicated to the community ?!?

The question, why I opened up this view is twofolded:

As shown under deliberations, the Assuree has the option to deny the request for assistance by an experienced- or Senior Assurer to the unexperienced Assurer.

In the Assurance process after the meeting, the Assuree cannot answer this question, as long he hasn't been contacted by email by the Assurer.

Can it be assumed, that the Assuree will answer this question with Yes ? Is this sufficient for argumentation?

Ok, two scenarios: Scenario 1: The Assurer runs into a simple question for an experienced Assurer, but the question is not simple to the unexperienced Assurer. If the Assurer is now at home, sitting over this question, and finds no answer, he can come to the conclusion, to search the answer in the internet. Asking in the mailing list. As long he uses the users data for the question, the 'Privacy' is no longer under control. Does the Assuree will answer the question with Yes ? Probably No.

Scenario 2: The Assurer runs into a simple question for an experienced Assurer, but the question is not simple to the unexperienced Assurer. If the Assurer is sitting in a group of Assurers from the Event, where the Assurance was made, and he asks for assistance one of the experienced- or Senior Assurers who also did assurances at this event. The 'Privacy' is under control by the experienced- or Senior Assurer. Does the Assuree will answer the question with Yes ? Probably Yes.

Can I use assumptions as a basis for my decision ?

In the Assurance process one task is to check the ID document for validity. I'm trained about all the security features of a Germany IDcard. I've verfied all the security features and I've found they are all ok. I've also checked the script type of the fields against the DoB field (one indication of a faked DoB). They are all of identical type. The picture on the IDcard shows the person I'm sitting face-2-face. All UV security features are on the IDcard. Also the 2nd wavelength shows other security features on the IDcard. All holograms are at the position they have to be. The expiry date is in the future. The issuing authority is correct and valid. And at the very end of the ID checking process, the Assuree tells me, that this document is a fake. Puhh.

Would you like to continue with the Assurance ?

The Nondeterministic Experiment (Watzlawick)

Test persons got pairs of numbers submitted (31 and 80). They must decide whether the numbers fit. The pairs of numbers are coincidentally arranged, and the test manager gives his evaluation correct or wrong on the basis to a half rising Gauss bath tub curve. The evaluation becomes correct also runs away the experiment ever more frequently, it comes to the training of a hypothesis by the test subject.

If them the experimental assembly is revealed, the test subject assumes even occasionally a regularity to have discovered which escaped the test manager. The test subject thus in the true sense of the word reality invented from which it with good reason accepts, it to have found. For the test situation this reality is assertible, it recognizes however not in the removing the actual experimental assembly.

How does this relates to the Assurance, the Privacy and the Training ?

Assumtions mostly tends not to fit but we have to make daily decisions based on assumptions. So we have to deal with the risk, that our assumptions are wrong.

So how we can reduce the risks ?

Practicle solutions

In the moment of Assurance, running into a problem, asking an experienced- or Senior Assurer for assistance, we are not aware about the Training purpose that happens and we're also not aware of the Privacy concerns over the Assuree as we, the experienced- and Senior Assurers are bound to the principle to assist unexperienced Assurers but we have also to take care about the privacy concerns.

So every assistance request of an unexperienced Assurer to an experienced Assurer is a training also for privacy purposes. Tell the unexperienced Assurer, that he is bound by AP 7. Privacy, to allow access to the privacy data only to Arbitrators by request and you are now running into a privacy conflict if you didn't assure the Assuree also. That you may assist under the premiss of AP 6.2. High Risk Applications by 'Additional training' and the access to privacy data has to be limited to solve the problem. So none or a minimum of the privacy data should be presented to the experienced Assurer, to assist the unexperienced Assurer in this case.

While reading http://www.sfwork.com/jsp/index.jsp?lnk=644 (Keywords: Systems Action in Organisations, Change, A Learning Organisation, Levels of Learning, First Level Learning, Changing The Rules, Second Level Learning), I'm impressed about the analogies to this case. The conflict between Privacy and Training is also a question over First Level Learning and Second Level Learning. We don't need to change the rules (Second Level Learning) here, as long as we allow some First Level Learning here. The First Level Learning is implemented in AP 6.2. High Risk Applications by 'Additional training'. Accepting the need for Training of our unexperienced Assurers and by following the Privacy requirements by our experienced- and Senior Assurers that they not only bound by direct relations of an Assurance, also to indirect relations of an Assurance (assistance of unexperienced Assurers), we have a construct with a limited scope to a group of Assurers of a special event where the assurance was conducted. As such cases may happen rarely, the High Risk Applications definition is adequate.

Later on in a dispute filing about this Assurance, an Arbitrator may be interested in the details that happens in the Assurance process. So its likely, that the Arbitrator still gets notice, that the unexperienced Assurer gots assistance from an experienced- or Senior Assurer. So it maybe helpful, to have the name of the experienced- or Senior Assurer to contact him also. So documentation comes in place. If the unexperienced Assurer documents this asssistance onto the CAP form, he has requested assistance for, the involved parties where a possible "privacy data" leak occures are named and can be later on a dispute case be heard.

The purpose of the CAP form

The CAP form can be seen as the Assurance protocol. First to document the details seen in an ID document of the Assuree. Also its a document like a contract about the CCA. In dispute filings the CAP form will be used as a protocol over an Assurance. Notes made by the Assurer about found differences of different documents, notes about Assurees push to finish the Assurance and so on. Later on at home, trying to transfer the Assurance points onto the online account, the not found email address in the online system can/should be added as a note onto the CAP form, to document, that the non-existance of an account did happen. Waiting a few days, until the Assuree created his account, the try of transfering the points can be noted and the date of transfer of points should also be documented. Adding notes about consulted assistance from an experienced- or Senior Assurer is an addtl. note that states what happens in the Assurance process and documents a AP 6.2. High Risk Applications - Additional Training.

Ruling

Training is yet a not so well documented feature, that may break privacy issues. But as long as its documented, this behavior is revealed. So in relation - privacy vs. training - do we want our Assurers running into a problem, by not giving them the optional assistance? Every assistance is also a training. So therefor "Additional training" is also named under AP 6.2. as "High Risk Applications". This issue needs attention.

I follow the opinion of (AS1) and (AS3), that (R) is a badly chosen victim in this case. I relieve (R) in this case and move the duty to (C) as an experienced and also Senior Assurer to educate and train unexperienced Assurers instead of filing a dispute at the very first time.

But this said, I have also to point to CCA "2. Your Risks, Liabilities and Obligations" As a Member, you have risks, liabilities and obligations within this agreement.

So this Arbitration case is the practicle part of this agreement that each member has to accept, before he can become a member.

So Arbitration system is also there to protect the members. An Arbitrator has to decide, if a claim against (R) is either valid or invalid and needs to be rejected. Like other courts, an accused is innocent until its debt is proven.

The Arbitration system is about to handle all disputes between members. But this cannot be read as a global charter to move all cases to the Arbitration system at the very first time.

The disputing parties should check before they move a case into the disputes queue, if they can handle a dispute by their own, by either discussing a case in a face-2-face meeting or by email. If the disputing parties doesn't came to a solution, either disputes party has the option to file a dispute. This step of pre-arbitration work can be mentored by an experienced Assurer, a Senior Assurer or by an Arbitrator.

Also an experienced- or Senior Assurer have to check, if the problem case was done by an unexperienced Assurer, so his own duty is to train the unexperienced Assurer. If this fails, than a dispute can be filed. In the presented case, there was an option to first talk with (R) about the privacy problems and discuss it. I cannot read in any statement, that (R) rejected a training, instead he asks for assistance.

Detailed questions

AP 6 and AP 6.2 sections

AP 6.2. High Risk Applications is a subsection of 6. Subsidiary Policies. It can be read that the subsection talks about Subsidiary Policies only, not about AP. From talks with persons working on AP, I've got the impression, that 6.2's intension relates also to AP, the main policy. But this needs the section title to be modified to:

thus it includes AP also (inclusive / exclusive view). To find answers in this Arbitration case I've read and use this section this way (inclusive), but I will leave this question open for Policy Group to further discuss this part and to clarify this issue about AP.

(C) gained hold of the CAP form. (Fast move, not too violent. ...)

(C) as a Senior Assurer should know AP 7. Privacy. So therefor he also takes care about unexperienced Assurers and their knowledge about privacy issues. (C)'s duty in such an event is to train the unexperienced Assurer about the privacy issue, not to push him into a situation, so that he has to file a dispute regarding this issue. Maybe (C) acted in affect as he wrest the CAP form away from (R). But this isn't an adequate handling of a Senior Assurer. Despite the fact of the following discussion about privacy issues and the handover to a dispute filing to get a precedence case, as it shows the problem with such a case, I let the incident be based on itself.

Regarding the request 'I hereby strongly request the arbitrator to consider that policy group be directed / gently pushed to discuss mentor-ship as it relates to privacy, DRP and any other applicable policies.'

As shown, rules exists to handle Training and Mentorship in such events. The only missing component is documentation of such events.

Here I come back to the question (under Deliberation): The question, why I opened up this view is twofolded:

Document such issues is possible in the face-2-face meeting and documentation is possible after the face-2-face meeting with an Assuree, so it makes no difference to the Assurance process. The need: to document such events.

Returning to the question (under Deliberation): "Is the privacy problem well communicated into the community ?"

My simple answer is: No.

Solutions found in this arbitration ruling, thats more an excurse over Assurance, Privacy and Training, aren't yet communicated to the community of Assurers.

So therefor I order:

a) Policy Group should take a review over AP section 6 title

b) To the Education- and ATE teams

c) To the Assurers:

d) To the AO:

e) No explicite actions over (C) or (R) needed.

Frankfurt/Main, July 27th, 2010

Execution

Similiar Cases

a20100313.1

Coordinated privacy breach

Post Arbitration Note