New requirement for data ownership and right to be deleted

Coversheet	RDM-2024-0054
Meeting ID	RDM #67
Source	Sejong University (JaeSeung Song, jssong@sejong.ac.kr / Jieun Lee, love9ly@sju.ac.kr)
CR Title	New requirement for data ownership and right to be deleted
CR Against Release	Release 4
CR Against TS/TR	TS-0002 V5.3.0
Work-item	WI-0001 Requirements
Reason	oneM2M TR-0062 studied privacy regulations such as GDPR, and recommended to address various issues in oneM2M Systems including data ownership and right to be forgotten. This contribution proposes to add a new requirement to TS-0002 v5.3.0 to address issues related to data ownership and right to be forgotten. Please refer Section 9.4 Key issue on Ownership and Right to be deleted and Section 10 Conclusion in TR-0062 "oneM2M System Enhancement to Support Privacy Data Protection Regulations". Below is the contents addressed in Section 9.4. In the case of GDPR-applied data, different data should be displayed depending on the user. For example, the owner of pseudonymised data can access the original contents regardless of the applied regulation. On the other hand, in the case of general users, they can access data containing personal information, but in the form of pseudonymisation. Therefore, in the case of data specified as containing personal information, data ownership, not a simple access control policy, plays an important role. In addition, in the case of data subject to the Personal Information Protection Act, upon request of the user who owns the data, it must be immediately deleted from the system (i.e., right to be deleted or forgotten). Therefore, if there is a request to be forgotten from a user who has the ownership of privacy-related data, the IoT platform can process the request with two pieces of information, namely data ownership and whether or not GDPR is applied.
Type of change	Correction
Clauses	Section 6.4 Security Requirements
Other comments

changed the description

closed