Editors:
Version | Status | Writer | Editor | reviewer |
---|---|---|---|---|
v.01 | X | Mark Lizar - ; Summary of Intent | Mary Hodder | |
v.02 | X | Mark Lizar & Mary Hodder Stakeholder Analysis | John Wunderlich | |
v.03 | X | John & Mark: Summary of Compliance Contents | Mary Hodder | |
v.04 | Current | Spec Outline: Mark Lizar Respect Network Save Receipt to Cloud: Technical Walkthrough: Markus Sabadello Open Notice Website CR Demo: Mark Lizar | John Wunderlich Mary Hodder | |
v.05 | Next Edit |
Status
first draft v,04 for a complete outline for v.05
...
- Former user (Deleted) insert walkthrough demo links)
- John Wunderlich edit edit the content and working, make less passive and more succinct, help make this the most simple bare bones but functional spec possible for first version.
- Mark Lizar (Unlicensed) needs Open Open Notice Demo (in progress)
- Former user (Deleted) Formatting review and update
- needs a flow chart (will talk to Renee)
- will talk to Renee)
...
Note to Collaborators
- Before you save please note what you changed in the field provided to the left of the save button
- For any structural changes to the tables or format please request these changes in the comment box, not by directly editing the spec itself
Table Of Contents
Table of Contents outline true indent 10px
- Related
Links to Dependent Documents:
- Latest Consent Receipt Template
- Example 1: Open Notice Receipt Implementation
- Example 2: Respect Network PClound Implementation
- Ext Example: 3rd Party
- Compliance Audit
-
- CISWG: Consent Requirements Map: (spreadsheet of laws/principles for receipt and data control R&D)
-
- Hackathon Video and Convergathon Hack Notes from July 12&13 2014 -->
- Scale of Compliance to measure the legal compliance of a consent receipt
...
Respect Network (RN) Technical Demo:
- Store a Consent Receipt in your RN personal cloud using XDI: http://amazon-respect-consent.herokuapp.com/
- List Consent Receipts in your RN personal cloud: http://open-notice.github.io/respect-network-receipts/
...
- Consent notice requirements can be appended to the MVCR to accommodate different personal data sensitivity, data sharing and additional contextual compliance requirements.
- A context field is a field in the MVCR as there are contextual conditions and exceptions to consent that can be listed and applied by an organisation to the context of receiving consent. In the MVCR the context is a flag with yes or no, if yes, this means the provider has explicitly stated that they implement the check list of contextual consent requirements. Additional contexts can also be added to a consent receipt.
- Organisations can append Trusted Services links/icons to the receipt and further extend the assurance to capture multiple consent notice types e.g. cookie, terms of use. For additional notice delivery context, and, for
Specification by example (SBE) is a collaborative approach to defining requirements and business-oriented functional tests for software products based on capturing and illustrating requirements using realistic examples instead of abstract statements. It is applied in the context of agile software development methods, in particular behavior-driven development. This approach is particularly successful for managing requirements and functional tests on large-scale projects of significant domain and organisational complexity.[1] (https://en.wikipedia.org/wiki/Behavior-driven_development)
A key aspect of 'specification by example' is creating a single source of truth about required changes from all perspectives. This latest version specification with this document title is the single source of truth.
Objective
The aim of the specification is to produce a the minimum compliant capable consent receipt that directly links all required policies (open notices) to the consent receipt.
...
The Open Notice Initiative is an effort that calls for open consent (http://opennotice.org/callforcollaboration). This has resulted in the development of this specification for a Minimum Viable Consent Receipt(MVCR).
Glossary
Minimum Viable Consent Receipt(MVCR)
Minimum: (in Minimum Viable Consent Receipt) means to include links to all the policies that inform the consent
Viable: (in Minimum Viable Consent Receipt)
Example: Is an MVCR implementation that demonstrates a functional implementation of a consent receipt
Consent Receipt (CR) A Consent Receipt -denotes a single record of consent and consent context at point of consent provision,
Trusted Services; A provider of Trust/Privacy Icons, Standard Assurance, Reputation Services, Trusted Network, Trusted Protocols,
Data Subject(DS)
Data Controller(DC)
Operational Context (OC) of Consent: is a check list of required implementation points which is accompanied by a defined notice delivery requirements found in legislation for jurisidiction of consent provision
Minimum Viable Consent Requirements
The MVCR consists of fields that are used to linked to the (required-to-be open) consent policy at the point consent is provided and by so doing provide compliance by default. (as seen in Example1: Personal Cloud Storage of Receipt)
MVCR enables Organizations to self-assert that they are compliant and to provide in an open and reviewable manner their policies. To achieve a complaint rating a DC provides an audit able self asserted MVCR and agree's/states that they will implement contextual notice requirements listed for the MVCR. Most Data Controllers do not share personal information with 3rd parties and do not collect sensitive personal information will gain an automatic compliance. If a DC does share a DS personal information and/or collects a DS sensitive personal information, trusted service providers can automate higher level of compliance and provide a robust compliant by default status for complex consent requirements.
A MVCR with a complaint status will assure a level of regulatory compliance in a more than compliant manner as it is a digital record that both parties have and inherently more open. The consent receipt should make sense at a glance, be one click to use Data Controller contact, and to get to a purpose(s) short notice or trust . This visual format can then be audit for these data points at a glance, with one click access to all consent related policies by default.
...
Field Name | Description | Purpose/Explanation | Reason Why This Field is Required | Cloud Receipt Capture & Sign: Format example in (XDI) Note: following lines all prepended with ([=]!:uuid:1111/[+]!:uuid:9999) |
---|---|---|---|---|
Data Subject | Name or pseudonym of the user at minimum, | Data Subject is primary party to consent | Is the consent contributor and primary party of the consent, (which is why this is the first field of the MVCR) if not signed by Data Subject then its use post consent may be limited. | Data Subject: Alice [=]!:uuid:1111 |
Address (and jurisdiction) of Data Controller | Name of the entity issuing the receipt | Should be the entity/organization that is in control of the personal data and is responsible for consent compliance. | Is the Data Controller and is the primary party responsible for administration of the consent | Data Controller: Amazon [+]!:uuid:9999 |
Purpose | The purposes for which the personal information is being collected. | this is a single purpose at minimum linked to the short purpose notice, or policy of purpose. | A purpose notice is a basic and common legal requirement and functionally a requirement of consent. | [#receipt]!:uuid:1234[<#purpose>]<@0>&/&/"We need to process your payment." [#receipt]!:uuid:1234[<#purpose>]<@1>&/&/"We need your data to prevent fraud." [#receipt]!:uuid:1234[<#purpose>]<@2>&/&/"We will advertise to you." |
Location of Consent | The location of the consent provision. from which the consent receipt originates.(For example the web page with the consent button. ) | This indicates the 'point of consent' - hopefully a button where the user clicked "I agree" or "I consent" (i.e. the biggest lie) Can be a URI, URL, URN, This can also be a physical space where surveillance legal notice requirements exist (EU) - Global Positioning System (GPS) |
| |
Sensitive Personal Data Flag (Y/N) | Flag to categorise the information collected as sensitive or not (Y/N) | Each jurisdiction has classifications of sensitive personal information: The generally include health, financial, Child Protection, Religious, Union categorisations | If Yes, then additional notice requirements are needed to confirm its compliance status. If No, then the consent is automatically compliant | |
Third Party Sharing | Flag whether data is shared with third parties. (Y/N) | If true, then compliance is dependent upon additional notice requirements not present in a MVCR. This can be addressed with the "Third Party Sharing" extension. | If Yes, then additional notice requirements are needed to confirm its compliance status. If No, then the consent is automatically compliant | |
Timestamp | When consent was obtained | To record when the user, either by implication or explicity, granted consent for the purposes described. | ||
Privacy Policy | The issuing entity's privacy policy (either inline copy, or reference to URI) | If not available, should provide a notice that it is missing | Is the minmum Policy (or short notice) Needed to create a consent receipt. | |
Operational Context Flag | Flag wether the Operational Requirements are present or not. (Y/N/Unknown) | For the presentation of consent there are contextual and prescriptive requirements in legislation, a check list of these elements is being crated in this draft below. | Consent has contextual compliance requirements for the notice to be sufficent. These depend on the location and format of the consent notices An organisation displays agreement (or not) to implement these OC requirements and this is reflected on the consent receipt. |
MVCR Format Notice Format Notice Requirements (in progress)
Full reference table can be found found here:
Notice Requirements Receipt Meets | Description | UK UK DPA 1998 | EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML | USA For Sharing Personal Sensitive Information with 3rd Parties | Canada | APEC | P3P | FTC FIPPS | OECD FIPPS |
---|---|---|---|---|---|---|---|---|---|
Contact of Data Controller (DC) | Legally required to provide contact details of the DC | X | X | ||||||
Address of Data Controller (DC) | Legally required to provide contact details of the DC | X | X | ||||||
Purpose(s) | Legally required to provide purpose for data control | X | X | ||||||
Third Party Legal Requirements Transparency | This is a flag to see if additional notice extensions are requirements to assess compliance | X | X | ||||||
Sensitive Personal Information Collection Transparency | This is a flag to see if additional notice extensions are requirements to assess compliance | X | X |
...
An extension can be appended to the MVCR to strengthen the compliance of a consent receipt,
Extension Types
Operational Context:core extension
- Note for the MVCR First Draft there is only the online website format context, additional context can be added by extension
- Core
Trusted Services - Trust Framework Extensions
- Usability: Extensions that increase usability and adoption of the consent receipt
Operational Context (OC): Legal Requirements for MVCR Context (in progress)
this is essentially a check list of provisions for the implementation of a consent notice, it is fundamentally used to assure that the consent is fair and reasonable. There are specific and existing policy requirements that are formalled used to create this checklis.
Each jurisdiction has prescriptive text which need to accompany specific types of consent as well as legally written terminology for these requirements. With notices there are also contextual and prescriptive requirements in legislation.
As a part of creating a receipt for a service user an organisation displays that they have agreed to implement (or not) the OC requirements checklist that accompanies the receipt. This is a flag yes or no, If yes then their is a self assertion that the notice will be provided in a fair manner with all of the required considerations as prescribed in law in that jurisdiction. This is then reflected on the consent receipt.
Instructions: This is a self asserted option, the Operational Context is a yes or no flag that the receipt provisioner turns on or off. Operational context is dependent on the location of consent, the use of personal data, the origin of the data, and type of data provided. As Context of a consent can vary significantly operational requirements will also vary.
Fair & Resonable Consent ConditionsThis table will collect a check list of these elements is being crated in this draft below.
...
In each jurisdiction there are sensitive types of personal information found in privacy and data protection law. Each sensitive type corresponds to a jurisdiction, is defined by an industry, and has prescribed context requirements for the use of a notice. Core extensions can be added to the MVCR to meet more complex notice requirements and meet the requirements of multiple regulatory jurisdictions. .
Core extensions can be used by policy makers to localise the use of consent notices to operational contexts
Trusted Services
3rd party trusted services can also be used to extend the compliance or trust inherent to corporate process and these can be added in the form of linked Icons to a MVCR.
...
Priority | Extension Type | Field Name | Description | Instructions | Legal Requirement Jurisdiction (this item must be listed on LR table) | Context (this item must be listed in the Operational Requirements table) | (usability/Interoperability Benefit) | XDI Example |
---|---|---|---|---|---|---|---|---|
1 | Core Extension | Jurisdiction | The jurisdictions of the parties: the data protection authority is mandatory. |
| All | Usability: enables receipt to be used as evidence or for the purpose of legal data controls out of context of the consent event. | ||
2 | Core Extension | Collect Sensitive Personal Data |
| |||||
3 | Core Extension | 3rd Party Trusted Services Extension (this is the functionality for Registry) | ability to add trusted services to the minimum viable consent receipt | This incorporates 3rd party sharing and purpose listing format | ||||
4 | Usability Extension | Consent Receipt Request Extension | This is a button a user can press to request a consent receipt from a business |
|
| This is for all contexts of the MVCR | Usability | |
5 | Operational Context Extension | Policy Extension for Consent Cookie Policy Link | The issuing entity's cookie policy Link (either inline copy, or reference to URI) | If not available, should provide a notice that it is missing or self assert an icon | Legally in the EU a cookie requires explicit assent |
| ||
6 | OperationalContext Extension | Policy Extension for Terms of Service Link | The issuing entity's terms of service (either inline copy, or reference to URI) | If not available, should provide a notice that it is missing | Legally Terms need to be open and accessible in order to be fair and reasonable. |
| ||
7 | keep copy of all notices with receipt | Store all notice data option as a part of signed receipt |
Examples:
This is a specification by example, all examples need to be listed and demoed in this section.
MVCR Consent Receipt Template
The MVCR has a base template v.1 that we have using to wireframe consent receipts: V.1
...
(Example (in progress) can be found at http://on.smartspecies.com/support-open-notice/
Image:ON-CR: Example
Example 2: Storing Receipt in Personal Data Store: Technical Walkthrough Example with Respect Network
...
Respect Network (RN) Technical Demo:
...
- Store a Consent Receipt in your RN personal cloud using XDI: http://amazon-respect-consent.herokuapp.com/
- List Consent Receipts in your RN personal cloud: http://open-notice.github.io/respect-network-receipts/
...
Amazon Respect Use Case: With the Respect Network and Open Notice
(Note: Amazon Respect is a Fictitious organisation used here only as an example)
(http://open-notice.github.io/consent-receipt/amazon-mock/signup.html)
Implementation of consent receipt which is signed & created by a DC and stored in a personal Cloud.
...
The usability of a MVCR can then be made scalable for use in aggregate beyond the point of consent for the data subject with a process in whch the receipt is digitally signed by both parties. This process identifies the jurisdiction of the Data Controller and of the Data Subject. This example also includes signing of the receipt by the DC. (the digital signing of the DS (data subject) is is currently out of scope of the first draft1)
...
Notice Compliance Checklist | Non Compliant | Partially Compliant | Compliant | Above Compliant | Trusted | User Managed |
---|---|---|---|---|---|---|
Contact of DC |
|
| X |
| ||
Address of DC |
|
| X |
| ||
Purpose(s) |
|
| X |
| ||
Sensitive Data (If NO) |
|
| X |
| ||
Share with 3rd Party (If No) |
|
| X |
| ||
Agree to implement context checklist? (Y/N) | Yes | |||||
Any of the above self asserted is Disputed or un verifiable (Y/N Flag) (If No) ( if Yes and unresolved = Non-Compliant) | X |
...
The compliance scale is based on the ICO table of compliance http://ico.org.uk/for_organisations/data_protection/working_with_the_ico/~/media/documents/library/Data_Protection/Detailed_specialist_guides/auditing_data_protection.pdf
Trusted Services Appendix
...
- Transparency: The MVCR receipt is a common format for the legally required policies which provide notice. links to all notices and demonstrate a much higher level of minimum viable notice (for consent) legal compliance. This standard is intended to augment the existing legal notice and consent infrastructures that is already in place and reward greater transparency of consent with higher default usability. .
- Extensible: The MVCR Spec is intended to be easily extensible and auditable, with a jurisdicitional legal compliance audit built in for making transparent legal context and controls of a consent transaction. Meaning that consent legal notice requirements are different by jurisdictions, industry, for various sensitive data types, for sharing to 3rd parties, tracking (cookie consents), in additional to personal and contextual consent preferences of the individual. Extensions are notice requirements layered onto this MVCR format to meet and match legal requirements and trust frameworks to address cross jurisdictional management of consent.
- Trusted Services Vehicle: A receipt passed to the service user at time of consent provides a legal trust framework to build upon. As a result it is the MVCR is intended as a vehicle for delivering trusted services to the individual. A stakeholder can utilise trust services, which are then linked to the receipt, which further extend the compliance and "fast track" usability of consent and identity management by using a spec compliant receipt. Eg.privacy icons, TOS reputation, certifications, trusted networks, and protocols
- MVC is intended to be an all purpose consent process enhancement.
- This MVCR specification is intended to be used so any organisation can implement the spec and provide a MVCR.