UMA legal subgroup notes
...
- Fridays, 8-9am PT
- Please see the UMA home page for dial-in details
- Please see the UMA calendar for full scheduling details: http://kantarainitiative.org/confluence/display/uma/Calendar
2018-03-02
...
Attending: Eve, Colin, JimJohn, Kathleen, ThomasMark, Tim, Thomas, SalThe International Association for Contract and Commercial Management (IACCM) as Bjorn
Status update on the publication of the business model doc: It is finally posted! The listing on the Reports & Recommendations page needs to be fixed, but you can point people directly here.
We kind of need a UML diagram (or some kind of graph that lets us label the arcs) to express our delegation and licensing relationships more clearly, and we may need more role names for clarity as well. For example, a Resource Owner "is-a" Data Subject Representative (or whatever we want to call it – that's what GDPR calls it) but we have gone directly from DS to RO in our delegation mapping step. It would be clearer if we had a formal model that went:
- DS delegates-X-rights-to DSR (the mechanism for this might be law, by contract – e.g. a will...)
- DSR is-a RO
- RO delegates-X-rights-to ASO
- etc.
Can we get hold of a UML modeling expert to ensure we don't miss any of the relationships and roles?
In terms of finding one – or multiple – use cases to map onto the model, Eve is talking to 2-3 candidates about this.
The complete list of agreements that seem to be possible in our model so far (the purple ones weren't mentioned in the business model paper yet):
- Agreement that turns a service provider into an RSO (wasn't included in business model report)
- Agreement that turns a service (or app) provider into a CO (wasn't included in business model report)
- Agreement that enables a Person to act on behalf of a Data Subject [which puts them into position to act as a Resource Owner -- otherwise RO=DS]
- Agreement(s) that delegates authorization for an ASO to grant access permissions on behalf of an RO (typically Ts & Cs, privacy notice, EULA...)
- Agreement(s) that delegates authorization for an RSO to manage resources on behalf of an RO (typically Ts & Cs, privacy notice, EULA...)
- Agreement that enables a Person to act on behalf of a Requesting Party [which puts them into position to act as a Requesting Party Agent -- otherwise RqPA=RqP]
- Agreement that delegates access seeking to a CO on behalf of a Requesting Party
- Agreement that delegates permission to know and persist personal data to an ASO on behalf of a Requesting Party
It sounds like we need to do this for the POC:
- Complete the formal model (and likely express it in a formal way)
- Construct the set of agreements and licenses (or whatever the latter end up being in the case of individual permissions?) in a skeletal CmA format
- Use the CmA format to invite UMA deployers to work with us on testing the format by applying their use cases
A central element of our proposal is that licenses have the right design characteristics to give ROs (acting on behalf of whoever the DS is) to enable the autonomy, reciprocity, and objectivity needed above and beyond contracts. Regs variously require policy elements of the contracts to enable the individual to have certain rights. "Right of action" in healthcare is one.
2018-02-16
Attending: Eve, Colin, Jim, Thomas, Tim, Sal
The International Association for Contract and Commercial Management (IACCM) has 40K or so members. It's old and venerable and works on "the contract problem". For large businesses, this looks like: coming up with a legal vs. a business deal, being unable to react to events, having insufficiently agile contracts, etc. Marketing, purchasing, and other business roles are engaging. They have chapter and annual meetings: Europe, NA, and Australasia. Jim is now head of the tech community, a new role. His goal is to network and bring together the threads around improving transacting. Tim Cummins founded IACCM. They are increasingly aware that businesses must play in networks and supply chains. Does a KI/IACCM liaison make sense? Colin and Jim can talk offline about this possibility.
...
Arrgh, so close! Tim and Eve will try and wrap up all the remaining comments in the doc by Monday and get the e-ballot out.
2018-01-12
Attending: Eve, Colin, Tim
...