...
- Review User-Managed Access (UMA) in Contractual and Regulatory Contexts
- Nailing down the right 1-2 paragraph scenario for use throughout the document (send your alternatives before the meeting)
Attending: Eve, Kathleen, Andrew H, Adrian, Mary, Jim, John
NOTE: No meeting next week!
Regarding finding the right scenario: Smart home scenarios are really just as important due to sensitivity as health scenarios. In health research, it looks like the first BSC use case is going to get more complex still because real-life scenarios are getting blocked due to patients' reluctance to consent without a way to be notified of additional researchers' requests to access. Jim notes that "broad" consent is the key problem – anticipating future needs. And speaking of this, Adrian dislikes "informed" consent, because people don't know what's going to be done with it later. Transparency in being kept aware of status and where else the data is traveling is a key part of resource owner empowerment.
Our discussion this time is ranging all over, but it all seems related to our hoped-for Regulatory section.
Maybe we need a discussion in the Regulatory section about what "consent" maps to in UMA's "authorization" concept. There is a notion of authorization as a thing that can be dynamic – an RO can grant authorization and later revoke it (by an interaction with the AS that is actually outside the protocol but in scope for our model text), at a grain that is finer than Ts & Cs, and empowered by that grain, by the option to "Share" at will, and by the option to "un-share" any portion of the resource at will. John likes the phrase "Dynamic Consent"... It may be taken already. See this Nature article.
Hazard@All: could have an obligation on the data user to destroy. Like my passport number for a hotel stay. Hazard@All: but once the other guy has it, we need to rely on some other method to have them delete it. Hazard@All: either contract or escrow Hazard@All: that is a matter of legal verbiage, I think Hazard@All: the lawyers phrase it however seems to work Hazard@All: and the vocabulary will change based on dozens of factors, including the common vocabulary of the business sector, jurisdiction and language Hazard@All: notice can be specified however you want - right? Hazard@All: you can use my stuff but you agree to text me whenever you do.
Would we have to deal with privacy/data protection regulations as property-based vs. rights-based in our model text? We may very well, but it needs more discussion. Could Jeffrey 's model may provide an elegant way out. 
apply his model?
AI: Eve: Ask if Jeffrey would be willing to adapt his Information Governance school assignment into a small scenario for the primer, adding Alice to it, as an alternative scenario for consideration.NOTE: No meeting next week!
2016-07-28
Attending: Eve, Scott, Adrian, Jeff S, Jeffrey R, John, Kathleen, Jim
The 50K-foot view: We are tardy on our original model definitions and clauses schedule, but our "primer" deliverable is intended (ultimately) to drive clarity and force around the model text deliverable.
Do we want to enlarge our scope to encompass "enterprise UMA"/federated authorization use cases? Maybe we give it a nod, but don't address it fully. We may want a separate, similar paper on the "Legal Person" opportunities.
Our history with BLT in the primer: It didn't survive our analysis of doc structure. Scott's history with the invention of BLT: It was meant to be extractive: breakdown and then buildup. It might be the case that the duties within our obligations in the model clauses have "BLT metadata" somehow, if it's determined that this is useful, but they seem not to be a useful organizing principle in the doc.
In the intro, we want to get from a sharp Problem to a Solution and then to an enticing How we're going to help them solve it. UMA can help soft, fuzzy circumstances become harder and more measurable.
What scenario should we pick? Should it have "health" in it? We always debate this. Should we go with "smart home" and non-health, perhaps? Or "pure Google Apps-like"? We could tweak it to have smart home for a disabled person to allow them to live at home vs. other circumstances. That introduces an additional layer of regulations, however. The appeal of health is that the data is so intimate and sensitive. A baby monitor, or some other smart home devices, might have the same characteristics, though. IoT seems definitely popular.
Homework for next time: Please send your own ideal 1-2 paragraph scenario to the list so we can nail this down next week and power through the next section.
...