...
- Working session on User-Managed Access (UMA) in Contractual and Regulatory Contexts
- We can make progress with the current scenario
Attending: ..Eve, Kathleen, Mary, Jeffrey, Jim, John W, Ann, Mark, Colin L.
NOTE: No meeting next week!
The "UMA technical" agenda is pressing ahead. Eve summarized our UMA legal status for the LC as "fits and starts but progressing" recently. The idea of changing or providing multiple scenarios is fine; doing that after we press ahead on the doc seems like it won't block our mapping work.
Jeffrey's Information Governance fact pattern includes Home Trunk Industries, which decided to be an aggregator. The challenge in applying this directly to the UMA scenario is that an aggregator usually gets full control of all that data. Are some "orchestrator" companies (service operators) able to use new consent strategies that defer to Alice the ability to control her data and even access to her physical stuff? Eve just had a Twitter conversation about car/plane co-leasing with maintenance taken care of through UMA, and we discussed drone and lawnmower control through smart contracts. John puts it this way: HTI would own the data (it's fungible), but Alice would own the information (it represents her).
We made lots of edits to the Introduction and nearly finished it.
2016-08-05
- Review User-Managed Access (UMA) in Contractual and Regulatory Contexts
- Nailing down the right 1-2 paragraph scenario for use throughout the document (send your alternatives before the meeting)
Attending: Eve, Kathleen, Andrew H, Adrian, Mary, Jim, John
NOTE: No meeting next week!
Regarding finding the right scenario: Smart home scenarios are really just as important due to sensitivity as health scenarios. In health research, it looks like the first BSC use case is going to get more complex still because real-life scenarios are getting blocked due to patients' reluctance to consent without a way to be notified of additional researchers' requests to access. Jim notes that "broad" consent is the key problem – anticipating future needs. And speaking of this, Adrian dislikes "informed" consent, because people don't know what's going to be done with it later. Transparency in being kept aware of status and where else the data is traveling is a key part of resource owner empowerment.
Our discussion this time is ranging all over, but it all seems related to our hoped-for Regulatory section.
Maybe we need a discussion in the Regulatory section about what "consent" maps to in UMA's "authorization" concept. There is a notion of authorization as a thing that can be dynamic – an RO can grant authorization and later revoke it (by an interaction with the AS that is actually outside the protocol but in scope for our model text), at a grain that is finer than Ts & Cs, and empowered by that grain, by the option to "Share" at will, and by the option to "un-share" any portion of the resource at will. John likes the phrase "Dynamic Consent"... It may be taken already. See this Nature article.
Hazard@All: could have an obligation on the data user to destroy. Like my passport number for a hotel stay. Hazard@All: but once the other guy has it, we need to rely on some other method to have them delete it. Hazard@All: either contract or escrow Hazard@All: that is a matter of legal verbiage, I think Hazard@All: the lawyers phrase it however seems to work Hazard@All: and the vocabulary will change based on dozens of factors, including the common vocabulary of the business sector, jurisdiction and language Hazard@All: notice can be specified however you want - right? Hazard@All: you can use my stuff but you agree to text me whenever you do.
Would we have to deal with privacy/data protection regulations as property-based vs. rights-based in our model text? We may very well, but it needs more discussion. Could Jeffrey apply his model?
AI: Eve: Ask if Jeffrey would be willing to adapt his Information Governance school assignment into a small scenario for the primer, adding Alice to it, as an alternative scenario for consideration.
...