
Frontmatter

Status

First draft v0.04 for a complete outline for v.05 (note: first v.1 should be a functional spec by example)

Action Items

  • Insert walkthrough demo links
  • John Wunderlich: edit the content and wording, make it less passive and more succinct; help make this the simplest bare-bones but functional spec possible for the first version
  • Mark Lizar: Open Notice Demo (in progress)
  • Formatting review and update
  • Needs a flow chart
  • Finish the Consent Receipt Request extension and link to technical information

Version Tracking

Version  Status       Writer                        Editor                        Notes
v.01     Done         Mark Lizar                    Mary Hodder                   Summary of Intent
v.02     Done         Mark Lizar                    Mary Hodder, John Wunderlich  Stakeholder Analysis
v.03     Done         John Wunderlich, Mark Lizar   Mary Hodder                   Summary of Compliance Contents
v.04     Done         Mark Lizar, Markus Sabadello  John Wunderlich, Mary Hodder  Spec Outline & Demo (Mark), Technical Walkthrough (Markus)
v.05     In Progress

Note to Collaborators

  • Before you save, please note what you changed in the field provided to the left of the save button.

  • For any structural changes to the tables or format, please request these changes in the comment box, not by directly editing the spec itself.

Links to Dependent Documents

  • Respect Network (RN) Technical Demonstration

Introduction

A minimum viable consent receipt on the Internet is intended to serve the same purpose as a receipt for a cash transaction. It provides a record of a transaction in which notice of intent to process personal information is provided and consent for personal data processing is returned. Receiving a consent receipt immediately after a web transaction gives an individual an opportunity to confirm and challenge the collection of their personal information. Similarly, the consent receipt gives the data controller a clear signal as to what they can and cannot do with that person's information. The consent receipt protects both sides against misunderstanding and can demonstrate compliance with regulations in the jurisdiction in which it was issued.

Image: MVCR Basic Transaction

The MVCR will enable simple two-party personal data transactions to be recorded by both sides (above). Extensions and developments of the consent receipt infrastructure will allow auditing and third-party (including regulator) validation and confirmation of consent notices for compliance.

Background

The Open Notice Initiative is an effort that calls for open consent practices. This has resulted in the development of this specification for a Minimum Viable Consent Receipt (MVCR).

Overview

This specification creates a common format for provisioning consent receipts. The Minimum Viable Consent Receipt Specification will provide organisations with the ability to create and provision a record of consent. Proper construction of a consent receipt will require the record to be based on the minimum notice requirements for the jurisdiction in which the organization is operating (e.g. the jurisdiction of the company operating the data centre where the web servers are located).


  1. Consent notice details can be appended to the MVCR to accommodate different personal data sensitivity, data sharing and additional contextual compliance requirements.
  2. A context field is a field in the MVCR indicating that there are contextual conditions and exceptions to consent that can be listed and applied by an organisation to the context of receiving consent (e.g. medical emergency overrides). In the MVCR the context is a flag with yes or no. If yes, the provider is stating that they implement a checklist of contextual consent requirements. Additional contexts can also be added to a consent receipt.
  3. Organisations can append trusted services links/icons to the receipt and further extend the assurance provided to capture multiple consent notice types, e.g. cookie, terms of use.

Specification by example (SBE) is a collaborative approach to defining requirements and business-oriented functional tests for software products based on capturing and illustrating requirements using realistic examples instead of abstract statements. It is applied in the context of agile software development methods, in particular behavior-driven development. This approach is particularly successful for managing requirements and functional tests on large-scale projects of significant domain and organisational complexity.[1] (https://en.wikipedia.org/wiki/Behavior-driven_development)

A key aspect of 'specification by example' is creating a single source of truth about required changes from all perspectives. This document is that source for the MVCR.

Objectives

The aim of this specification is to produce a receipt in a format that includes links to the policies asserted in the consent receipt. This will require an 'open notice' framework so that the policies can be verified and validated by third parties and regulators.

  1. An organisation can use the MVCR to self-assert that it is providing notice and getting implied consent in compliance with its policies and applicable regulations.
  2. A service user (individual) can save the MVCR to a personal cloud and self-assess whether the receipt is compliant with the policies and practices of the organisation.

Interoperability & Scalability

  • Interoperable: a common format enables the consent provisioner (the individual) to manage consent globally.
  • Open Notice is currently working on an open source Open Consent Registry (OCR), which will be a customisable registry that can be used to automate the functions required to provision, process, update and use consent receipts at scale.

Glossary

Consent Receipt (CR): A single record of notice and consent created at the point where consent was provided or deemed to be provided (and the consent receipt should make clear which is the case).

Data Controller (DC): An entity that processes personally identifiable information on behalf of and in accordance with the instructions of a data subject.

Data Subject (DS): A natural person who provides consent for the collection, use and disclosure of their personally identifiable information.

Minimum: The receipt will contain links to all policies that inform the consent.

Operational Context of Consent: The list of requirements for notice and consent in the jurisdiction in which the consent is given.

Personally Identifiable Information (PII): Any information that (a) can be used to identify the Data Subject to whom such information relates, or (b) is or might be directly or indirectly linked to a Data Subject.

Trusted Services: A provider of Trust or Privacy icons, standard assurance, reputation services, trusted networks, trusted protocols, etc.

Viable: Meets or exceeds the regulatory minimum for notice in the jurisdiction where it is issued.

Minimum Viable Consent Requirements

The Minimum Viable Consent Receipt (MVCR) provides information in data fields that link to the (required-to-be-open) consent policy of the Data Controller in effect at the point consent is provided, and by doing so provides compliance by default (see Example 1: Personal Cloud Storage of Receipt).

Image: A MVCR with a compliant status

Note: For the consent receipt to be auditable and verifiable, the consent policy must be accessible by any entity with the URI for the policy. Subsequent changes to the policy should not invalidate the URI for the policy in effect when the CR was issued.

MVCR enables organizations to self-assert compliance with legislation and their own policies. The open notice (URI) provides this assurance in a transparent manner. To be compliant, a DC provides an auditable self-asserted MVCR which states that the DC will implement the contextual notice requirements listed in that MVCR. Most Data Controllers that identify the information they collect, specify how it will be used, and commit to not sharing personally identifiable information with 3rd parties and to not collecting sensitive personally identifiable information will be compliant with most standards. If a DC does share personally identifiable information and/or collects sensitive personal information, trusted service providers can provide assurances to enable compliance with the more stringent obligations for sensitive information and/or disclosure.

A MVCR that demonstrates compliance assures a level of regulatory compliance in a more than compliant manner, because it is a digital record that both parties hold and is inherently more open. A human-readable consent receipt should make sense at a glance, enable one-click access to the Data Controller contact, and give easy access to statements about purpose(s), short notices and trust. This visual (human-readable) format and the machine-readable version of the consent receipt can then be audited for these data points at a glance, with one-click access to all consent-related policies by default.

MVCR: Consent Notice Fields

Minimum means to include only the fundamental links needed to gain transparency and to make the consent receipt usable for consent and identity management.

Each field below is given with its Description, its Purpose/Explanation, the Reason why the field is required, and a Cloud Receipt Capture & Sign format example in XDI. Note: the XDI receipt lines are all prepended with ([=]!:uuid:1111/[+]!:uuid:9999).

Data Subject
  • Description: Name or pseudonym of the user at minimum.
  • Purpose/Explanation: The Data Subject is the primary party to consent.
  • Reason required: Is the consent contributor and primary party of the consent (which is why this is the first field of the MVCR). If not signed by the Data Subject, then its use post-consent may be limited.
  • Example: Data Subject: Alice [=]!:uuid:1111

Data Controller: name, address (and jurisdiction)
  • Description: Name of the entity issuing the receipt.
  • Purpose/Explanation: Should be the entity/organization that is in control of the personal data and is responsible for consent compliance.
  • Reason required: Is the Data Controller and the primary party responsible for administration of the consent.
  • Example: Data Controller: Amazon [+]!:uuid:9999

Purpose
  • Description: The purposes for which the personal information is being collected.
  • Purpose/Explanation: This is a single purpose at minimum, linked to the short purpose notice or the policy of purpose.
  • Reason required: A purpose notice is a basic and common legal requirement and functionally a requirement of consent.
  • Example:
    [#receipt]!:uuid:1234[<#purpose>]<@0>&/&/"We need to process your payment."
    [#receipt]!:uuid:1234[<#purpose>]<@1>&/&/"We need your data to prevent fraud."
    [#receipt]!:uuid:1234[<#purpose>]<@2>&/&/"We will advertise to you."

Location of Consent
  • Description: The location from which the consent receipt originates (for example the web page with the consent button).
  • Purpose/Explanation: This indicates the 'point of consent' - hopefully a button where the user clicked "I agree" or "I consent" (i.e. the biggest lie). Can be a URI, URL or URN.
  • Reason required: This can also be a physical space where surveillance legal notice requirements exist (EU), identified by Global Positioning System (GPS) coordinates.
  • Example: [#receipt]!:uuid:1234<#location><$uri>&/&/"....."

Sensitive Personal Data Flag (Y/N)
  • Description: Flag to categorise the information collected as sensitive or not (Y/N).
  • Purpose/Explanation: Each jurisdiction has classifications of sensitive personal information; these generally include health, financial, child protection, religious and union categorisations.
  • Reason required: If Yes, then additional notice requirements are needed to confirm its compliance status. If No, then the consent is automatically compliant.
  • Example: [#receipt]!:uuid:1234<#sensitive>&/&/true

Third Party Sharing (Y/N)
  • Description: Flag whether data is shared with third parties (Y/N).
  • Purpose/Explanation: If true, then compliance is dependent upon additional notice requirements not present in a MVCR. This can be addressed with the "Third Party Sharing" extension.
  • Reason required: If Yes, then additional notice requirements are needed to confirm its compliance status. If No, then the consent is automatically compliant.
  • Example: [#receipt]!:uuid:1234<#third><parties>&/&/true

Timestamp
  • Description: When consent was obtained.
  • Purpose/Explanation: To record when the user, either by implication or explicitly, granted consent for the purposes described.
  • Example: [#receipt]!:uuid:1234<$t>&/&/"2014-07-13T21:32:52"

Privacy Policy
  • Description: The issuing entity's privacy policy (either inline copy, or reference to URI).
  • Purpose/Explanation: If not available, the receipt should provide a notice that it is missing.
  • Reason required: Is the minimum policy (or short notice) needed to create a consent receipt.
  • Example:
    [#receipt]!:uuid:1234<#privacy><#policy>&/&/"copy of privacy policy here"
    or
    [#receipt]!:uuid:1234<#privacy><#policy><$uri>&/&/"https://..."

Operational Context Flag (Y/N/Unknown)
  • Description: Flag whether the Operational Requirements are present or not (Y/N/Unknown).
  • Purpose/Explanation: For the presentation of consent there are contextual and prescriptive requirements in legislation; a checklist of these elements is being created in this draft below.
  • Reason required: Consent has contextual compliance requirements for the notice to be sufficient. These depend on the location and format of the consent notices. An organisation displays agreement (or not) to implement these OC requirements, and this is reflected on the consent receipt.

 

 

 

MVCR Format Notice Requirements (in progress)

Full reference table can be found here:

The table lists, for each notice requirement the receipt meets, a description and the legal reference per jurisdiction or framework. Columns: Notice Requirement Receipt Meets; Description; UK (UK DPA 1998, http://www.legislation.gov.uk/ukpga/1998/29); EU (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML); USA; For Sharing Personal Sensitive Information with 3rd Parties; Canada; APEC; P3P; FTC FIPPS; OECD FIPPS. The UK references are to the DPA 1998, Schedule 1, Part II, 2.3.

Contact of Data Controller (DC)
  • Description: Legally required to provide contact details of the DC.
  • UK: (a) the identity of the data controller.
  • Marked as met: X

Address of Data Controller (DC)
  • Description: Legally required to provide contact details of the DC.
  • UK: (b) if he has nominated a representative for the purposes of this Act, the identity of that representative.
  • Marked as met: X

Purpose(s)
  • Description: Legally required to provide the purpose for data control.
  • UK: (c) the purpose or purposes for which the data are intended to be processed.
  • Marked as met: X

Third Party Legal Requirements Transparency
  • Description: This is a flag to see if additional notice extensions are required to assess compliance.
  • UK: (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
  • Marked as met: X

Sensitive Personal Information Collection Transparency
  • Description: This is a flag to see if additional notice extensions are required to assess compliance.
  • Marked as met: X X

 

Extensions for the MVCR

An extension can be appended to the MVCR to strengthen the compliance of a consent receipt.

  • Operational Context: core extension
    • Note: for the MVCR first draft there is only the online website format context; additional contexts can be added by extension
  • Core
  • Trusted Services: Trust Framework extensions
  • Usability: extensions that increase usability and adoption of the consent receipt

Operational Context (OC): Legal Requirements for MVCR Context (in progress)

This is essentially a checklist of provisions for the implementation of a consent notice; it is fundamentally used to assure that the consent is fair and reasonable. There are specific and existing policy requirements that are formally used to create this checklist.

Columns: Context: Location Specific; Description; UK; EU; USA; Canada. Reference: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

website consent form
  • Description: To provide notice, at the point of consent, of the consequences of not provisioning consent.
  • Marked: X (put in legal ref), X

website consent form
  • Description: To indicate what information is required and what is optional to provide for consent.
  • Marked: X, X

mobile application

Entering Physical Space
  • Description: Sign posted upon entry to physical space.

Core Extensions

In each jurisdiction there are sensitive types of personal information defined in privacy and data protection law. Each sensitive type corresponds to a jurisdiction, is defined by an industry, and has prescribed context requirements for the use of a notice. Core extensions can be added to the MVCR to meet more complex notice requirements and to meet the requirements of multiple regulatory jurisdictions.

Core extensions can be used by policy makers to localise the use of consent notices to operational contexts.

Trusted Services

3rd party trusted services can also be used to extend the compliance or trust inherent to corporate processes, and these can be added in the form of linked icons to a MVCR.

The various tables currently include:


Usability

Usability of a consent receipt can come from adding a protocol, a compliance level, or a receipt capture option. In the table below a 'Consent Receipt Request' extension that was developed at the Data Privacy Legal Hackathon is listed.

(Example 3:

Extension Dev Table

List of current or planned extensions. Each entry gives: Priority; Extension Type; Field Name; Description; Instructions; Legal Requirement Jurisdiction (this item must be listed on the LR table); Context (this item must be listed in the Operational Requirements table); Usability/Interoperability Benefit; XDI Example.

1. Core Extension: Jurisdiction
  • Description: The jurisdictions of the parties; the data protection authority is mandatory.
  • Instructions: This is taken from the data controller address and the location of the consent. Optionally the jurisdiction of the data subject can be added, with the consent of the data subject and if the receipt is stored directly in a personal data store.
  • Legal Requirement Jurisdiction: All
  • Benefit: Usability: enables the receipt to be used as evidence or for the purpose of legal data controls out of the context of the consent event.
  • XDI Example:
    [#receipt]!:uuid:1234<#jurisdiction>/$ref/[=]!:uuid:1111<#jurisdiction>
    [=]!:uuid:1111<#jurisdiction>&/&/"US"
    [+]!:uuid:9999<#jurisdiction>&/&/"DE"

2. Core Extension: Collect Sensitive Personal Data
  • Instructions: (1) sensitive personal data categories need to be listed by jurisdiction; (2) legal and industry notice requirements need to be listed; (3) the OC table needs to be updated with the physical requirements.

3. Core Extension: 3rd Party Trusted Services Extension (this is the functionality for the Registry)
  • Description: Ability to add trusted services to the minimum viable consent receipt.
  • Instructions: This incorporates the 3rd party sharing and purpose listing format.

4. Usability Extension: Consent Receipt Request Extension
  • Description: This is a button a user can press to request a consent receipt from a business.
  • Instructions: Scrape the consent session and send a request to the MVCR DC Contact field for a receipt (by providing a form). Hypothetical: if an org responds with all of the information, they automatically get an above-compliant rating.
  • Context: This is for all contexts of the MVCR.
  • Benefit: Usability

5. Operational Context Extension: Policy Extension for Consent Cookie Policy Link
  • Description: The issuing entity's cookie policy link (either inline copy, or reference to URI). If not available, should provide a notice that it is missing or self-assert an icon.
  • Legal Requirement Jurisdiction: Legally, in the EU a cookie requires explicit assent.
  • XDI Example:
    [#receipt]!:uuid:1234<#cookie><#policy>&/&/"copy of cookie policy here"
    or
    [#receipt]!:uuid:1234<#cookie><#policy><$uri>&/&/"https://..."

6. Operational Context Extension: Policy Extension for Terms of Service Link
  • Description: The issuing entity's terms of service (either inline copy, or reference to URI). If not available, should provide a notice that it is missing.
  • Legal Requirement Jurisdiction: Legally, terms need to be open and accessible in order to be fair and reasonable.
  • XDI Example:
    [#receipt]!:uuid:1234<#tos>&/&/"copy of tos here ..."
    or
    [#receipt]!:uuid:1234<#tos><$uri>&/&/"https://..."

7. Keep copy of all notices with receipt
  • Description: Store all notice data, as an option, as a part of the signed receipt.
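The Consent Notice Fields table and the Jurisdiction entry of the extension table show each field only as an isolated XDI statement. The following is an added example (my own, not code from the MVCR draft or from the Open Notice project) that puts them together: it models the minimum fields, renders a receipt as XDI-style statements in the same shape as the draft's examples, checks that the minimum fields are usable (the privacy policy must be inline or an absolute http(s) URI so the policy can be reached for audit; the timestamp must parse as ISO 8601), and applies the draft's rule that a receipt whose sensitive and third-party flags are both No is compliant by default, while a Yes on either flag means the named extension is required before compliance can be confirmed. The class and function names, the `!:uuid:` identifiers and the shop.example URIs are constructed for this example, not taken from the draft.

```python
"""Added example: assembling and checking a Minimum Viable Consent Receipt.
Not part of the MVCR draft or the Open Notice project; all ids and URIs
below are constructed placeholders."""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ConsentReceipt:
    receipt_id: str                     # XDI id of the receipt, e.g. "!:uuid:1234"
    data_subject: str                   # XDI id of the subject, e.g. "[=]!:uuid:1111"
    data_subject_name: str              # name or pseudonym (the minimum)
    data_controller: str                # XDI id of the controller, e.g. "[+]!:uuid:9999"
    data_controller_name: str           # entity issuing the receipt
    purposes: List[str]                 # at least one purpose notice
    location: str                       # URI of the point of consent
    sensitive: bool                     # Sensitive Personal Data flag
    third_party_sharing: bool           # Third Party Sharing flag
    timestamp: str                      # ISO 8601 text, as in the draft's example
    privacy_policy_text: Optional[str] = None   # inline copy of the policy ...
    privacy_policy_uri: Optional[str] = None    # ... or a reference to it by URI
    subject_jurisdiction: Optional[str] = None      # Jurisdiction extension; optional,
    controller_jurisdiction: Optional[str] = None   # subject's value only with consent


def _open_uri(uri: Optional[str]) -> bool:
    """A policy reference is auditable only if any party can dereference it,
    so it has to be an absolute http(s) URI, not a relative path."""
    if not uri:
        return False
    p = urlparse(uri)
    return p.scheme in ("http", "https") and bool(p.netloc)


def missing_fields(r: ConsentReceipt) -> List[str]:
    """Names of minimum fields that are absent or unusable."""
    missing = []
    if not r.data_subject_name:
        missing.append("Data Subject")
    if not r.data_controller_name:
        missing.append("Data Controller")
    if not r.purposes:
        missing.append("Purpose")
    if not r.location:
        missing.append("Location of Consent")
    try:
        datetime.fromisoformat(r.timestamp)
    except (TypeError, ValueError):
        missing.append("Timestamp")
    if not (r.privacy_policy_text or _open_uri(r.privacy_policy_uri)):
        missing.append("Privacy Policy")
    return missing


def compliance_status(r: ConsentReceipt) -> str:
    """Draft rule: a complete receipt with both flags 'No' is compliant by
    default; a 'Yes' flag names the extension needed before compliance can
    be confirmed."""
    missing = missing_fields(r)
    if missing:
        return "incomplete: missing " + ", ".join(missing)
    needed = []
    if r.sensitive:
        needed.append("Collect Sensitive Personal Data extension")
    if r.third_party_sharing:
        needed.append("Third Party Sharing extension")
    if needed:
        return "requires " + " and ".join(needed)
    return "compliant by default"


def xdi_statements(r: ConsentReceipt) -> List[str]:
    """Render the receipt as XDI-style statements in the shape of the draft's
    examples (the draft additionally prepends the subject/controller context
    to the receipt lines; that prefix is omitted here)."""
    rid = "[#receipt]" + r.receipt_id
    q = json.dumps  # JSON quoting yields "..." strings and true/false literals
    lines = [f'{rid}[<#purpose>]<@{i}>&/&/{q(p)}' for i, p in enumerate(r.purposes)]
    lines.append(f'{rid}<#location><$uri>&/&/{q(r.location)}')
    lines.append(f'{rid}<#sensitive>&/&/{q(r.sensitive)}')
    lines.append(f'{rid}<#third><parties>&/&/{q(r.third_party_sharing)}')
    lines.append(f'{rid}<$t>&/&/{q(r.timestamp)}')
    if r.privacy_policy_uri:
        lines.append(f'{rid}<#privacy><#policy><$uri>&/&/{q(r.privacy_policy_uri)}')
    elif r.privacy_policy_text:
        lines.append(f'{rid}<#privacy><#policy>&/&/{q(r.privacy_policy_text)}')
    # Jurisdiction extension: the receipt refers to the subject's jurisdiction
    # by $ref, and each party's jurisdiction is stated on the party itself.
    if r.subject_jurisdiction:
        lines.append(f'{rid}<#jurisdiction>/$ref/{r.data_subject}<#jurisdiction>')
        lines.append(f'{r.data_subject}<#jurisdiction>&/&/{q(r.subject_jurisdiction)}')
    if r.controller_jurisdiction:
        lines.append(f'{r.data_controller}<#jurisdiction>&/&/{q(r.controller_jurisdiction)}')
    return lines


# Constructed sample receipt; the ids and URIs are placeholders, not real endpoints.
SAMPLE = ConsentReceipt(
    receipt_id="!:uuid:1234",
    data_subject="[=]!:uuid:1111", data_subject_name="Alice",
    data_controller="[+]!:uuid:9999", data_controller_name="Amazon Respect",
    purposes=["We need to process your payment.", "We need your data to prevent fraud."],
    location="https://shop.example/signup",
    sensitive=False, third_party_sharing=False,
    timestamp="2014-07-13T21:32:52",
    privacy_policy_uri="https://shop.example/privacy",
    subject_jurisdiction="US", controller_jurisdiction="DE",
)

if __name__ == "__main__":
    print(compliance_status(SAMPLE))
    print("\n".join(xdi_statements(SAMPLE)))
```

Flipping either flag on the sample changes the status from "compliant by default" to a message naming the extension that has to be appended, and replacing the policy URI with a relative path such as "privacy.html" makes the receipt incomplete, which is the check a verifier would want before trusting a self-asserted receipt.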

      

 

Examples:

This is a specification by example; all examples need to be listed and demoed in this section.

Specification Examples

The MVCR has a base template v.1 that we have been using to wireframe consent receipts: V.1

Latest Template Version

We have a template that we have created to guide the design and development of the MVCR; the GUI design is out of scope of this specification version. What is provided by default is a Consent Receipt Template that we are using for technical design.

Example 1: Open Notice Minimum Viable Consent Receipt

Open Notice Website - Consent Receipt - Technical Demo

(Example (in progress) can be found at http://on.smartspecies.com/support-open-notice/)

Image: ON-CR: Example

Example 2: Storing Receipt in Personal Data Store: Technical Walkthrough Example with Respect Network

Respect Network (RN) Technical Demo:

Amazon Respect Use Case: With the Respect Network and Open Notice
(Note: Amazon Respect is a fictitious organisation used here only as an example)

(http://open-notice.github.io/consent-receipt/amazon-mock/signup.html)

Implementation of a consent receipt which is signed and created by a DC and stored in a personal cloud.

The usability of a MVCR can then be made scalable for use in aggregate, beyond the point of consent for the data subject, with a process in which the receipt is digitally signed by both parties. This process identifies the jurisdiction of the Data Controller and of the Data Subject. This example also includes signing of the receipt by the DC. (The digital signing by the DS (data subject) is currently out of scope of the first draft.)

MVCR Mock Up for Amazon Respect Use Case



MVCR Compliance

Audit

Each field on the MVCR carries legal notice requirements. Each of these components is listed, the presence of each is counted, and a flag is added to record whether any of the self-asserted claims have been disputed and not resolved.

(Additional architecture is needed to mediate compliance level ratings.)

MVCR Compliance Assurance Audit & Compliance Scale

Each item in the MVCR will be rated with the scale presented below.

Trusted Services Appendix

Trusted services, networks and frameworks can be used to meet or exceed notice (and therefore consent) legal requirements, or to address the need for assurance and trust for people so that consent and its management can be automated and made more usable. It is foreseen that a notice registry is the natural place for trust services to register their services.

  • This is a table to map the list and categories of assurance frameworks with examples and notes on interoperability with this category of service.

Columns: Type of Trust Framework; Consent Policy Format; Personal Policy Preference; Consent Extension Location; Trusted Service Provider Examples.

Tracker: Analytics etc.
  • Consent Policy Format: Cookie
  • Personal Policy Preference: Do Not Track
  • Consent Extension Location: browser header
  • Examples: cookiepedia, privacy clearing warehouse, Ghostery

Terms of Use Policy
  • Personal Policy Preference: Agree to terms
  • Examples: TOS;DR, Citizen Me

Policy Tracking Services
  • Consent Policy Format: Policy Comparison
  • Personal Policy Preference: Has terms materially changed (is consent still compliant?)
  • Examples: TOSBack

Consent Type
  • Consent Policy Format: What kind of consent has been received
  • Personal Policy Preference: To record the type of consent or whether there is an exception to the requirement for consent.

Reputation
  • Personal Policy Preference: Trust Framework
  • Examples: (all trust services provide reputation)

Privacy Icons
  • Personal Policy Preference: Pictorial Short Notices
  • Examples: Disconnect Me

Capture of Personal Preference at Time of Consent
  • Consent Policy Format: Does the issuing entity acknowledge DNT
  • Personal Policy Preference: If not available, should provide a notice that it is missing
  • XDI Example: [#receipt]!:uuid:1234<#dnt>&/&/true

Data Control Protocol
  • Examples: User Managed Access

Trusted Network Service
  • Examples: Respect Network

Standards

Certificates
  • Examples: TrustE

Levels of Assurance
  • Examples: KI: Identity Assurance Framework

 

 

Design Appendix:

Summary Design Goals to Assess: MVCR
