Comment: MVCR Template Graphic Added

Editors:

Version | Status | Writer | Editor | Reviewer
v.01 | X | Mark Lizar: Summary of Intent | Mary Hodder |
v.02 | X | Mark Lizar & Mary Hodder: Stakeholder Analysis | John Wunderlich |
v.03 | X | John & Mark: Summary of Compliance Contents | Mary Hodder |
v.04 | Current | Spec Outline: Mark Lizar; Respect Network Save Receipt to Cloud: Technical Walkthrough: Markus Sabadello; Open Notice Website CR Demo: Mark Lizar | John Wunderlich | Mary Hodder
v.05 | Next Edit | | |

Status

first draft in progress; v.04 for a complete outline for v.05

(note: first v.1 should be a functional spec by example)

Action Items

  •   Former user (Deleted)  insert walkthrough demo links
  •  John Wunderlich edit the outline for draft 5: the content and wording, make less passive and more succinct, help make this the most simple bare bones but functional spec possible for first version. 
  •  Mark Lizar (Unlicensed) Finish Compliance Scale description and compliance audit rules (needs a table)
  •  Mark Lizar (Unlicensed) needs a first read through edit after many changes
  •  Mark Lizar (Unlicensed) needs Open Notice Demo (in progress)
  •  Fix Formatting
  •  Mary Hodder edit draft
  •  Former user (Deleted) Formatting review and update 
  •  needs a flow chart (will talk to Renee)

...

 Table Of Contents



  1. Related Documents:

...

Respect Network (RN) Technical Demo:

...

 

Specification by example (SBE) is a collaborative approach to defining requirements and business-oriented functional tests for software products based on capturing and illustrating requirements using realistic examples instead of abstract statements. It is applied in the context of agile software development methods, in particular behavior-driven development. This approach is particularly successful for managing requirements and functional tests on large-scale projects of significant domain and organisational complexity.[1] (https://en.wikipedia.org/wiki/Behavior-driven_development)

A key aspect of 'specification by example' is creating a single source of truth about required changes from all perspectives. The latest version of the specification with this document title is the single source of truth. 

Objective

The aim of the specification is to produce the minimum compliance-capable consent receipt that directly links all required policies (open notices) to the consent receipt. 

...

Field Name

Description

Purpose/Explanation

Reason Why This Field is Required

Cloud Receipt Capture & Sign: Format example in (XDI)

Note: following lines all prepended with ([=]!:uuid:1111/[+]!:uuid:9999)

Data Subject

Name or pseudonym of the user at minimum,

Data Subject is primary party to consent

Is the consent contributor and primary party of the consent, (which is why this is the first field of the MVCR)

if not signed by Data Subject then its use post consent may be limited.

Data Subject: Alice [=]!:uuid:1111

Address (and jurisdiction) of Data Controller

Name of the entity issuing the receipt

Should be the entity/organization that is in control of the personal data and is responsible for consent compliance.

Is the Data Controller and is the primary party responsible for administration of the consent

Data Controller: Amazon [+]!:uuid:9999

Purpose

The purposes for which the personal information is being collected.

This is a single purpose at minimum, linked to the short purpose notice or policy of purpose.

A purpose notice is a basic and common legal requirement and functionally a requirement of consent.

[#receipt]!:uuid:1234[<#purpose>]<@0>&/&/"We need to process your payment."

[#receipt]!:uuid:1234[<#purpose>]<@1>&/&/"We  need your data to prevent fraud."

[#receipt]!:uuid:1234[<#purpose>]<@2>&/&/"We will advertise to you."

Location of Consent

The location of the consent provision from which the consent receipt originates (for example, the web page with the consent button).

This indicates the 'point of consent' - hopefully a button where the user clicked "I agree" or "I consent" (i.e. the biggest lie)

Can be a URI, URL or URN.

This can also be a physical space where surveillance legal notice requirements exist (EU) - Global Positioning System (GPS)

 

[#receipt]!:uuid:1234<#location><$uri>&/&/"....." 

Sensitive Personal Data Flag (Y/N)

Flag to categorise the information collected as sensitive or not (Y/N)

Each jurisdiction has classifications of sensitive personal information. They generally include health, financial, child protection, religious and union categorisations.

If Yes, then additional notice requirements are needed to confirm its compliance status.

If No, then the consent is automatically compliant

[#receipt]!:uuid:1234<#sensitive>&/&/true

Third Party Sharing

Flag whether data is shared with third parties. (Y/N)

If true, then compliance is dependent upon additional notice requirements not present in a MVCR. This can be addressed with the "Third Party Sharing" extension.

If Yes, then additional notice requirements are needed to confirm its compliance status.

If No, then the consent is automatically compliant

[#receipt]!:uuid:1234<#third><parties>&/&/true

Timestamp

When consent was obtained

To record when the user, either by implication or explicitly, granted consent for the purposes described.

[#receipt]!:uuid:1234<$t>&/&/"2014-07-13T21:32:52"

Privacy Policy

The issuing entity's privacy policy (either inline copy, or reference to URI)

If not available, should provide a notice that it is missing

Is the minimum policy (or short notice) needed to create a consent receipt.

[#receipt]!:uuid:1234<#privacy><#policy>&/&/"copy of privacy policy here"

or

 

[#receipt]!:uuid:1234<#privacy><#policy><$uri>&/&/"https://..."

Operational Context Flag

Flag whether the Operational Requirements are present or not. (Y/N/Unknown)

For the presentation of consent there are contextual and prescriptive requirements in legislation; a checklist of these elements is being created in this draft below.

Consent has contextual compliance requirements for the notice to be sufficient. These depend on the location and format of the consent notices.

An organisation displays agreement (or not) to implement these OC requirements and this is reflected on the consent receipt.
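
The following is an added example, not part of the specification or of the Respect Network demo: it parses receipt statements of the literal shape shown in the table above and reports which MVCR fields are missing and which flags call for additional notices. It is not a general XDI parser; the two URLs in the sample are constructed placeholders, and the names parse_receipt and check_mvcr are hypothetical.

```python
import json
import re

PREFIX = "([=]!:uuid:1111/[+]!:uuid:9999)"  # data subject / data controller, from the page
R = PREFIX + "[#receipt]!:uuid:1234"
# Constructed sample: the page's statements; the two URLs are made-up placeholders.
SAMPLE = "\n".join([
    R + '[<#purpose>]<@0>&/&/"We need to process your payment."',
    R + '[<#purpose>]<@1>&/&/"We need your data to prevent fraud."',
    R + '[<#purpose>]<@2>&/&/"We will advertise to you."',
    R + '<#location><$uri>&/&/"https://example.com/signup"',
    R + '<#sensitive>&/&/true',
    R + '<#third><parties>&/&/true',
    R + '<$t>&/&/"2014-07-13T21:32:52"',
    R + '<#privacy><#policy><$uri>&/&/"https://example.com/privacy"',
])
STATEMENT = re.compile(r"^\[#receipt\]!:uuid:[0-9a-f-]+(?P<attr>.+?)&/&/(?P<value>.+)$")
PURPOSE = re.compile(r"^\[<#purpose>\]<@\d+>$")
FIELDS = {"<#location><$uri>": "location", "<#sensitive>": "sensitive",
          "<#third><parties>": "third_party", "<$t>": "timestamp",
          "<#privacy><#policy>": "policy", "<#privacy><#policy><$uri>": "policy"}
REQUIRED = ("purposes", "location", "sensitive", "third_party", "timestamp", "policy")

def parse_receipt(text, prefix=PREFIX):
    """Parse literal statements of the shape shown on the page (not general XDI)."""
    parties = re.fullmatch(r"\((\[=\][^/]+)/(\[\+\][^)]+)\)", prefix)
    if not parties:
        raise ValueError("prefix is not (data subject/data controller)")
    receipt = {"data_subject": parties[1], "data_controller": parties[2], "purposes": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = STATEMENT.match(line[len(prefix):]) if line.startswith(prefix) else None
        if not m:
            raise ValueError(f"not a receipt statement: {line!r}")
        value = json.loads(m["value"])  # the page's literals parse as JSON
        if PURPOSE.match(m["attr"]):
            receipt["purposes"].append(value)
        elif m["attr"] in FIELDS:
            receipt[FIELDS[m["attr"]]] = value
        else:
            raise ValueError(f"unknown attribute: {m['attr']}")
    return receipt

def check_mvcr(receipt):
    """Return (missing fields, flags that call for additional notices)."""
    missing = [f for f in REQUIRED if receipt.get(f) in (None, [], "")]
    flagged = [f for f in ("sensitive", "third_party") if receipt.get(f) is True]
    return missing, flagged
```

The Operational Context Flag is not checked because the table gives no XDI statement for it.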

 

...

UK: UK DPA 1998, http://www.legislation.gov.uk/ukpga/1998/29
EU: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
USA: For Sharing Personal Sensitive Information with 3rd Parties

Notice Requirements Receipt Meets | Description | UK | EU | USA | Canada | APEC | P3P | FTC FIPPS | OECD FIPPS
Contact of Data Controller (DC) | Legally required to provide contact details of the DC | X | X | | | | | |
Address of Data Controller (DC) | Legally required to provide contact details of the DC | X | X | | | | | |
Purpose(s) | Legally required to provide purpose for data control | X | X | | | | | |
Third Party Legal Requirements Transparency | This is a flag to see if additional notice extensions are requirements to assess compliance | X | X | | | | | |
Sensitive Personal Information Collection Transparency | This is a flag to see if additional notice extensions are requirements to assess compliance | X | X | | | | | |

...

The MVCR has a base template v.1 that we have been using to wireframe consent receipts: V.1


Latest Template Version 

(******Template  HERE***)

We have created a template to guide the design and development of the MVCR; the GUI design is also out of scope of this specification version. What is provided by default is a Consent Receipt Template that we are using for technical design. 

Example 1: Open Notice Consent Receipt 


Open Notice  Website - Consent Receipt - Technical Demo

 


Example (in progress) can be found at http://on.smartspecies.com/support-open-notice/

 

[Image: ON-CR: Example]

Example 2: Storing Receipt in Personal Data Store: Technical Walkthrough Example with Respect Network

 

Respect Network (RN) Technical Demo:

 


Amazon Respect Use Case: With the Respect Network and Open Notice
(Note: Amazon Respect is a Fictitious organisation used here only as an example) 

(http://open-notice.github.io/consent-receipt/amazon-mock/signup.html)

Implementation of consent receipt which is signed & created by a DC and stored in a personal Cloud. 

...

 

Trusted Services Appendix

...