Kantara CISWG Implementation Use Case (TBF)

Authors: Mark & Oliver

| Activities | Date | Status | Notes |
| --- | --- | --- | --- |
| Converted API to Plugin | | Finished | |
| Updating JSON to v0.8 | | | |

 

The Consent & Information Sharing WG is developing a reference implementation for the v0.8 draft of the Consent Receipt specification.

The aim is to use the Kantara Initiative and the CISWG Work Group sign-up form to create an example implementation, building upon the v0.7 beta sign-up form and consent receipt generator.

https://kantarainitiative.org/beta-signup/

In this use case:

  1. the Kantara Brand is reviewed,
  2. the consents requested in the WGPA sign-up form are reviewed,
  3. the Privacy Policy is reviewed,
  4. the personally identifiable information (PII) sharing practices of the WG member’s PI are also reviewed,
  5. personal information (PI) collection, sharing, and usage practices are reviewed,
    1. Device ID, IP address, cookie data
  6. 3rd-party sharing of PI & PII is reviewed.

 

All of the consent & information sharing practices are listed, and with this information, the consent receipt specification is used to

  • create a consent notice and receipt that conforms to the v0.8 consent receipt.

 

1. The Kantara Brand Review

 

Kantara has a trusted and unique brand in trusted services, in that it is a community of people invested in standards development and in developing trusted technology, policy, and protocols around identity and policy.

 

If people can tell Kantara how they want their membership administered, and Kantara can customise the membership and communications accordingly, this would be the ideal outcome.

Kantara Initiative is comprised of open and transparent Work Groups, where members agree to participate in a WG by consenting to a workgroup participation agreement.

 

Most, if not all, of the participants in Kantara are volunteers, and as a result it is important to be transparent and clear about information sharing practices.

 

In order to increase trust and transparency in the brand, it is recommended to implement the consent receipt and for WG members to be able to withdraw consent or have their membership actively renewed at self-specified intervals. This will further reflect the trusted brand that Kantara has built.

2. Review of Consents in Form

In the current CISWG Participation Agreement sign-up form there are 4 active consent options; each option is reviewed with recommendations for consent enhancement.

 

  1. Consent to Join WG
    1. Recommend adding a link to withdraw consent from membership
    2. Link to and/or display policy information for what happens when consent is withdrawn (**** need WG review)
  2. Authority to consent on behalf of organisation (requires link to withdraw authority)
  3. Consent Preference - voting or non-voting (link to policy for changing voting status)
  4. WG PII Sharing practices

 

3. Privacy Policy Review

 

To implement a consent receipt, the privacy policy needs to be reviewed to collect consent and policy components, which should be a) reviewed by the Kantara organization b) consent enhancement recommendations.

 

  • In the privacy policy there is a reference to an implied consent to transfer personal information across jurisdictional borders which is not compliant with current Privacy Shield practices
  • Recommend adding an explicit consent to the WPA form
  • Member data shared on WG WIKI in participation roster (link to participant roster)
  • All posts to the mailing list are captured in a public archive (link to mailing list for m)

WG PI Sharing practices

  • Share IP with Google Analytics (non-identified data) (link to policy)

3. PII Sharing Practices

 

 

4. PI Sharing Practices

 

 

5. 3rd Party Sharing Practices

 

When reviewing the 3rd Party Sharing practices for both PII and PI, it became clear that there was some sharing.

  1. Google Analytics: as a rule of thumb, analytical services collect some sort of personally identifiable information, which is why this sharing should also be disclosed to people via something like a privacy policy:

 

the Kantara CISWG (Consent & Information Sharing Work Group) The WG Participation agreement. This agreement onboards the work group participant to the Consent & Information Sharing Work Group.

  • Review the privacy policy at Kantara,
  • Review the PI information sharing practices for Kantara WG membership.
  • Review the privacy policy and membership agreement
  • Review existing consent form (if there is one)

Privacy Policy Review (https://kantarainitiative.org/confluence/display/GI/Privacy+Policy)

  • Transfer of personal data to the USA can benefit from consent on the GPA form

Results

The results of the consent audit for the CIS WG participation agreement provided a number of recommendations for consent enhancement in addition to some recommendations for review by the Kantara Organisation.

 

Importantly, it is clear that the current privacy policy is not in compliance with consent and information regulations, nor does it reflect the brand trust that is inherent to the Kantara organization.
