Reference #: UC_CR_001
A web user provides information to a web site for the purpose of creating a persistent user identity on that site. The web site collects the information provided by the user and provides the user with a consent receipt to record the information transaction.
Alice: Alice is the web user seeking to make use of the information or services provided by the web site on which she is registering.
Bob: Bob is the person or organization that is accountable for the operation of the web site.
Data Protection Authority (DPA): The competent authority or authorities that have jurisdiction over the operation of the web site in this use case. This is the authority to which Bob will be accountable and to which Alice could raise issues or complaints.
The following conditions must be true before this Use Case can be executed:
Alice is registered as a user on Bob’s web site and has been presented with a consent receipt that allows her to understand what information about her has been collected, the purposes for that data collection, how the information will be used, whether or not the information will be disclosed to third parties, and for how long the information will be retained.
The creation and presentation of a consent receipt is triggered when Alice consents to the collection of her information for site registration.
Mode 2 is the same basic flow as Mode 1, with additions noted below in bold.
Depending on the regulatory environment in which Bob operates, or because of internal policies, Bob may wish to include information in the consent receipt beyond the information (Mode 1) or fields (Mode 2) that have been specified. The guidance to implementers in this case is:
An implementer of consent receipts (Bob) may include additional information in the consent receipt, and still conform to the consent receipt standard, except where such information negates, contradicts or invalidates information required in the consent receipt.
The information security measures used to protect the confidentiality, integrity and availability of consent receipts should not be less than the measures used to protect the information referred to by the consent receipt.
Consent receipts should be assumed to be personally identifiable information about the person who has provided the consent.