Information Sharing Agreements (background and work plan)
*Our Premise*
As the Internet, and organisational customer management processes, re-architect and re-configure themselves around the individual, a need will emerge to have information sharing agreements built to meet the needs of the individuals (data subjects). This is in contrast to the more common current 'tick the box' model, in which information sharing agreements are defined and deployed by organisations, and individuals invited to agree (or not).
This group proposes to build on work done to date by Mydex CIC, and within the Information Sharing Work Group, to define, test and publish a standardised approach to an information sharing agreement as seen from the individual perspective.
Rather than tackle the entire set of options at one swoop, we will focus on on particular class of information, and use that to act as the prototype for others. The class we will use in this initial design is 'Volunteered Personal Information', which in this case we define as the information that an individual will not share under the current modus operandi. This new class of information is discussed many times in our automotive scenario, and in our personal RFP documentation.
We envisage using contract law as the basis for establishing legally binding relationships between information provider (the individual), and information consumer (most typically, an organisation). In that sense, an individual makes  information available under contract to any entity that wishes to access it, subject to that organisation being able to accept the terms and conditions associated with that contract.
The VPI agreement is likely to have a number of sub-agreements, differentiated by specific terms and conditions associated with each sharing instance (e.g. you can use this for X, Y and Z, but must confirm back to me that no other use was enabled, and that my information was destroyed after these uses). The bulk of the work we envisage will be around working through the detailed permutations of data type, by usage type, by nature of ongoing use - in order to come up with a workable set of options.
When a set of options have been identified, we will work to create a solid description of each, a visual icon representing each, and illustrate one or more means through which an individuals VPI availability and preferences can be discovered and shared without their manual intervention. In turn, we will show how an organisation might digitally discover and 'sign' an individuals VPI agreement in order to instantiate that contract, and complete the loop by accessing and using the relevant data, and completing/ confirming any contract driven obligations (e.g. payment, data deletion). We will document the means through which liabilities in each transaction will be assessed and which party will underpin them.
In support of this work, we will show a reputation management mechanic that will aid an individual in determining which organisations might best be able to work with their data in these new ways. Also, a compliance mechanism will be defined in order to assure that VPI agreements are being adhered to.
Lastly, the above will be published as a VPI trust framework, likely led by Mydex CIC and published via The Open Identity Exchange.