Alice Explicitly Shares PI

Owned by Mark Lizar (Unlicensed)
Last updated: Jun 28, 2016

CR-USE Case 1: Alice Explicitly Shares Sensitive PI with a friend using a 3rd party System that uses UMA.  

 

Consent Receipt Used for Explicit sharing, and explicit sharing of SPII. 

  1. Interoperability requirements:
    1. extensible to enable 3rd party trust services to use receipt for this purpose
    2. Map to ISO 29100 terms for Explicit ISO 
    3. Map to NIST sp800-63 - Appendix J for notice and consent privacy controls
    4. Map to ISO IEC  User Friendly Notice & Consent
    5. Map to UMA - Alice uses BobCo profile of her to share the access and permission a   tax  resources
Explict Sharing Receipt B) Terminology and Use of Referenes ISO 29100 Explicit Consent - How a Receipt Maps to ISO 29100
Explicit Sharing Receipt (C) Use of Explicit Use of Receipt For SPI
Explcit Sensitive Notice Receipt   To provide a record of an explicit consent notice in a consent receipt for sensitive personal information sharing: refer to privacy notice laws, ISO 29100 standard, and privacy best practices exemplified by GAPP, as well as ISO SC

Intro

This Use Case is a Double Use Case Combing the ability for Alice to explicitly share information  (and ask for a consent receipt ) . 

 

With - An Organisation being able to provide a consent receipt for the explicit sharing of information - for example with UMA - which is ultimately a guidance document on creating a receipt with information that should already be recorded.

 

These are summarised so far as:  

 

A) Explicit Alice to Bob Sharing (via Company X) 

B)  Explicit Sharing for Sensitive Personally Identifiable Information for Disclosure with 3rd Parties as Directed by Alice  (via Company X) (Using UMA) 

 

as these two use cases covers the breadth of the use cases.  In which and individual is explicitly directing sharing, and where Data Controllers of sensitive personal information can extend their current practice with a receipt.  To accommodate  - together this is an example of the common integration point or ‘consent intersection’.  

 

This use case of explicit sharing  is designed to illustrate how enabling people to explicitly share and consent themselves is a ‘common use for the consent receipt’ that is across jurisdiction and type of sensitive personal information. 

 

So that the consent receipt can also be recommend for sensitive personal information, and  a good practice  customer service tool to enhance experience. 

 

Objective

An effort to build a standard candidate 

 

 was launched in what is now called CISWG. 

 

 

Back Ground

 

In short, a lot of the thinking behind this consent receipt comes from the ISTPA - Operational Analysis of Privacy -  in which  all Jurisdictions for Sensitive Personal Information require explicit consent and informed notice to be documented. 

 

It was this thinking that launched Open Notice in 2012 , that  produced a report and some research that ended up being prosed as a project to create a standard candidate in the Kantara initiative for fast track by ISO.

 

This combined the two efforts. 

 

  1. In the Information Sharing WG - the focus was on explicit sharing of information so that people could control and use rich more valuable PI  that people generate themselves i.e. intent casting and the like. 

 

  1. Open Notice - Consent recording — the consent receipt evolved out of this  by referencing the existent guidance on the most common requirements for consent notices, and which contexts a record of consent is required.  Where/how a standard record of consent can be created so that people can independently track and communicate about the use and control of PII. 

 

 

 

 

 

 

 

 

This use case can also be the example of the most granular extreme to show the breadth of use of the receipt to capture consent to process SPII. 

 

It builds off of the Sharing for Explicit Purpose, (which would encompasses disclosure, permission and/or consent directives) 

 

 

 

  • Globally -  notice for consent is required in all types and forms socially, legally, technically.  (as this is a human and social requirement for collaborative society) 
  • In Addition 
    • in all jurisdictions - for sensitive personal information, explicit consent is required.  (which can be demonstrated with a consent receipt and provide a more manageable consent experience for the individual ) 
    • There is a large demand for this explicit consent to be managed by people themselves, and for organisations to provide proof of consent and withdrawal of consent facilities according to the GDPR
    • With Identity Assurance L0A1 -4 - the individual can get a record of the consent to use credentials
      • this receipt can link the purpose, the policies, the scopes and provide the links to information for the individual to manage these themselves (at the minimum) 
      • For higher LOA - a consent receipt can be required to demonstrate and provide enhanced consent capabilities to conform to privacy controls and scopes as defined externally to this specification 
    • This use case has a question to answer: Can a  consent receipt can document the divesting of liability by a provider using explicit consent for sensitive data, then listing/linking to the requirement and the notice that was provided for consent. 
      • what tech involved
        • User needs a Public/Private Key
        • UMA is Required
          • Identity Based Access Management 
        •  
  • In this context a consent receipt is designed to 
    • capture the explicit consent. (according to standard defined by ISO) 
    • capture the sensitive PI category (according to the context)
    • capture the subsequent link, scopes, and extensions of this purpose of use - (to build in compliance and controls into the receipt which the individual can use themselves)  
    • Potentially Use Kantara Trust Services and IAWG work Product for Use Case with ISO and EU GDPR. 

 

Example of SPI-