MVCR: Two Party Use Case
Minimum Viable Consent Receipt
Simple Use Case
Contents
Introduction................................................................................................................................... 1
Scenario......................................................................................................................................... 1
Data Flows..................................................................................................................................... 1
The Consent Receipt.................................................................................................................... 1
Introduction
The notion of a ‘minimum viable consent receipt’ described below is based on the notion that, a data subject who provides personally identifiable information about themselves to a data processor has a right to expect a clear explanation of what information has been collected, for what purpose and with whom it will be shared.
Scenario
There are as many different scenarios for personal data collection as there are types of interactions between people and systems. We will focus on a simple representative scenario here. A user, called Alice, has browsed to a web site that she has found interesting which we will call, Bob’s compendium of interesting news. Bob, who runs the web site, doesn’t want anonymous Internet trolls leaving comments on his web site so he disallows comments on his stories unless a person registers with their real name and a valid email. Because he is a proponent of privacy, Bob is committed to not sharing personal information he collects with others. Alice is willing to do register on Bob’s site to make comments, but wants to retain a record of Bob’s commitment not to share her information. This is where a minimum viable consent receipt comes in. After Alice enters her information on Bob’s site she presses a “Register” button. At that time, Bob’s site collects her information and shows her a receipt on her screen which she can save locally on her computer. At the same time Bob can save a copy himself. Now Bob and Alice have identical copies of a receipt that describes what information Bob has collected, describes in broad terms what he will do with this information and with whom the information is shared.
Diagrams
This high level scenario can be visualized in a couple of different ways:
The Consent Receipt
The consent receipt that Alice received in the scenario above could be as simple as a generated word document or PDF that looks like this. The highlighted fields should be generated at the time of issue, but everything else may remain static until Bob changes the terms of his web site.
Bob’s Compendium Of Interesting Things Web Site
Consent Receipt
Issued by | BobsCompendiumOfInterestingThings.com |
Date Issued | Sunday, June 14, 2015 |
Time Issued | 2:35 PM |
Receipt ID | c78f8e2a-5bbf-4f97-9c85-cf8738a027d6[1] |
About BobsCompendiumOfInterestingThings.com
Requests for more information | |
Privacy Policy | BobsCompendiumOfInterestingThings.com/privacy |
Purpose | The information described below was collected to ensure the integrity and transparency of the comments on BobsCompendiumOfInterestingThings.com. |
Personal Information Collected
Receipt Issued to | Alice |
Personal Information collected from Alice | Full Name |
| |
Other Information collected from Alice | Browser Header |
Other Information
3rd Party Sharing | No |
Sensitive Data Collected | No |