Date

2018-06-21

Status of Minutes

Approved

Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Attendees

Voting

Andrew Hughes
jim pasquale Pasquale
Oscar Santolalla
John Wunderlich
Mark Lizar

Non-Voting

Richard Gomer
Mircea Patachi
David Turner
Robert Lapes
Kartik Venkatesh
Colin Wallis
Sal D'Agostino

Regrets

Quorum Status

Meeting was quorate

Voting participants

Participant Roster (2016) - Quorum is 5 of 8 as of 2018-02-22

Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale, John Wunderlich, Andrew Hughes, Oscar Santolalla

Discussion Items

Time	Item	Who	Notes
4 mins	Roll call Agenda bashing	Former user (Deleted)
5 min	Organization updates	All	Please review these blogs offline for current status on Kantara and all the DG/WG: Director's Corner: 2018: May Working + Discussion Group Activity There is a new wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Andrew of your implementation. Planning a Member Plenary meeting October 26-ish San Francisco (Friday after IIW) Are there specific cross-group items you'd like to propose to work on?
40 min	Interoperable Consent Receipt demo at MyData Conference	Andrew	John walked through the draft scenario Mircea: why would the receiving org need to generate a new CR? A: Depends on the interpretation of Article 20 implementation Jim: digi.me's consent feature requires that the data processor notifies the user on downstream sharing Karik: Trunomi allows counterparties to be defined and data sharing rules defined up front. PSD2 scenarios - has 2 consents that are tracked - 3rd party doing payments on behalf and the financial institution ACH: Would it make sense to just do the simplest thing: one data controller mints a CR and a different org displays it. Richard: important to do display and that the back end system is following the CR instructions Jim: digi.me has started work to 'export' a CR artifact. The user might be notified of sharing event. John: starting to think that we should disconnect the demo scenario from any specific regulatory requirement - this should stay a technical demo Robert: agrees - show what you received is what was sent - and show multiple receipts that display in the same way ACH: related that people in unconference sessions are capable of imagining potential uses of CRs - we need to show the simplest functions Kartik: conceptually makes sense - questions on the details about how multiple platforms will play Mircea - need to decide on which systems take on what roles in the demo - which ones create CR, which ones consume & display Richard: in principle it is OK - what does it actually look like to a User - the UX and concept of a CR moving from one place to another - there is no metaphor for this yet Oscar: does not have viewer yet - so this would help to have some else's viewer to use Mark: is the CR moved directly by the back end or are the actions done by the User. ACH: has lined up a mobile operator as a issuer of CRs - but they have no viewer - they need the user to use someone else's viewer ACH: need to do a storyboard Robert: the metaphor should probably be the same as physical receipt management - one place to view them ACTION: Richard to sketch a story board for this ACTION: Kartik to ask questions around how consent management platforms - send to email - includes sequence diagram Mircea - is each consent receipt unique? and should it stay at the originator org? then the only thing transfered would be the CR id? ACTION: Jim - to list some of the high level activities that digi.me is undertaking Mark: OpenConsent is planning to have a Viewer by August Possible distinction: A Viewer - look at CRs one at a time. Dashboard - look at multiple CRs and act on them.
	AOB
	Next meeting		2018-06-28 same time, same number

From 2018-06-14 call:

Jim: any project wanting to participate in the MyData consent receipt interop demo - we need you do do a mapping against the CR fields - there is a spreadsheet!
Need to ensure that the Use Case spotlights the user-centric approach. A motivator to show vendor-vendor interop is to demonstrate industry resilience.
Since the CR will contain personal data (and probably sensitive data) we must avoid giving the impression that we are unware of risks and anti-patterns.
There are 10 weeks remaining until presentation day!
Next week's call:
- Confirm the high-level scenario for the demo
  - Should this be limited to exchange of CRs? or showing data transfer that involves CRs
- Discuss and finalize a sequence/interaction diagram
  - Confirm the CR-related roles required for the demo (Display-ers/dashboards, the Person, CR Issuers)
- Richard Gomer is committed to the project (per Chris ) - will have input into the UX issues
  - The Consentua WebSDK demonstrator has embodied some of these concepts
- Pre-work assignments (due for distribution to the WG by Tuesday):
  - John - will develop a draft sequence diagram

Browser not supported