2019-02-28 Meeting notes (CR)

4 mins

• Roll call

• Agenda bashing

@Former user (Deleted)

• Deferred: Status: Wiki refresh work

• Deferred: Status: Distribution-version of slide deck describing the work here (consent receipt today → personal data processing receipt tomorrow - or whatever we decide)

• Discuss EIC demo and scheduling

• Discuss proposal for specification extension approach

5 min

• Organization updates

All

Please review these blogs offline for current status on Kantara and all the DG/WG:

• Director's Corner: 2019: Feb. (Datafund)

• Work + Discussion Group Activity

There is a wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Jim, or John, or Andrew of your implementation.

• TIIME, Vienna, February

• EIC, Munich, May

• Identiverse, Washington, June

• MyData NGI Next Generation Trust

Dativa is developing an innovation hub around consent and CR

10 min

Product roadmap for the demo

All

• Target is EIC May 2019

Here's the project page for the "Demo v2"

Go to the demo v2 page for the breakdown of roles and functions for 2019-02-21 call

=======

THESE NOTES ARE FROM 2019-01-31 CALL AND ARE DIRECT-EDIT-UPDATED FROM 2019-02-07 CALL

Andrew's personal opinion on what to highlight:

• The fact that giving the person tools necessary for them to keep records (the 'receipts') about their data controller & personal data processing interactions is a new thing in the world

• The ability for the person to take action because they have these records in their possession - the Privacy Control Panel

• The fact that interoperability standards allow many products to work in an 'ecosystem' way

• Even if the audience does not believe that the lawful basis of consent will become a mainstream thing, the person-side record keeping idea is a good one that has broad applicability

Comments:

• This opens the door to ongoing management of the relationship by the person with the data controller/other

• The consent receipt is also a Notice

• People have an independent record of the interaction in the receipt

• Have hard receipts gone away because they are viewed as 'too much friction'? Is this dangerous?

Decisions needed:

• The specific set of user stories we want to showcase - what is the "Consent Journey" of the person?

• The roles that each product will cover in the demo

Comments (2019-02-14):

Comments (2019-02-07):

• digi.me: https://developers.digi.me and  https://developers.digi.me/consent-access

• Peter to sketch up a rough sequence

Comments (2019-01-31):

• The discrete functions need to be identified

• Receipt issuers should be enrolled in advance (data controller should be known)

• Can we show multiple wallets that hold receipts?

• Should build on the flow of the Demo v1 - person does stuff, gets receipts, sees them, acts on them

• Is the 'wallet' (a.k.a. the receipt storage location) singular or multiple?

  • Sphere app can display receipts from their own storage locations

  • Digi.me only shows receipts within their system

    • Jim is pushing engineering towards the idea that the 'control panel' should be able to work on receipts in other app storage locations

• Passing control over a receipt (to act on a receipt and manage it going forward) to a 3rd party breaks the security concept of digi.me and Sphere's apps

  • Exporting a receipt is possible, but action on the exported receipt might require a redirect back into the Sphere app

  • This is probably the same with all app ecosystems

• Jan - looking at the topic of using the receipt as a data schema but also using the universal namespace/identifiers (a.k.a. Decentralized Identifiers) to reference the entities and object might allow for broader interoperability

• Peter: we lack the protocols for operations on the receipts themselves - maybe do this in Kantara

• Jan - last week call - Paul and Jan presented on the Hyperledger Indy work for interop

• Remember that we are limited by what exists today - a list of JSON files

  • The 'take action' function might be a simple "open URL in the receipt issuer's app"

• Action: Andrew to draw an information flow diagram for discussion for the demo

• Action: ALL - to think about the functionality that your products can do today in light of the "Privacy Control Panel" idea - we will try to do a heat map to try to sort out role assignments and find gaps

20 min

Approach to "extension kit"

Mark

I have start a wiki page for working on a consent receipt extension and was thinking of trying to work on the document outline during the call tomorrow and just get a basic set of steps for the work effort to complete a simple scope. . 

1. Draft & Review extension Outline 
2. Walk through use of extension 
3. Recommend extension

Here is the link - https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=104600510

Meeting notes

• Approach to mapping the CR to a specific law/regulation and ensuring that the terms/fields are correct for the specific law

  • Then, replacing the terms in the specification to create a law-specific specification

• Try this out on CFR 42 - a healthcare regulation in US that requires explicit consent - on top if HIPPA - which did not cover explicit consent

  • HIPPA has a 'burden of proof' requirement

• Discussion about interoperability between domains, parsing and

Deferred

Specification update approach

• Discovery approach leading to backlog leading to prioritization?

• How do we decide what changes we must do in this round versus deferrable changes?

• See https://github.com/KantaraInitiative/consent-receipt-v-next

See a flowchart version of this here:

https://share.mindmanager.com/#publish/b-DWOcuKGnVY1PXBKXTpL0-DQOeqmZMGfGUAPiC5

5 min

AOB

Sneha

• Update from Sphere Identity about ID4D challenge

  • "How could an identity solution work for 1 Billion people"

Next meeting

*** Next call 2019-02-21 10:30 am Eastern Standard Time / 15:30 GMT

https://global.gotomeeting.com/join/323930725