Hi;

I’m continuing to noodle in the PEMC Requirements Conformance Documentation.

I have put the following under Principle 1: Consent and Choice

Applying the Consent and Choice Principle to Mobile Credentials
Where consent is the applicable basis for processing data, this principle mandates that organisations, including Issuers, Verifiers, and their respective Providers and Vendors, shall only process personal information with the explicit consent and choice of the individual Holder. This underscores the fundamental right of individuals (Holders) to control their personal information within the mobile credential ecosystem. 
Consent is only valid if the Holder has a genuine choice to allow or disallow the processing of their information. This means mechanisms must be in place for Holders to make informed decisions before or when any data processing occurs. These mechanisms should present distinguishable processing options, empowering the Holder to select their preferred level of data interaction.
Considerations for Implementors:

The Consent and Choice Principle for mobile credentials supports individual autonomy and transparency, ensuring that Holders are active participants in decisions regarding their data, rather than passive subjects of data processing.

2.1.1.1 Obtain Consent for Verifier Processing
Description

Applicability
Pre-conditions
Data Scope has been documented
The Verifier should explicitly identify and document the personal information elements they intend to request or derive from a Holder's mobile credential. Without knowing what data is involved, it's impossible to design an appropriate consent mechanism or adequately inform the Holder. 

Purposes have been identified and documented.
The Verifier should clearly define and document the specific, legitimate purpose(s) for collecting and processing each personal information element or group. Consent must be specific to the purpose(s) for collection. Vague or overly broad purposes invalidate consent. This also forms the basis of the Notice to the Holder. 

Notice Mechanism has been implemented.
The Verifier has designed and implemented an evident, conspicuous, and easily understandable Notice. This Notice must be presented to the Holder before or at the point of requesting mobile credential data and must contain:

Consent Mechanism has been implemented.
The Verifier has designed and implemented an unambiguous mechanism for the Holder to provide affirmative consent after reviewing the Notice. This mechanism must:

There is a Consent Record System
The Verifier has a reliable system or process to record the Holder's consent (e.g., timestamp, specific version of notice consented to, scope of consent given).

There is a No-Consent Process
The Verifier has a defined process for scenarios where a Holder withholds consent, ensuring that processing related to the denied consent does not occur and the Holder is appropriately informed of any consequences (e.g., inability to access a specific service).

Staff Training
The Verifier has been trained. Staff who engage with consent systems or processes (e.g., those involved in designing interaction flows, IT staff implementing the systems, and customer-facing staff, if applicable) are trained on this consent requirement and internal procedures.
Tests
Notice Availability & Timing Test
Procedure: Initiate an interaction requiring credential data from the Verifier's system.
Observation: Is a Notice presented before or at the point of data request? Is it easily accessible and readable?
Success Criteria: Notice is timely and presented.

Notice Content Adequacy Test
Procedure: Review the content of the presented Notice.
Observation: Does it accurately list the personal information to be processed? Does it clearly state the specific purpose(s)? Is the Verifier identified? Is the language understandable to a typical Holder?
Success Criteria: Notice content is complete, accurate, and transparent as per pre-conditions.

Consent Action Test
Procedure: Interact with the consent mechanism.
Observation: Does the system require an explicit, affirmative action from the Holder to signify consent (e.g., clicking "Agree," unchecking a pre-filled box is not sufficient)? Can the Holder easily decline?
Success Criteria: Consent requires an explicit, affirmative action. Declining is straightforward.

Data Processing Post-Consent Decision Test
Procedure:
Scenario A: Provide consent. Attempt to complete the transaction/interaction.
Scenario B: Decline consent. Attempt to complete the transaction/interaction.
Observation:
Scenario A: Does the system process the Holder's data as described in the Notice?
Scenario B: Does the system refrain from processing the Holder's personal information for the purpose for which consent was denied? Is the Holder informed of the outcome of declining (e.g., service unavailability)?
Success Criteria: Data processing aligns with the Holder's consent decision. The system respects denial of consent.

Consent Record Audit:
Procedure: (If backend access or logs are available) After a successful consent interaction, attempt to locate the record of this consent.
Observation: Is a record of consent stored? Does it contain relevant details (timestamp, scope)?
Success Criteria: A verifiable record of consent exists.

Test Results
Does Not Meet Requirement: The Verifier meets less than 50% of the test conditions that apply for its use case.


Have a better than expected day,
John Wunderlich

“The law, in its majestic equality, forbids rich and poor alike to sleep under bridges, to beg in the streets, and to steal their bread.”

Anatole France   





This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.