Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).

Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?

If that’s not the distinction, could you provide an example that highlights more sharply what it is?

Eve

On 16 Aug 2015, at 7:12 PM, Mark Lizar <mark@smartspecies.com> wrote:

Hi Adrian, 

On 16 Aug 2015, at 10:58, Adrian Gropper <agropper@healthurl.com> wrote:

Mark,

I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.

I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.

The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing  pursuant to that relationship. 

My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.

This might be a good idea. I have been unclear about how a consent record will be maintained and, if a consent provides authority for a range of practices that happen long after the point of consent, whether this is called something else, i.e. an authorisation. In this case, are there other types of ‘authorisation’ records that deal with privilege management? I have wondered how these might relate or be chained together.




Adrian 

On Friday, August 14, 2015, Mark Lizar <mark@smartspecies.com> wrote:
Pushing the penny forward an inch. 

As a follow-up to the MVCR, there are, it seems, some legal considerations that surround the application of policy in terms of what takes precedence: the privacy policy or the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear.

A simple way to start putting this all together is to look at applying the MVCR roles (that are anchored in ISO 29100 “roles”) as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arise.

To get things going, here are a couple of items and their flows for the legal eagles.

A. Data Rights Ownership; User Managed Access Vs. User Controlled Access.  (see use case below)

B. Are T&Cs subject to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?

For example: 
1. In the MVCR there is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information, so the service provider may then use the personal information. At which point, the service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&Cs are organisation-specific, the T&Cs are subject to the privacy policy, i.e. legal requirements trump the business requirements in a court of law.

2. In regards to the above, Issue 2. What are the legal connotations? I.e. if a user blocks access to a PII resource (using EU law), the terms for that service might be that the service is stopped. But the user may be required by the contract to keep paying for that service according to the contract and licence agreed to, and the service may be legally required to keep the user data while still charging for the service. (Of course this is oversimplified.)
i.e. the org indemnifies itself by giving users the functionality to manage access to a copy of the user data the org controls, but in a very privacy-by-design way.

The point being, this would appear to be a different UMA legal flow than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me like a different legal flavour of UMA altogether (closer to the UMA Health Flow).
I.e. Alice can turn access to all or just a single attribute on and off at any time in any scoped context.

3. Legal Flow/Use Case:  User Managed Access Vs. User Controlled Access.
  • UMA profile that is of two flavours
    • Flavour A. Alice controls access to her own PII, authorises access using UMA to her personal profile
    • Flavour B. Alice manages access to her own PII, using UMA installed behind a company silo (the company's own copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo.
    • Note: this is the difference between the user being the data controller or the user being the data subject.  

  • Who controls and owns the data rights? 
    • if the service user is also the data controller, then data protection and privacy laws are affected in that the liability and policy for protecting the data lie with the service user, and the liability or contract/licence for the usage of the data lies with the company.
      - this would be a different policy structure, with a consent directive and UMA, for orgs to agree to, like a Personal Privacy Policy (PPP) to cover the different liability.
      • liability of being a data controller no longer applies the same way, as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
         
For Example: 
  • A good example here is in health care where consent directives and laws and frameworks are mature.
    • (i.e. consent and access controls are being bound together already)

  • With Flavour A, Alice owns and manages PII, and gets to see how many times her personal data (medical records) was accessed, when and by whom
  • Flavour B: Alice gives away PII that is already under the T&Cs of service and owned by the company or institution.
  • in the second circumstance she does not get to see how many times her data was accessed, or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.
    • With the MVCR-based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her
    • This would be a very helpful tool for Alice to quickly understand medical sharing policies
  • Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
    • incredibly good (the good guys), because Alice is in full control of her own data
    • incredibly bad, because Alice thinks she has control of a copy of her data, or that another service provider, that she is forced to trust, has her best interests at heart.
    • should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B?
    • Can there be a flavour of UMA that is both A & B?
  • The MVCR - Binding A & B Together 
    • A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data.  
    • The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable - i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa
  • For example
    • the various frameworks that are used in the space of consent and access control can be added to a receipt. 
      • In this scenario, we would see
      • Alice is at a hospital in the US
        • Alice consents to provide PII to hospital for medical treatment
        • Alice gets a consent receipt 
        • On the receipt is a UMA icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS)
        • Every test or comment can be then linked to her PPP and available for the next health data context
      • This receipt under info sharing would have the PPP icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.

In parallel to the US health System
  • The UK’s health care system is the reverse and has the same problems but for different reasons
    • it is a universal health care system, where it costs the infrastructure money to provide medical services (as opposed to the US, where the infrastructure makes money by providing medical services).
  • In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, or what medical records you have, with sensitive medical data spread on computers ranging from Win 95 and up.
  • A UMA-enabled doctor's office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.
  • So how would a consent receipt look if it was used to bind this?
  • A consent receipt extends the MVCR by:
    • Adding UMA Framework
    • Adding PPP (Personal Privacy Policy: like a Consent Directive) policy requirements
    • Adding HIPAA:
    • Add UK Jurisdiction profile and Medical PII profile to the consent requirements, add these processes at point of consent or enrollment at UK health care centre.
    • These might all appear as icons for the above listed on the receipt, managed by 3rd parties operating the trust frameworks for the above elements.


Mark


On 10 Aug 2015, at 18:36, Dazza Greenwood <dazza@civics.com> wrote:

Ok Eve, I'm on it. Looking forward to seeing the negative cases.

Hi Mark, do you have any additional use cases to consider?

Thanks,
 - Dazza

   _ _ _ _ _ _ _ _ _ _ _ _ _ _
   |   Dazza Greenwood, JD
   |   CIVICS.com, Founder & Principal
   |   MIT Media Lab, Visiting Scientist
   |     Vmail: 617.500.3644
   |     Email: dazza@CIVICS.com
   |     Biz: http://CIVICS.com
   |     MIT: https://law.MIT.edu
   |     Me: DazzaGreenwood.com
   |     Twitter: @DazzaGreenwood
   |     Google+: google.com/+DazzaGreenwood
   |     LinkedIn: linkedin.com/in/DazzaGreenwood
   |     GitHub: github.com/DazzaGreenwood/Interface
   |     Postal: P.O. Box 425845 Cambridge, MA  02142
   | _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)

Eve

On 10 Aug 2015, at 12:12 PM, Dazza Greenwood <dazza@civics.com> wrote:

Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" faq. 

Are the use cases from Adrian solid enough to work on, and do they reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete, etc.?

Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa. 

Thanks,
 - Dazza 


On Aug 10, 2015, at 2:59 PM, Eve Maler <eve@xmlgrrl.com> wrote:

I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:

https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hnFYQ/edit?usp=sharing

   Eve

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma


-- 

Adrian Gropper MD

RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/
