On Wed, Sep 2, 2015 at 5:51 PM, Mark Lizar <mark@smartspecies.com> wrote:
Hi Adrian,Ah yes, I should keep up with my reading.On 2 Sep 2015, at 14:04, Adrian Gropper <agropper@healthurl.com> wrote:I think the most important deliverable is a clear explanation and demonstration of how implementing UMA will provide the Resource Server institution increased cybersecurity and a safe harbor for exposing an interface to the public Internet. Although many of us are mostly motivated by other goals including consumer protection and the hope of selling software to the operators of authorization servers, these will not drive adoption of UMA without new laws and regulations. Let's see how far we can get with the current laws.I've tried to map the essential elements of Agency: Principal, Agent, and Third Party into a very simple document https://docs.google.com/document/d/1N6tocmA0KaBE6v3u-cZSyw0N52lG_LdWHAaPybS_vM0/edit that is open for discussion and editing.Eve and I had a very long session trying to understand the gaps between the Agency Law and UMA. These gaps are represented in the table toward the end of the Gdocument.I think that mapping UMA to Agency Law is more important and easier than standardizing or formalizing Terms of Use and Privacy Policies. To the extent that we can map UMA to Agency Law without introducing any specific profiling for healthcare, education, or any other vertical domain, we will be doing the best job of promoting adoption of UMA for the benefit of the RSs, the ROs, and the AS business..The MVCR work is based only on existing law and not dependant on any new law, I seem to have mis-represented this.. The consent receipt is only a format for recording and logging consents/authorisations, i.e. a format for capturing the agency, regardless of the policy as these consent requirements that are already in law. i.e. required.How Agency is represented is very interesting and I think a different but very related topic of liability which a record is just a piece of. (AKA UMA FLAVOUR) The provision of a standard consent notice system is a way to transfer the liability around, its more of a vehicle for Agency rather than the way to define Agency. Apologies for confusing these issues if I have Dazza seems to be able to unpack these very well and these seem to need to be unpacked more.Purpose specification is more a micro focus on HOW an UMA purpose might best be represented. I think the focus with the mapping WHAT would be in it is important and will have an effect on the way in which policy is formulated and innovated.- Mark_______________________________________________AdrianOn Wed, Sep 2, 2015 at 1:11 PM, Dazza Greenwood <notifications@github.com> wrote:In conversations during the Legal subgroup meetings, some people have suggested including example, sample or "standard" legal wording for ToS and other legal instruments for use with UMA deployments. Not yet sure what those would say, but it would be a sign of success to get to the point of recommending such terms. If the subgroup deliverables includes both recommended terms and an approach to audit logs for legal compliance or enforceability, we would have a strong set of deliverables.
—
Reply to this email directly or view it on GitHub.
--Adrian Gropper MD
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/