HI Jeff, [some comments inline]
I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)
Perhaps Bobs Health Widget uses a delivery company, which uses a 3rd party trust framework, that is verified and audited by another intdependant third party to ensure to Alice that her address is not accessed, saved or copied by Bob’s Health Widgets. So the name, the contents of the package and the address are separated so no one party can have all three bits of data? How does Bob’s widgets advertise that they have these privacy and security practices, which are different than Dave’s Widget company? Is Bob’s Widgets more trust worthy than Dave’s? In one context, Privacy by Design is a container for trusting process that Dave’s company asserts when collecting Alice’s consent and data ( to effectively control the data rights management) Because Dave’s company holds Alice’s data, Dave’s company is subject then to Data Protection laws and Privacy by Design certifies that he encrypts Alices data and doesn’t leak it. 3 In the context of Bob’s Health widgets’ he doesn’t need privacy by design, and is not liable to data protection, because Bob may never hold’s Alice’s Data.
Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.
Enforcement can happen in a number of ways: - fines by law - breach of contract - reputation damage - 3rd party audit for compliance - trust framework enrolment process or customer software and so on.
The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.
This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.
I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.
I think what we are exploring here is the transference of liability, through consent, access control, and data control scenario’s. If Alice has the freshest copy of her own aggregate data, and she sets a notice that Dave no longer has a accurate data, then legally, with the proposed EU laws I believe Dave will no longer be allowed to process that data. In this regard I can imagine IOT scenario’s where data is only valid when it’s live data. (but that’s just me) Best , Mark
Jeff
--------------------------------- Jeff Stollman stollman.j@gmail.com <> 1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
On Tue, Aug 18, 2015 at 6:40 AM, Adrian Gropper <agropper@healthurl.com <>> wrote: Mark,
You seem to be saying that the Institution has less liability when accessing Alice's attribute "by Reference" rather than "by Value". I agree. Less risk of breach. Less risk of using stale data. Less liability to provide Alice with a verification and correction mechanism.
I would agree, and out UMA as enabling access "by Reference" in more use-cases.
Adrian
On Tuesday, August 18, 2015, Mark Lizar <mark@smartspecies.com <>> wrote: Ah yes,
I see the confusion. I thought these were two issues were separate. 1. Comparing the terms Consent and Authorisation and 2. liability and data rights management
The 2nd issue:
A. User controlled vs. B. User Managed. —> The data rights ownership issue,
A: Refers to the data subject (Alice) who is in control and owns her own profile of her own personal information, independently from a service provider, as opposed to B. filing in personal information (PI) into forms presented by a company as to create a copy of her (PI) and to give it to a company to owns and keep.
This issue is specifically related to: Who owns the data the User is managing access to?
This is also very similar to the design principle of: Always knowing who to sue. I think this also could be considered apart of the liability, ownership and data control discussion we have been having.
What I am specifically interested in, is if, data protection regulation is relevant in the context of A: When a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for attribute access and use only permission the same as take a copy of all Personal Information.
If B - when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation and hypothetically the user needs to trust the organisation more than in scenario A: where the User controls their own copy of their data and can turn on and off access. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)
For Example: company A, only gets to see Alice’s Address when they print a label and Alice's AS give Company A Access to print only a label from Alice’s personal resource server, then Alice can block access to her address at any time.
IF company A, gets alice to give over Alice’s address, then they can access Alice’s address at any time and don’t need to ask alice for permission to use it etc. One scenario requires much more trust from Alice than the other.
In A - Alice controls her data, in B- Alice Manages her data another company owns and keeps for her.
Does this make any sense?
- Mark
On 18 Aug 2015, at 00:00, Eve Maler <eve@xmlgrrl.com <>> wrote:
Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar <mark@smartspecies.com <>> wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper <agropper@healthurl.com <>> wrote:
Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you, in an UMA deployment I can not think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea, I have been unclear about how a consent record will be maintained and if a consents provides authority for a range of practices that happens long after the point of consent, if this is called something else, i.e. an authorisation. In this case are their other types of ‘authorisation’ records that deals with privilege management and I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar <mark@smartspecies.com <>> wrote: Pushing the penny forward an inch.
As a follow up to the MVCR, there are it seems, some legal considerations that surround the application of policy in terms of what takes precedent, the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear. T
A simple way to start putting this all together is to look at applying the MVCR roles ( that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arrise.
To get things going here are a couple of items and their flows for the legal eagles. .
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example: 1. In the MVCR their is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, The service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2 . What are the legal connotations - I.e. If a user blocks access to a PII resources (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed too, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified) i.e. the org indemnifies themself by give the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.
The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me, like a different legal flavour of UMA all together. (closer to the UMA Health Flow) I.e.. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access Vs. User Controlled Access. UMA profile that is of two flavours Flavour A. Alice controls access to her own PII, authorises access using UMA to personal profile Flavour B. Alice Manages Access to her own PII . Using UMA installed behind a company siloed (and own Company copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo. Note: this is the difference between the user being the data controller or the user being the data subject.
Who controls and owns the data rights? if the service user is also the data controller, then data protection and privacy laws are effected in that the liability and policy for protecting the data lies with the service user, and the liability or contract/license for the usage of the data lies with the company. - this would be a different policy structure, with a consent directive and UMA, for orgs to agree too. Like a Personal Privacy Policy (PPP) to cover the different liability. liability of being a data controller no longer applies the same way as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For Example: A good example here is in health care where consent directives and laws and frameworks are mature. (i.e. consent and access controls are being bound together already)
With Flavour A, Alice Owns and Manages PII, gets to see how many times her personal data (medical records) were accessed, when and by whom Flavour B, Alice, gives away PII - that is already under the T&C’s of service, and owed by the company or institution. in the second circumstance she does not get to see how many times her data was accessed or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian like company that owns them. With the MVCR based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her This would be a very helpful tool for alice to quickly understand medical sharing policies Without clarity between UMA Flavour A & B, does UMA have the opportunity to be : incredibly good (the good guys), because Alice is in full control of their own data incredibly bad, because Alice thinks she has control of a copy of their data. Or that another service provider, that she is forced to trust, has her best interests at hear. should their be a different flavour of UMA (in terms of legal considerations) that designates between A & B? Can their be a flavour of UMA that is both A&B? The MVCR - Binding A & B Together A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data. The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable - i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa For example the various frameworks that are used in the space of consent and access control can be added to a receipt. In this scenario, we would see Alice is at a hospital in the US Alice consents to provide PII to hospital for medical treatment Alice gets a consent receipt On receipt is UMA Icon and a HIPPA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS) Every test or comment can be then linked to her PPP and available for the next health data context This receipt under info sharing would have the PPP Icon, the HIPPA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.
In parallel to the US health System The UK’s heath care system is the reverse and has the same problems but for different reasons it is a universl health care system, where it costs the infrastructure money to provide medical services. (as oppose to the US) where the infrastructure makes money by providing medical services. In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, what medical records you have with Sensitive Medical Data spread on computers ranging from win 95 and up. An UMA enabled doctors office in the UK should be able to receive consent, use the medical data from the US and provide seamless service. So how would a consent receipt look like if it was used to bind ths A Consent Receipt extend the MVCR by: Adding UMA Framework Adding PPP (Personal Privacy Policy: Like a Consent Directive) police requirements Adding HIPPA: Add UK Jurisdiction profile and Medical PII profile to the consent requirements, add these processes at point of consent or enrollment at UK health care centre. These might all appear as ICONS of the above listed to the receipt and managed by 3rd parties operating the trust frameworks for the above elements.
Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood <dazza@civics.com <>> wrote:
Ok Eve, I'm on it. Looking forward to see the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
_ _ _ _ _ _ _ _ _ _ _ _ _ _ | Dazza Greenwood, JD | CIVICS.com <http://civics.com/>, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 <tel:617.500.3644> | Email: dazza@CIVICS.com <> | Biz: http://CIVICS.com <http://civics.com/> | MIT: https://law.MIT.edu <https://law.mit.edu/> | Me: DazzaGreenwood.com <http://dazzagreenwood.com/> | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood <http://google.com/+DazzaGreenwood> | LinkedIn: linkedin.com/in/DazzaGreenwood <http://linkedin.com/in/DazzaGreenwood> | GitHub: github.com/DazzaGreenwood/Interface <http://github.com/DazzaGreenwood/Interface> | Postal: P.O. Box 425845 Cambridge, MA 02142 | _ _ _ _ _ _ _ _ _ _ _ _ _ _
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler <eve@xmlgrrl.com <>> wrote: Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)
Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood <dazza@civics.com <>> wrote:
Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" faq.
Are the use cases from Adrian solid enough to work on and reflect the business case(s) you need to focus on? Also, do these use cases correctly and completed highlight the UMA functions and flows or is anything off base, incomplete etc?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
| Sent from my iPhone | Please Forgive Typos _________________ | Dazza Greenwood, JD | CIVICS.com <http://civics.com/>, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 <tel:617.500.3644> | Email: dazza@CIVICS.com <> | Biz: http://CIVICS.com <http://civics.com/> | MIT: https://law.MIT.edu <https://law.mit.edu/> | Me: DazzaGreenwood.com <http://dazzagreenwood.com/> | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood <http://google.com/+DazzaGreenwood> | LinkedIn: linkedin.com/in/DazzaGreenwood <http://linkedin.com/in/DazzaGreenwood> | GitHub: github.com/DazzaGreenwood/Interface <http://github.com/DazzaGreenwood/Interface>
On Aug 10, 2015, at 2:59 PM, Eve Maler <eve@xmlgrrl.com <>> wrote:
> I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here: > > https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn... <https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hnFYQ/edit?usp=sharing> > > Eve > > Eve Maler | cell +1 425.345.6756 <tel:%2B1%20425.345.6756> | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <> > > _______________________________________________ > WG-UMA mailing list > WG-UMA@kantarainitiative.org <> > http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
Eve Maler | cell +1 425.345.6756 <tel:%2B1%20425.345.6756> | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <>
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ <http://patientprivacyrights.org/donate-2/> _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
Eve Maler | cell +1 425.345.6756 <tel:%2B1%20425.345.6756> | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com <>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ <http://patientprivacyrights.org/donate-2/>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ <http://patientprivacyrights.org/donate-2/> _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>