Mark,

Perhaps you could let me know what a detailed consent might look like.  Following the suggestion at the call, I automated the Model Clauses in a couple of languages, and put a place in Appendix 1 for specification of MBP (minimum best practices) - the policies and protections that the parties agree to maintain.  The same set of protections would be assured to the citizen via a privacy policy (in their language) that would link to or incorporate the MBP.  The privacy policy would be driven by shared materials that can be customized by both company (collector) and citizen, mostly by making selections.  The selections and record of the interactions can be a log consisting of key/values of the choices.

In addition to creating a generalizable way of handling consent (consent applies also to the GA4GH, and the same structure is present in all of contracting). 

This example is not fully built out, but Dazza is proposing related stuff for the Future of Commerce.

http://www.commonaccord.org/index.php?action=source&file=Dx/Acme_UK/01-EU-US-DataTransfer/Doc_v0.md

Thanks, Jim


 


On Fri, Oct 23, 2015 at 1:45 PM, Mark Lizar <mark@smartspecies.com> wrote:
Some background on the thinking that has gone into the design of a consent receipt specific to safe harbour. 

One of the biggest issues with moving data across jurisdictions is the different laws.  This is in addition to the complexity of difference cultures and different contexts that create expectations of data use.  This is why data protection and privacy in the context of cross border data transfers is so difficult. 

A preferred way to expedite data transfers is for people to control their own data and to consent to its access, rather than only its transfer.  (A new and developing layer of technical capability affectionately called Consent 2.0)  

A consent receipt is like a reverse (VRM) cookie, its a record that people get to track organisations and what they share about them.  It collects the identity attributes that are provided, the purpose they are provided for and who they are shared with.  The Consent Receipt can also carry assurances, trust marks, security promises and even reputations.   

Combined with UMA, a consent receipt is a tool to show how personal control over data means that it can stay in a jurisdiction, and be shared  with others. In essence people can control access to data and create their own safe harbour to transfer data across borders.

Regardless of who the data controller is, a key benefit of a consent receipt for organisations is the ability to add, record and provide jurisdictionally based notice requirements to a consent notice.  Demonstrating compliance (or not) by the notices provided with the privacy policy for sharing and data use.   Combined with model contract clauses, which are used to assure liability and define data controls, consent receipts address Privacy Policies while model contracts address Terms of Use policies. 

In the EU, notice and consent is required for all personal data collection and sharing.  In the US, explicit notices are required for consent for sensitive data.  Data covered by federal laws like COPPA, GBLA, HIPPA, and the like. 

In every jurisdiction sensitive data comes with specific, legally defined, notice requirements, that are localised.  All sensitive personal data transfer requires explicit consent and notice that are intended to assure informed consent.   It is for this reason that a consent receipt has been designed to highlight sensitive data, both what an individual considers sensitive and what the law considers sensitive, so that PII can be shared.

If an organisation doesn’t meet legal notice requirements across jurisdictions, then it doesn’t matter what model contract clauses are used, the consent is not informed and compliant for sensitive data collection and sharing.  In fact, model clauses can become a source of toxic liability and can be used to hold the data controller or processors liable. (which builds trust)

Posted on consentreceipt.org 


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma