Pushing the penny forward an inch.
As a follow up to the MVCR, there are it seems, some legal considerations that surround the application of policy in terms of what takes precedent, the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear. T
A simple way to start putting this all together is to look at applying the MVCR roles ( that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arrise.
To get things going here are a couple of items and their flows for the legal eagles. .
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example:
1. In the MVCR their is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, The service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2 . What are the legal connotations - I.e. If a user blocks access to a PII resources (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed too, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified)
i.e. the org indemnifies themself by give the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.
The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me, like a different legal flavour of UMA all together. (closer to the UMA Health Flow)
I.e.. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access Vs. User Controlled Access.
For Example:
With Flavour A, Alice Owns and Manages PII, gets to see how many times her personal data (medical records) were accessed, when and by whom
Flavour B, Alice, gives away PII - that is already under the T&C’s of service, and owed by the company or institution.
in the second circumstance she does not get to see how many times her data was accessed or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian like company that owns them.
With the MVCR based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her
This would be a very helpful tool for alice to quickly understand medical sharing policies
Without clarity between UMA Flavour A & B, does UMA have the opportunity to be :
incredibly good (the good guys), because Alice is in full control of their own data
incredibly bad, because Alice thinks she has control of a copy of their data. Or that another service provider, that she is forced to trust, has her best interests at hear.
should their be a different flavour of UMA (in terms of legal considerations) that designates between A & B?
Can their be a flavour of UMA that is both A&B?
The MVCR - Binding A & B Together
A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data.
The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable - i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa
For example
In parallel to the US health System
The UK’s heath care system is the reverse and has the same problems but for different reasons
In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, what medical records you have with Sensitive Medical Data spread on computers ranging from win 95 and up.
An UMA enabled doctors office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.
So how would a consent receipt look like if it was used to bind ths
A Consent Receipt extend the MVCR by:
Adding UMA Framework
Adding PPP (Personal Privacy Policy: Like a Consent Directive) police requirements
Adding HIPPA:
Add UK Jurisdiction profile and Medical PII profile to the consent requirements, add these processes at point of consent or enrollment at UK health care centre.
These might all appear as ICONS of the above listed to the receipt and managed by 3rd parties operating the trust frameworks for the above elements.
Mark