Complementary trust: IDEF Registry and Kantara cross-attestation
Kantara - Consent & Information Sharing WG Update
Transcript of Kantara - Consent & Information Sharing WG Update
CONSENT & INFORMATION SHARING
Kantara Initiative
Consent Receipt v0.8: The Alpha
@kantaraCISWG
Mark Lizar
What is a Consent Receipt?
A consent receipt is the first layer of a privacy notice and links to the rest of the layers and policy notices.
It is being designed to reduce friction and improve the customer experience around personal information sharing.
The aim is to enable high-value flows of volunteered personal information between individuals and organisations that merit their trust.
Alpha - v0.8 -> 2 Step Receipt
Step 1: I Agree
Step 2: Your receipt has been sent to you. Download another? Click
Presentation Options:
- Display on screen
- email
- direct to PDS
- Download to local device
Benefits - Opens Consent:
- people have a record and are able to use it in the future to manage digital rights.
- organisations have proof of consent
- uses a common meta-format for recording consent so that consent can be managed on aggregate
Minimum (or Simple) Consent Receipt
Kantara respects your privacy
Data Controller Contact Information: [email protected], AR St. London, WC2X 1NG
Date & Time: Stamped
Purpose List:
- To Send with Email
- To deliver Goods
- To charge Credit Card
- To Advertise
Data Categories Collected: Name, Email, Credit Card
Sensitive Personal Information: Y/N
Trusted Services: Y/N
Linked Trusted Services Icons: Link, Link, Link
Link to Policies: Privacy Policy
Link To Kantara Website: https://kantarainitiat
This consent receipt is provided by the Kantara Initiative; this receipt can be used to access, rectify PII and manage consent.
V.2 This Receipt is Compliant
Minimum Viable Consent Receipt
Kantara respects your privacy
[email protected], AR St. London, WC2X 1NG
Date & Time
Purposes: To Send with Email; To deliver Goods; To charge Credit Card; To Advertise
Data Categories Collected
Sensitive Personal Information: Y/N
Trusted Services: Y/N (Link, Link, Link)
Machine Readable: JWT
Integrity:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdXJpc2RpY3Rpb24iOiJVUyIsInN1YiI6Im1hcmtAc21hcnRzcGVjaWVzLmNvbSIsInN2YyI6WyJLYW50YXJhIiwiQ29uc2VudCAmIEluZm9ybWF0aW9uIFNoYXJpbmcgV29yayBHcm91cCJdLCJub3RpY2UiOiJEYXRhIGlzIGNvbGxlY3RlZCBmb3IgbWVtYmVyc2hpcCBhbmQgYWRtaW5pc3RhcnRpdmUgIHB1cnBvc2UiLCJwb2xpY3lfdXJpIjoiaHR0cDovL3d3dy5rYW50YX
This consent receipt is provided by the Kantara Initiative; this receipt can be used to access, rectify PII and manage consent.
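The slide above shows the receipt in a machine-readable JWT form whose signature protects its integrity. The following Python script is an added illustration, not code from the deck or from the Kantara specification: it encodes the receipt fields shown on the slide as JWT claims, signs the token, and refuses to return the claims unless the signature verifies. The claim names, the sample values and the signing algorithm (HMAC-SHA256, chosen so the script runs with only the standard library) are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and receipt. The claim names are assumptions chosen to mirror the
# field labels on the Minimum Viable Consent Receipt slide; they are not a Kantara schema.
SECRET_KEY = b"constructed-demo-key-replace-in-real-use"
SAMPLE_RECEIPT = {
    "data_controller": {"name": "Kantara Initiative", "address": "AR St. London, WC2X 1NG"},
    "timestamp": "2015-06-17T12:00:00Z",                      # Date & Time (constructed)
    "purposes": ["To Send with Email", "To deliver Goods",
                 "To charge Credit Card", "To Advertise"],    # Purpose List
    "data_categories": ["Name", "Email", "Credit Card"],      # Data Categories Collected
    "sensitive_pii": False,                                   # Sensitive Personal Information Y/N
    "policy_uri": "https://example.invalid/privacy-policy",   # Link to Policies (placeholder)
    "trusted_services": [],                                   # Linked Trusted Services
}

def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_receipt(claims: dict, key: bytes) -> str:
    """Encode the receipt as a JWT signed with HS256 (an assumption; stdlib-only demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_receipt(token: str, key: bytes) -> dict:
    """Return the receipt claims only if the signature checks out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifying side; the token must not get to choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: receipt altered or signed with another key")
    return json.loads(b64url_decode(payload_b64))
```

A receipt store that only ever reads claims through verify_receipt cannot be fed an edited purpose list or data-category list without the change being detected.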
WHEN FULLY EVOLVED THE STANDARD BECOMES A VEHICLE FOR TRUST MARKS
Membership / Priv. / IPR / TRACKING: YES
Stakeholder Benefits
Stakeholder / Development Stage: Alpha - v0.8; V1 Consent Receipt Specification; Standard Candidate - ISO Fast Track

1. Individuals (data subjects)
- Alpha - v0.8: Provides people with a record of consent and information to manually manage
- V1 Consent Receipt Specification: Reduces friction around personal information sharing.
- Standard Candidate - ISO Fast Track: Focused on a human-centric approach; a clear and simple standard to bridge the legal and technical divide

2. Kantara Implementation (orgs)
- Alpha - v0.8: Demonstrate that consent has been provided and people can use the receipt to manage it
- V1 Consent Receipt Specification: Improves customer experience.
- Standard Candidate - ISO Fast Track: Simplify data protection, data control, negotiation of terms

3. Regulators (education)
- Alpha - v0.8: Proof of consent, and useful to demonstrate compliance or lack thereof
- V1 Consent Receipt Specification: Enable good personal information management practices for data controllers and processors. Provides proof of compliance.
- Standard Candidate - ISO Fast Track: Use for Market Self-Regulation

4. Trust Services (education)
- Alpha - v0.8: Used to demonstrate value to trust services
- V1 Consent Receipt Specification: Core format for binding protocols and trust services
- Standard Candidate - ISO Fast Track: A needed and missing standard to channel trust services and create interoperability in trust
General Data Protection Revision - Article 7
1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous consent to the processing of their personal data for specified purposes was given by the data subject. 1a. Where article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.
General Data Protection Revision - Article 7
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to request consent must be presented in a manner which is clearly distinguishable in its appearance, in an intelligible and easily accessible form, using clear and plain language.
General Data Protection Revision - Article 7
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
There should be no doubt on the elements establishing consent and the intention of the data subject to consent.
Even though it can be expressed in many different ways, for instance through a statement or an affirmative action, the essential requirement is that such statement or action must clearly signify the data subject’s agreement to personal data relating to them being processed. There has to be a clear distinction between opt-in and opt-out.
Therefore, the notion of unambiguous consent foreseen by the Council of the EU in Recital 25 may create some confusion with respect to the aim of the proposed text especially on the Internet where there is now too much improper use of consent. Requiring it to be explicit is an important clarification, truly enabling data subjects the exercise of their rights.
Furthermore, consent should be informed and concern a specific purpose; any 'broad consent' would therefore not be acceptable.
Article 29 WP - Consent 17 June 2015
To Get Involved
We are looking for use cases for the v.1 specification that represent different identity relationships in the "Connected Life" ecosystem:
- The Individual: Managing Consent
- Organisations: Dealing with managing identities with consent
- Service Providers: using rich consent to deliver services
- Health Care: consent directives and portability
- Government: Open Consent
- IOT: Dynamic Consent
CONSENT & INFORMATION SHARING WG
If you would like to chat, or get a copy of this presentation
If you would like to get involved in developing the receipt infrastructure – join us at CISWG https://kantarainitiative.org/confluence/display/infosharing/Home
To keep Track: Follow us on Twitter @kantaraCISWG