[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: COEL-54 Consent
|
Working with potential customers for the COEL standard, I have noticed that main concern for the larger customers in this space is currently managing consent – proving to themselves that they have the consent for any action, acting on the
consent wishes of their customers and the ability to demonstrate this to the regulator. The atom structure has the potential for us to record the consent associated with any piece of data within the data. In addition, we can use an atom to record consent activities (providing, changing, revoking, agreeing to data sharing,
etc.). A proposed solution for issue COEL-54 is to add an optional field to the BAP for consent recording and raise an issue to include consent actions into the COEL model. There is an existing stream of work in this area called the Minimum Viable Consent Receipt (MVCR) which has many of the attributes that we would need: https://kantarainitiative.org/groups/ciswg/ https://github.com/KantaraInitiative/CISWG/blob/master/MVCR-Spec/mvcr-v.08/MVCR%20v0.7.1.md I have spoken with one of the chairs, Mark Lizar, and he is keen to explore how we might work together. This open standard work is based in JSON on very similar IPR terms to ours. The MVCR programme has a wider scope that we initially need but provides the basic information needed to record consent (which I have summarised below). The programme extends to a registry of privacy policies and a consent receipt management
system. I believe we could choose at which level we wanted to integrate – the BAP and COEL model additions would be a simple and productive first step.
Consent fields: Jurisdiction New BAP field (country look-up) Timestamp New BAP field (date when consent was given) Method of collection New BAP field (look-up) Consent provider Possible new BAP field (this provides the link to the consent record management) Unique ID Possible new BAP field (unique ID for consent record management) PII principle Not needed (ConsumerID) Data controller Not needed (ServiceProviderID) Privacy Policy URL New BAP field (could be IDA, or other, inc policy notice) Purposes New BAP field (look-up
http://tinyurl.com/zchqhut) Sensitive Personal Information Not needed (all COEL might be sensitive) 3rd Party Sharing of Personal Info Possible New BAP field (might help with data sharing between Service Providers) Link to short privacy notice Not sure we need this (see above) Oauth Scope Not sure we need this (Retention period) New BAP field (this is not in the MVCR spec but I think it is useful) Best regards Joss Joss Langford Technical Director Activinsights Ltd
Tel: 01480 862080 MBL 07712 886208 Important Information: The contents of this email are intended for the named addresses only and contain information
which is confidential and which may also be privileged. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy, use it, or disclose it to anyone else. If you received it in error, please notify us immediately at
enquiries@activinsights.co.uk and then destroy it. Further, whilst we make efforts to keep our network free from computer viruses, etc., you do need to check this email and
any attachments to it for viruses as we can take no responsibility for any viruses which might be transferred by way of this email.
Activinsights Limited, Unit 11, Harvard Industrial Estate, Kimbolton, Cambs, PE28 0NJ. A company registered in England
& Wales. Registered number: 06576069 |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]