How does this project fit with the strategy?
Project time frame to Completion:
Specs: Framework Specification for Personal Data Use Receipts
Recommendation / Practices:
Why are we doing this?
The Consent Receipt v1.1 from Kantara was frozen in 2017 and has seen enormous success as seen, e.g., in adoption across organizations, as it brings efficiency, compliance, and user control. The original receipt was primarily aimed at personal information and, to a large extent, driven by upcoming regulations (at the time) such as EU's GDPR. Adaptations to different contexts such as Healthcare or Financial are now common but, as expected, the current specification is often limiting and requires modifications to specific use-cases.
In discussions with organizations that handle personal information, it became apparent that a more general framework would be readily accepted by implementers that were not addressing only consent-based personal data sharing situations. The concept that individuals should be given material for personal record-keeping about data interactions has proven to be very powerful and compelling.
The aim of this project is to create a framework specification that describes the requirements for Data Use Receipts. The framework specification will include mandatory and optional elements. Communities of interest will create profile specifications of the framework specification that are customized for their use cases and scenarios.
The framework specification will allow implementers from any community to be assured that their profiled specifications contain the essential element of Data Use Receipts. Different profiles are not expected to be automatically semantically interoperable or technically interoperable between domains. However, with some planning, profilers can adopt or align with pieces of other profiles.
How do we judge success?
A published framework specification that describes Data Use Receipts requirements and guidelines for the creation of profile specifications.
The end result should be that the current Consent Receipt Specification v1.1 should appear as if was constructed as a profile from the PDUR Framework specification.
What do we already know?
The Kantara Initiative Consent Receipt Specification v1.1 was published by Kantara Initiative in 2017 and several communities and companies have implemented compatible consent receipt definitions. Feedback from implementers of v1.1 was collected as a potential backlog of work items for future evolution of the CR v1.1
ISO 10000 provides guidance on how to write framework specifications and how to construct profile specifications from them. This approach will be used in the PDUR Framework Specification.
What do we need to answer?
|A description, in framework specification format, of the mandatory and optional data elements and metadata that should be present in any personal data use receipt type of data structure.|
Ready to make it
What are we doing?
Taking the existing Consent Receipt Specification v1.1 plus implementer feedback as input to retroactively create a PDUR Framework Specification that will appear to be the progenitor of the v1.1 specification.
Constructing the PDUR Framework Specification in a way that it could be contributed to the ISO 27560 "Consent Record Information Structure" project as input into that ISO SC 27/WG 5 project. The ISO 27560 project intends to create an ISO Technical Specification that describes the requirements of consent record information structures - this is the same objective as the PDUR Framework specification project.
Why will a customer want this?
Personal record keeping for important events is a well-founded concept. The Personal Data Use Receipt framework specification will allow implementers to offer a standardized person record that corresponds to the data controller's records. Having an independent personal record is a powerful person-enabling capability that companies can use to increase the value delivered to people.
Visualize the solution
The context of the solution is an online data-transfer interaction event between two parties. The PDUR Framework Specification will set out the expectations for PDUR profiles and the kinds of event metadata that should be kept, offered, and maintained by one or both parties.
For example, Party A might be an organization wanting to obtain data from Party B, an individual. In this example scenario, the data transfer interaction is online only.
Party A and Party B come to agree on the terms, conditions, and details of the data transfer. Party B positively indicates authorization to Party A to proceed with the data transfer interaction. In most cases, Party A must keep a record of the agreement, the authorization, and the event. Today, if Party B wishes to maintain a personal record about the agreement, authorization, and event, they must proactively decide to do so and record whatever they can with little or no assistance from Party A.
In the future, a PDUR profile would specify the expected metadata about the agreement, the authorization and the event to be retained by Party A, to be offered to Party B, and to be maintained by Party B over time.
The records kept by Party A could be called "Personal Data Use Records" and the corresponding records offered to and kept by Party B could be called "Personal Data Use Receipts". Both records would conform to the applicable PDUR Profile specification.
The highest-level description of the PDUR structure is:
This Project Poster template is copyright © 2016 Atlassian.
This work is licensed under a Creative Commons Attribution-Non Commercial-Share Alike 4.0 International License.