[WG-InfoSharing] MVCR Modes of Conformance & Compliance

Mark Lizar - OCG m.lizar at openconsentgroup.com
Fri Mar 11 18:46:45 CST 2016


Hi CISWG, 

As mentioned in a previous post to the list, there is a nice and gooey challenge to replace some of the text in the specification about why we need an MVCR (as this battle is largely won) with the operational objectives and scope of the MVCR.

In this regard, I have been IM'ing with Eve, and she has put me in touch with specification models where there are layers, or packages of operational levels (like SAML), and Eve has really helped me with some of the language to facilitate discussing spec development.

In this regard, I am taking a bit of a brute force approach here to moving this forward in terms of getting the spec into a more comfortable place for us to work on.

 MVCR Goals:
a) interoperability 
b) adoption 
c) no one running screaming from CRs 
d) compliance

Interoperability in the sense that we would like the MVCR to be usable as a lightweight (minimalist use case), as well as scalable to complex contexts (maximalist use cases).

To this end, I have taken a stab at what the MVCR might look like in different conformance modes. (see table attached) 

Conformance modes including
MVCR Lite
Implied Consent
Explicit Consent
UK Legal Compliance


********

The  MVCR Lite Explained
-  Goal to OPEN CONSENT: 
The consent grantee (aka owner of consent/data subject) obtains a record of the consent at the point in time at which consent is granted so that the record can be contextually usable.
The consent grantee MUST be able to use the receipt to communicate with the data controller about the consent in a manner proportionate to its method of provision (i.e. online, in writing etc).
This means the Data Controller contact information must be linked, valid, and proportionately usable.
The consent receipt can be used by the grantee (data subject) and the grantor (Data Controller) post consent provision to prove and manage the consent after the point consent is granted (in accordance with terms).
The MVCR Lite in this way can have a low barrier to compliance so that it is usable in the widest array of contexts and circumstances with the minimum liability for the lawyers and ease of implementation by the SMEs.

Ultimately its intent is to enable people to receive a consent receipt to communicate with the data controller about elements of the consent in the context of consent if there are questions.

Should I continue down this path?  Any comments? 

- Mark



-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-03-12 at 00.42.06.png
Type: image/png
Size: 48490 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20160312/046d7ac4/attachment-0001.png>