[WG-InfoSharing] CIS WG roadmap material

Andrew Hughes andrewhughes3000 at gmail.com
Mon Nov 12 16:24:12 UTC 2018

Hi all - I'm continuing to work on framing up Kantara's future work areas
related to consent management and consent & information sharing...

I'm still pursuing this concept that at the core of our work is the
"agreement" step between the parties.
But now, I do not include "personal data" directly as a "valuable
consideration" - because, as was discussed last week, data collected and
processed must be required for the service provided - and must not be
viewed as "payment" to the service provider.

So - the link below is to a flow chart showing an idealized "agreement"

It is my belief that we can layer specific use case conditions onto this
idealized flow chart, and ask questions that will inform our work products.

For example, we could specify a use case where consent is the legal basis,
and personal data is collected and processed. This would affect the
information provided/consumed at each flowchart step and probably change
the information stored by either party. Also, the post-interaction
activities would be different (Subject Access Request, for example).

You should be able to see where and how the Kantara Consent Receipt fits
onto the flow chart (hint: at the "establish agreement" to "record keeping"
connections). I'm guessing that all of you with product have similar user
flows or business process flows that you work from.

These are some of the questions that came to my mind, to ask at the flow
chart steps:
* At each point in timeline what data is offered or consumed?
* What information and metadata should persist? (to record keeping)
* Under different legal bases what information should be provided to the
* What happens at first use? Does something different happen at subsequent
* What information is needed to exercising a day subject right? (and is
that information recorded anywhere?)

Notice that if we look at the flow from the Individual's viewpoint, the
answers and analysis looks different than when we take the Service
Provider's viewpoint. I think this indicates that we can use the same flows
to look at person-centred v controller-centred approaches.

I'm sketching a series of flow charts that dig into more detail at the
interesting stages in the overall flow chart - for example, what happens a
the "provide notices" box.

Food for thought for Thursday's call

I'm interested in what your reactions are to this analysis approach to
generate a roadmap. I'm getting more positive reactions so far, but lots of
silence too :-)

*Andrew Hughes *CISM CISSP
*In Turn Information Management Consulting*

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000 at gmail.com
*Digital Identity | International Standards | Information Security *
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20181112/03776a7c/attachment.html>

More information about the WG-InfoSharing mailing list