[WG-InfoSharing] Call for A Critical Assessment of the Capacity of CISWG to produce a V2 of the Consent Receipt

Mark @ OC mark at openconsent.com
Thu May 30 19:28:20 UTC 2019


HI Colin, 

Perahaps you are right. 


 This might originates with a few mis-communications, and these  are really important for a working effort to address  and the role of the chair to facilitate. 

 In this proposal there seems to be a key mis-understanding in the scope.   

From my understanding, the consent receipt specification customer  (or core audience)  are  regulators and standards organisations, and the identity industry/implementors are the consumers  or users of the work.   This is because this standard made in this way is legally authoritative, if it is combined with other legally authoritative standards, laws  and artefacts. (Like perhaps a consent certificate) 

It has been used as input into the GDPR and other regulators changes, and these have been fundamental to the development of the iteration on requirements which produced this specification .  It is actually now a going concern, because this approach, this lobby, this combination of people and community, have won in it’s combined work. 

The market wants, and people need a standard that is capable of automating compliance and evidence requirements in the ‘market’.     As Iain and Tom are saying, consent should be in the background and not a burden on people. 

This is why,  Kantara is the ideal place for such works, due to its bottom up approach, its key roles in assurance in the identity industry, and all of the people who participate and genuinely care about this stuff.  Care enough to battle and lobby for consent and notice to actually be a piece of infrastructure that identity systems can add as tools to the systems they make possible. 

Hopefully, this helps with providing some insight into the very focused and hardened consent receipt works that we now have the opportunity to complete.  Expanding the scope to more types of processing besides consent is not actually required to fulfil the objective of this work.  But creating a specification capable of compliance automation that people can control and use  - is. 

The people with the expertise to evaluate how to expand the scope for legal compliance use, to something like a processing receipt for many legal justifications, are largely not in this work group.  

I would have no objecting to a separate piece of work called the personal data receipt or whatever the group chose.  And if there was an expansion of scope - my major sticking point, is that the  expansion of the scope would need to be crystal clear (ideally to the existing customer ) before expanding it.  
 
Mark






> On 30 May 2019, at 19:57, Colin Wallis Kantara <colin at kantarainitiative.org> wrote:
> 
> OK, thanks.
> Yes, sounds like some crossed wires, but also, it is a different approach than is typical in Kantara, and there's always a level of discomfort when something new is tried, .
> How it is expressed of course is an individual thing..;-).
> 
> 
> On Thu, May 30, 2019 at 6:03 PM Andrew Hughes <andrewhughes3000 at gmail.com <mailto:andrewhughes3000 at gmail.com>> wrote:
> Mark. There are factual errors in your email. More to come.
> Andrew Hughes CISM CISSP 
> In Turn Information Management Consulting
> 
> o  +1 650.209.7542
> m +1 250.888.9474
> 1249 Palmer Road, Victoria, BC V8P 2H8
> AndrewHughes3000 at gmail.com <mailto:AndrewHughes3000 at gmail.com> 
> https://www.linkedin.com/in/andrew-hughes-682058a <https://www.linkedin.com/in/andrew-hughes-682058a>
> Digital Identity | International Standards | Information Security 
> 
> 
> 
> On Thu, May 30, 2019 at 9:46 AM Mark @ OC <mark at openconsent.com <mailto:mark at openconsent.com>> wrote:
> 
> Dear CISWG, 
> 
> After the last call, I have some critical concerns about the ability of the  V.2 work to be progressed in the current proposal.  There definitely should not be this much friction in process and admin. 
> 
> The proposal for the V2, is not a transparent approach, agreed by consensus, and what is extremely alarming is the proposition of  a  re-start to requirement gathering from the identity industry, to produce a specification in 3 months.  
> 
> The existing consent receipt specification was developed with 5 years of requirement gathering (over 10 versions of separate requirements for each version and use cases ) in consultation with standards bodies, industry trade associations and regulators.  This took a heck of a lot of work and has resulted in a legal tech specification for using consent with notice transparency that has been adopted by global standards efforts and entire industries. (US Health) To the point in which ISO has offered to initiate a study period which would be driven by this work group. 
> 
> For leadership, to not be aware or understand this scope, while also proposing to lead the work group product, is a massive red flag .  
> 
> A WG chair, to not know of the history of this extraordinary effort called the consent receipt, and to want to reframe this entire work from a identity implementation perspective is not only alarming but would not work. As this would be a different specification and not be CR V2 
> 
> In addition, I personally have a complaint that the behaviour continuously exhibited in calls by the convening chairs is not acceptable.  In particularly, not letting other people speak, not being transparent, and effectively (or continuously man-splaining) is not acceptable from a WG chair in any organisations - especially for work of such  import.
> 
> It is very clear that this proposal to V2 doesn’t consider the legal scope of work, which makes this a real legal framework (regulation usable) in consent standard for legal compliance.  
> 
> I would like to respectfully ask Kantara Leadership  Colin and Jim (of course) to review this behaviour, as well as all of you in this work group, and perhaps in the mean time, respectfully request that  Jim  (the Chair) take over the reigns of leadership in CISWG. .
> 
> With respect to CISWG,  I invite everyone to provide an opinion on this matter, who has an investment in the V2 work. 
> 
> Kind Regards,
> 
> Mark
> 
> _______________________________________________
> WG-InfoSharing mailing list
> WG-InfoSharing at kantarainitiative.org <mailto:WG-InfoSharing at kantarainitiative.org>
> https://kantarainitiative.org/mailman/listinfo/wg-infosharing <https://kantarainitiative.org/mailman/listinfo/wg-infosharing>
> _______________________________________________
> WG-InfoSharing mailing list
> WG-InfoSharing at kantarainitiative.org <mailto:WG-InfoSharing at kantarainitiative.org>
> https://kantarainitiative.org/mailman/listinfo/wg-infosharing <https://kantarainitiative.org/mailman/listinfo/wg-infosharing>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20190530/1fa4c244/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3862 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20190530/1fa4c244/attachment-0001.p7s>


More information about the WG-InfoSharing mailing list