[WG-P3] [WG-IDAssurance] What to call a Relying Party in terms of aTrust Framework
iain at mydex.org
Thu Mar 10 15:20:24 EST 2011
Let me chip in from the less-active part of the list as this resonates closely with one of the learnings from the Mydex Community Prototype which is ongoing at present.
It's a long story, but the short version is:
- In this community prototype we are connecting a personal data store to a local council (Brent, London) in order to instantiate a 'soft subject access request' (*), an enable a two way flow of data between an individual and their local council (both parties can read, write and edit each others database).
- The UK Information Commissioner is represented in the steering group for the project, observing and commenting where appropriate (as is Simon Davies/ LSE); in that dialogue we have dug deeply into the 'who is controller, who is processor etc. Needless to say, in their own words, the current legislation did not anticipate the situation where the individual is quite clearly in the driving seat (i.e. acting as controller for all practical purposes for at least some of the data flows); and that causes problems going forward for this and many other similar systems (e.g. Healthvault), not least around identifying where liability rightly lies.
So there is a need for a term, such as master controller, or sovereign controller, that might help deal with the above scenario - even if it takes the law 5 years to catch up....
Hope that helps more than it confuses.
(*) We have defined this as a consent based ability for an individual to look at and edit (where appropriate) the record held on them by an organisation, and not the more traditional pay £10 and get a large bundle of paper model. We believe this soft version offers real benefit to both individual and organisation.
On 10 Mar 2011, at 18:28, Mark Lizar wrote:
> Yes, I see the limits of the term principle..
> Personally, I like Master Controller, but it suffers from the same
> sort of limitations. I think in a privacy perspective Master
> Controller may be incredibly useful as a technical term but that is
> just my opinion.
> In reality even data subject has semantical issues as a term and maybe
> even a blurring of terminological meaning at an attribute level.
> The significant difference is that Data Subject, Data Controller, and
> Data Processor are entrenched legally and therefore have some
> recognised authority.
> Either way, it seems, terms need to find a way to be mapped by
> something like an agreed standard.
> - Mark
> On 10 Mar 2011, at 17:19, John Bradley wrote:
>> Principal is used in the protocol domain to refer to entity that the
>> assertion is about.
>> In many cases it is the same as Data Subject but as assertions can
>> be used for many things that is not always true.
>> John B.
>> On 2011-03-10, at 11:41 AM, Rainer Hörbe wrote:
>>> Am 10.03.2011 um 12:26 schrieb Mark Lizar:
>>>> In Data Protection, there are Roles: Controller, Processor and
>>> I am only familiar with the terminology from the European DPD:
>>> Controller, Processor, Requester and Data subject. In which domain
>>> is Principle defined, and how does it map?
>>> - Rainer
>>> WG-P3 mailing list
>>> WG-P3 at kantarainitiative.org
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
Co-founder, Mydex CIC
e-mail: iain at mydex.org
This email and any attachment contains information which is private and confidential and is intended for the addressee only. If you are not an addressee, you are not authorised to read, copy or use the e-mail or any attachment. If you have received this e-mail in error, please notify the sender by return e-mail and then destroy it.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WG-P3