Consent Receipts: The future of Personal Data Sharing?
MyData 2016 Conference Day 1, August 31st, Helsinki
Session: Making Trust Ecosystems Happen
Michele Nati, Lead Technologist Personal Data and Trust, Digital Catapult, London
@michelenati
What is a Consent Receipt?
https://github.com/KantaraInitiative/CISWG/blob/master/MVCR-Spec/[email protected]/MVCR v0.7.9.md
Recommendation for standard, Kantara Initiative, CISWG
What could a Consent Receipt be useful for?
TaCs
Consent Notice
Consent Receipt
Agree and Forget
Lie & Agree
(Pre-service) Consent should be:
- Freely given
- Informed, unambiguous and specific
- No more legitimate interest
(In-service) Consent:
- Dynamic, change and remove
- Transparent
- Auditable
- Breaches notification
Standardized process and data (Consent Receipt)
Process to issue a Consent Receipt
Assessment
• Assess privacy policies of an organization
• Extract fixed part of consent receipt
Customization
• Customize consent receipt generator for a given organization and policy
Issuing
• Collect missing/transactional data specific to the current individual/organization transaction (at time of signing for a service)
• Generate a personalized receipt – add unique “pseudonymous” ID
• Send a copy of receipt, as plain text, human readable/informative (also machine readable)
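An added sketch of the issuing step above (not code from the talk or from the Kantara specification). The field names, the sample organization and the HMAC-based construction of the “pseudonymous” ID are assumptions made for illustration:

```python
import hashlib, hmac, json, secrets
from datetime import datetime, timezone

# Fixed part, extracted once from the organization's privacy policy (assessment
# step). Every field name and value here is constructed for illustration.
FIXED_PART = {
    "data_controller": "Example Org Ltd",
    "contact": "privacy@example.org",
    "policy_url": "https://example.org/privacy",
}

def pseudonymous_id(org_key: bytes, subject: str, nonce: str) -> str:
    """Keyed hash: unique per receipt, linkable to the subject only with org_key."""
    return hmac.new(org_key, f"{subject}|{nonce}".encode(), hashlib.sha256).hexdigest()[:32]

def issue_receipt(org_key, subject, personal_data, purposes, nonce=None, issued_at=None):
    """Issuing step: merge the fixed part with this transaction's data."""
    nonce = nonce or secrets.token_hex(16)
    receipt = dict(FIXED_PART)
    receipt.update({
        "receipt_id": pseudonymous_id(org_key, subject, nonce),
        "nonce": nonce,
        "issued_at": issued_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "personal_data": sorted(personal_data),
        "purposes": sorted(purposes),
    })
    return receipt  # the subject identifier itself is never stored in the receipt

def to_json(receipt) -> str:
    """Machine-readable copy."""
    return json.dumps(receipt, sort_keys=True, indent=2)

def to_text(receipt) -> str:
    """Plain-text, human-readable copy."""
    return "\n".join([
        f"Receipt {receipt['receipt_id']} issued {receipt['issued_at']}",
        f"Who: {receipt['data_controller']} ({receipt['contact']})",
        f"What: {', '.join(receipt['personal_data'])}",
        f"Why: {', '.join(receipt['purposes'])}",
        f"More info: {receipt['policy_url']}",
    ])

def belongs_to(org_key, receipt, subject) -> bool:
    """Organization-side check that a presented receipt was issued to this subject."""
    expected = pseudonymous_id(org_key, subject, receipt["nonce"])
    return hmac.compare_digest(expected, receipt["receipt_id"])

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-organization secret
    r = issue_receipt(key, "alice@example.com", ["email", "name"], ["newsletter"])
    print(to_text(r)); print(to_json(r))
```

Because the ID is a keyed hash over the subject and a per-receipt nonce, two receipts for the same person cannot be linked by a third party, while the issuing organization can still confirm who a presented receipt belongs to.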
Where did we start?
Work in collaboration with PhD Candidate, Tatiana Styliari, University of Nottingham
Initial findings
Consent Receipt design & content:
● Icons
● Text to accompany icons
● Colors (related to security level)
● Quick to scan read
● Bullet points
● Who, what, why, where, with whom
● Link with more info for each section
● Easy access (mobile)
● Forget me option
● Team/person details to contact for info/complain
General Feeling:
• Necessity of the consent receipt: People recognise the need to have more control over the data they share.
• Identification of a wider societal impact: collect consent receipts to distinguish your data sharing patterns.
What have we learned?
(after involving lawyers!)
According to DPA, consent is not required for:
a) the “legitimate interests” of the data controller, so long as they do not override the fundamental rights of the data subject;
b) data that it is necessary to collect or process to fulfill a contract the data subject asked to enter
This might limit the impact of Consent Receipt and confuse end users
Solution: we will issue a Personal Data Receipt (GDPR has an “Information Notice” requirement), including all the collected personal data
(PD) Receipt trial aims
• Educate consumers (visitors) about information receipts
• Understand the value of information receipts for consumers
• Increase transparency
• Promote good practices and adoption of information receipts across a varied range of stakeholders
How to make this scalable?
This requires:
- 3rd party to provide service assessment (similar to Privacy Seal assignation)
- Standardized Privacy Policies to make it scalable
- A standardized (Consent) Information Notice to guarantee interoperability
- Maintain ease of understanding for end users
- We will combine with BSI PAS 4891 Initiative
BSI PAS 4891
• Recommendation on how organizations communicate how they use customers' personal data online
• Define the categories of information
• Provide an initial icons mockup
• Can be used in layered privacy policies (and information notice)
Here to help grow the UK’s digital economy
Office of National Statistics shows only 7% of UK national output comes from the digital sector, significantly behind the global leader South Korea at 11%.
DIGITAL CATAPULTS
1. Here to accelerate economic growth and productivity for the UK
2. A not-for-profit, private limited company
3. Completely neutral
HOW DO WE DO THIS?
1. Through adding technological, business expertise and academia
o Help SMEs to scale faster
o Help businesses with digital transformation
2. Tackle large scale digital challenges that are too complex, financially risky or take too long
3. Use Research & Development to open up new markets and commercial opportunities
FIVE CENTRES ACROSS THE UK
We work across the UK with
• Digital communities
• Innovation clusters
• Businesses (all sizes)
• Public sector
• Research
• Government
• Universities and academics
• Not-for-profit organisations
WE WORK ACROSS A RANGE OF TECHNOLOGY LAYERS
Next generation Internet:
Internet of Things, distributed ledger technologies, decentralised web, 5G and low powered wide area networks
Data-driven: trust, privacy, identity and security
Intelligent: machine learning and artificial intelligence
Personal Data and Trust Network
PDTN
SMEs
Corporates
Universities
600+ Innovators in Personal Data and Trust
THANK YOU!
#DigiCatapult
0300 1233 101
Digital Catapult
digicatapult.org.uk
/DigitalCatapult
@DigitalCatapult