How to operationalise consent

Authors: Shaun Conway, Mark Lizar & Tracy Kosa

Getting consent right will create a balance between Me (my expectations, rights and interests) and the rest of the world. MyData is a vision and set of guiding technical principles for how we, as individuals, can have more control over the data trails we leave behind us in our everyday actions. The idea is that individuals should have easy and practical ways to see and decide where data about us goes, to specify who can use it and modify these decisions over time. Consent is the fulcrum that makes MyData possible — it tips the balance in favour of people (the human aspect), but also makes MyData exponentially more valuable and useful to organisations. This should enhance, rather than impede the value of personal data flows.

Over the past year a growing number of initiatives have been working on ways to operationalise various aspects of consent.

The Personal Data Receipts project, led by Michele Nati, is a data format for taking forward user experience (UX) research.

Smart Consent is based on the COALA IP protocol, championed by Tim Daubenschuetz and Trent McConaghy (both from BigChainDB) and Shaun Conway (from Global Consent). This extends the consent receipt standard (invented and driven by Mark Lizar) from the Open Consent Group , to include decentralised digital rights management. The protocol can be implemented using Blockchain Smart Contracts (Smart Consent) to govern personal Terms of Access that will reduce the reliance on Terms of Service regulated by third-parties.

UMA (User Managed Access), led by Eve Maler through the Kantara Initiative, can be used to extend consent-based access control into Enterprise and Cloud-based Systems, for federated consent-driven data flows.

The MyData Architecture – The Stack is an exciting community initiative sponsored by the Finnish government, led by the Aalto and Oulu Universities and includes business and trade representatives from Europe (and North America). This expects to enable the MyData community to innovate at a global level within the MyData Operator framework.

ISO, 29184 — The Consent Receipt specification from the Kantara Consent & Information Sharing Working Group is based on the ISO 29100 Privacy Framework lexicon and designed to work with consent security requirements in the latest ISO 29184 , which focuses on security guidelines for online notice-based consent.

Many of the pioneers of these developments will be congregating at the MyData Conference at the end of August 2017 to share their experiences and knowledge.

The MyData 2017 conference represents a global community and collaborative space for exploring technical architectures, education and creating awareness of efforts to promote MyData and trust globally. This initiative has been gaining momentum and recognition over the past 5 years under the leadership of Jogi Poikola and Kai Kuikkaniemi from Open Knowledge Finland. We see this now being propelled forward with new regulations in data protection and privacy coming into effect and with new information technologies. This is a key moment for innovations in consent to gain traction.

Consent is arguably the most important operational principle of the EU General Data Protection Regulation (and of similar frameworks in other parts of the world). As an indication of how this is moving towards practical implementation, the UK Information Commissioner’s Office (OCI) recently issued the first ever draft guidance on consent.

At MyData 2017, the Consent Track will primarily focus on operationalising consent. We invite everyone who is working in this space to contribute. Let’s explore the art of putting consent obligations (regulations, standards, policies, legal terms) into practice. We could push the boundaries to discover unexpected innovations and would be excited to see practical demos! Submissions that address emerging issues, such as consent for AI or machine learning, IoT, healthcare, or special protection groups could be extremely interesting. Topics could include exceptions to consent, notice as a proxy for consent, or even the limitations of consent.

Leading up to the conference, we are fielding comments and collaborating through Slack, to prepare for the event and to make progress on a range of related initiatives. A conference call will take place every 3rd Tuesday of the month. Please contact us by email to consent@mydata for more information and an invitation to join. (Note that we will also be collating public comments on the ICO guidance, which are needed by March 26th, 2017).

We look forward to welcoming you to join this open collaboration and hope to see you at MyData 2017.