This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links

Version management

Difference between version and

At line 1 added 99 lines
!!! Overview
[{$pagename}] is a record of a [consent] provided to an individual at the point in a [person] agrees to the sharing of [data] (usually [Sensitive Data]).
[{$pagename}]s purpose is to capture the [Privacy Policy] and its purpose for sharing [Personal data] so it can be easily used by [Entities] to communicate and manage [consent] and sharing of [Sensitive Data] once it is provided. [1]
[{$pagename}] is a [Kantara Initiative]
!! [Minimum Viable Consent Receipt] [2]
The [Minimum Viable Consent Receipt] ([MVCR]) is used to create [{$pagename}] that puts people in the control of [personal data].
The [MVCR] is a specification for creating an open standard for dynamic [consent], proof of [consent], [privacy] icons and kitemarks
!! [{$pagename}] and [General Data Protection Regulation]
[General Data Protection Regulation] ([GDPR]) implies:
* Valid [consent] must be explicit for [data] collected and purposes data used
* [Data Controller] [MUST] be able to prove [Consent]
!! [{$pagename}] Details [1]
[{$pagename}] is presented in a [JSON Web Token] which is signed by [JSON Web Signature].
To find more information
* [GitHub] Repo: [https://github.com/KantaraInitiative/CISWG/issues|https://github.com/KantaraInitiative/CISWG/issues|target='_blank']
* Meeting Notes: Meetings and Minutes
* Known Implementations:
** [Provides individual ability to share their locally owned personal data with apps & web services via Consent Access Certificate process|https://digi.me/ |target='_blank']
** [API & Widget that simply captures consent and creates an interoperable consent receipt|http://blog.consentua.com/ |target='_blank']
* Consent Receipt v0.7 test api on display at [ConsentReceipt.org|http://api.consentreceipt.org,|target='_blank']
* [Consent Receipt API - Documentation|http://api.consentreceipt.org/doc/ |target='_blank']
!! [{$pagename}] and [Personal Health Records]
[{$pagename}] could be a possibility for providing [Personal Health Record] information to [End-User]
! Consent Receipt Transaction Details
Administrative fields for the consent transaction and the metadata for the overall Consent Receipt.
%%zebra-table
%%sortable
%%table-filter
||Field Name||Definition||Guidance||Required
|[Version]|The version of this specification a receipt conforms to.|The value [MUST] be “KI-CR-v1.0.0” for this version of the specification.|[MUST]
|[Jurisdiction]|Jurisdiction(s) applicable to this transaction.|This field MUST contain a non-empty string describing the jurisdiction(s).|[MUST]
|Consent [Timestamp]|Date and time of the [consent] transaction|[MUST] include a time zone or indicate [UTC]. Presentation to end users [SHOULD] consider localization requirements.|[MUST]
|Collection Method|A description of the method by which consent was obtained.|Collection Method is a key field for context and determining what fields [MUST] be used for the Consent Receipt.|[MUST]
|Consent Receipt ID|A unique number for each Consent Receipt.|For example, UUID-4 [RFC 4122]|[MUST]
|[Public Key]|The PII Controller’s public key.| |[MAY]
/%
/%
/%
! Consent Transaction Parties
%%zebra-table
%%sortable
%%table-filter
||Field Name||Definition||Guidance||Required
|[PII] Principal ID|[PII] Principal provided identifier. E.g. email address, claim, defined/namespace.|Consent is not possible without an identifier.|[MUST]
|[PII] [Controller|Data Controller]|Name of the initial PII controller who collects the data. This entity is accountable for compliance over the management of PII.|The PII Controller determines the purpose(s) and type(s) of PII processing. There may be more than one PII Controller for the same set(s) of operations performed on the PII. In this case, the different PII Controllers SHOULD be listed, and it MUST be listed for Sensitive PII with legally required explicit notice to the PII Principal.|[MUST]
|On Behalf|Acting on behalf of a PII Controller or PII Processor. |For example, a third-party [analytics] service would be a PII Processor on behalf of the PII Controller, or a site operator acting on behalf of the PII Controller.|[MAY]
|[PII] Controller Contact|Contact name of the PII Controller|Name and/or title of the DPO.|[MUST]
|PII Controller Address|The physical address of PII controller.|Address for contacting the DPO in writing.|[MUST]
|PII Controller Email|Contact email address of the PII Controller|The direct email to contact the PII Controller regarding the consent. e.g., DPO, CPO, privacy contact.|[MUST]
|PII Controller Phone|Contact phone number of the PII Controller.|The business phone number to contact the PII Controller regarding the consent. e.g., DPO, CPO, administrator.|[MUST]
/%
/%
/%
! Data, collection, and use
This section specifies services, personal information categories, attributes, PII confidentiality level, and PII Sensitivity.
%%zebra-table
%%sortable
%%table-filter
||Field Name||Definition||Guidance||Required
|[Privacy Policy]|A link to the [Privacy Policy] and applicable terms of use in effect when the consent was obtained and the receipt was issued.|If a [Privacy Policy] changes, the link [SHOULD] continue to point to the old [Privacy Policy] until there is evidence of an updated consent from the PII Principal.|[MUST]
|Service|The service or group of services being provided for which PII is collected.|The name of the service for which consent for the collection, use and disclosure of PII is being provided. This field MUST contain a non-empty string.[MUST]
|Purpose|A short, clear explanation of why the PII item is required.|This field [MUST] contain a non-empty string.|[MAY]
|Purpose Category|The reason the PII Controller is collecting the PII.|[Example] Purpose Categories currently in use can are available on the Kantara Consent & Information Sharing Work Group (CISWG) Wiki page (http://kantarainitiative.org/confluence/display/infosharing/Appendix+CR+-+V.9.3+-+Example+Purpose+Categories)|[MUST]
|Consent Type|The type of the consent used by the PII Controller as their authority to collect, use or disclose PII.|The field MUST contain a non-empty string and the default value is “EXPLICIT”. If consent was not explicit, a description of the consent method MUST be provided.|[MUST]
|PII Categories|A list of defined PII categories.|PII Category should reflect the category that will be shared as understood by the PII Principal. In Appendix B there is an example of a defined list as supplied by a PII Controller.|[MUST]
|Primary Purpose|Indicates if a purpose is part of the core service of the PII Controller.|Possible values are [TRUE] or [FALSE]|[MAY]
|Termination|Conditions for the termination of consent.|Link to policy defining how consent or purpose is terminated.|[MUST]
|Third Party Disclosure|Indicates if the PII Controller is disclosing PII to a third party.|Possible values are TRUE or FALSE.|[MUST]
|Third Party Name|The name or names of the third party the PII Processor may disclose the PII to.|MUST be supplied if Third Party Disclosure IS TRUE.|[MUST] if Third Party Disclosure is TRUE
|Sensitive PII|Indicates whether PII is sensitive or not sensitive.|Possible values are TRUE or FALSE.\\A value of TRUE indicates that data covered by the Consent Receipt is sensitive, or could be interpreted as sensitive, which indicates that there is policy information out-of-band of the Consent Receipt.[MUST]
|Sensitive PII Category|Listing the categories where PII data collected is sensitive.|The field MUST contain a non-empty string if Sensitive PII is TRUE. See section 7.2 for common sensitive PII categories that have specific consent notice requirements|[MUST] if Sensitive PII Level is TRUE
/%
/%
/%
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Consent Receipt Specification|https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification|target='_blank'] - based on information obtained 2016-05-15
* [#2] - [Consent Receipts|http://www.consentreceipt.org//|target='_blank'] - based on information obtained 2016-05-15
* [#2] - [An Interoperable Personal Data Receipt Ecosystem in Practice|https://youtu.be/AQu5KUx2k0w|target='_blank'] - based on information obtained 2019-08-26