michaelgeamanu
commented
2 years ago A voting session during the 2nd thematic workshop of 21/10/2021 concluded that the attendees prefer to leave the options for different type of identifiers open. They expect no advantage in limiting the list in advance. It was mentioned that it is important to keep in mind that transactions between different countries should be possible. Hence, the strategy should be to define the identifier in a more global/general way, this is done by adding it as an general attribute to the class Agent.
Possible types of identifiers are:
- For a person:
- WebID
- DID (i.e., decentralised ID)
- National Registration Number
- eID (i.e., electronic identification)
- URN (i.e., Uniform Resource Name): rather a way to formulate the identifier than an identifier on itself
- For a company:
- VAT Number
- GLEIF (i.e., Global Legal Entity Identifier Foundation)
It is important that all the Agents involved in a Consent are unambiguously identifiable, e.g. the Data Subject/Controller/Provider/Receiver.
Regarding Persons, it was mentioned during the workshop dd. 2021-09-23 that the combination of the national register number and name is not suitable. Identifiers are considered as personal information, so you need to have consent to be able to use them. WebIDs and DIDs were given as alternatives.
For Organisations, a similar identifier is needed. An additional complexity was also mentioned of (1) some organisations not having legal identifiers and (2) the need to identify a sub-organisation, e.g. the marketing department of Google.
We invite the community to further discuss the various identification methods. Note that it is also possible to leave the exact way to identify Agents as out-of-scope for this standard by assuming that an Agent will be identified by some kind of “identifier” that will be dependent on the specific application/implementation.
The editors are in the meanwhile checking the legal validity of the model. It should not be the intention to develop a standard for consents that turn out to not have a legal basis (because certain information is missing and/or is defined too broadly). That’s why we are reaching out to the relevant parties to inform us on the legal requirements and constraints regarding consents. Nevertheless, we invite the community to share their knowledge on this topic.