KantaraInitiative / CISWG

Consent & Information Sharing Work Group

Add (or accept John's) API Doc from Generator #9

Closed smartopian closed 8 years ago

smartopian commented 8 years ago

see https://github.com/PrivacyCDN/CISWG/blob/master/MVCR-Spec/mvcr-v.08/MVCR%20v0.7.1.md,

add this to a workgroup call and bring in and edit on call.

smartopian commented 8 years ago

Conflating issue in the CRG - needs more info - @john "Because the simplified format is more clear, it suggests some necessary changes. For example “Method of collection” in the API conflated the type of consent (expressed vs implied) with how that information was collected. Made minimal changes/additions to address this and similar issues."

PrivacyCDN commented 8 years ago

The API has a field, moc, for Method of Collection. The contents of this string include both how consent was collected and the type of consent, which are clearly two different items of information. Consent can be expressed or implied. That field should be a simple declaration that the consent that was received was expressed or implied. Once that is established, it is a separate piece of information as to how that was collected. Hence two fields should be in the MVCR representing these different pieces of information:

Note I didn't change this in the API field table. Only in the section body of the MVCR.

Additional Issue: In some circumstances consent should not be sought, such as when the only reason that information is collected is because the entity is required to do so by the government. Consent is moot or not applicable in those circumstances, although it may become relevant if the entity that has collected the information because of a regulatory requirement then wants to use it for other purposes. In that case consent would be necessary. In the edits I suggested addressing this by making consent a trinary field but that's a kludge. The actuality is more complicated and will be interesting to deal with past the MVCR.

We can discuss these field changes one by one on the call.

smartopian commented 8 years ago

Each GitHub issue needs to be for one issue. (Removing the additional issue and created issue #11.)

smartopian commented 8 years ago

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?

PrivacyCDN commented 8 years ago

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR.

_____________________________

From: Mark Lizar notifications@github.com Sent: Monday, February 15, 2016 15:36 Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9) To: KantaraInitiative/CISWG ciswg@noreply.github.com Cc: John Wunderlich john@wunderlich.ca

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

smartopian commented 8 years ago

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because Implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case with cop monkey aka UMA).

That being said... What are you thinking? Rather than the usual (put it in the parking lot response) Do you have a particular use case in mind? (would be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich notifications@github.com wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR


PrivacyCDN commented 8 years ago

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar notifications@github.com wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because Implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case with cop monkey aka UMA).

That being said... What are you thinking? Rather than the usual (put it in the parking lot response) Do you have a particular use case in mind? (would be great to hear)


smartopian commented 8 years ago

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark

On 16 Feb 2016, at 01:15, John Wunderlich notifications@github.com wrote:

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca


PrivacyCDN commented 8 years ago

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely, John Wunderlich (@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/

On Feb 16, 2016, at 05:14, Mark Lizar notifications@github.com wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark


smartopian commented 8 years ago

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an ongoing service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar Executive Director Open Consent Group

Email: m.lizar@openconsentgroup.com Mobile: +447738382658 Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich notifications@github.com wrote:

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely, John Wunderlich (@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/


PrivacyCDN commented 8 years ago

Mark; I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent. I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purposes would be a violation of the implied consent. As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter. No need to invent new terms that regulators, privacy engineers, and others won't understand. JW

_____________________________

From: Mark Lizar notifications@github.com Sent: Tuesday, February 16, 2016 21:25 Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9) To: KantaraInitiative/CISWG ciswg@noreply.github.com Cc: John Wunderlich john@wunderlich.ca

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an ongoing service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar
Executive Director
Open Consent Group

Email: m.lizar@openconsentgroup.com
Mobile: +447738382658
Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich notifications@github.com wrote:

Implied consent doesn’t necessarliy obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,
John Wunderlich
(@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/

On Feb 16, 2016, at 05:14, Mark Lizar notifications@github.com wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent. “

Mark

On 16 Feb 2016, at 01:15, John Wunderlich notifications@github.com wrote:

I've always proceeded on the assumption that this was not restricted to
explicit consent. It seems to me that the general case, the basic
case, is the simplest case because it only has to record the type of
consent actually used, rather than add logic or conditions depending on
that.

Sincerely,
John Wunderlich
@PrivacyCDN

Call: +1 (647) 669-4749
eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar notifications@github.com wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been
since the first v0.1 consent tagging diagrams focusing on a consent button.
Which was a while back, explicit consent was the first sentence written
because Implied consent is so much broader. That and dealing with consent
exceptions and an array of elements that would need to be added. Elements
that would come with receipt logging. Issues already earmarked for
1.1 discussions. The explicit scope kept the spec manageable from the
outset. The original intent was to try and create a single spec for all of
consent.

In fact, this originally started in Kantara with an implied consent use
case around surveillance and notice (the IOT use case-with cop monkey aka
UMA).

That being said... What are you thinking? Rather than the usual (put it in
the parking lot response) Do you have a particular use case in mind? (would
be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich notifications@github.com
wrote:

I don't recall an agreement in the group that the MVCR is for any
particular kind of consent. Given the prevalence of implied consent for so
many use cases - whether or not it's appropriate - I wouldn't want to
exclude it from the MVCR

From: Mark Lizar notifications@github.com
Sent: Monday, February 15, 2016 15:36
Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)
To: KantaraInitiative/CISWG ciswg@noreply.github.com
Cc: John Wunderlich john@wunderlich.ca

As the MVCR is for explicit consent - is the issue of implied consent in
scope of the MVCR?


smartopian commented 8 years ago

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose are implied.

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

PrivacyCDN commented 8 years ago

Mark; I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.  Other comments in line below

From: Mark Lizar notifications@github.com
Sent: Tuesday, February 16, 2016 21:41
Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)
To: KantaraInitiative/CISWG ciswg@noreply.github.com
Cc: John Wunderlich john@wunderlich.ca

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose are implied.

JW: This statement is self-contradictory. If you have given explicit consent for specified uses, then those uses are allowed and uses for other purposes may not be implied.

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

smartopian commented 8 years ago

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich notifications@github.com wrote:

Mark; I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage. Other comments in line below

From: Mark Lizar notifications@github.com
Sent: Tuesday, February 16, 2016 21:41
Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)
To: KantaraInitiative/CISWG ciswg@noreply.github.com
Cc: John Wunderlich john@wunderlich.ca

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose are implied.

JW: This statement is self-contradictory. If you have given explicit consent for specified uses, then those uses are allowed and uses for other purposes may not be implied.

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich notifications@github.com wrote:

Mark; I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent. I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent. As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter. No need to invent new terms that regulators, privacy engineers, and others won't understand. JW


From: Mark Lizar notifications@github.com
Sent: Tuesday, February 16, 2016 21:25
Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)
To: KantaraInitiative/CISWG ciswg@noreply.github.com
Cc: John Wunderlich john@wunderlich.ca

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an ongoing service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar Executive Director Open Consent Group

Email: m.lizar@openconsentgroup.com Mobile: +447738382658 Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich notifications@github.com wrote:

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely, John Wunderlich (@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/

On Feb 16, 2016, at 05:14, Mark Lizar notifications@github.com wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark

On 16 Feb 2016, at 01:15, John Wunderlich notifications@github.com wrote:

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar notifications@github.com wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case-with cop monkey aka UMA).

That being said, what are you thinking? Rather than the usual (put it in the parking lot response), do you have a particular use case in mind? (would be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich notifications@github.com wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR


From: Mark Lizar notifications@github.com
Sent: Monday, February 15, 2016 15:36
Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)
To: KantaraInitiative/CISWG ciswg@noreply.github.com
Cc: John Wunderlich john@wunderlich.ca

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

PrivacyCDN commented 8 years ago

Fair enough.

For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.)

Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Principle 4.3.7 Individuals can give consent in many ways. For example:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

(c) consent may be given orally when information is collected over the telephone; or

(d) consent may be given at the time that individuals use a product or service.

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" notifications@github.com wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich notifications@github.com wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below


smartopian commented 8 years ago

Still I do not understand your point? Are you going to present an implied consent use case for the consent receipt? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com mailto:notifications@github.com> wrote:

Fair enough For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.) Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney). Principle 4.3.7 Individuals can give consent in many ways. For example: (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses; (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties; (c) consent may be given orally when information is collected over the telephone; or (d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" <notifications@github.com mailto:notifications@github.com> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich <notifications@github.com mailto:notifications@github.com> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com mailto:notifications@github.com>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com mailto:ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca mailto:john@wunderlich.ca>

John, at first the consent is explicit, and then with this explicit consent additional uses of pII for a purpose is implied. JW: this statement is self contradictory. If you have given explicit consent for specifies uses, then those uses are allowed and uses for other purposes may not be implied

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). Si both of you examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich <notifications@github.com mailto:notifications@github.com> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com mailto:notifications@github.com>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com mailto:ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca mailto:john@wunderlich.ca>

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an on going service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com mailto:m.lizar@openconsentgroup.com

Mobile: +447738382658

Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich <notifications@github.com mailto:notifications@github.com> wrote:

Implied consent doesn’t necessarliy obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,

John Wunderlich

(@PrivacyCDN)

<http://privacybydesign.ca/ http://privacybydesign.ca/> <http://privacybydesign.ca/ http://privacybydesign.ca/>

<http://privacybydesign.ca/ http://privacybydesign.ca/>Privacist & PbD Ambassador <http://privacybydesign.ca/ http://privacybydesign.ca/>

On Feb 16, 2016, at 05:14, Mark Lizar <notifications@github.com> wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark

On 16 Feb 2016, at 01:15, John Wunderlich <notifications@github.com> wrote:

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely,

John Wunderlich

@PrivacyCDN

Call: +1 (647) 669-4749

eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar <notifications@github.com> wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because Implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case-with cop monkey aka UMA).

That being said.. What are you thinking? Rather than the usual (put it in the parking lot response) Do you have a particular use case in mind? (would be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich <notifications@github.com> wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR

Sent from Outlook Mobile

From: Mark Lizar <notifications@github.com>

Sent: Monday, February 15, 2016 15:36

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


PrivacyCDN commented 8 years ago

Mark;

If I understand what you mean by explicit consent, my point is that explicit consent as you have explained it encompasses both expressed and implied consent, since both should have explicit purposes on the PII Controller side. My comments on the spec in this regard were that when you inform the PII subject, it will be important to let them know how the PII controller got their consent.

JW

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 04:01, Mark Lizar notifications@github.com wrote:

Still I do not understand your point? Are you going to present an implied consent use case for the consent receipt? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com> wrote:

Fair enough. For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.)

Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Principle 4.3.7 Individuals can give consent in many ways. For example:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

(c) consent may be given orally when information is collected over the telephone; or

(d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" <notifications@github.com> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich <notifications@github.com> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose is implied.

JW: this statement is self contradictory. If you have given explicit consent for specified uses, then those uses are allowed and uses for other purposes may not be implied

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich <notifications@github.com> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an ongoing service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com

Mobile: +447738382658

Twitter: @smartopian


smartopian commented 8 years ago

Ok, Thanks,

My Response was, for implied consent (not explicit consent) there is no requirement for notice, there is no requirement for identity management. (as id not required) Unless of course, implied consent comes after explicit consent has been provided already. Which is what you seem to be getting at.

For many instances of implied consent the purpose is obvious and not needed in a notice via a controller. In addition, it appears you are conflating the need for notice with implied consent. In the context of implied consent being based on an earlier explicit consent, then additional notice or a log thereof makes sense. Still out of scope from the there receipt, which is very clearly for explicit consent.

Now this has gone full circle and unless you are going to provide use cases to further clarify I propose that implied consent be moved to parking lot under consent record logging.

On 17 Feb 2016, at 15:01, John Wunderlich <notifications@github.com mailto:notifications@github.com> wrote:

Mark;

If I understand what you mean by explicit consent, my point is that explicit consent as you have explained it encompasses both expressed and implied consent, since both should have explicit purposes on the PII Controller side. My comments on the spec in this regard were that when you inform the PII subject, it will be important to let them know how the PII controller got their consent.

JW

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca mailto:john@wunderlich.ca

On 17 February 2016 at 04:01, Mark Lizar <notifications@github.com mailto:notifications@github.com> wrote:

Still I do not understand your point ? Are you going to present an implied consent use case for the consent receipt ? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Fair enough For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.) Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney). Principle 4.3.7 Individuals can give consent in many ways. For example: (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses; (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties; (c) consent may be given orally when information is collected over the telephone; or (d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" < notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich <notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com mailto:notifications@github.com <mailto: notifications@github.com mailto:notifications@github.com>>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com mailto:ciswg@noreply.github.com <mailto: ciswg@noreply.github.com mailto:ciswg@noreply.github.com>>

Cc: John Wunderlich <john@wunderlich.ca mailto:john@wunderlich.ca <mailto:john@wunderlich.ca mailto:john@wunderlich.ca>>

John, at first the consent is explicit, and then with this explicit consent additional uses of pII for a purpose is implied. JW: this statement is self contradictory. If you have given explicit consent for specifies uses, then those uses are allowed and uses for other purposes may not be implied

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich <notifications@github.com> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an ongoing service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com

Mobile: +447738382658

Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich <notifications@github.com> wrote:

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,

John Wunderlich

(@PrivacyCDN)

Privacist & PbD Ambassador <http://privacybydesign.ca/>

On Feb 16, 2016, at 05:14, Mark Lizar <notifications@github.com> wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark

On 16 Feb 2016, at 01:15, John Wunderlich <notifications@github.com> wrote:

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely,

John Wunderlich

@PrivacyCDN

Call: +1 (647) 669-4749

eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar <notifications@github.com> wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because Implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case-with cop monkey aka UMA).

That being said.. What are you thinking? Rather than the usual (put it in the parking lot response) Do you have a particular use case in mind? (would be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich <notifications@github.com> wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR.

From: Mark Lizar <notifications@github.com>

Sent: Monday, February 15, 2016 15:36

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?

PrivacyCDN commented 8 years ago

Mark;

Inline below

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 11:15, Mark Lizar notifications@github.com wrote:

Ok, Thanks,

My Response was, for implied consent (not explicit consent) there is no requirement for notice, there is no requirement for identity management. (as id not required) Unless of course, implied consent comes after explicit consent has been provided already. Which is what you seem to be getting at.

What I said was that the way you appear to be using explicit consent encompasses both IMPLIED and EXPRESS consent - the two variants I have to work with all the time in my practice. Just because the consent is implied does not therefore mean that the requirement for notice is missing. The PII Controller has the same obligations irregardless of whether the consent was implied or expressed. And it's implied OR explicit not one then the other. Is it the case that you are talking about explicit and implicit consent as synonyms for expressed and implied? If so, I can work with that, but still hold that the consent receipt is valid for both types of consent - because it is consent.

For many instances of implied consent the purpose is obvious and not needed in a notice via a controller. In addition, it appears you are conflating the need for notice with implied consent. In the context of implied consent being based on an earlier explicit consent, then additional notice or a log thereof makes sense. Still out of scope from the there receipt, which is very clearly for explicit consent.

The notice has been provided in the obviousness of the purpose. Notice is always required for consent to be valid. When notice, purpose etc are inherent in the transaction such that the PII subject will understand what their information is being collected for, and how it will be used the consent is implied (or implicit) by the subject completing the form. It doesn't mean that the requirement to provide notice is missing. Notice has already been accomplished.

I note the phrase "implied consent being based on an earlier explicit consent". I'd like you to expand on that. You are suggesting a downgrade in the level of consent. In most regimes that I'm aware of, implied consent is a lower level of consent, and cannot be used for PII that has a higher degree of risk or sensitivity.

Now this has gone full circle and unless you are going to provide use cases to further clarify I propose that implied consent be moved to parking lot under consent record logging.

The use case that I have articulated from day one is a use case for implied consent - web site registration. Alice goes to Bob's web site and completes his registration form. All the form has is the following:

----

"Please complete this form in order to register on Bob's Web Site so that you can submit comments"

Enter your Real Name:
Enter your User Name: (this is the name that will be shared on the site)
Enter your email: ____

{Submit}

If the above is the entirety of the form that Alice completes, Bob may imply consent for the purposes of allowing Alice to comment on his web site (and those other purposes that are reasonable for the maintenance of that site etc..)

If we agree that this is a case to which the MVCR applies then we are having an argument about definitions - which I would expect in this kind of discussion but does need to be resolved to get to 1.0. If you don't agree that this is a case where Bob should supply Alice with a consent receipt then we have a bigger issue to resolve. In either case, I don't believe that this goes to the parking lot.

- Mark

On 17 Feb 2016, at 15:01, John Wunderlich <notifications@github.com> wrote:

Mark;

If I understand what you mean by explicit consent, my point is that explicit consent as you have explained it encompasses both expressed and implied consent, since both should have explicit purposes on the PII Controller side. My comments on the spec in this regard were that when you inform the PII subject, it will be important to let them know how the PII controller got their consent.

JW

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 04:01, Mark Lizar <notifications@github.com> wrote:

Still I do not understand your point ? Are you going to present an implied consent use case for the consent receipt ? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Fair enough For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.) Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney). Principle 4.3.7 Individuals can give consent in many ways. For example: (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses; (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties; (c) consent may be given orally when information is collected over the telephone; or (d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" < notifications@github.com mailto:notifications@github.com <mailto: notifications@github.com mailto:notifications@github.com>> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich < notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com <mailto: notifications@github.com> <mailto: notifications@github.com mailto:notifications@github.com>>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com <mailto: ciswg@noreply.github.com> <mailto: ciswg@noreply.github.com mailto:ciswg@noreply.github.com>>

Cc: John Wunderlich <john@wunderlich.ca mailto:john@wunderlich.ca <mailto:john@wunderlich.ca mailto:john@wunderlich.ca>>

John, at first the consent is explicit, and then with this explicit consent additional uses of pII for a purpose is implied. JW: this statement is self contradictory. If you have given explicit consent for specifies uses, then those uses are allowed and uses for other purposes may not be implied

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). Si both of you examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich < notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com <mailto: notifications@github.com> <mailto: notifications@github.com mailto:notifications@github.com>>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com <mailto: ciswg@noreply.github.com> <mailto: ciswg@noreply.github.com mailto:ciswg@noreply.github.com>>

Cc: John Wunderlich <john@wunderlich.ca <mailto: john@wunderlich.ca> <mailto:john@wunderlich.ca <mailto:john@wunderlich.ca

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an on going service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com <mailto: m.lizar@openconsentgroup.com> <mailto: m.lizar@openconsentgroup.com mailto:m.lizar@openconsentgroup.com>

Mobile: +447738382658

Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich < notifications@github.com mailto:notifications@github.com <mailto: notifications@github.com mailto:notifications@github.com>> wrote:

Implied consent doesn’t necessarliy obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,

John Wunderlich

(@PrivacyCDN)

<http://privacybydesign.ca/ http://privacybydesign.ca/ < http://privacybydesign.ca/ http://privacybydesign.ca/>> < http://privacybydesign.ca/ http://privacybydesign.ca/ < http://privacybydesign.ca/ http://privacybydesign.ca/>>

<http://privacybydesign.ca/ http://privacybydesign.ca/ < http://privacybydesign.ca/ http://privacybydesign.ca/>>Privacist & PbD Ambassador <http://privacybydesign.ca/ < http://privacybydesign.ca/> <http://privacybydesign.ca/ < http://privacybydesign.ca/>>>

On Feb 16, 2016, at 05:14, Mark Lizar < notifications@github.com mailto:notifications@github.com <mailto:notifications@github.com mailto:notifications@github.com>> wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management where as explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent are based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent. “

Mark

On 16 Feb 2016, at 01:15, John Wunderlich < notifications@github.com mailto:notifications@github.com <mailto: notifications@github.com mailto:notifications@github.com>> wrote:

I've always proceeded on the assumption that this was not restricted to

explicit consent. It seems to me that that the general case, the basic

case, is the simplest case because it only has to record the type of

consent actually used, rather than add logic or conditions depending on

that.

Sincerely,

John Wunderlich

@PrivacyCDN

Call: +1 (647) 669-4749

eMail: john@wunderlich.ca mailto:john@wunderlich.ca <mailto:john@wunderlich.ca mailto:john@wunderlich.ca>

On 15 February 2016 at 20:06, Mark Lizar < notifications@github.com mailto:notifications@github.com <mailto: notifications@github.com mailto:notifications@github.com>> wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been

since the first v0.1 consent tagging diagrams focusing on a consent button.

Which was a while back, explicit consent was the first sentence written

because Implied consent is so much broader. That and dealing with consent

exceptions and an array of elements that would need to be added. Elements

that would come with receipt logging. Issues already earmarked for

1.1.discussions. The explicit scope kept the spec manageable from the

outset. The original intent was to try and create a single spec for all of

consent.

In fact, this originally started in Kantara with a implied consent use

case around surveillance and notice (the IOT use case-with cop monkey aka

UMA).

That being said.. What are you thinking ? Rather than the usual (put it in

the parking lot response) Do you have a particular use case in mind? (would

be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich <notifications@github.com> wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Monday, February 15, 2016 15:36

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?


smartopian commented 8 years ago

From Wikipedia: Implied consent is consent which is not expressly granted by a person, but rather implicitly granted by a person's actions and the facts and circumstances of a particular situation. The term is most commonly encountered in the context of United States drunk driving laws.

From Free Dictionary: the granting of permission for health care without a formal agreement between the patient and health care provider. An example is an appointment made with a physician by a patient with a physical complaint; it is implied that by making the appointment the patient gives consent to the physician to make a diagnosis and offer treatment. Compare informed consent http://medical-dictionary.thefreedictionary.com/informed+consent.

From Law.com:

implied consent: n. consent when surrounding circumstances exist which would lead a reasonable person to believe that this consent had been given, although no direct, express or explicit words of agreement had been uttered. Examples: a) a "contract" based on the fact that one person has been doing a particular thing and the other person expects him/her to continue

Read more: http://dictionary.law.com/Default.aspx?selected=904#ixzz40Re5BVN8

It seems your example below is for explicit consent. AKA - Submit button.

Either way we, the CISWG, accepted version 0.7 which has the clear scope that the MVCR is for explicit (click a button) type of consent.

On 17 Feb 2016, at 16:44, John Wunderlich notifications@github.com wrote:

Mark;

Inline below

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 11:15, Mark Lizar notifications@github.com wrote:

Ok, Thanks,

My Response was, for implied consent (not explicit consent) there is no requirement for notice, there is no requirement for identity management. (as id not required) Unless of course, implied consent comes after explicit consent has been provided already. Which is what you seem to be getting at.

What I said was that the way you appear to be using explicit consent encompasses both IMPLIED and EXPRESS consent - the two variants I have to work with all the time in my practice. Just because the consent is implied does not therefore mean that the requirement for notice is missing. The PII Controller has the same obligations irregardless of whether the consent was implied or expressed. And it's implied OR explicit not one then the other. Is it the case that you are talking about explicit and implicit consent as synonyms for expressed and implied? If so, I can work with that, but still hold that the consent receipt is valid for both types of consent - because it is consent.

For many instances of implied consent the purpose is obvious and not needed in a notice via a controller. In addition, it appears you are conflating the need for notice with implied consent. In the context of implied consent being based on an earlier explicit consent, then additional notice or a log thereof makes sense. Still out of scope from the there receipt, which is very clearly for explicit consent.

The notice has been provided in the obviousness of the purpose. Notice is always required for consent to be valid. When notice, purpose etc are inherent in the transaction such that the PII subject will understand what their information is being collected for, and how it will be used the consent is implied (or implicit) by the subject completing the form. It doesn't mean that the requirement to provide notice is missing. Notice has already been accomplished.

I note that the phrase "implied consent being based on an earlier explicit consent" I'd like you to expand on that. You are suggesting a downgrade in the level of consent. In most regimes that I'm aware of, implied consent is a lower level of consent, and can not be used for PII that has a higher degree of risk or sensitivity.

Now this has gone full circle and unless you are going to provide use cases to further clarify I propose that implied consent be moved to parking lot under consent record logging.

The use case that I have articulated from day one is a use case for implied consent - web site registration. Alice goes to Bob's web site and completes his registration form. All the form has is the following:

----

"Please complete this form in order to register on Bob's Web Site so that you can submit comments"

Enter your Real Name:

Enter your User Name: (this is the name that will be shared on the site)

Enter your email: ____

{Submit}


If the above is the entirety of the form that Alice completes, Bob may imply consent for the purposes of allowing Alice to comment on his web site (and those other purposes that are reasonable for the maintenance of that site etc..)

If we agree that this is a case to which the MVCR applies then we are having an argument about definitions - which I would expect in this kind of discussion but does need to be resolved to get to 1.0. If you don't agree that this is a case where Bob should supply Alice with a consent receipt then we have a bigger issue to resolve. In either case, I don't believe that this goes to the parking lot.

- Mark

On 17 Feb 2016, at 15:01, John Wunderlich <notifications@github.com> wrote:

Mark;

If I understand what you mean by explicit consent, my point is that explicit consent as you have explained it encompasses both expressed and implied consent, since both should have explicit purposes on the PII Controller side. My comments on the spec in this regard were that when you inform the PII subject, it will be important to let them know how the PII controller got their consent.

JW

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 04:01, Mark Lizar <notifications@github.com> wrote:

Still I do not understand your point? Are you going to present an implied consent use case for the consent receipt? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com> wrote:

Fair enough

For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.)

Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Principle 4.3.7 Individuals can give consent in many ways. For example:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

(c) consent may be given orally when information is collected over the telephone; or

(d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" <notifications@github.com> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich <notifications@github.com> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose is implied.

JW: this statement is self contradictory. If you have given explicit consent for specified uses, then those uses are allowed and uses for other purposes may not be implied

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich <notifications@github.com> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an on going service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com

Mobile: +447738382658

Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich <notifications@github.com> wrote:

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,

John Wunderlich

(@PrivacyCDN)

Privacist & PbD Ambassador <http://privacybydesign.ca/>

On Feb 16, 2016, at 05:14, Mark Lizar <notifications@github.com> wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark



action in reliance on the contents of this information is strictly

prohibited.

Reply to this email directly or view it on GitHub <

https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184988758 < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184988758

<

https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184988758 < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184988758

.

— Reply to this email directly or view it on GitHub.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. — Reply to this email directly or view it on GitHub <

https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184996129 < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-184996129

.

— Reply to this email directly or view it on GitHub < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-185104319 < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-185104319

.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. — Reply to this email directly or view it on GitHub < https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-185242278 .

— Reply to this email directly or view it on GitHub https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-185278450 .

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. — Reply to this email directly or view it on GitHub https://github.com/KantaraInitiative/CISWG/issues/9#issuecomment-185291922.

PrivacyCDN commented 8 years ago

Mark;

We are agreed then, that the case I laid out, where the only button that Alice clicks is “Submit”, is in scope of the MVCR. That’s the key takeaway for me.

That leaves the definitional discussion which I propose be added to the work group’s agenda.

Sincerely, John Wunderlich (@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/

On Feb 17, 2016, at 12:07, Mark Lizar notifications@github.com wrote:

From Wikipedia: Implied consent is consent which is not expressly granted by a person, but rather implicitly granted by a person's actions and the facts and circumstances of a particular situation. The term is most commonly encountered in the context of United States drunk driving laws.

From Free Dictionary the granting of permission for health care without a formal agreement between the patient and health care provider. An example is an appointment made with a physician by a patient with a physical complaint; it is implied that by making the appointment the patient gives consent to the physician to make a diagnosis and offer treatment. Compare informed consent http://medical-dictionary.thefreedictionary.com/informed+consent.

From Law.com

implied consent: n. consent when surrounding circumstances exist which would lead a reasonable person to believe that this consent had been given, although no direct, express or explicit words of agreement had been uttered. Examples: a) a "contract" based on the fact that one person has been doing a particular thing and the other person expects him/her to continue

Read more: http://dictionary.law.com/Default.aspx?selected=904#ixzz40Re5BVN8

It seems your example below is for explicit consent. AKA - Submit button.

Either way we, the CISWG, accepted version 0.7 which has the clear scope of the MVCR is for explicit (click a button) type of consent.

  • M

On 17 Feb 2016, at 16:44, John Wunderlich notifications@github.com wrote:

Mark;

Inline below

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 11:15, Mark Lizar notifications@github.com wrote:

Ok, Thanks,

My Response was, for implied consent (not explicit consent) there is no requirement for notice, there is no requirement for identity management. (as id not required) Unless of course, implied consent comes after explicit consent has been provided already. Which is what you seem to be getting at.

What I said was that the way you appear to be using explicit consent encompasses both IMPLIED and EXPRESS consent - the two variants I have to work with all the time in my practice. Just because the consent is implied does not therefore mean that the requirement for notice is missing. The PII Controller has the same obligations irregardless of whether the consent was implied or expressed. And it's implied OR explicit not one then the other. Is it the case that you are talking about explicit and implicit consent as synonyms for expressed and implied? If so, I can work with that, but still hold that the consent receipt is valid for both types of consent - because it is consent.

For many instances of implied consent the purpose is obvious and not needed in a notice via a controller. In addition, it appears you are conflating the need for notice with implied consent. In the context of implied consent being based on an earlier explicit consent, then additional notice or a log thereof makes sense. Still out of scope from the there receipt, which is very clearly for explicit consent.

The notice has been provided in the obviousness of the purpose. Notice is always required for consent to be valid. When notice, purpose etc are inherent in the transaction such that the PII subject will understand what their information is being collected for, and how it will be used the consent is implied (or implicit) by the subject completing the form. It doesn't mean that the requirement to provide notice is missing. Notice has already been accomplished.

I note that the phrase "implied consent being based on an earlier explicit consent" I'd like you to expand on that. You are suggesting a downgrade in the level of consent. In most regimes that I'm aware of, implied consent is a lower level of consent, and can not be used for PII that has a higher degree of risk or sensitivity.

Now this has gone full circle and unless you are going to provide use cases to further clarify I propose that implied consent be moved to parking lot under consent record logging.

The use case that I have articulated from day one is a use case for implied consent - web site registration. Alice goes to Bob's web site and completes his registration form. All the form has is the following:

----

"Please complete this form in order to register on Bob's Web Site so that you can submit comments"

Enter your Real Name:

Enter your User Name: (this is the name that will be shared on the site)

Enter your email: ____

{Submit}


If the above is the entirety of the form that Alice completes, Bob may imply consent for the purposes of allowing Alice to comment on his web site (and those other purposes that are reasonable for the maintenance of that site etc..)

If we agree that this is a case to which the MVCR applies then we are having an argument about definitions - which I would expect in this kind of discussion but does need to be resolved to get to 1.0. If you don't agree that this is a case where Bob should supply Alice with a consent receipt then we have a bigger issue to resolve. In either case, I don't believe that this goes to the parking lot.

  • Mark

On 17 Feb 2016, at 15:01, John Wunderlich <notifications@github.com> wrote:

Mark;

If I understand what you mean by explicit consent, my point is that explicit consent as you have explained it encompasses both expressed and implied consent, since both should have explicit purposes on the PII Controller side. My comments on the spec in this regard were that when you inform the PII subject, it will be important to let them know how the PII controller got their consent.

JW

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 17 February 2016 at 04:01, Mark Lizar <notifications@github.com> wrote:

Still I do not understand your point? Are you going to present an implied consent use case for the consent receipt? Do you want to add express consent to the terms in the spec?

On 17 Feb 2016, at 03:19, John Wunderlich <notifications@github.com> wrote:

Fair enough.

For reference purposes see PIPEDA, Schedule 1, Privacy Principle 3, Consent (Note the use of the terms express and implied consent.)

Principle 4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Principle 4.3.7 Individuals can give consent in many ways. For example:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

(c) consent may be given orally when information is collected over the telephone; or

(d) consent may be given at the time that individuals use a product or service.

Sent from Outlook Mobile

On Tue, Feb 16, 2016 at 6:57 PM -0800, "Mark Lizar" <notifications@github.com> wrote:

Obviously we disagree - not only is it hard to discuss via email, these elements require use cases. I am not trying to debate what you think terms of art are.

On 17 Feb 2016, at 02:51, John Wunderlich <notifications@github.com> wrote:

Mark;

I'm using the terms as well understood terms of art by the regulators and technologists that I know and have worked with and in normal English usage.

Other comments in line below

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:41

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

John, at first the consent is explicit, and then with this explicit consent additional uses of PII for a purpose is implied.

JW: this statement is self contradictory. If you have given explicit consent for specified uses, then those uses are allowed and uses for other purposes may not be implied.

If there was not explicit consent then there is not consent. As I mentioned there was a sign in the example I was providing to illustrate implied consent. I am not trying to invent terms, but to invent ways to make you understandable.

You're right. I missed that you specified signage. The bank can imply that you have consented to surveillance because you entered the bank. That's not expressed (note that I use the term expressed, not explicit). So both of your examples are implied consent. My bad for reading on a phone.

On 17 Feb 2016, at 02:36, John Wunderlich <notifications@github.com> wrote:

Mark;

I can't speak for Europe but the example I gave would be accepted, I think, by most Canadian regulators as the difference between implied and explicit consent.

I think your first example, the IP address, is implied consent for the use of that IP for the purposes of maintaining the site and serving you your pages. Using that IP for other purpose would be a violation of the implied consent.

As for your second example, it would depend on whether there was video surveillance signage and notification. May also be the case that if the only time that the surveillance is used is when there is a crime, and it's used to identify criminals, there might be a judgement that any reasonable person would expect that surveillance for those purposes. Again, uses or disclosures for other purposes would be a problem. My advice to such a client would be signage outside and strict controls over the video data thereafter.

No need to invent new terms that regulators, privacy engineers, and others won't understand.

JW

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Tuesday, February 16, 2016 21:25

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

That’s really interesting - so I was thinking implied consent was when I click on a web link and my IP address is taken. Or when I walk in a bank with a CCTV surveillance notice on the door and they record me on video.

In this example below, you are referring to when explicit consent is provided, then, it is used to provide an on going service. In this regard it is first explicit then rendered operation for the purposes that are explicit.

Perhaps we should call this something different? like, downstream consent and find an easier way to distinguish the types of operational consent. I am definitely with you on the (people should have notice of when their consent is being used) side of things. Need to look at this more and to have a use case. Definitely a good item to discuss and perhaps it can be discussed in terms of a UMA implementation.

Mark Lizar

Executive Director

Open Consent Group

Email: m.lizar@openconsentgroup.com

Mobile: +447738382658

Twitter: @smartopian

On 16 Feb 2016, at 17:28, John Wunderlich <notifications@github.com> wrote:

Implied consent doesn’t necessarily obviate the need for notice. The general case is exemplified when you complete a form and submit it (web or paper - same case), it is reasonable to imply consent for any use that is reasonably consistent with the purpose set out in the form. Thus if I complete a form that says “Subscription”, consent for uses of my information for the purpose of delivering and maintaining the subscription would be implied - as would the security precautions necessary in the circumstances. Notice can be decoupled from the consent transaction, but that doesn’t mean there isn’t that obligation.

It’s fuzzy and in most cases not sufficient where the data collected is sensitive, but nonetheless notice is still part of the equation.

Sincerely,

John Wunderlich

(@PrivacyCDN)

Privacist & PbD Ambassador http://privacybydesign.ca/

On Feb 16, 2016, at 05:14, Mark Lizar <notifications@github.com> wrote:

Interesting, I suppose implied consent doesn't require notice or Identity Management whereas explicit consent does require notice and an identity. It could be argued that there is no formal requirement for a receipt with implied consent and that implied consent is based on actions rather than an informed agreement. I suppose this would also explain some of the substantive changes in the latest edit you have provided.

This is the line in the scope, and I do recall this being discussed on a couple of occasions in the work group as well.

"The scope of the MVCR is limited to defining the minimum consent fields for an explicit consent."

Mark

On 16 Feb 2016, at 01:15, John Wunderlich <notifications@github.com> wrote:

I've always proceeded on the assumption that this was not restricted to explicit consent. It seems to me that the general case, the basic case, is the simplest case because it only has to record the type of consent actually used, rather than add logic or conditions depending on that.

Sincerely,

John Wunderlich

@PrivacyCDN

Call: +1 (647) 669-4749

eMail: john@wunderlich.ca

On 15 February 2016 at 20:06, Mark Lizar <notifications@github.com> wrote:

Hi John,

The scope from the initial proposal was for explicit consent. It has been since the first v0.1 consent tagging diagrams focusing on a consent button. Which was a while back, explicit consent was the first sentence written because Implied consent is so much broader. That and dealing with consent exceptions and an array of elements that would need to be added. Elements that would come with receipt logging. Issues already earmarked for 1.1 discussions. The explicit scope kept the spec manageable from the outset. The original intent was to try and create a single spec for all of consent.

In fact, this originally started in Kantara with an implied consent use case around surveillance and notice (the IOT use case-with cop monkey aka UMA).

That being said.. What are you thinking? Rather than the usual (put it in the parking lot response) Do you have a particular use case in mind? (would be great to hear)

On 15 Feb 2016, at 23:50, John Wunderlich <notifications@github.com> wrote:

I don't recall an agreement in the group that the MVCR is for any particular kind of consent. Given the prevalence of implied consent for so many use cases - whether or not it's appropriate - I wouldn't want to exclude it from the MVCR

Sent from Outlook Mobile


From: Mark Lizar <notifications@github.com>

Sent: Monday, February 15, 2016 15:36

Subject: Re: [CISWG] Add (or accept John's) API Doc from Generator (#9)

To: KantaraInitiative/CISWG <ciswg@noreply.github.com>

Cc: John Wunderlich <john@wunderlich.ca>

As the MVCR is for explicit consent - is the issue of implied consent in scope of the MVCR?


smartopian commented 8 years ago

I think so, submit button = explicit consent, also I agree the receipt should be useful for other types of consent. Do you have an idea of what the receipt would look like?

PrivacyCDN commented 8 years ago

We’re agreed on the case, but not on the definitions, because I don’t think that the submit button necessarily = explicit or expressed consent.

On Feb 20, 2016, at 09:02, Mark Lizar notifications@github.com wrote:

I think so, submit button = explicit consent, also I agree the receipt should be useful for other types of consent. Do you have an idea of what the receipt would look like?


smartopian commented 8 years ago

In regard to items (a-d) below: (I may be being a bit thick, but I don't 100% get what you are getting at)

Would it be safe to say the list you supplied below all require informed consent? (in some manner) from the grantee to the grantor? Could that context be captured in receipt?

If so, what terms or fields do you think should be added, and why?

Reference:

(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;

(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;

(c) consent may be given orally when information is collected over the telephone; or

(d) consent may be given at the time that individuals use a product or service.

smartopian commented 8 years ago

Editorially, there is a requirement for defining the term explicit in the specification, and the significance of this term in the specification (in addition to discussing this post v0.8 draft). As well, there is a requirement for linking to definitions of consent types external to the specification, as well as post v0.8. Three items:

  1. defining explicit consent in spec a
  2. Action Item : raise as agenda item the term explicit and its multiple uses in spec
  3. Action item: Consent Type - Needs to be linkable to external definitions or models of consent (tabled post v0.8 draft)

PrivacyCDN commented 8 years ago

Mark;

It seems simpler to me to not define explicit in the spec. Terms like that are defined jurisdiction by jurisdiction. The point of the MVCR has been, I thought, to enable Bob to provide Alice with an artefact that records the consent that he is using as the basis for his collection, use and disclosure of her Information. Since Bob is the accountable party in whatever jurisdiction he is in, it is up to him to determine what the appropriate type of consent is, and to obtain it in a way consistent with his jurisdiction. Requiring ‘explicit consent’ vs ‘consent’ ignores the reality of many potential use cases.

Since I can’t make the calls, please take this as my vote for the use of ‘consent’, and to move the terms explicit, implicit, implied, expressed, opt-out, opt-in to a list of ‘qualifiers’ or ‘types’ of consent that the spec can recommend be used, but not required.

At the end of the day Bob is accountable and responsible for determining the type of consent.

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 27 March 2016 at 21:14, Mark Lizar notifications@github.com wrote:

Editorially, there is a requirement for defining the term explicit in the specification, and the significance of this term in the specification (in addition to discussing this post v0.8 draft). As well, there is a requirement for linking to definitions of consent types external to the specification, as well as post v0.8. Three items:

  1. defining explicit consent in spec a
  2. Action Item : raise as agenda item the term explicit and its multiple uses in spec
  3. Action item: Consent Type - Needs to be linkable to external definitions or models of consent (tabled post v0.8 draft)


smartopian commented 8 years ago

Added Express consent to the terms Implied Notice - now has a lot of flexibility, but cannot use SENSITIVE PI fields for notice mapping Added Consent TYPE - but is not fully defined yet. - could be implied, explicit, opt-out, could be MVCR, EXPLICIT MVCR, COMPLIANT MVCR - it could be UST: Consent TYPE - defined with preferences, which accompany a MVCR. PIPEDA 4.3.7 c) interesting use case.. for the minimum MVCR.. see example 6.2 Remaining actions: @PrivacyCDN confirm and close this item. - add CONSENT TYPE GUIDANCE to SPEC.

PrivacyCDN commented 8 years ago

It’s “Expressed”, not "Express". The first is an indication of positive intent, the second is an indication of speed or bypassing process. Big difference.

Sincerely, John Wunderlich @PrivacyCDN

Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

On 6 April 2016 at 22:44, Mark Lizar notifications@github.com wrote:

Added Express consent to the terms Implied Notice - now has a lot of flexibility, but cannot use SENSITIVE PI fields for notice mapping Added Consent TYPE - but is not fully defined yet. - could be implied, explicit, opt-out, could be MVCR, EXPLICIT MVCR, COMPLIANT MVCR - it could be UST: Consent TYPE - defined with preferences, which accompany a MVCR. PIPEDA 4.3.7 c) interesting use case.. for the minimum MVCR.. see example 6.2 Remaining actions: @PrivacyCDN https://github.com/PrivacyCDN confirm and close this item. - add CONSENT TYPE GUIDANCE to SPEC.


smartopian commented 8 years ago

accepted api doc