Ted: please share with the group any pertinent explorations you are undertaking
Dominik: Glenn shared his fleet management consent with us
Dominik shares screen
Data Provider | Neutral Server | Data Consumer / Service Provider | Registered Keeper / Customer
Dominik: I have started to
include the fleet manager use case in addition to the one we
have been descibing previously
... there is a third use case - this example is for a rental
company that can provide consumer (and third parties) a ride
log
... there will be a legal agreement captured by the rental
company
Glenn: that looks like the use
cases to explore
... we are a data processor and consent is required from the
customer, the fleet manager. it is up to them to get permission
from their employees
... we capture it in an EULA with the fleet manager
... it is a limited construct and very similar to your middle
use case. your third one (for rental) is potentially pertinent
when the drivers are independent contractors instead of
employees
Ted: receiving some early
pointers on potential work we may want to leverage, eg ODRL
vocabulary for consent capture and PROV for data
contracts
... I will be speaking to Ivan Herman, the W3C Team Contact for
ORDL, tomorrow
... Glenn and I are reaching out to people in heavy vehicles to
get their take on VSS (VISS/RSI) feasibility for their signals
and Electronic Data Logging (ELD, us regulator requirement for
fleets)
... spoke with John Schneider from Agile Delta who contributed
significantly to Efficient XML Interchange (EXI) about his
experiences using it to increase efficiency and reduce
bandwidth on data transmission
... although we deemed transmission out of scope for now it is
still worth learning more and he will be presenting at an
upcoming call plus reaching out to his OEM contacts about this
activity
... continuing talks with some OEM interested in this activity
and need to reach out to a few we have communicated with around
ISO Extended Vehicle work
Glenn: there are three main
actors data producer, the fleet owner and data processor
... the processor acts on behalf of the controller and up to
them to get consent from the data subject (driver)
... it can either be an employee which is more straight forward
or contractor
... we cover this with our EULA and cover all the intended uses
of the data, enumerating what information is collected
Glenn: we do not believe the data
is owned but used and can be redistributed provided consent was
given
... there are a couple other nuances in the note. it is
simplified when just looking at the fleet compared to the more
complex of the Caruso/Fraunhofer
... should any questions come up subsequent to this meeting,
please feel free
Ted: it can get more complicated though with fleet managers leasing vehicles and bringing in contractors on a short term basis in addition to owned vehicles and employed drivers
Glenn: as a data processor it is
not our responsibility to get the consent but up to the
controller to get it
... however the leasing company collects consent is up to the
controller
Dominik: there are more complex
scenarios as Ted described that adds indirections that we need
to handle
... how that consent gets shared among the different players is
what Caruso/Fraunhofer are working on
... in Geotab's case they have an assertion on behalf of the
controller that they have permission
Glenn: agree with what you said
Ted: it can get more complicated though with fleet managers leasing vehicles and bringing in contractors on a short term basis in addition to owned vehicles and employed drivers
Glenn: not sure, those differences may already be included
Dominik: data provider had data
and we consider it owned by the driver and data consumer is
providing a service to the driver that warrants access to the
information
... you can always reduce to the three models on that slide and
can handle multiple consumers
Ted: we may want to capture consent from multiple parties, fleet manager and contracted driver, since they may wish to share different subsets of information with different third parties, eg contractor with his insurance provider
Glenn: it would be a useful excercise to collect use cases and ensure all the edge cases are covered
Ted: I'll start the consent use case wiki
Glenn: I suggest having a table
with the different actors
... on the issue of data ownership, I can give my view
... information about you is not something you own but do
retain control from a privacy perspective
... there is an aspect of control but property rights do not
apply in our opinion
... GDPR and laws elsewhere require consent for PII
Glenn: we had a discussion within an internal group on the constructs of data contracts. Harjot and I can start a document to represent that and would like guidance on format the group would find useful
Ted: verbose description of the various aspects would be helpful. I'll share a link on PROV
[adjourned]