Re: Elements/Properties of Consent

Dear all,

in addition to ISSUE-4, to Harald's comments, and the suggestions of Harsh:

I think the elements suggested by Harsh are a pretty good start. I have 
two additional thoughts, of which I'd like to hear your opinion.

First, I think it could make sense to add a reference to the content of 
the consent _request_ (either as link or in any other form). Because in 
case if there is an audit, the auditor can look at both, the request 
(which usually has all the information of the agreement in detail) and 
the affirmative action given.

Second, the status of the consent could be a third point of the consent 
provenance (let's say no. 7 of the list, or as part of no. 5). But 
besides the labels Harsh suggested (I like them!), I suggest to also add:

  * pending, which means a request for consent has been made but the
    data subject has not yet responded,
  * referring to the personal data of a minor
  * referring to the personal data of a disabled person in need of
    specific accessibility provisions to manage consent

What do you think?

By the way, I agree that consent is only one possibility of legal basis 
for processing. I'll adress this in another email, responding 
specifically to this discussion.

Greetings,

Eva


Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Eva Schlehahn, uld67@datenschutzzentrum.de
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/

Am 16.10.2018 um 17:23 schrieb Harshvardhan J. Pandit:
> Dear All,
> This is in response to ISSUE-4 and ACTION-28 about describing consent 
> following today's meeting call.
>
> Taking the text by Axel as is (from definition of GDPR), consent here 
> is comprised of
> 1. the entity it was given to - data controller
> 2. the purposes/actions it was given for - purpose
> 3. the entities it governs - personal data (categories)
> 4. the duration of its applicability - duration
> The other properties are not part of the consent itself, but rather 
> describe it provenance. These are-
> 5. how it was obtained - affirmative action
> 6. when it was obtained - timestamp
> I feel that #6 is a property of #5 rather than of the consent itself. 
> That is, the action has a timestamp, a medium (online form, for 
> example), and therefore the time associated with the consent is 
> actually the time it was collected/obtained at.
>
> I am working on a consent ontology to represent these same instances 
> (that are described above). There are some questions that are already 
> part of this work, which I will share soon. The ontology itself is a 
> work-in-progress, and therefore not stable to be added to the working 
> group list of vocabularies. I'm happy to share it if anyone is 
> interested in looking at it.
>
> I will try to formalise these into questions/points as suggested by 
> Rigo based on experiences with modeling provenance of consent.
>
> There are a few other things to consider, such as what is the consent 
> was collected via automated mechanisms or a natural person; or whether 
> it was given by someone in lieu of the person - i.e. a delegate.
>
> From Eva's point regarding the status of consent, I agree and propose 
> the following:
> Unknown, Not Given, Implicitly Given, Explicitly Given, Withdrawn, 
> Expired, Invalidated
>
> On 16/10/18 7:38 AM, Data Privacy Vocabularies and Controls Community 
> Group Issue Tracker wrote:
>> ISSUE-4: What are the elements of consent? starting from "consent = 
>> agreement through an [affirmative action] at a specific [time] with a 
>> [data controller] to specific [processing] and [storage] of specific 
>> [data categories] for specific [purpose] and [duration]"
>>
>> https://www.w3.org/community/dpvcg/track/issues/4
>
> Best,