Add Measures for Obtain, Withdraw, etc. for Consent and other Actions
In #90 ISO/IEC 27560 records, information on how to withdraw consent must be provided. Currently in DPV we do not have the ability to express how consent can be withdrawn without it being specifically a right. We do have GDPR Art-7 right to withdraw consent, but that is specific to GDPR. Proposal to add two concepts as OrganisationalMeasure - ObtainConsent and WithdrawConsent to indicate how consent can be obtained and withdrawn without it being specifically a legal basis or a right.
This was discussed in the 2023-09-27 meeting, and was accepted for inclusion in DPV.
Edit: Proposal to model consent management processes (e.g. obtain, withdraw, record) under the umbrella concept of ConsentManagement under OrganisationalMeasure with property hasConsentManagement as a subproperty of hasOrganisationalMeasure.
A more complete consent management process list is:
Rectangles are processes that change the consent state; ellipses are processes that work with consent records.
- ObtainConsent: the process to request and obtain consent, from the Data Controller perspective. Can be from the data subject or from another controller (i.e. transfer of an existing consent record).
- ProvideConsent: the process to provide consent, from the Data Subject perspective. This includes aspects such as having the interface or technical means to enable the data subject to provide or express their consent.
- RecordConsent: the process to record consent or keep consent records
- RetrieveConsent: the process to retrieve consent (all records or specific ones)
- DemonstrateConsent: the process to demonstrate that consent exists
- ChangeConsent: the process to enable a change in consent, e.g. to withdraw if given, or to give if requested, or to reaffirm if given
- EnsureValidConsent: the process to assess and ensure consent is valid (e.g. whether the consent is correctly given, or has expired)
- ProcessConsentChange: the process to make corresponding changes to processing based on changes in consent state (e.g. given to withdrawn)
- WithdrawConsent: the process to withdraw consent (where given); subtype of ChangeConsent
- ReaffirmConsent: the process to reaffirm consent (e.g. again after some duration); subtype of ChangeConsent
Proposal that these should be modeled under the umbrella concept of ConsentManagement under OrganisationalMeasure, and offered with a new relation called hasConsentManagement as a subproperty of hasOrganisationalMeasure.
Added to Organisational Measures:
- Permission Management: Methods to obtain, provide, modify, and withdraw permissions along with maintaining a record of permissions, retrieving records, and processing changes in permission states
- Consent Management: Methods to obtain, provide, modify, and withdraw consent along with maintaining a record of consent, retrieving records, and processing changes in consent states
Adding the granular measures for each consent action - obtain, modify, withdraw, etc. seems overkill unless it is representing the specific (technical) implementations of these activities e.g. instance of ModifyConsent to represent the action with description "click here to modify consent". Generic controls to obtain, provide, modify, withdraw, object, etc. should be developed and added under Entity Controls as another pillar of TOMs besides tech, org, legal, and physical.
List of Entity Controls. Replace 'action' with 'consent' or 'contract' or 'legitimate interest' or 'processing activity' - to see whether these controls are generic and applicable.
| Entity Control | Control or measure provided to (another) Entity to enable it to interact or act on some specific information, action, or context |
|---|---|
| Control Obtain | Control or measure provided to (another) Entity for obtaining information or action |
| Control Provide | Control or measure provided to (another) Entity for providing information or action |
| Control Modify | Control or measure provided to (another) Entity for modifying information or action |
| Control Withdraw | Control or measure provided to (another) Entity for withdrawing information or action |
| Control Terminate | Control or measure provided to (another) Entity for terminating information or action |
| Control Object | Control or measure provided to (another) Entity for objecting to information or action |
| Control Retrieve | Control or measure provided to (another) Entity for retrieving information or action |
| Control Record | Control or measure provided to (another) Entity for recording information or action |
| Control Demonstrate | Control or measure provided to (another) Entity for demonstrating information or action |
| Control Assess | Control or measure provided to (another) Entity for assessing information or action |
| Control Process Change | Control or measure provided to (another) Entity for processing change in information or action |
| Control Reaffirm | Control or measure provided to (another) Entity for reaffirming information or action |
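To make the process list above concrete, here is an added example (not DPV code and not part of the issue) of a consent-record store that applies the state changes the list names. The class and method names, the record layout, the `on_change` hook standing in for ProcessConsentChange, and the sample subject and purposes are all this example's own assumptions; the comments map each method to the concept proposed above.

```python
"""Consent lifecycle store illustrating the proposed consent-management processes.

Added example, not part of DPV. The names below are assumptions chosen to mirror
the proposed concepts (ObtainConsent, WithdrawConsent, ReaffirmConsent,
EnsureValidConsent, ProcessConsentChange, DemonstrateConsent).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

GIVEN, WITHDRAWN, EXPIRED = "given", "withdrawn", "expired"


@dataclass
class ConsentRecord:
    subject: str
    purpose: str
    state: str
    given_at: datetime
    valid_for: timedelta
    history: list = field(default_factory=list)  # (time, action, resulting state)


class Clock:
    """Controllable clock so expiry can be exercised without waiting."""
    def __init__(self, start: datetime):
        self.t = start

    def now(self) -> datetime:
        return self.t

    def advance(self, delta: timedelta) -> None:
        self.t += delta


class ConsentManager:
    """RecordConsent: keeps the records; the other methods change or inspect them."""

    def __init__(self, now: Callable[[], datetime], on_change: Callable[[ConsentRecord], None]):
        self._now = now
        self._on_change = on_change  # ProcessConsentChange: propagate state to processing
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def _transition(self, rec: ConsentRecord, action: str, new_state: str) -> None:
        rec.history.append((self._now(), action, new_state))
        rec.state = new_state
        self._on_change(rec)

    def obtain(self, subject: str, purpose: str, valid_for: timedelta) -> ConsentRecord:
        # ObtainConsent / ProvideConsent: a fresh record in state 'given'
        rec = ConsentRecord(subject, purpose, GIVEN, self._now(), valid_for)
        self._records[(subject, purpose)] = rec
        self._transition(rec, "obtain", GIVEN)
        return rec

    def retrieve(self, subject: str) -> list:
        # RetrieveConsent: all records held for one subject
        return [r for (s, _), r in self._records.items() if s == subject]

    def withdraw(self, subject: str, purpose: str) -> None:
        # WithdrawConsent: only consent that is currently given can be withdrawn
        rec = self._records[(subject, purpose)]
        if rec.state != GIVEN:
            raise ValueError(f"cannot withdraw consent in state {rec.state}")
        self._transition(rec, "withdraw", WITHDRAWN)

    def reaffirm(self, subject: str, purpose: str, valid_for: timedelta) -> None:
        # ReaffirmConsent: restart the validity period; withdrawn consent needs a new obtain
        rec = self._records[(subject, purpose)]
        if rec.state == WITHDRAWN:
            raise ValueError("withdrawn consent cannot be reaffirmed; obtain it again")
        rec.given_at = self._now()
        rec.valid_for = valid_for
        self._transition(rec, "reaffirm", GIVEN)

    def is_valid(self, subject: str, purpose: str) -> bool:
        # EnsureValidConsent: given and not past its validity period
        rec = self._records.get((subject, purpose))
        if rec is None or rec.state != GIVEN:
            return False
        if self._now() > rec.given_at + rec.valid_for:
            self._transition(rec, "expire", EXPIRED)
            return False
        return True

    def demonstrate(self, subject: str, purpose: str) -> list:
        # DemonstrateConsent: the evidence trail for one record
        return list(self._records[(subject, purpose)].history)


def demo() -> dict:
    """Walk one subject through obtain, withdraw, expiry and reaffirm (constructed data)."""
    clock = Clock(datetime(2024, 5, 29, tzinfo=timezone.utc))
    allowed: dict[str, bool] = {}  # the (hypothetical) processing system's view per purpose

    def process_change(rec: ConsentRecord) -> None:
        allowed[rec.purpose] = rec.state == GIVEN

    cm = ConsentManager(clock.now, process_change)
    cm.obtain("subject-1", "newsletter", timedelta(days=30))
    cm.obtain("subject-1", "analytics", timedelta(days=30))
    out = {"after_obtain": (cm.is_valid("subject-1", "newsletter"), allowed["newsletter"])}
    cm.withdraw("subject-1", "newsletter")
    out["after_withdraw"] = (cm.is_valid("subject-1", "newsletter"), allowed["newsletter"])
    try:
        cm.reaffirm("subject-1", "newsletter", timedelta(days=30))
        out["reaffirm_after_withdraw_rejected"] = False
    except ValueError:
        out["reaffirm_after_withdraw_rejected"] = True
    clock.advance(timedelta(days=31))
    out["after_expiry"] = (cm.is_valid("subject-1", "analytics"), allowed["analytics"])
    cm.reaffirm("subject-1", "analytics", timedelta(days=30))
    out["after_reaffirm"] = (cm.is_valid("subject-1", "analytics"), allowed["analytics"])
    out["analytics_history_len"] = len(cm.demonstrate("subject-1", "analytics"))
    out["records_for_subject"] = len(cm.retrieve("subject-1"))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `on_change` hook is that a withdrawal or expiry is not only recorded but pushed to whatever does the processing, which is the ProcessConsentChange step; a store that records withdrawals without that propagation satisfies the record-keeping requirement but not the processing one.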
Hi Harsh,
I think what you have here is a bit confused, in that technically this would be to obtain permission, which can be bound to the consent of the individual, which is proven through notice, with for example a notice and consent receipt.
Humans manage consent, systems manage permissions.
Assuming you're referring to 'Control Obtain' and 'Control Provide' - it can be used with Consent to state how the entity is 'obtaining/providing consent' or with Permission to state how the entity is 'obtaining/providing permission'. Which aspect of this is incorrect?
See common controls for human involvement in https://github.com/w3c/dpv/issues/108#issuecomment-2067614593 - these can be used to indicate consent amongst other forms of 'involvement'. This issue and list of concepts would be redundant and not needed if that proposal is accepted.
> Assuming you're referring to 'Control Obtain' and 'Control Provide' - it can be used with Consent to state how the entity is 'obtaining/providing consent' or with Permission to state how the entity is 'obtaining/providing permission'. Which aspect of this is incorrect?

I am referring to the context: that the entity does not 'obtain consent' but, through the presentation of notice, obtains permission (not technically consent) in accordance with an existing consent, to which permission is bound.
As opposed to other legal justifications in which the purpose is provided for and specified as a derogation to consent, e.g. which break the glass to access data (against what an individual might expect) under a legal justification which requires a notice, without permission.
I don't get it, sorry. Please provide examples and definitions that we should be using, and how they relate to existing legal terms.
Continuing discussion from https://w3id.org/dpv/meetings/meeting-2024-05-15
Discussed this in meeting 22 MAY and agreed to accept the four proposed concepts (Provide, Obtain, Withdraw, Reaffirm Consent) based on requirements established. This issue will be closed by MAY-29.
Hi Harsh,
Is this for the legal justification of consent? Or for use with any legal justification? Are these also used for a secondary purpose, or the primary purpose of consent, and are these consent permissions system to system?

> On May 23, 2024, at 6:56 AM, Harshvardhan Pandit wrote:
> Discussed this in meeting 22 May (https://w3id.org/dpv/meetings/meeting-2024-05-22) and agreed to accept the four proposed concepts (Provide, Obtain, Withdraw, Reaffirm Consent) based on requirements established. This issue will be closed by May 29.
Hi. These are the concepts needed to express information about how to provide consent, withdraw consent, etc. These are not legal bases or permissions or justifications.
And no indication of whether consent is valid or not.

> On May 29, 2024, at 2:00 PM, Harshvardhan Pandit wrote:
> Hi. These are the concepts needed to express information about how to provide consent, withdraw consent, etc. These are not legal bases or permissions or justifications.
Hi Harsh,
I think the big misunderstanding here is that the legal justification is also the purpose, and what these controls need to be tied to. What is often described as purpose, in relation to consent, is actually permissions, subject to the legal justification, which requires at the minimum adequate notice, which again is missing from the consent controls.
Kind Regards,
Mark
> On May 29, 2024, at 2:00 PM, Harshvardhan Pandit wrote:
> Hi. These are the concepts needed to express information about how to provide consent, withdraw consent, etc. These are not legal bases or permissions or justifications.