- From: Axel Polleres <axel.polleres@wu.ac.at>
- Date: Mon, 20 Aug 2018 11:13:44 +0200
- To: me@harshp.com, public-dpvcg@w3.org
- Cc: Eva Schlehahn <uld67@datenschutzzentrum.de>, Simon Steyskal <simon.steyskal@wu.ac.at>
- Message-Id: <54A01B99-173C-4AF7-AC03-0721D3615033@wu.ac.at>
> If the answer to the above is yes, or a partial yes, then does cherry-picking concepts and terms in this manner (in this context of consent) be considered good practice? FWIW, I think that linking and reusing terms from existing vocabularies (so, if you want to call it like that "cherry-picking") is a good approach to not re-invent the wheel, but this doesn't preclude to - essentially devise a new vocabulary and just make the equicalences with concepts from other ontologies/vocabularies clear. I am personally, in favor of keeping (at least an agree core of) what we need in one common namespace, though, and not just define a "wild mix" of existing vocabularies. Let's discuss this a bit further in tomorrow's call... Axel -- Prof. Dr. Axel Polleres Institute for Information Business, WU Vienna url: http://www.polleres.net/ twitter: @AxelPolleres > On 17.08.2018, at 18:10, Harsh <me@harshp.com> wrote: > > Thank you everyone for replying on this issue/query. > > @axel @javier @simon I have looked at the way SPECIAL models consent, which is a OWL model (as Axel mentioned in his email). For the specific definition and use-case of SPECIAL (see deliverables), this works to convey the information. This also brings the topic back to the OWL model being tied to the use-case. > > As rightly pointed out, ODRL does not cover purpose or storage restrictions explicitly, nor can it represent information about how consent was obtained, expires, etc. > > However, would ODRL still be useful as a vocabulary to express these permissions using its concepts and properties, while another vocabulary is used to define the missing aspects of how consent was obtained, purpose, etc. ? For e.g. using GDPRov (since I'm familiar with it) to capture the provenance of how the consent was obtained (HOW, WHEN) and using ODRL to define the actual consent itself, maybe as an extension through templates. > If the answer to the above is yes, or a partial yes, then does cherry-picking concepts and terms in this manner (in this context of consent) be considered good practice? > > This also brings up the question for DPVCG (in my mind) whether the outcome/deliverable should be an entirely new vocabulary or a new vocabulary that includes re-use of existing terms (if they fit defined criteria and requirements). > > Regards, > > Harsh > > On 17/08/18 14:42, Axel Polleres wrote: >> Hi Eva all, >> >> I don't think it is in scope of ORDL iteself to descripe when a certain permission was given, but this can be expressed with other vocabularies, FWIW, we sketched some initial ideas on how to combine different vocabularies (and this is IMHO the whole goal of defining in DPVCG) to express such metadata on the actual consent permission in SPECIAL's deliverable D6.3. >> E.g. in section 4.1.5 we sketch some shortcomings of ODRL alone, in this respect, in terms of while specifically ORDL covers modeling actions, it does not yet cover purpose or storage restrictions explicitly and that transaction time of consent isn't straightforwardly modeled in ODRL (i.e. when a certain permission was created, how long it holds) >> >> Axel >> >> >> >> >> >> -- >> Prof. Dr. Axel Polleres >> Institute for Information Business, WU Vienna >> url: http://www.polleres.net/ <http://www.polleres.net/> twitter: @AxelPolleres >> >>> On 17.08.2018, at 15:32, Eva Schlehahn <uld67@datenschutzzentrum.de <mailto:uld67@datenschutzzentrum.de>> wrote: >>> >>> Hi Simon, >>> >>> many things for sharing some insight on ODRL with us. >>> >>> I have a (hopefully not too embarassing/annoying) question, though since I do not having any technology backoground: >>> >>> When you wrote that ODRL does not define how consent has to "look like", i.e., what information ex:Consent has to contain, does this refer only to the content of the consent agreement, i.e. what was 'consented to', or does this even cover the status of consent? >>> >>> As a person coming in with a legal perspective, I think it could be desirable to capture the status of consent to enable reviewing its validness, e.g. in an audit. It appreas thinkable to me to have consent status labels like 'given' (if yes, specific whether explicit or implicit), 'pending / withheld', 'withdrawn', 'referring to the personal data of a minor', 'referring to the personal data of a disabled person in need of specific accessibility provisions to manage consent' or the like. Just as some starting thoughts, triggered by what the GDPR expresses in terms of possible consent situations. >>> >>> Therefore, it would be great if you could give you opinion on whether ODRL has the capability of expressing this or whether other methods may be more suitable. :) >>> >>> Thanks, greetings from Kiel and a great weekend to everyone! >>> >>> Eva >>> >>> >>> Landesbeauftragte für Datenschutz Schleswig-Holstein >>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1200, Fax -1223 >>> mail@datenschutzzentrum.de <mailto:mail@datenschutzzentrum.de> - https://www.datenschutzzentrum.de/ <https://www.datenschutzzentrum.de/> >>> Eva Schlehahn, uld67@datenschutzzentrum.de <mailto:uld67@datenschutzzentrum.de> >>> >>> Informationen über die Verarbeitung der personenbezogenen Daten durch >>> die Landesbeauftragte für Datenschutz und zur verschlüsselten >>> E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/ <https://datenschutzzentrum.de/datenschutzerklaerung/> >>> >>> Am 17.08.2018 um 14:19 schrieb Simon Steyskal: >>>> Hi! >>>> >>>> (Chiming in on the ODRL part of the conversation) >>>> >>>>> However, to date, I am not aware of any work attempting to model consent using ODRL (that has published their approach). >>>> >>>> ODRL allows you to define so-called Privacy policies [1]: "A Policy that expresses a Rule over an Asset containing personal information." which would contain permissions & prohibitions tied to your PI. >>>> For example, such a policy could in ODRL be expressed like this: >>>> >>>> <http://example.com/policy:42 <http://example.com/policy:42>> >>>> a odrl:Privacy ; >>>> odrl:permission [ >>>> a odrl:Permission ; >>>> odrl:target ex:asset_9898 ; >>>> odrl:action odrl:reproduce ; >>>> odrl:assigner ex:Alice ; >>>> odrl:assignee ex:Bob ; >>>> odrl:duty [ >>>> a odrl:Duty ; >>>> odrl:action odrl:obtainConsent ; >>>> odrl:output ex:Consent ; >>>> odrl:consentingParty ex:Alice ; >>>> odrl:consentedParty ex:Bob ; >>>> ] >>>> ] . >>>> >>>> Resembling a permission Alice has granted to Bob for reproducing her PI (denoted as asset_9898) under the condition that Bob obtains Alice's consent. >>>> >>>> https://www.w3.org/TR/odrl-vocab/#term-consentingParty <https://www.w3.org/TR/odrl-vocab/#term-consentingParty> - party to obtain consent from >>>> https://www.w3.org/TR/odrl-vocab/#term-consentedParty <https://www.w3.org/TR/odrl-vocab/#term-consentedParty> - party who obtains the consent >>>> https://www.w3.org/TR/odrl-vocab/#term-obtainConsent <https://www.w3.org/TR/odrl-vocab/#term-obtainConsent> - To obtain verifiable consent to perform the requested action in relation to the Asset. >>>> https://www.w3.org/TR/odrl-vocab/#term-output <https://www.w3.org/TR/odrl-vocab/#term-output> - specifies the Asset which is created from the output of the Action. >>>> >>>> However, ODRL does NOT define: >>>> >>>> 1) HOW & WHEN consent has to be obtained, i.e., HOW & WHEN fulfillment of the duty has to be verified/checked >>>> 2) HOW consent has to "look like", i.e., what information ex:Consent has to contain >>>> >>>> HTH, simon >>>> >>>> [1] https://www.w3.org/TR/odrl-vocab/#term-Privacy <https://www.w3.org/TR/odrl-vocab/#term-Privacy> >>>> >>>> --- >>>> DDipl.-Ing. Simon Steyskal >>>> Institute for Information Business, WU Vienna >>>> >>>> www: http://www.steyskal.info/ <http://www.steyskal.info/> twitter: @simonsteys >>>> >>>> Am 2018-08-17 09:04, schrieb Eva Schlehahn: >>>>> Hi Harsh, >>>>> >>>>> knowing the purpose of the processing ahead of time is one of the key >>>>> cornerstones of processing anyway, at least when personal data is >>>>> concerned. You recognized correctly that OWL can help then. Even >>>>> though I have no technology backoground, I got it that this was one of >>>>> the considerations in favor of OWL made in another project I was in. >>>>> So if anyone on this list has experience with ODRL, this would indeed >>>>> be quite useful for a more concrete comparison. >>>>> >>>>> Greetings from Kiel in northern Germany, >>>>> >>>>> Eva >>>>> >>>>> Landesbeauftragte für Datenschutz Schleswig-Holstein >>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1200, Fax -1223 >>>>> mail@datenschutzzentrum.de <mailto:mail@datenschutzzentrum.de> - https://www.datenschutzzentrum.de/ <https://www.datenschutzzentrum.de/> >>>>> Eva Schlehahn, uld67@datenschutzzentrum.de <mailto:uld67@datenschutzzentrum.de> >>>>> >>>>> Informationen über die Verarbeitung der personenbezogenen Daten durch >>>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten >>>>> E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/ <https://datenschutzzentrum.de/datenschutzerklaerung/> >>>>> >>>>> Am 16.08.2018 um 18:52 schrieb Harsh: >>>>>> Ah! Thank you Axel. >>>>>> So the assumption I make from this is that it is possible to use ODRL, but simpler methods may exist (such as the OWL model). That being said, the work ahead would then be comparing these, and finding their strengths and complexities in terms of modeling consent. >>>>>> >>>>>> This cleared up a lot of things in my mind regarding your (SPECIAL) choice of using OWL as well. Mainly being that it is specific to the use-case and works quite well if the purposes (w.r.t consent) are known ahead of time. >>>>>> >>>>>> Regards, >>>>>> >>>>>> Harsh >>>>>> >>>>>> >>>>>> On 16/08/18 16:06, Axel Polleres wrote: >>>>>>> </chairhat> >>>>>>> >>>>>>> Simon might be more into this, we had some work using ODRL for modeling various Data access policies [1,2] >>>>>>> The reason for the choice of a simpler OWL taxonomy and fixed concepts (rathrer than describing each of these in detail in terms of more finr-granular ODRL policies, was AFAIR that the use cases in SPECIAL didn't require it and that with this OWL-based approach compliance checking can be defined in a relatively straightforward manner. >>>>>>> >>>>>>> 1. Simon Steyskal and Axel Polleres. Towards formal semantics for ODRL policies. In /9th International Web Rule Symposium (RuleML2015)/, number 9202 in Lecture Notes in Computer Science (LNCS), pages 360--375, Berlin, Germany, August 2015. Springer. [ .pdf <http://www.polleres.net/publications/stey-poll-2015RuleML.pdf <http://www.polleres.net/publications/stey-poll-2015RuleML.pdf>> ] >>>>>>> >>>>>>> 2. Simon Steyskal and Axel Polleres. Defining expressive access policies for linked data using the ODRL ontology 2.0. In /Proceedings of the SEMANTiCS 2014/, ACM International Conference Proceedings Series, Leipzig, Germany, September 2014. ACM. Short paper. [ .pdf <http://www.polleres.net/publications/stey-poll-2014SEMANTiCS.pdf <http://www.polleres.net/publications/stey-poll-2014SEMANTiCS.pdf>> ] >>>>>>> >>>>>>> -- Prof. Dr. Axel Polleres >>>>>>> Institute for Information Business, WU Vienna >>>>>>> url: http://www.polleres.net/ <http://www.polleres.net/> twitter: @AxelPolleres >>>>>>> >>>>>>>> On 16.08.2018, at 16:16, Harsh <me@harshp.com <mailto:me@harshp.com> <mailto:me@harshp.com <mailto:me@harshp.com>>> wrote: >>>>>>>> >>>>>>>> Hello all, >>>>>>>> >>>>>>>> I wish to know the community's informed opinions about any concerns for using ODRL to model Consent for GDPR. >>>>>>>> >>>>>>>> To elaborate: >>>>>>>> >>>>>>>> Consent can be modeled as the Data Subject providing permissions for purposes or activities for their (specific) personal data. ODRL provides a systematic way to model such permissions and prohibitions. >>>>>>>> >>>>>>>> However, to date, I am not aware of any work attempting to model consent using ODRL (that has published their approach). There has been use of RDF(S) and OWL [1,2] to model these concepts using terms which ODRL (seemingly) already provides. >>>>>>>> >>>>>>>> Having not worked with ODRL before, it would be valuable to know the community's thoughts on using what is essentially a rights language to express consent as a legal policy using the vocabulary. >>>>>>>> >>>>>>>> In terms of DPVCG, this discussion is essentially evaluating an existing ontology (ODRL) for a particular use-case (representation of given consent). >>>>>>>> >>>>>>>> [1] Sabrina Kirrane, Javier D. Fernández, Wouter Dullaert, Uros Milosevic, Axel Polleres, Piero Bonatti, Rigo Wenning, Olha Drozd and Philip Raschke.*A Scalable Consent, Transparency and Compliance Architecture.* Proceedings of the Posters and Demos Track of the Extended Semantic Web Conference (ESWC 2018) >>>>>>>> >>>>>>>> [2] Kaniz Fatema, Ensar Hadziselimovic, _Harshvardhan J. Pandit_, Dave Lewis. *Compliance through Informed Consent: Semantic Based Consent Permission and Data Management Model. *Society, Privacy and the Semantic Web - Policy and Technology (PrivOn), co-located with ISWC 2017 >>>>>>>> /Society, Privacy and the Semantic Web - Policy and Technology (PrivOn), co-located with ISWC 2017/ >>>>>>>> >>>>>>>> >>>>>>>> Regards, >>>>>>>> >>>>>>>> -- --- >>>>>>>> Harshvardhan Pandit >>>>>>>> PhD Researcher >>>>>>>> ADAPT Centre >>>>>>>> Trinity College Dublin >>>>>>> >>>>>> >>> >>> >>> >> > > -- > --- > Harshvardhan Pandit > PhD Researcher > ADAPT Centre > Trinity College Dublin
Received on Monday, 20 August 2018 09:14:16 UTC