Re: Controls for Entities to Obtain, Withdraw, Object etc. from Harshvardhan Pandit on 2024-04-20 (public-dpvcg@w3.org from April 2024)

From: Harshvardhan Pandit <me@harshp.com>
Date: Sat, 20 Apr 2024 10:29:27 +0100
To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Cc: Delaram Golpayegani <delaram.golpayegani@adaptcentre.ie>
Message-ID: <7ebea831-1bfa-42d9-b22f-250c970e13b9@harshp.com>

Hi. Updates on this for discussion on Wednesday.

Automation Level - 
https://github.com/w3c/dpv/issues/108#issuecomment-2058921311 we 
discussed this last wednesday and there were no open questions. So we 
will propose to accept this in the next meeting.

Human Invovement (including opt-in/opt-out, challenge etc.) - this is a 
summarisation of the conversation so far. TBD in next meeting.

Active/Passive Data Subject, Informed/Uninformed, Expected/Unexpected, 
Determined vs Implemented 
https://github.com/w3c/dpv/issues/116#issuecomment-2067615791 - this is 
a summarisation of the conversation so far. TBD in next meeting.

Regards, Harsh

On 14/04/2024 23:45, Harshvardhan J. Pandit wrote:
> Hi.
> 
> I'm working on (the accumulated backlog) DPV v2 - see current plan 
> https://github.com/w3c/dpv/milestone/4
> 
> In resolving issue #115 https://github.com/w3c/dpv/issues/115 regarding 
> controls for consent regarding obtaining, withdrawing, etc. it occurred 
> to me that such controls would also be needed for other measures e.g. 
> permissions, contracts, legitimate interest.
> 
> Rather than creating terms for each one specifically (e.g. obtain 
> consent, obtain contract) - what if we provided a generic list of 
> controls that one Entity (e.g. Controller) provides to another Entity 
> (e.g. Data Subject). I called these 'Entity Controls' for lack of a 
> better word. These are different from tech/org measures which are about 
> an Organisation implementing actions for its own sake, whereas Entity 
> Controls are about one entity providing an action for another.
> 
> For example, Control Obtain can be used to provide information on how to 
> obtain information (e.g. for rights, contracts); or Control Object can 
> be used to provide information on how to object (e.g. for legitimate 
> interest or processing in general). These controls can be used 
> contextually:
> - e.g. Contract hasEntityControl <ControlTerminate> to describe how to 
> terminate the contract
> - e.g. Service hasEntityControl <ControlTerminate> to describe hwo to 
> terminate the service
> 
> Its usefulness is for cases where a Controller may be asked to describe 
> how it is providing information to the data subject regarding obtaining 
> consent or permission or a particular information associated with a 
> notice, or providing option for objecting to legitimate interest or to 
> processing (Art.21). This is a different question from how is the 
> Controller implementing these processes within their own systems.
> 
> The current list of controls is on the github issue: 
> https://github.com/w3c/dpv/issues/115#issuecomment-2054145671 and a live 
> version can be seen at: https://harshp.com/dpv/dpv/#vocab-TOM-entitycontrol
> 
> TBD in the meeting on Wednesday.
> 
> Regards,

-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Saturday, 20 April 2024 09:29:33 UTC