Digital consent may be simultaneously the best understood and most misunderstood concept by both individuals and organisations. Many are unaware of the dangers in simplifying a series of complex decisions around personal data rights to an “Agree” button. Behind the button, experts are grappling with a series of complex implementation challenges to address issues such as: how certain can one be that a person understands what they have agreed to, and how do we help individuals make better decisions in situations that are often complex?
GovStack* is a global initiative accelerating the digital transformation of government services. GovStack has recognised MyData Global’s leadership concerning human-centric consent management principles and since late 2021, MyData Global has helped shape the technical requirements for a consent management building block. Participate in the “MyData and GovStack – Accelerating digital transformations in the public sector globally” online event on 1 March 2022. More information and registration here.
Consent is a mechanism that allows individuals to decide what personal data they share with an organisation for a given purpose. According to the MyData Declaration, “consent” means that individuals should be empowered to give, deny, or revoke their intent to share data based on a clear understanding of why, how, and for how long their data will be used.
Consent is also a vital component for organisations and is regulated in many jurisdictions worldwide. As a result, data protection requirements, such as the EU’s GDPR, restrict organisations from collecting, processing, and sharing personal data without the explicit consent of the individual, commonly referred to as the “data subject”. The legal definition of “consent” relies on the purpose of usage and clear information provided to the individual. Errors in these steps can lead to invalidating the consent. For example, suppose the data subject has not been adequately informed that third-party entities are receiving their data; the purposes for which the personal data is intended to be used; or the duration it is designed to be retained. The complexity around consent leads not only to many implementation challenges, but also to opportunities to design solutions that embrace human-centric principles.
From fragmented trials to reusable building blocks
The GovStack Initiative’s vision is to empower governments to take ownership of their digital futures by building more effective and cost-efficient digital infrastructures. It aims to create a common understanding and technical practice around reusable and interoperable digital components. These components are referred to as building blocks, and these will provide key functionality facilitating generic workflows across multiple sectors. Having access to 23 building blocks will support governments in kick-starting their digital transformation journey by adopting, deploying, and scaling digital government services.
MyData’s involvement in GovStack
As one of the thought leaders in the personal data domain, recognised also by the European Data Strategy, MyData Global was invited to formally join the GovStack Initiative to scope, define, and bring forth technical requirements for consent management building blocks.
Whilst seeking to promote best practices and state-of-the-art technologies for consent management, the team has to also consider limited resources and capabilities governments may hold, as the GovStack Initiative is targeted primarily at resource-constrained environments. Thus, defining and scoping the idea of consent as a building block that can interface with the overall architecture was the necessary first step.
As a result, “consent” in the GovStack context is defined as a voluntary declaration of intent, which a person is free to withdraw at any time. It assumes that the person, called the “Consentee”, can decide on processing their personal data based on a documented agreement. Both the agreement and the consent record are registered for subsequent status queries and can be audited by an independent third party.
The consent management building block provides functional interfaces to register agreements for organisations wishing to consume or expose personal data; obtain consent from individuals; and audit all changes by an external auditor. These interfaces can be consumed by other GovStack building blocks (such as identity, workflow, or information mediator) or any application that uses them.
“As part of a multi-continental team, we are excited to influence this journey early on and believe MyData is uniquely positioned to create human-centric digital services worldwide,” said Philippe Page, one of the MyData experts joining the consent management working group. Different contexts and cultures will lead to the implementation of diverse consent management solutions. Whilst no single solution fits all, it is paramount that built solutions empower individuals to self-determine how their personal data can be used.
To continue the discussion on consent and digital infrastructures more broadly, MyData Global organises the “MyData and GovStack – Accelerating digital transformations in the public sector globally” online event on 1 March 2022. Tune in to learn more and discuss with fellow experts the opportunities to advance human-centric infrastructures for better government services. Sign up to the event here, and share the invitation with your colleagues!
*GovStack is established and coordinated by the International Telecommunication Union (ITU), together with the Ministry of Foreign Affairs of the Republic of Estonia (MFA Estonia), The Federal Ministry of Economic Cooperation and Development of the Federal Republic of Germany (BMZ), and the Digital Impact Alliance (DIAL) at the UN Foundation. MyData Global is represented in the consent management building block through its collaboration with Lal Chandran (iGrant.io) and Philippe Page (Human Colossus Foundation).