Key Decision Log (Consent)
This document outlines key decisions made on the Consent Building Block project, so that new contributors can understand the context and history.
November-2021 | Decided to scope and work on basic flows first with Consent BB version 1.0. This will scope out some items, as described in the chapter “Out-of-scope and future enhancements”. |
January-2022 | Removed “consenter” and “consentee” terminology: Due to the ambiguity of what these two terms mean, we strictly mention only “individual”, “data processor” and “data controller”. |
March-2022 | The lifecycle of a single Agreement should match a single purpose. A Consent Record can only match 1 Agreement. |
March-2022 | Data structures, API URL call structures etc., should never reveal personally identifiable information (PII). We assume that anonymised IDs and tokens can handle relations to identity. |
March-2022 | Right To Be Forgotten: The scope of this action is decided to be framed by each Agreement. The building block definition covers a variety of different use cases; what is deleted to remove traces or needs to be retained is not, by design, necessary for the Consent BB to decide. |
March-2022 | Revision+Signature models are designed to give a tamper-resistant, auditable track of all schemas. Auditability means: 1) Event-based external tracking that may verify that the system’s data isn’t tampered with and 2) Revision and Signature logs that can be queried to periodically verify that specific events (such as data transactions) are happening in accordance with valid Consent Records and Agreements. |