Consent BB FAQ

Mar 31, 2023: We have decided that some specification updates can go through vetting in this document. If something is relevant for the specification itself, it can be escalated through a Jira issue.

draft answer = we will discuss the draft async and approve at a meeting

accepted answer = answer has been accepted by the WG. If desired, the information can be built into the specification.

The following FAQ is meant to provide short and simple answers to someone expecting a short and simple answer. All of these answers can be traced back to the Consent BB Definition document.

The most common denominator that we find is that the definition of consent itself is misunderstood.

Short answer: No, it’s not designed for that. GovStack specifications, use-cases and training resources should not encourage using Consent software for generic agreements.

Elaborated answer: It’s quite possible for an organization to assess and evaluate if their Consent software can handle agreements and satisfy legal obligations. But this is not encouraged since there are fundamental differences between binding agreements and revocable consent.

Using a consent system for an agreement would most likely mean that the agreement can be recalled at any point in time by the individual who has given the consent. This is not a desirable property for most generic agreements.

Read more about how consent is defined by the building block: https://govstack.gitbook.io/bb-consent/2-description#2.1-what-consent-is

Can I query if a specific operation requires consent? accepted answer

No.

The Consent BB is not aware of special data properties or APIs in other systems. It does not manage access nor permissions.

A given system needs to configure the Consent BB with an Agreement and a Policy. It is with knowledge of the Agreement ID that a privileged system can query whether a Consent Record exists for a given Individual.

We understand the question like this: Given a User A is required to give their consent for Process B to complete, can a new Process C be started to obtain consent from the user?

Yes. However, Process C is not initiated or owned by the Consent BB. Rather, it’s the role of Process B to initiate Process C, which is implemented by the application (not the Consent BB).

A given system needs to configure the Consent BB with an Agreement and a Policy. It is with knowledge of the Agreement ID that a privileged system can query whether a Consent Record exists for a given Individual.
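
The query and Process B/Process C answers above, sketched as an added Python example that is not part of the FAQ or the Consent BB specification. ConsentBBStub, process_b and every method, caller name and ID in it are hypothetical; the stub has no notion of operations, so the only question it can answer is whether a Consent Record exists for a known Agreement ID and Individual.

```python
# Added illustration; all class, method and field names are hypothetical
# and are not the Consent BB API.
from dataclasses import dataclass, field


@dataclass
class ConsentBBStub:
    """In-memory stand-in: stores Agreements and Consent Records, nothing else."""
    privileged_callers: set
    agreements: dict = field(default_factory=dict)   # agreement_id -> policy text
    records: set = field(default_factory=set)        # (agreement_id, individual_id)

    def configure(self, agreement_id, policy):
        self.agreements[agreement_id] = policy

    def record_consent(self, agreement_id, individual_id):
        if agreement_id not in self.agreements:
            raise KeyError("unknown agreement")
        self.records.add((agreement_id, individual_id))

    def revoke(self, agreement_id, individual_id):
        # Consent is revocable at any time by the individual.
        self.records.discard((agreement_id, individual_id))

    def consent_exists(self, caller, agreement_id, individual_id):
        # Only a privileged system that knows the Agreement ID can ask.
        if caller not in self.privileged_callers:
            raise PermissionError("caller is not a privileged system")
        if agreement_id not in self.agreements:
            raise KeyError("unknown agreement")
        return (agreement_id, individual_id) in self.records


def process_b(bb, caller, agreement_id, individual_id, collect_consent):
    """Application-owned Process B; collect_consent is the application's Process C."""
    if not bb.consent_exists(caller, agreement_id, individual_id):
        if not collect_consent(individual_id):       # Process C, started by B
            return "stopped: consent not given"
        bb.record_consent(agreement_id, individual_id)
    return "completed"
```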

What is the responsibility of another Building Block or service? draft answer

Any service outside the Consent BB is responsible for ID-handling of the queries. The Consent BB validates the source and the given request (via authorisation token) and assumes any request to be valid if it is made: 1) from a trusted source; 2) via a trusted service/request; 3) as part of a valid session.

The ID token must be obtained and provided by the outside service; the Consent BB verifies whether the ID is valid (via an external independent ID BB/service) and provides the relevant response. The Consent BB does not verify the individual's ID authorisation profile (for example, whether a given individual has authorised the request); this is the responsibility of the outside service.

What are some critical scenarios for my BB/service to satisfy?

It’s GovStack’s policy to promote Consent collection through the Consent BB as a foundation of good public governance.

Other building blocks or processes are not advised to handle consent, since this implies questions like withdrawal, multi-party consent, auditing, and not least the life-cycle of consent agreements and policies.

Question from Sasi: Is there any way that multiple parties can interact with each other based on a broader agreement rather than a one-to-one agreement?