Post on 10-Jul-2020
RESEARCHING THE TRANSPARENCY OF PERSONAL DATA SHARING: DESIGNING A CONSENT RECEIPT
Authors: Tatiana C. Styliari (PhD Candidate at Horizon Digital Economy CDT), Michele Nati (Lead Technologist Personal Data & Trust at Digital Catapult)
Date: September 2016
Researching the transparency of personal data sharing: Designing a consent receipt
CONTENTS
1. Executive summary
2. Motivation of our work
3. Researching transparency over personal data sharing: a four-phase process
   Phase 1: Internal research
   Phase 2: Exploratory interviews
   Phase 3: Evaluation interviews
   Phase 4: Participatory design workshop
4. Discussion: is a consent receipt the future of data sharing?
5. Conclusion
6. References
1. EXECUTIVE SUMMARY
This report presents a three-month research internship focused on the privacy and control of personal data sharing. The aim of the project was to explore how organisations can give more control over the data that individuals share when conducting personal data transactions. We focused on personal data sharing and trust via user experience (UX) design and prototyping methodology. This report describes the process we followed along with findings, and concludes on how the outcomes encouraged us to further develop the tested ideas.
Our main research question was: How can transparency and users' trust in organisations collecting personal data be improved? Is the idea of a 'consent receipt' a suitable tool for doing this?
The focus of our study was a thorough evaluation of the UX aspects related to this concept. We started with some internal research mapping of Digital Catapult Centre visitors' journeys in relation to the collection of personal data. The research was carried out through exploratory interviews with Centre visitors, leading to an ideation phase and a first iteration of a 'consent receipt' prototype (a receipt of consent given at time of accessing a service, similar to a receipt for a goods purchase)¹.
When the first prototype was ready, more interviews with Digital Catapult visitors were conducted to evaluate the prototype. The Digital Catapult sign-in system was drafted to issue a consent receipt to visitors at the end of the sign-in process. The prototype was shown to the visitors who then reviewed it. Based on the collected feedback, a refinement of the consent receipt design followed.
A participatory design workshop concluded our testing of the consent receipt as a way to provide more control, trust and awareness about what personal data people share, with whom, why, when and where. 12 participants, divided into three groups, were given different data-capturing scenarios, underpinning different security concerns, and ultimately asked to design their own consent receipts.
The overall participants' response to this project showed positive outcomes for the following reasons:
1) The demand for people to know where their data goes is rapidly growing, therefore a consent receipt is seen as a viable solution and provisioning can be easily implemented by organisations
2) Organisations could increase their trust and provide better transparency in the data sharing process.
Ultimately, this would lead to the creation of healthier and simpler data privacy policies and would eliminate the problem of agreeing to Terms and Conditions (T&Cs) without being aware of what we are sharing (a recent Eurobarometer survey says 80% of consumers don't fully read the T&Cs)²; as well as the problem of losing track of, and finding it difficult to reconstruct, all of the data trail we leave behind us when accessing digital services. This encouraged us to further develop and trial the findings of our study.
2. MOTIVATION OF OUR WORK
To begin with, throughout this report there is a reference to personal data. We follow the EU General Data Protection Regulation's (GDPR) definition of personal data: 'any information relating to an identified or identifiable natural person' [art. 2(a)]. According to a Digital Catapult study³, consumers mistrust how organisations handle their personal data. As a result, business growth slows down, with 65% of surveyed consumers being unsure if data is being shared without their consent.
¹ Consent receipt is a concept championed by Mark Lizar and John Wunderlich from Kantara Initiative and the Consent & Information Sharing Work Group (CISWG) [1, 2].
² http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf
³ https://www.digitalcatapultcentre.org.uk/pdtreview/
The report also shows that there is a need to enhance public awareness and understanding in sharing data as a way to benefit society and deliver economic growth. People usually ignore the T&Cs that they agree to when consenting to give their data in exchange for a service or a product. After a period of time they could have forgotten what they agreed to and as a result can't track who they have given their data to and what happens to it.
As the Internet Technical Advisory Committee has stated: 'It is clear that a common mechanism to encode and publish the policies governing usage of services is needed' [4]. Our aim is to address the '(maybe) read, agree and forget' problem, by evaluating the idea of a 'consent notice' and a 'consent receipt'. The Kantara Initiative Consent & Information Sharing Work Group (CISWG) is currently developing a recommendation for a specification standard for a minimum viable consent receipt.
The consent receipt tries to fill in this gap of notifying people when they share their data. If we were to give a definition we could say that a 'consent receipt' tracks consent by creating a record of it – similar to a regular receipt, which is used to track money [1, 2]. It also allows us to:
1. Understand which data we share, where it goes, who has it and why
2. Keep a proof of consent and enable consistent consent practices
3. Untangle 'obscure' Terms and Conditions documents
Our ultimate project goal is to promote organisations' transparency, thus increasing people's awareness, trust and ultimately, control over their data. Our work is focused on helping people to understand why an organisation (in our study, the Digital Catapult) captures their data and what the benefit is. Instead of experimenting with Trust Marks⁴, the effectiveness of which requires time for users to familiarise with them, we aim to achieve this by evaluating the idea of a consent receipt (including visual and textual information). In addition, the consent receipt provides a useful compliance tool, in light of the upcoming enforcement of the GDPR⁵, requiring organisations to show a proof of consent for the personal data they collect from individuals.
We leveraged the consent receipt standard to design and generate awareness of a consumer-centric consent process for increasing consumers' trust in organisations. Therefore, in order to create a meaningful and easy-to-understand consent receipt, we decided to talk with people and understand their real needs and how they would want it to be.
⁴ https://econsultancy.com/blog/7941-which-e-commerce-trustmarks-are-most-effective/
⁵ https://www.privacyandsecuritymatters.com/2015/12/the-general-data-protection-regulation-in-bullet-points/
3. RESEARCHING TRANSPARENCY OVER PERSONAL DATA SHARING: A FOUR-PHASE PROCESS
The project was divided into four different user-centred phases. Below is a graph that summarises the process we followed throughout the three months.
Figure 1: A visualised summary of the methodology followed during the whole project.
PHASE 1: INTERNAL RESEARCH
Initially, in Phase 1 we carried out internal research. More specifically, we talked with employees from different departments of Digital Catapult and observed visitors for a week in order to map their experience. We logged each category of visitor that came to the Digital Catapult, understood what data they shared with us and their experience during their visit. We came up with the maps illustrated below.
The first map (Figure 2) is more generic and provides a summary of all the different visitors' journeys within Digital Catapult, with the main variable being 'the reason for visiting', which then determines the other data collected.
The second map (Figure 3) presents a specific example of a visitor experience – a tour/meeting. It shows the exact journey of a visitor and which kind of data Digital Catapult collects either through its concierge system (Envoy⁶) or through Eventbrite⁷.
[Figure 2, recovered from the extracted map. Columns: Visit Reason | Organisation Type | Means of Data Capturing and Data Captured | Number of Visits | Experience]
Visit reasons: Meeting, Employee, Contributor, Event, Internal, External.
Organisation types: Research Organisation, SME, Enterprise, Public Sector, Digital Economy.
ENVOY captures: first-time visit or not, full name, email, institution/company, person to meet, newsletter yes/no (optional), IoTuk (optional). Number of visits: first time or been here before (data already in). Experience: as described in the detailed map.
EVENTBRITE captures: prefix, name, surname, email, job title, company/organisation, (not) attended, website, mobile (compulsory), Twitter, LinkedIn, newsletter, pass to third party / organisation type; optional and manual-upload fields don't get saved.
External: full name, company, attended/not.
Figure 2: The general Digital Catapult visitor experience map.
⁶ https://envoy.com
⁷ https://www.eventbrite.co.uk
[Figure 3, recovered from the extracted map. Columns: Related person | Category | Data Captured | Experience | Visit Reason]
Related person: Operations manager (O.M.).
Category: visitor tours: academia or foreign dignitaries/institutes/embassies & consulates, overseas universities.
Data captured: Envoy registration; if big group (20-30), no registration. Personal log with the country, organisation, organiser name, dates, who does the tour.
Experience: O.M. welcomes them; tour around DC; hear about what DC does; ethos behind the design; why it's situated here; it depends on the area of focus of the group; O.M. shows them out.
Visit reason: explore the venue/showcase; relationship building; trying to set up a similar innovation programme overseas; if trade delegation: expert talk for a couple of hours.
Figure 3: One example of where internal research led us in terms of understanding the visitor's experience with respect to personal data capturing.
PHASE 2: EXPLORATORY INTERVIEWS
After understanding how data collection is conducted for each kind of visitor and observing what visitors noticed about, how they reacted to and how they interacted with the sign-in experience, we moved on to Phase 2. Due to the bigger control group, and therefore the amount of data captured that we can utilise through our on-site sign-in system, we decided to focus on this group of visitors.
Phase 2 consisted of 19 exploratory interviews with random visitors of Digital Catapult Centre, aiming to understand what they value in terms of the capture of personal data and how the development of new forms of transparency over personal data sharing, such as the consent receipt, could enhance their experience.
The sample was quite diverse (Figure 4) with respect to age range and professional interest. There is a prevalence of male over female participants, which was representative of the Centre's visitors on the specific day of data collection. As the 'Interest' pie chart shows, a mixture of different people, with different backgrounds and expertise, were interviewed (namely not only experts in privacy and personal data protection), which makes our study more neutral and unbiased.
Figure 4: Demographics for the first data collection method. Some values differ from the number of the participants (19) as they had the opportunity to express multiple choices.
The main observations that came out in the analysis are summarised below and can be segmented into two categories:
One was related to the data capturing perception of the visitors, where they had to answer questions such as "Do you trust sharing data with us?", "Why do you think we capture your data?" and "Which information and how much is too much in data sharing?"
Understanding data capturing: "You want to build up a profile of the types of visitors, who you are marketing to, research is key to driving any business. I understand the value of research." (P1)
Sharing data depends on trust in the organisation: "I trust what they are doing with my personal data. Anything I trust in, I would be willing to give all the information asked." (P3)
Quality & quantity of data shared: "I am giving professional details; I don't have concerns in terms of the use of data, when it's my own personal address it's slightly different." (P4) "Email, name & organisation: nothing too intimate." (P2)
The other one was related to the receipt itself, where we talked about its necessity, its design, content and implementation. Respondents had to answer a set of questions including "Do you think a consent receipt could be useful?", "Why?" and "How would you imagine it?"
Identification/establishment of the problem: "There are some T&Cs that are impossible to read, because if you are just on time for a meeting you don't have time, and you won't actually go through it." (P18)
The end product must be time efficient, easily accessible and user friendly: "(Make this tool...) very simple and quick, not cumbersome, mobile accessible" (various participants).
How did this Phase inform our prototype?
Once feedback was received, we focused on three main areas regarding the design of the consent receipt: content, format and when it should be given in the process of the visit. In regards to content, we had to make sure that the consent receipt would be user friendly with icons that illustrate:
• Why we collect this data (use/purpose)
• Where and how long we keep it (storage)
• Which data we keep on the visitor (content)
• Who has it (sharing)
• Option to 'forget me' (deletion)
With regards to the format, it was apparent from the interviewees that a static, on-screen consent notification at time of sign-in, and an opt-in/out email as a consent receipt, would be the most appropriate. There were three other options: save to a digital wallet, download as PDF, save in Dropbox.
In regards to when notification should be given to visitors, we determined that if it was shown before they signed in it would be a consent notification, and if they signed in and decided to keep it in their archive as an email, it would be a consent receipt. When coupled with the option to ask for data removal, we agreed that issuing a consent receipt after sign-in was enough to achieve our goal of giving easy-to-understand notice and a record of given consent.
PHASE 3: EVALUATION INTERVIEWS
After creating the first prototype based on what people would value in a consent notice/receipt, we went back to visitors to ask for their feedback. Four influencing factors were ascertained:
1. Context (venue)
2. Scope of the consent (what people consent to)
3. Data quantity (how much data they give)
4. Data quality (which kind of data they give)
As value in a consent notice/receipt is dependent on the context in which the personal data is collected, we decided to design three groups of questions that we would then randomly ask visitors. Group A was the control group, Group B investigated the boundaries of visitors in terms of data sharing (which data is 'too much to ask') and Group C set out to identify in what circumstances interviewees would find the idea of a consent receipt more valuable.
There was already quite a lot of trust in Digital Catapult on the part of visitors, as was revealed in Phase 2. Therefore, we wanted to test how people would perceive the value of a consent receipt if we tweaked the way we did things. Our main research question was: 'Does the receipt we prototyped increase visitors' understanding of, and increase trust in, how we currently collect data?' We also asked the respondents what they think is needed to make such receipts effective as a practice.
There were 26 respondents - nine for group A, nine for group B, and eight for group C. Again, there was an obvious prevalence of male over female participants, which is representative of the Centre's visitors on the day of data collection. The age range varied, which gave us diversity within the sample and the chance to see how both younger and older generations think about data sharing and privacy.
The overall sentiment was that only some of the participants were positive about the concept - they liked it, but it wasn't perceived as something that would make a huge difference to the sharing of personal data in such circumstances.
We suggest that this is due to the fact that Digital Catapult is already trusted as a brand, so there is enough clarity and confidence in the way it operates. Additionally, it also has to do with the fact that the data provided by visitors is minimal and not sensitive – something that was indicated by the participants themselves when they were asked how they would rate the data captured (1 for minimal, 2 for normal, 3 for too much). However, there was a great understanding of the concept and of its necessity, especially in other contexts such as those investigated in groups B and C where levels of trust differed (e.g. in the case of data collected online by a recruitment agency).
One of the most interesting conclusions was that in time it is worth getting this practice widely adopted and investigating if and how other organisations and users/citizens will adapt to it. This came out of discussions with some participants on how only one consent receipt is perhaps not useful on its own, but alongside many consent receipts, used in every data transaction, they will be powerful and can change the way we trust organisations and share our data.
Figure 5: Demographics for the second data collection method. Some values differ from the number of the participants (26) as they had the opportunity to express multiple choices or they didn't want to answer.
The main findings are summarised below:
• Big understanding and acceptance of the concept
• Data breach frequency is very high but people don't know who to address when their data is breached (a consent receipt gives this information)
• Alternative names that emerged from the interviewees:
o User notification | verification receipt | trustee notice | general consent form | proof of data storage | data guarantee/assurance | data consent | consent confirmation | data protection form/user protection form | data usage summary | consent summary
• The interviewees identified many benefits that the consent receipt would have for users, such as:
o Clear and easy way to understand data policy/T&Cs | reassuring to know what is being done with your data | best practice for visitor | more control over your data | feel more informed | creation of commitment | promise towards each user | more willing to share if I know what it's for
• The alternate settings that were identified by the interviewees and where a consent receipt would be highly valuable were the following:
o Wi-Fi sign-in | online companies | online purchases | recruiting agencies | home letting agencies | online networks subscriptions | insurance companies | Oyster card top-up | travelling services.
• 14 out of 26 interviewees chose to be sent the consent receipt email so they could keep it as an archive.
How did this Phase inform our prototype?
This phase led us to update our prototype in terms of design, wording and content. We added a timestamp, an email address that users could use to reach the data controller team, changed the name of one of the sections (from 'use' to 'purpose') and the way the purpose for data is expressed. Users' feedback also helped us to understand the range of value of the consent receipt, depending on the users' trust in the venue/organisation.
We validated that the prototype should be very short but could include links that would lead to a website with more details for those interested to read more.
PHASE 4: PARTICIPATORY DESIGN WORKSHOP
On Friday 15 July 2016 we conducted the final Phase of the project: a participatory design workshop with 12 participants.
The aim of the workshop was to test the validity of the consent receipt produced already, by getting the perspective of people who would receive it. We wanted to see how they would design it, in order to be easily understood and user friendly. We divided participants into three groups of four and gave them three possible service scenarios for which to design a consent receipt:
1) Your data is very controlled, no sharing (Digital Catapult event / high level of trust)
2) Your data is somehow controlled, shared with some organisations (train ticket online booking service / medium level of trust)
3) Your data is loosely controlled and shared with many third parties (recruitment agency / low level of trust).
The reason we created three different scenarios was to investigate boundaries and limits in personal data sharing. All groups were asked to prototype consent receipts for all three scenarios. The participants (demographics indicated in Figure 7) were shown a list of 'ingredients' that they should consider when thinking about what to include and prioritise in the contents of the consent receipt (Figure 6).
Figure 6: These are the ingredients that should be considered for the consent receipt standard. The above is a combination of the data analysis along with the original standard from Kantara Initiative.
Figure 7: Demographics from the third data collection method.
The main findings of this workshop are summarised below:
Group A
• This team didn't provide a design of the receipt, but rather a summary of the basic concept behind it
• All scenarios share the same basis: they should all have the same information, but depending on how high or low the level of security is they would have more or less information to protect themselves in case the data is leaked to someone they don't want to have access to it
• Use symbols to show the level of risk for each case: potentially similar to the traffic light symbols used on packaged food - green, amber and red
• Provide web links to give more information on each specific section. This group wanted to see the contact information clearly and would prefer to contact someone within an organisation directly (by phone) in case something unwanted happened
Group B
• Expected the receipt to be universal
• The 'who' must be stated first (who is collecting the data, the Unique ID and date/timestamp)
• A graphical representation of what exactly is being shared, how it's being shared and who with
• If the data is not shared, an organisation should at least state how it's used and stored so that users know this as a minimum
• To include a disclaimer: how long and where data is being stored and how to change that or opt out
• Include a thank you notice at the end
Group C
• Basic information has to appear at the top for easy access
• To explain, in a table, that company A gets this amount of data, company B gets this amount of data, so it's easier to track what's shared with whom
• Create an algorithm to limit how long data is being used, shared and kept. For example, if a person is looking for a job, data should only be kept for a specific time, i.e. until they have found employment
• A data specialist/department has to be there to contact in case issues arise
• The purpose for the data capturing needs to be transparent, i.e. even when a person goes to an event, an organisation or third party can extrapolate what their line of work is, what their income is, their living standards etc.
• Output/idea: If a person's data is used by a research organisation they should know what this organisation is doing with it. There needs to be a place/platform that people can access to see what has been produced externally with the use of their data (different from purpose)
• Data storage might be outsourced because it's a big organisation, so users also need information about the outsourced company
• More visible embodiment of the data captured and the purpose for capturing it
4. DISCUSSION: IS A CONSENT RECEIPT THE FUTURE OF DATA SHARING?
This section presents and discusses the final prototype of the consent receipt as formed after all of the data-collection Phases. A mock-up of it is shown below. We reiterate that this project referred to Digital Catapult; however, it explored how the consent receipt would affect consumers in other circumstances and contexts as well. Therefore, the list presented below might be broadened depending on the data collection that each organisation makes.
Figure 8: This is the final consent notification as it was structured and refined after all the data collection and prototyping phases.
The 'content' section refers to the 'what' (which kind of data an organisation collects). Each individual can have a detailed list of all of the data that an organisation keeps about them and requires their consent for. A transparent organisation might eventually also list all of the personal data collected, not necessarily requiring explicit consent (thus making the receipt not only a consent receipt but a 'Personal Data Receipt'⁸).
The 'storage' section refers to the 'where' and potentially the 'when', as well as the 'how long' the data is stored. If the organisation, for example, deletes the data after one year this should be mentioned as 'kept for one year'. It would also be helpful to mention when exactly the data is used in case another organisation makes use of it on a specific occasion, e.g. 'use geolocation data only from 8-11am'.
⁸ https://www.digitalcatapultcentre.org.uk/project/pd-receipt/
Next, the 'purpose' section answers the 'why' an organisation asks for a person's data: What is the main purpose behind their data collection? In our case it could vary between marketing or developmental purposes, or simply to capture how visitors are engaging with the organisation and to keep statistics/metrics. Last but not least, there is a section that will be mostly diversified depending on each organisation's data sharing policy with third parties.
The 'sharing' section refers, therefore, to whether the organisation shares its customers' data with others and, if so, with whom; those parties should be stated in a list to provide transparency.
At this point, there needs to be a reminder of a more comprehensive and even more informative version of the consent receipt that would include a clickable button for each section, linking to a webpage with a detailed explanation of that section. For example, the 'sharing' section would lead to a list of sharing parties and why a person's data is shared with each one.
At the end of the receipt, we can see the email of the responsible person/team in the organisation, where a user should address any concerns or complaints. There is also a timestamp to indicate when the receipt was issued and a unique ID number so that the organisation can use it to enquire about any issues that arise.
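To make the receipt structure concrete, the following is an added example written for this page, not code from the report or from Digital Catapult. It builds a receipt from the sections described above (content, storage, purpose, sharing, contact email, timestamp, unique ID), renders the short text form a visitor would see, checks the 'kept for N days' promise in the storage section against a given date (in the spirit of Group C's suggestion of an algorithm that limits how long data is kept), and attaches a SHA-256 fingerprint so the copy a visitor holds can later be compared with the controller's record, one measure against the tampering risk raised in the discussion. The class name, field names and sample values are assumptions made for this example.

```python
"""Added example (not code from the report or Digital Catapult): a minimal
consent receipt record with the sections of the final prototype (content,
storage, purpose, sharing, contact email, timestamp, unique ID), a retention
check, and a fingerprint for comparing a visitor's copy against the
controller's record. All field names and sample values are assumptions."""
from __future__ import annotations

import hashlib
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ConsentReceipt:
    controller: str            # who collects the data (Group B: the 'who' comes first)
    content: list[str]         # 'what': the data items the visitor consented to share
    storage_location: str      # 'where' the data is kept
    retention_days: int        # 'how long' (365 for 'kept for one year')
    purpose: list[str]         # 'why' the data is collected
    sharing: list[str]         # third parties it is shared with; empty if not shared
    contact_email: str         # where concerns, complaints and 'forget me' requests go
    issued_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    receipt_id: str = field(default_factory=lambda: uuid.uuid4().hex)

    def to_dict(self) -> dict:
        """Canonical, JSON-serialisable form of the receipt."""
        return {
            "controller": self.controller,
            "content": list(self.content),
            "storage": {"location": self.storage_location, "retention_days": self.retention_days},
            "purpose": list(self.purpose),
            "sharing": list(self.sharing),
            "contact_email": self.contact_email,
            "issued_at": self.issued_at.isoformat(),
            "receipt_id": self.receipt_id,
        }

    def fingerprint(self) -> str:
        """SHA-256 of the canonical JSON. Any change to a section changes the
        digest, so a receipt a visitor holds can be checked against the copy
        the controller stored when it was issued."""
        canonical = json.dumps(self.to_dict(), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def deletion_due(self) -> datetime:
        """When the 'kept for N days' promise in the storage section runs out."""
        return self.issued_at + timedelta(days=self.retention_days)

    def deletion_due_iso(self) -> str:
        return self.deletion_due().isoformat()

    def retention_expired(self, now_iso: str) -> bool:
        """True once the retention period has passed: the controller's deletion
        process should act, and the visitor can hold it to that promise."""
        return datetime.fromisoformat(now_iso) >= self.deletion_due()

    def render(self) -> str:
        """The short text receipt a visitor sees; the richer version would hang
        a link to a fuller explanation off each section heading."""
        shared = ", ".join(self.sharing) if self.sharing else "not shared with any third party"
        return "\n".join([
            f"CONSENT RECEIPT from {self.controller}",
            f"Content (what):  {', '.join(self.content)}",
            f"Storage (where, how long): {self.storage_location}, kept for "
            f"{self.retention_days} days (deletion due {self.deletion_due().date().isoformat()})",
            f"Purpose (why):   {', '.join(self.purpose)}",
            f"Sharing (who):   {shared}",
            f"Questions or 'forget me' requests: {self.contact_email}",
            f"Issued: {self.issued_at.isoformat()}   Receipt ID: {self.receipt_id}",
            f"Fingerprint: {self.fingerprint()}",
        ])


def example_receipt(sharing: list[str] | None = None) -> ConsentReceipt:
    """Constructed sample (not real Digital Catapult data) with a fixed
    timestamp and ID so the output is reproducible."""
    return ConsentReceipt(
        controller="Example Venue Ltd",
        content=["full name", "email", "company", "person to meet"],
        storage_location="sign-in system, UK",
        retention_days=365,
        purpose=["visitor statistics", "reception and security"],
        sharing=sharing or [],
        contact_email="data-controller@example.org",
        issued_at=datetime(2016, 9, 1, 10, 0, tzinfo=timezone.utc),
        receipt_id="constructed-id-0001",
    )


if __name__ == "__main__":
    print(example_receipt().render())
```

Running the module prints the sample receipt. The `retention_expired` check is what a controller's deletion process, or a user-side tool holding receipts from many organisations, would run periodically; the fingerprint only helps if the controller keeps the same canonical record it issued, which is an assumption of this example.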
Although a consent receipt could have many advantages for both the user and the organisation, the main benefit is perhaps societal, by triggering a change in the way we conduct data transactions. There are also some limitations and challenges that should be taken into account, which we learned by conducting a preliminary Privacy Impact Assessment for the implementation of a consent receipt into our systems.
First of all, before implementation, there should be set standardised forms of the receipt, which would be followed by all organisations that want to adopt this new tool. Secondly, the organisation that will implement the consent receipt first should be very considerate about privacy policies, take measures against the potential risk of consent receipts' hacking and make sure they have the business processes in place that ensure the deletion of data would actually occur.
Thirdly, there is a chance that some organisations wouldn't want to implement consent receipts because they reveal too much to their customers with one 'quick read', but this is our actual aim: to provide something that would eventually make data sharing fully transparent and that could be moderated and adopted to a wider extent so that all organisations would comply with it. After all, transparency is required by the impending General Data Protection Regulation⁹.
⁹ http://www.twobirds.com/~/media/pdfs/gdpr-pdfs/31--guide-to-the-gdpr--information-notices.pdf?la=en
Figure 9: This is the equivalent email that would be sent out to people (after opting in to receive such an email) so that they could have an actual proof of their consent.
5. CONCLUSION
Following a user-centred approach we explored how people could gain more transparency and be more aware about the personal data they share. To conclude, the project was built on four different Phases: the aim of Phase 1 was to understand our different visitors and how we collect personal data; Phase 2 to focus on the visitors from whom we collect personal data through Digital Catapult's on-site concierge system (Envoy) and interview them to understand their concern with sharing personal data (if any) and whether a receipt (as a concept) increases trust; Phase 3 to evaluate a first real prototype receipt and to understand if it is clear for visitors, if it really increases trust and transparency, and finally to gain feedback on the design; and lastly the objective of Phase 4 was for people to design the receipt and see how different it is from what we designed.
As an outcome of this project a new concept has been prototyped using qualitative data collection methods and an iterative process of user experience design. This work contributed to the design of a meaningful consent receipt - in assessing its value in creating transparency and trust in different contexts, in understanding personal data sharing patterns by triggering consent receipts from different organisations, and finally in informing future research.
As a result, the outcome of this project is currently being used and developed further, and the concept of the Personal Data Receipt (providing transparency to individuals on all their personal data collected by an organisation) is being trialled with real users at Digital Catapult Centre, with the hope that adoption of such transparency practices could be a first foundation of the future of personal data sharing. Evolution of this intervention will require someone to take the lead on building a standard that could be applied to many organisations, educate both institutions and consumers and establish collaborations so that it becomes a prerequisite in personal data transactions. Digital Catapult's aim is to champion such activities.
6. REFERENCES
[1] Lizar, M. (2016). Consent Receipt Specification. Available at https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification
[2] Brennan, J. and Wunderlich, J. (2016). Consent & Information Sharing Work Group (CISWG). Available at https://kantarainitiative.org/confluence/display/infosharing/Home
[3] Digital Catapult (2016). Trust In Personal Data: A UK Review. Following and Assessing the UK's Journey to Becoming a Data-Driven Nation. Available at http://www.digitalcatapultcentre.org.uk/wp-content/uploads/2015/07/Trust-in-Personal-Data-A-UK-Review.pdf
[4] Internet Technical Advisory Committee (ITAC) (2010). Fostering innovation in privacy protection. ITAC speaking notes for the OECD privacy conference in Israel, 25-26 October 2010. Available at https://www.oecd.org/sti/ieconomy/46952687.pdf