Researching the transparency of personal data sharing FINAL · Michele Nati (Lead Technologist...

RESEARCHINGTHETRANSPARENCYOFPERSONALDATASHARING:DESIGNING

ACONSENTRECEIPT

Author:TatianaC.Styliari(PhDCandidateatHorizonDigitalEconomyCDT)

MicheleNati(LeadTechnologistPersonalData&TrustatDigitalCatapult)

Date:September2016

Researchingthetransparencyofpersonaldatasharing:Designingaconsentreceipt

2

CONTENTS1. Executivesummary 32. Motivationofourwork 33. Researchingtransparencyoverpersonaldatasharing:afour-phaseprocess 5

Phase1:Internalresearch 5Phase2:Exploratoryinterviews 7Phase3:Evaluationinterviews 9Phase4:Participatorydesignworkshop 11

4. Discussion:isaconsentreceiptthefutureofdatasharing? 145. Conclusion 176. References 17


3

1. EXECUTIVESUMMARYThisreportpresentsathree-monthresearchinternshipfocusedontheprivacyandcontrolofpersonaldatasharing.Theaimoftheprojectwastoexplorehoworganisationscangivemorecontroloverthedatathatindividualssharewhenconductingpersonaldatatransactions.Wefocusedonpersonaldatasharingandtrustviauserexperience(UX)designandprototypingmethodology.Thisreportdescribestheprocesswefollowedalongwithfindings,andconcludesonhowtheoutcomesencouragedustofurtherdevelopthetestedideas.

Ourmainresearchquestionwas:Howcantransparencyandusers’trustinorganisationscollectingpersonaldatabeimproved?Istheideaofa‘consentreceipt’asuitabletoolfordoingthis?

ThefocusofourstudywasathoroughevaluationoftheUXaspectsrelatedtothisconcept.WestartedwithsomeinternalresearchmappingofDigitalCatapultCentrevisitors’journeysinrelationtothecollectionofpersonaldata.TheresearchwascarriedoutthroughexploratoryinterviewswithCentrevisitors,leadingtoanideationphaseandafirstiterationofa‘consentreceipt’prototype(areceiptofconsentgivenattimeofaccessingaservice,similartoareceiptforgoodspurchase)1.

Whenthefirstprototypewasready,moreinterviewswithDigitalCatapultvisitorswereconductedtoevaluatetheprototype.TheDigitalCatapultsign-insystemwasdraftedtoissueaconsentreceipttovisitorsattheendofthesigninprocess.Theprototypewasshowntothevisitorswhothenreviewedit.Basedonthecollectedfeedback,arefinementoftheconsentreceiptdesignfollowed.

Aparticipatorydesignworkshopconcludedourtestingoftheconsentreceiptasawaytoprovidemorecontrol,trustandawarenessaboutwhatpersonaldatapeopleshare,withwhom,why,whenandwhere.12participants,dividedintothreegroups,weregivendifferentdata-capturingscenarios,underpinningdifferentsecurityconcernsandultimatelyaskedtodesigntheirownconsentreceipts.

Theoverall participants’responsetothisprojectshowedpositiveoutcomesforthefollowingreasons:

1)Thedemandforpeopletoknowwheretheirdatagoesisrapidlygrowing,thereforeaconsentreceiptisseenasaviablesolutionandprovisioningcanbeeasilyimplementedbyorganisations

2)Organisationscouldincreasetheirtrustandprovidebettertransparencyinthedatasharingprocess.

Ultimately,thiswouldleadtothecreationofhealthierandsimplerdataprivacypoliciesandwouldeliminatetheproblemofagreeingtoTermsandConditions(T&Cs)withoutbeingawareofwhatwearesharing(arecentEurobarometersurveysays80%ofconsumersdon’tfullyreadtheT&Cs)2;aswellaslosingtrackandmakingitdifficulttoreconstructofallthedatatrailweleavebehindus,whenaccessingdigitalservices.Thisencouragedustofurtherdevelopandtrialthefindingsofourstudy.

2. MOTIVATIONOFOURWORKTobeginwith,throughoutthisreportthereisareferencetopersonaldata.WefollowtheEUGeneralDataProtectionRegulation’s(GDPR)definitionofpersonaldata:‘anyinformationrelatingtoanidentifiedoridentifiablenaturalperson’[art.2(a)].AccordingtoaDigitalCatapultstudy3,consumersmistrusthoworganisationshandletheirpersonaldata.Asaresult,businessgrowthslowsdown,with65%ofsurveyedconsumersbeingunsureifdataisbeingsharedwithouttheirconsent.

1ConsentreceiptisaconceptchampionedbyMarkLizarandJohnWunderlichfromKantaraInitiativeandtheConsent&InformationSharingWorkGroup(CISWG)[1,2].2http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf3https://www.digitalcatapultcentre.org.uk/pdtreview/


4

Thereportalsoshowsthatthereisaneedtoenhancepublicawarenessandunderstandinginsharingdataasawaytobenefitsocietyanddelivereconomicgrowth.PeopleusuallyignoretheT&Csthattheyagreetowhenconsentingtogivetheirdatainexchangeforaserviceoraproduct.Afteraperiodoftimetheycouldhaveforgottenwhattheyagreedtoandasaresultcan’ttrackwhotheyhavegiventheirdatatoandwhathappenstoit.

AstheInternetTechnicalAdvisoryCommitteehasstated:‘Itisclearthatacommonmechanismtoencodeandpublishthepoliciesgoverningusageofservicesisneeded’[4].Ouraimistoaddressthe‘(maybe)read,agreeandforget’problem,byevaluatingtheideaofa‘consentnotice’anda‘consentreceipt’.TheKantaraInitiativeConsent&InformationSharingWorkGroup(CISWG)iscurrentlydevelopingarecommendationforaspecificationstandardforaminimumviableconsentreceipt.

Theconsentreceipttriestofillinthisgapofnotifyingpeoplewhentheysharetheirdata.Ifweweretogiveadefinitionwecouldsaythata‘consentreceipt’tracksconsentbycreatingarecordofit–similartoaregularreceipt,whichisusedtotrackmoney[1,2].Italsoallowsusto:

1. Understandwhichdataweshare,whereitgoes,whohasitandwhy

2. Keepaproofofconsentandenableconsistentconsentpractices

3. Untangle‘obscure’TermsandConditionsdocuments

Ourultimateprojectgoalistopromoteorganisations’transparencythusincreasingpeople’sawareness,trustandultimately,controlovertheirdata.Ourworkisfocusedonhelpingpeopletounderstandwhyanorganisation(inourstudy,theDigitalCatapult)capturestheirdataandwhatthebenefitis.InsteadofexperimentingwithTrustMarks4,theeffectivenessofwhichrequirestimeforuserstofamiliarisewithit,weaimtoachievethisbyevaluatingtheideaofaconsentreceipt(includingvisualandtextualinformation).Inaddition,theconsentreceiptprovidesausefulcompliancetool,inlightoftheupcomingenforcementoftheGDPR5,requiringorganisationstoshowaproofofconsentforthepersonaldatatheycollectfromindividuals.

Weleveragedtheconsentreceiptstandardtodesignandgenerateawarenessofaconsumer-centricconsentprocessforincreasingconsumers’trustinorganisations.Therefore,inordertocreateameaningfulandeasy-to-understandconsentreceipt,wedecidedtotalkwithpeopleandunderstandtheirrealneedsandhowtheywouldwantittobe.

4https://econsultancy.com/blog/7941-which-e-commerce-trustmarks-are-most-effective/5https://www.privacyandsecuritymatters.com/2015/12/the-general-data-protection-regulation-in-bullet-points/


5

3. RESEARCHINGTRANSPARENCYOVERPERSONALDATASHARING:AFOUR-PHASEPROCESS

Theprojectwasdividedinfourdifferentuser-centredphases.Belowisagraphthatsummarisestheprocesswefollowedthroughoutthethreemonths.

Figure1:Avisualisedsummaryofthemethodologyfollowedduringthewholeproject.

PHASE1:INTERNALRESEARCHInitially,inPhase1wecarriedoutinternalresearch.Morespecifically,wetalkedwithemployeesfromdifferentdepartmentsofDigitalCatapultandobservedvisitorsforaweekinordertomaptheirexperience.WeloggedeachcategoryofvisitorthatcametotheDigitalCatapult,understoodwhatdatatheysharedwithusandtheirexperienceduringtheirvisit.Wecameupwiththemapsillustratedbelow.

Thefirstmap(Figure2)ismoregenericandprovidesasummaryofallthedifferentvisitors’journeyswithinDigitalCatapult,withthemainvariablebeing‘thereasonforvisiting’,whichthendeterminestheotherdatacollected.


6

Thesecondmap(Figure3)presentsaspecificexampleofavisitorexperience–atour/meeting.ItshowstheexactjourneyofavisitorandwhichkindofdataDigitalCatapultcollectseitherthroughitsconciergesystem(Envoy6)orthroughEventbrite7.

VisitReason

- OrganisationTypeMeansofDataCapturingand

DataCapturedNumberof

Visits

Experience

Meeting

Employee

ResearchOrganisation-SME-Enterprise-Public

Sector-DigitalEconomy

ENVOY:

Firsttimevisit/not,fullname,email,Institution/company,persontomeet,newsletter

yes/no(optional),IoTuk(optional).

Firsttimeorbeenherebefore(dataalreadyin)

Asdescribedindetailedmap.

Contributor

Event

Internal

EVENTBRITE:

Prefix,name,surname,email,jobtitle,company/organisation,(not)attended,website,mobile(compulsory),twitter,LinkedIn,

newsletter,passtothirdparty/organisationtype>

optionalandmanualupload:theydon’tgetsaved.

External X Fullname,company,attended/not

Figure2:ThegeneralDigitalCatapult'svisitorexperiencemap.

6https://envoy.com7https://www.eventbrite.co.uk


7

Relatedperson Category

DataCaptured

Experience VisitReason

Operationsmanager(O.M.)

Visitorstours:academiaorforeign

dignitaries/institutes/embassies

&consulates,overseas

universities.

Envoyregistration

Ifbiggroup(20-30)noregistration.Personallog

withthecountry,organisation,organisername,dates,whodoes

thetour.

O.M.welcomesthem.

TouraroundDC

HearaboutwhatDCdoes

Ethosbehindthedesign

Whyit’ssituatedhere

Itdependsontheareaoffocusofthe

group.

O.M.showsthemout.

Explorethevenue/

showcase

Relationshipbuilding

Tryingtosetupsimilarinnovationprogrammeoverseas.

Iftradedelegation:

experttalkforacoupleofhours.

Figure3:Oneexampleofwhereinternalresearchledusintermsofunderstandingthevisitor'sexperiencewithrespecttopersonaldatacapturing.

PHASE2:EXPLORATORYINTERVIEWSAfterunderstandinghowdatacollectionisconductedforeachkindofvisitorandobservingwhatvisitorsobservedabout,howtheyreactedtoandinteractedwiththesign-inexperience,wemovedontoPhase2.Duetothebiggercontrolgroupandthereforeamountofdatacapturedthatwecanutilisethroughouron-sitesign-insystem,wedecidedtofocusonthisgroupofvisitors.

Phase2consistedof19exploratoryinterviewswithrandomvisitorsofDigitalCatapultCentre,aimingtounderstandwhattheyvalueintermsofthecaptureofpersonaldataandhowthedevelopmentofnewformsoftransparencyoverpersonaldatasharing,suchastheconsentreceipt,couldenhancetheirexperience.

Thesamplewasquitediverse(Figure4)withrespecttoagerangeandprofessionalinterest.Thereisaprevalenceofmaleoverfemaleparticipants,whichwasrepresentativeoftheCentre’svisitorsonthespecificdayofdatacollection.Asthe‘Interest’piechartshows,amixtureofdifferentpeople,withdifferentbackgroundsandexpertisewereinterviewed(namelynotonlyexpertsinprivacyandpersonaldataprotection),whichmakesourstudymoreneutralandunbiased.


8

Figure4:Demographicsforthefirstdatacollectionmethod.Somevaluesdifferfromthenumberoftheparticipants(19)astheyhadtheopportunitytoexpressmultiplechoices.

Themainobservationsthatcameoutintheanalysisaresummarisedbelowandcanbesegmentedintwocategories:

Onewasrelatedtothedatacapturingperceptionofthevisitors,wheretheyhadtoanswerquestionssuchas“Doyoutrustsharingdatawithus?”“Whydoyouthinkwecaptureyourdata?”“Whichinformationandhowmuchistoomuchindatasharing?”

Understandingdatacapturing“Youwanttobuildupaprofileofthetypesofvisitors,whoyouaremarketingto,researchiskeytodrivinganybusiness.Iunderstandthevalueofresearch.”(P1)

Sharingdatadependsontrustintheorganisation“Itrustwhattheyaredoingwithmypersonaldata.AnythingItrustin,Iwouldbewillingtogivealltheinformationasked.”(P3)

Quality&quantityofdatashared“Iamgivingprofessionaldetails;Idon’thaveconcernsintermsoftheuseofdata,whenit’smyownpersonaladdressit’sslightlydifferent.”(P4)“Email,name&organisation:nothingtoointimate.”(P2)

Theotheronewasrelatedtothereceiptitselfwherewetalkedaboutitsnecessity,itsdesign,contentandimplementation.Respondentshadtoanswerasetofquestionsincluding“Doyouthinkaconsentreceiptcouldbeuseful?”“Why?”“Howwouldyouimagineit?”

Identification/establishmentoftheproblem“TherearesomeT&Csthatareimpossibletoread,becauseifyouarejustontimeforameetingyoudon’thavetime,andyouwon’tactuallygothroughit.”(P18)

Theendproductmustbe:timeefficient,easilyaccessible,userfriendly“(Makethistool...)verysimpleandquick,notcumbersome,mobileaccessible’(variousparticipants).”


9

HowdidthisPhaseinformourprototype?Oncefeedbackwasreceived,wefocusedonthreemainareasregardingthedesignoftheconsentreceipt:Content,formatandwhenitshouldbegivenintheprocessofthevisit.Inregardstocontent,wehadtomakesurethattheconsentreceiptwouldbeuserfriendlywithiconsthatillustrate:

• Whywecollectthisdata(use/purpose)

• Whereandhowlongwekeepit(storage)

• Whichdatawekeeponthevisitor(content)

• Whohasit(sharing)

• Optionto‘forgetme’(deletion)Withregardstotheformat,itwasapparentfromtheintervieweesthatstatic,on-screenconsentnotificationattimeofsign-in,andanopt-in/outemailasaconsentreceiptwouldbethemostappropriate.Therewerethreeotheroptions:Saveasadigitalwallet,downloadasPDF,saveinDropbox.

Inregardstowhennotificationshouldbegiventovisitors,wedeterminedthatifitwasshownbeforetheysignedinitwouldbeaconsentnotification,andiftheysignedinanddecidedtokeepitintheirarchiveasanemail,itwouldbeaconsentreceipt.Whencoupledwiththeoptiontoaskfordataremoval,weagreedthatissuingaconsentreceiptaftersign-inwasenoughtoachieveourgoalofgivingeasy-to-understandnoticeandarecordofgivenconsent.

PHASE3:EVALUATIONINTERVIEWSAftercreatingthefirstprototypebasedonwhatpeoplewouldvalueinaconsentnotice/receipt,wewentbacktovisitorstoaskfortheirfeedback.Fourinfluencingfactorswereascertained:

1. Context(venue)

2. Scopeoftheconsent(whatpeopleconsentto)

3. Dataquantity(howmuchdatatheygive)

4. Dataquality(whichkindofdatatheygive)

Asvalueinaconsentnotice/receiptisdependentonthecontextthatthepersonaldataiscollected,wedecidedtodesignthreegroupsofquestionsthatwewouldthenrandomlyasktovisitors.GroupAwasthecontrolgroup,GroupBinvestigatedtheboundariesofvisitorsintermsofdatasharing(whichdatais‘toomuchtoask’)andGroupCsetouttoidentifyinwhatcircumstancesintervieweeswouldfindtheideaofaconsentreceiptmorevaluable.

TherewasalreadyquitealotoftrustinDigitalCatapultonthepartofvisitors,aswasrevealedinPhase2.Therefore,wewantedtotestthatifwetweakedthewaywedidthings,howwouldpeopleperceivethevalueofaconsentreceipt?Ourmainresearchquestionwas:‘Doesthereceiptweprototypedincreasevisitors’understandingof,andincreasetrustin,howwecurrentlycollectdata?’Wealsoaskedtherespondentstoanswerwhattheythinkisneededtomakesuchreceiptseffectiveaspractice.


10

Therewere26respondents-nineforgroupA,nineforgroupB,andeightforgroupC.Again,therewasanobviousprevalenceofmaleoverfemaleparticipants,whichisarepresentativenumberoftheCentre’svisitorsonthedayofdatacollection.Theagerangevaried,whichgaveusdiversitywithinthesampleandthechancetoseehowbothyoungerandoldergenerationsthinkaboutdatasharingandprivacy.

Theoverallsentimentwasthatonlysomeoftheparticipantswerepositiveabouttheconcept-theylikedit,butitwasn’tperceivedassomethingthatwillmakehugedifferencetosharingofpersonaldatainsuchcircumstances.

WesuggestthatthisisduetothefactthatDigitalCatapultisalreadytrustedasabrand,sothereisenoughclarityandconfidenceinthewayitoperates.Additionally,italsohastodowiththefactthatthedataprovidedbyvisitorsisminimalandnotsensitive–somethingthatwasindicatedbytheparticipantsthemselveswhentheywereaskedhowtheywouldratethedatacaptured(1forminimal,2fornormal,3fortoomuch).However,therewasagreatunderstandingoftheconceptandofitsnecessity,especiallyinothercontextssuchasthoseinvestigatedingroupBandCwherelevelsoftrustdiffered(e.g.inthecaseofdatacollectedonlinebyarecruitmentagency).

Oneofthemostinterestingconclusionswasthatintimeitisworthgettingthispracticewidelyadoptedandinvestigateifandhowotherorganisationsandusers/citizenswilladapttoit.Thiscameoutofdiscussionswithsomeparticipantsonhowonlyoneconsentreceiptisperhapsnotusefulonitsownbutalongsidemanyconsentreceipts,usedineverydatatransaction,theywillbepowerfulandcanchangethewaywetrustorganisationsandshareourdata.

Figure5:Demographicsfortheseconddatacollectionmethod.Somevaluesdifferfromthenumberoftheparticipants(26)astheyhadtheopportunitytoexpressmultiplechoicesortheydidn’twant

toanswer.

Themainfindingsaresummarisedbelow:• Bigunderstandingandacceptanceoftheconcept• Databreachfrequencyisveryhighbutpeopledon’tknowwhotoaddresswhentheirdatais

breached(aconsentreceiptgivesthisinformation)

• Alternativenamesthatemergedfromtheinterviewees:

• Usernotification|verificationreceipt|trusteenotice|generalconsentform|proofofdatastorage|dataguarantee/assurance|dataconsent|consentconfirmation|dataprotectionform/userprotectionform|datausagesummary|consentsummary


11

• Theintervieweesidentifiedmanybenefitsthattheconsentreceiptwouldhaveforusers,suchas:

o Clearandeasywaytounderstanddatapolicy/T&Cs|reassuringtoknowwhatisbeingdonewithyourdata|bestpracticeforvisitor|morecontroloveryourdata|feelmoreinformed|creationofcommitment|promisetowardseachuser|morewillingtoshareifIknowwhatit’sfor

• Thealternatesettingsthatwereidentifiedbytheintervieweesandwhereaconsentreceiptwouldbe

highlyvaluablewerethefollowing:

o Wi-Fi sign-in | online companies | online purchases | recruiting agencies | home lettingagencies | online networks subscriptions | insurance companies | Oyster card top-up |travelingservices.

• 14outof26intervieweeschosetobesenttheconsentreceiptemailsotheycouldkeepitasan

archive.

HowdidthisPhaseinformourprototype?Thisphaseledustoupdateourprototypeintermsofdesign,wordingandcontent.Weaddedatimestamp,anemailaddressthatuserscouldusetoreachthedatacontrollerteam,changedoneofthesection’sname(fromusetopurpose)andthewaythepurposefordataisexpressed.Users’feedbackalsohelpedustounderstandtherangeofvalueoftheconsentreceipt,dependingontheusers’trustinthevenue/organisation.

Wevalidatedthattheprototypeshouldbeveryshortbutcouldincludelinksthatwouldleadtoawebsitewithmoredetailsforthoseinterestedtoreadmore.

PHASE4:PARTICIPATORYDESIGNWORKSHOPOnFriday15July2016weconductedthefinalPhaseoftheproject:aparticipatorydesignworkshopwith12participants.

Theaimoftheworkshopwastotestthevalidityoftheconsentreceiptproducedalready,bygettingtheperspectiveofpeoplewhowouldreceiveit.Wewantedtoseehowtheywoulddesignit,inordertobeeasilyunderstoodanduserfriendly.Wedividedparticipantsintothreegroupsoffourandgavethemthreepossibleservicescenariostodesignaconsentreceipt:

1)Yourdataisverycontrolled,nosharing(DigitalCatapultevent/highleveloftrust)

2)Yourdataissomehowcontrolled,sharedwithsomeorganisations(trainticketonlinebookingservice/mediumleveloftrust)

3)Yourdataislooselycontrolledandsharedwithmanythirdparties(recruitmentagency/lowleveloftrust).


12

Thereasonwecreatedthreedifferentscenarioswastoinvestigateboundariesandlimitsinpersonaldatasharing.Allgroupswereaskedtoprototypeconsentreceiptsforallthreescenarios.Theparticipants(demographicsindicatedinFigure7)wereshownalistof‘ingredients’thattheyshouldconsiderwhenthinkingaboutwhattoincludeandprioritiseinthecontentsoftheconsentreceipt(Figure6).

Figure6:Thesearetheingredientsthatshouldbeconsideredfortheconsentreceiptstandard.TheaboveisacombinationofthedataanalysisalongwiththeoriginalstandardfromKantaraInitiative.

Figure7:Demographicsfromthethirddatacollectionmethod.


13

Themainfindingsofthisworkshoparesummarisedbelow:

GroupA• Thisteamdidn’tprovideadesignofthereceipt,butratherasummaryofthebasicconceptbehindit• Allscenariossharethesamebasis:theyshouldallhavethesameinformationbutdependingonhow

higherorlowerthelevelofsecurityistheywouldhavemoreorlessinformationtoprotectthemselvesincasethedataisleakedtosomeonetheydon’twanttohaveaccesstoit

• Usesymbolstoshowthelevelofriskforeachcase:Potentiallysimilartothetrafficlightsymbolsused

onpackagedfood-green,amberandred

• Provideweblinkstogivemoreinformationoneachspecificsection.Thisgroupwantedtoseethecontactinformationclearlyandwouldprefertocontactsomeonewithinanorganisationdirectly(byphone)incasesomethingunwantedhappened

GroupB• Expectedthereceipttobeuniversal

• The‘who’mustbestatedfirst(whoiscollectingthedata,theUniqueIDanddate/timestamp)

• Agraphicalrepresentationofwhatexactlyisbeingshared,howit’sbeingsharedandwhowith

• Ifthedataisnotshared,anorganisationshouldatleaststatehowit’susedandstoredsothatusers

knowthisasaminimum

• Toincludeadisclaimer:Howlongandwheredataisbeingstoredandhowtochangethatoroptout

• Includeathankyounoticeattheend

GroupC• Basicinformationhastoappearonthetopforeasyaccess

• Toexplain,inatable,thatcompanyAgetsthisamountofdata,companyBgetsthisamountofdata,

soit’seasiertotrackwhat’ssharedwithwhom

• Createanalgorithmtolimithowlongdataisbeingused,sharedandkept.Forexample,ifapersonislookingforajob,datashouldonlybekeptforaspecifictime,i.e.untiltheyhavefoundemployment

• Adataspecialist/departmenthastobetheretocontactincaseissuesarise

• Thepurposeforthedatacapturingneedstobetransparent.I.e.evenwhenapersongoestoan

event,anorganisationorthird-partycanextrapolatewhattheirlineofworkis,whattheirincomeis,theirlivingstandardsetc


14

• Output/idea:Ifaperson’sdataisusedbyaresearchorganisationtheyshouldknowwhatthis

organisationisdoingwithit.Thereneedstobeaplace/platformthatpeoplecanaccesstoseewhathasbeenproducedexternallywiththeuseoftheirdata(differentfrompurpose)

• Datastoragemightbeoutsourcedbecauseit’sabigorganisation,sousersalsoneedinformation

abouttheoutsourcedcompany

• Morevisibleembodimentofthedatacapturedandthepurposeforcapturingit

4.DISCUSSION:ISACONSENTRECEIPTTHEFUTUREOFDATASHARING?

Thissectionpresentsanddiscussesthefinalprototypeoftheconsentreceiptasformedafterallofthedata-collectionPhases.Amock-upofitisshownbelow.WereiteratethatthisprojectreferredtoDigitalCatapult,however,itexploredhowtheconsentreceiptwouldaffectconsumersinothercircumstancesandcontextsaswell.Therefore,thelistpresentedbelowmightbebroadeneddependingonthedatacollectionthateachorganisationmakes.

Figure8:Thisisthefinalconsentnotificationasitwasstructuredandrefinedafterallthedatacollectionandprototypingphases.

The‘content’sectionreferstothe‘what’(whichkindofdataanorganisationcollects).Eachindividualcanhaveadetailedlistofallofthedatathatanorganisationkeepsaboutthemandrequirestheirconsent.Atransparentorganisationmighteventuallyalsolistallofthepersonaldatacollected,notnecessarilyrequiringexplicitconsent(thusmakingthereceiptnotonlyaconsentreceiptbuta‘PersonalDataReceipt’8).

The‘storage’sectionreferstothe‘where’andpotentiallythe‘when’aswellasthe‘howlong’thedataisstored.Iftheorganisation,forexample,deletesthedataafteroneyearthisshouldbementionedas‘keptfor8https://www.digitalcatapultcentre.org.uk/project/pd-receipt/


15

oneyear’.Itwouldalsobehelpfultomentionwhenexactlythedataisusedincaseanotherorganisationmakesuseofitonaspecificoccasion,e.g.‘usegeolocationdataonlyfrom8-11am’.

Next,the‘purpose’sectionanswersthe‘why’anorganisationasksforaperson’sdata:Whatisthemainpurposebehindtheirdatacollection?Inourcaseitcouldvarybetweenmarketingordevelopmentalpurposesorsimplytocapturehowvisitorsareengagingwiththeorganisationandtokeepstatistics/metrics.Lastbutnotleast,thereisasectionthatwillbemostlydiversifieddependingoneachorganisation’sdatasharingpolicywiththirdparties.

The‘sharing’sectionrefers,therefore,towhethertheorganisationsharesitscustomers’datawithothersandifso,whoshouldbestatedinalisttoprovidetransparency.

Atthispoint,thereneedstobeareminderofamorecomprehensiveandevenmoreinformativeversionoftheconsentreceiptthatwouldincludeaclickablebuttonofeachsectionthatwouldlinktoawebpagewithdetailedexplanationofeachsection.Forexample,the‘sharing’sectionwouldleadtoalistofsharingpartiesandwhyaperson’sdataissharedwitheachone.

Attheendofthereceipt,wecanseetheemailoftheresponsibleperson/teamintheorganisation,whereausershouldaddressanyconcernsorcomplaints.ThereisalsoatimestamptoindicatewhenthereceiptwasissuedandauniqueIDnumbersothattheorganisationcanuseittoenquireaboutanyissuesthatarise.

Althoughaconsentreceiptcouldhavemanyadvantagesforboththeuserandtheorganisation,themainbenefitisperhapssocietal,bytriggeringachangeinthewayweconductdatatransactions.Therearealsosomelimitationsandchallengesthatshouldbetakenintoaccount,whichwelearnedbyconductingapreliminaryPrivacyImpactAssessmentfortheimplementationofaconsentreceiptintooursystems.

Firstofall,beforeimplementation,thereshouldbesetstandardisedformsofthereceipt,whichwouldbefollowedbyallorganisationsthatwanttoadaptthisnewtool.Secondly,theorganisationthatwillimplementtheconsentreceiptfirstshouldbeveryconsiderateaboutprivacypolicies,takemeasuresagainstthepotentialriskofconsentreceipts’hackingandmakesuretheyhavethebusinessprocessesinplacethatensurethedeletionofdatawouldactuallyoccur.

Thirdly,thereisachancethatsomeorganisationswouldn’twanttoimplementconsentreceiptsbecausetheyrevealtoomuchtotheircustomerswithone‘quickread’,butthisisouractualaim:toprovidesomethingthatwouldeventuallymakedatasharingfullytransparentandthatcouldbemoderatedandadoptedtoawiderextentsothatallorganisationswouldcomplywithit.Afterall,transparencyisrequiredbytheimpendingGeneralDataProtectionRegulation9.

9http://www.twobirds.com/~/media/pdfs/gdpr-pdfs/31--guide-to-the-gdpr--information-notices.pdf?la=en


16

Figure9:Thisistheequivalentemailthatwouldbesentouttopeople(afteroptingintoreceivesuchanemail)sothattheycouldhaveanactualproofoftheirconsent.


17

5.ConclusionFollowingauser-centredapproachweexploredhowpeoplecouldgainmoretransparencyandbemoreawareaboutthepersonaldatatheyshare.Toconclude,theprojectwasbuiltonfourdifferentPhases:TheaimofPhase1wastounderstandourdifferentvisitorsandhowwecollectpersonaldata;Phase2tofocusonthevisitorsfromwhichwecollectpersonaldatafromDigitalCatapulton-siteconciergesystem(Envoy)andinterviewthemtounderstandtheirconcernwithsharingpersonaldata(ifany)andifareceipt(asaconcept)increasestrust;Phase3toevaluateafirstrealprototypereceiptandtounderstandifitisclearforvisitors,ifitreallyincreasestrustandtransparencyandfinallytogainfeedbackonthedesign;andlastlytheobjectiveofPhase4wasforpeopletodesignthereceiptandseehowdifferentitisfromwhatwedesigned.

Asanoutcomeofthisprojectanewconcepthasbeenprototypedusingqualitativedatacollectionmethodsandaniterativeprocessofuserexperiencedesign.Thisworkcontributedtothedesignofameaningfulconsentreceipt-inassessingitsvalueincreatingtransparencyandtrustindifferentcontextsandinunderstandingpersonaldatasharingpatternsbytriggeringconsentreceiptsfromdifferentorganisations,andfinallyininformingfutureresearch.

Asaresult,theoutcomeofthisprojectiscurrentlybeingusedanddevelopedfurtherandtheconceptofthePersonalDataReceipt(providingtransparencytoindividualsonalltheirpersonaldatacollectedbyanorganisation)isbeingtrialledwithrealusersatDigitalCatapultCentrewiththehopethatadoptionofsuchtransparencypracticescouldbeafirstfoundationofthefutureofpersonaldatasharing.Evolutionofthisinterventionwillrequiretheneedforsomeonetotaketheleadonbuildingastandardthatcouldbeappliedtomanyorganisations,educatebothinstitutionsandconsumersandestablishcollaborationssothatitbecomesaprerequisiteinpersonaldatatransactions.DigitalCatapult’saimistochampionsuchactivities.

6.References[1]Lizar,M.(2016).ConsentReceiptSpecification.Availableat

https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification

[2]Brennan,J.andWunderlich,J.(2016).Consent&InformationSharingWorkGroup(CISWG).Availableathttps://kantarainitiative.org/confluence/display/infosharing/Home

[3]DigitalCatapult(2016).TrustInPersonalData:AUKReview.FollowingandAssessingtheUK’sJourneytoBecomingaData-DrivenNation.Availableat:http://www.digitalcatapultcentre.org.uk/wp-content/uploads/2015/07/Trust-in-Personal-Data-A-UK-Review.pdf

[4]InternetTechnicalAdvisoryCommittee(ITAC)(2010).Fosteringinnovationinprivacyprotection.ITACspeakingnotesfortheOECDprivacyconferenceinIsrael25-26October2010.Availableathttps://www.oecd.org/sti/ieconomy/46952687.pdf

Date post:	10-Jul-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Researching the transparency of personal data sharing FINAL · Michele Nati (Lead Technologist...

Documents