From IdCommons

Draft v.001

This is a brief introduction to the Master Data Controller Access Framework (MCAF), which is intended to develop trust and transparency in the use of digital identity management. Drafted for presentation at IIW London on Oct 11, 2010.

The MCAF is the core work item in the Identity Trust WG [1] at Identity Commons.

Simply put, the MCAF is a rights-based framework for developing digital identity architecture. It is intended to bridge the gaps between the use of access rights and Notice infrastructure by the individual (a.k.a. the Data Subject) in order to develop trusted digital services and infrastructure.

The problem:

There are no tools to provide transparency over information sharing activities.

Today there is a lack of notice and transparency around the use of volunteered personal information, limiting identity and trust in society. This issue, which makes people more vulnerable, is becoming bigger every day. As there is an onus on the individual to protect their own data and take responsibility for themselves, there is also a need for the tools and infrastructure to do this with.

The MCAF intends to provide a methodology to address the transparency gap between consent and current legal notice policies. (See the MCAF CCTV Use Case for an example: TBD. And a Case Study for Subject Access Requests.)

Terms Definition

The Master Data Controller Access Framework

Master: Refers to what is commonly known as the data subject.

Data: Refers to the data that the Master Controller can control. However, since Master is explicit in the use of the MCAF, as far as rights go, a master controller is responsible for their own actions. The term data doesn't need to be explicitly spelt out except in particular use. This is why the acronym is MCAF, not MDCAF.

Controller: Refers to the fact that the Master data provider is the person that is responsible for controlling the data that they share.

Access: Refers to the physical ability for the individual to gain information regarding the circumstances, process, contracts, technical ramifications, and so on of the information that a person holds.

Framework: Refers to the methods and infrastructure the master controller uses to access the information regarding how their personal information is going to be used, managed, and controlled. As an individual in society is responsible for their own actions, responsible for their own security, and responsible to defend their own rights, it is critical that an individual has reasonable access to information regarding the circumstances, technology, and process that surround the use of their personal information, and in fact the information they share.


Master Controller distinctly refers to a hierarchical concept of responsibility, control and personal ownership in information rights, and more importantly, the natural rights an individual inherently has to control how they communicate.

Currently in law, the explicit requirement for institutions to provide notice to the Master Controller of information is unclear, not standardized and consists of ad-hoc standards. A great deal of existing regulation like the Data Protection Act (DPA) only covers the right for an individual to access information about themselves held by the organization. This does not, however, include the technically physical requirements of notice beyond just basic information of purpose, contact details, and who the information is shared with.

In fact, there are many little details that are not covered by data protection regulation, privacy laws and so on, which directly affect the security and responsibility of the Master Controller regarding the environment, context, and process of the existing (rights-based) data gathering tools (e.g. Freedom Of Information Requests, Subject Access Requests).

The lack of rights-based and user-controlled infrastructure and tools for the individual in society is a critical security issue, one that is having a chilling effect on communication, commerce and, most importantly, trust in society.


Develop methodology to objectively scale access, consent, control (consent-driven control), security, and choice, for the use of digital identity in information sharing practices across jurisdictions.

Apply methodology to peer-to-peer access management of a resource.

Historical Materials