From IdCommons

This is a brief introduction to the Master Data Controller Access Framework or (MCAF).

Simply put, the MCAF is a rights based framework for developing digital identity architecture.

Today there is a lack of notice and transparency that is becoming a bigger issue every day. As there is an onus on the individual to protect their own data, take responsibility for themselves, there is also a need for the tools to do this with.

Using data protection and technical language this framework adds the word Master to the term Data Controller as a way to bridge technical and legal language gaps. -(See MCAF CCTV Use Case for details) rveillance, regulation, and compliance designed to illustrate hot to evolve the use of rights and privacy until they are suitably operational.

Terms Definition

The Master Controller Access Framework

Master: Refers to what is commonly know as the data subject,

Controller: refers to the fact that the Master data provider is in fact the person that is responsible for controlling the data that they share

Access: Refers to the physical ability for the individual to gain information regarding the circumstances, process, contracts, technical ramifications, and so on of the information that a person holds.

Framework: Refers to the methods and infrastructure the master controller uses to access the information regarding how their personal information is going to be used, managed, controlled. As an individual in society is responsible for their own actions, responsible for their own security, and responsible to defend their own rights, it is critical that an individual has reasonable access to information regarding the circumstances, technology, and process that surround the use of their personal information, and in fact the information they share.


Master Controller, distinctly refers to a hierarchical concept of responsibility, control and personal ownership in information rights, and more importantly, the natural rights an individual inherently have to control how they communicate.

Currently in law, the explicit requirement for institutions to provide notice to the Master Controller of information is unclear, not standised and consists of ad-hoc standards. A great deal of existing regulation like the Data Protection Act (DPA) only covers the right for an individual to access information about themselves held by the organisation. Although this does not include technical physical requirements of notice beyond just basic information of purpose, contact details, and who the information is shared with.

In fact, there are many little details that are not covered by data protetion regulation, privacy laws and so on, which directly affect the security and responsibility of the Master Controller regarding the environment, context, and process of the existing (rights based) data gathering tools (e.g. Freedom Of Information Requests, Subject Access Requests)

The lack of rights based and user controlled infrastructure for the individual in society is becoming ever more apparent and critical as information sharing and technology advances.

Benefits Of This Effort

   * The MCAF provides an identity rights access framework for bridging gaps between security, privacy, the citizen and the community which obstruct current use of information rights.
   * The MCAF explicitly being a framework for 'individually driven rights based access' (IDRBA) to the infrastructure of data subject information
   * The MCAF is a perspective typically represented by processes like the Freedom Of Information Request to government, Subject Access Requests to companies, compulsory notices (mandatory policies)  that are comprised  of current industrial age 'data subject' information architecture. (like CCTV Signs,   Privacy Policies, Terms of Service Agreements, Acceptable Use Policies)
   * Functionally the MCAF contributes a  framework perspective to facilitate appropriate digital identity infrastructure that provides appropriate and reciprocal transparency to the Master Data Controller.
   * Operationally the MCAF is a rights based approach to designing people driven notice with use cases  that cover su
   * This framework, along with the infrastructure development it is meant to inspire, is needed as there frankly has been a lot of lip service to privacy compliance, subject access rights and little in the way of enforcement, access or real usability.  Clearly regulators alone will not solve all of the challenges faced today.  This Framework is designed to bridge these legal gaps.
   * What has in fact happened is principles, guidelines, and regulations for fair information practices are not adhered to in the collection and use of personal information.  Even when these are developed into law, the infrastructure for their use is almost non existent, limited to opt-in/out check boxes, and appeals to toothless privacy commissioners.
   * The most functionally critical of rights, is the right of access, and control of ones own personal information.  This right is the stalwart of autonomy, self-determination, and self motivation. An incredibly important right for community health and human development.
   * Ultimately this MCAF is a framework for evolving the existing rights infrastructure to provide user driven access to information.
   * As a use case Identity Trust CIC has picked CCTV as a long standing issue in privacy, rights and user access.  Representing online and off line issues.
   * This Use Case is also a very defined and practical use case that is a first step towards designing Master Control for individuals on the internet, dealing with Privacy Policies, and Terms Of Service.
   * This use case is intended to illustrate the need for greater transparency, notice, and user involvement for more advance and sensitive information sharing activities that are now emerging in main stream society


This framework is intended to develop the individuals infrastructure for engaging with institutions Developing individually driven access rights, making privacy visible, and providing a personal platform for control and commoditization of personal information.

Challenges: One of the major challenges to developing master controller access has been the issues of identity, both proving that you are the identity of the subject that requires access, but also safe guarding the rights of the individual when using rights. Up until recently this hasnt been solved. In 2010 new R&D in digital identity now makes this framework possible.