Consent

PRINCIPLE: Consent and Purpose Specification

DEFINITION AND DESCRIPTION:

Consent: The capability, including support for Sensitive Information, Informed Consent, Change of Use Consent, and Consequences of Consent Denial, provided to data subjects to allow the collection and/or specific uses of some or all of their personal data either through an affirmative process (opt-in) or implied (not choosing to opt-out when this option is provided). (ISTPA, p.35)

Frameworks Where the Principle Appears

Authorization: The act of approving or giving consent.

The official management decision to authorize operation of an information system and explicitly accept the risk to operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed-upon set of security controls. (NSTIC Appendix A)

Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction. (ICAM; Section 3.3, 2.a.)

FROM ISTPA:

• APEC Privacy Framework under “Choice” (Section V)
• OECD Guidelines under “Collection Limitation” (Paragraph 7, 52)
• EU Data Protection Directive under “Criteria for Making Data Processing Legitimate” (Section II)
• Safe Harbor Principles under “Choice”
• Health Insurance Portability and Accountability Act (HIPAA) under “Uses and disclosures requiring an opportunity for the individual to agree or to object” (§ 164.510)
• US FTC Fair Information Practices under “Choice/Consent” (Section 2)
• Japan Personal Information Protection Act under “Prior consent” (Section 16)
• Australian National Privacy Principles under “Collection” (Sub clause 1.3)
• The Privacy Act of 1974 (US) under “Conditions of disclosure” (Subsection b)

CONTROLS ASSOCIATED WITH THE PRINCIPLE

•	Consent requires notices (see notice principle) and purpose specification.

o	Purpose Specification appears in numerous frameworks:

	•	Purpose Specification: DHS should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used. (DHS 1)

	•	Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party; (EU; Section 39)

	•	CSA Model Code under “Consent”: An organization may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes. (Clause 4.3)

Consent for new purposes and uses: If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the individual is notified and implicit or explicit consent is obtained prior to such new use or purpose. (AICPA/CICA 3.2.2)

DISCLOSURE TO THIRD PARTIES: Protection of Personal Information. Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. (AICPA/CICA 7.2.2)

Consent as a control (ISTPA)

1.	Sensitive Information
	a.	While there is general agreement on the principle, there are potentially major differences. For example, the EU limits the collection and use of sensitive information by force of law, while others use potentially ambiguous language.
	b.	Data Subjects must be informed of, and explicitly consent to, the collection, use and disclosure of sensitive information (i.e. medical or health conditions, racial or ethnic origins, political views, religious or philosophical beliefs, trade union membership or information regarding sex life) unless a law or regulation specifically requires otherwise.

2.	Informed Consent
	a.	The Data Subject must provide informed consent to the collection of personal and sensitive information unless a law or regulation specifically requires otherwise.

3.	Change of Use Consent
	a.	Consent must be acquired from the Data Subject to use personal information for purposes other than those originally stated at time of collection.

4.	Consequences of Consent Denial
	a.	Data Subjects must be made aware of the consequences of denying consent.
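An added example, not from this page or from ISTPA, of how the four ISTPA consent controls above and the ICAM per-attribute Opt In requirement could be enforced in an identity provider's attribute-release path. The sensitive categories are the ones listed in control 1.b; the category labels, purposes and sample consent records are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class ConsentMode(Enum):
    OPT_IN = "opt-in"    # affirmative act by the data subject
    OPT_OUT = "opt-out"  # implied: subject did not decline when offered the choice

# Sensitive categories as enumerated in ISTPA control 1.b (labels are ours).
SENSITIVE_CATEGORIES = {"health", "ethnic_origin", "political_views",
                        "religious_beliefs", "trade_union", "sex_life"}

@dataclass(frozen=True)
class ConsentRecord:
    attribute: str        # attribute the subject was shown (ICAM: one decision per attribute)
    category: str         # classification used for the sensitivity check
    purposes: frozenset   # purposes stated at the time of collection
    mode: ConsentMode
    informed: bool        # subject was told the use and the consequences of denial

class ConsentDenied(Exception):
    pass

def check_release(records, attribute, purpose):
    """Return the ConsentRecord that authorises releasing `attribute` for `purpose`,
    or raise ConsentDenied with a reason tied to one of the controls above."""
    record = records.get(attribute)
    if record is None:  # ICAM: no positive confirmation for this attribute
        raise ConsentDenied(f"{attribute}: no consent on file")
    if not record.informed:  # ISTPA controls 2 and 4: consent must be informed
        raise ConsentDenied(f"{attribute}: consent was not informed")
    if record.category in SENSITIVE_CATEGORIES and record.mode is not ConsentMode.OPT_IN:
        # ISTPA control 1.b: implied (opt-out) consent is not enough for sensitive data
        raise ConsentDenied(f"{attribute}: sensitive data requires explicit opt-in")
    if purpose not in record.purposes:  # ISTPA control 3 / AICPA 3.2.2: change of use
        raise ConsentDenied(f"{attribute}: purpose '{purpose}' not consented; re-consent required")
    return record

def decision(records, attribute, purpose):
    """Non-raising wrapper returning (allowed, reason) for audit logging."""
    try:
        check_release(records, attribute, purpose)
        return True, "allowed"
    except ConsentDenied as exc:
        return False, str(exc)

# Constructed sample records: email consented by opt-out for account recovery only;
# health data consented only by opt-out, which the sensitive-data rule rejects.
SAMPLE_RECORDS = {
    "email": ConsentRecord("email", "contact", frozenset({"account_recovery"}), ConsentMode.OPT_OUT, True),
    "health": ConsentRecord("health", "health", frozenset({"benefits_eligibility"}), ConsentMode.OPT_OUT, True),
}
```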

INTERACTIONS WITH OTHER PRINCIPLES

Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information. (AICPA/CICA, 2011)

Choice/Consent is the second of five Fair Information Practices published by the FTC to guide the collection, use and disclosure of personal information. The FTC states, “At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”

APPLIES TO INTERNAL OPERATION OR EXTERNAL PARTICIPANTS: Both

Additional References Used (some taken from the OIX-Fair Information Practice Principles (FIPP) Comparison Tool)

(AICPA/CICA) Summary of the HIPAA Privacy Rule [Internet] http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

EU European Union Data Protection Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm

DHS 1 U.S. Department of Homeland Security, Privacy Policy Guidance Memorandum (2008) (Memo. 2008-1) http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf

FTC U.S. Federal Trade Commission http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

ICAM U.S. Identity Credential and Access Management Trust Framework Provider Adoption Process (TFPAP) For Levels of Assurance 1, 2, and Non-PKI 3, Version 1.0.1, Release Candidate September 4, 2009 http://www.idmanagement.gov/documents/TrustFrameworkProviderAdoptionProcess.pdf

Additional Notes – Info RFC “draft-morris-policy-cons-00.txt” [Internet] http://tools.ietf.org/html/draft-morris-policy-cons-00 [Accessed March 30, 2011]

4.5. User Consent

A familiar public policy concern over user consent focuses on the use of personal data (as discussed more fully below under "Privacy"). The usage here, however, has a broader meaning: the consent (or lack of consent) of a user regarding an action or function executed by or within the network.

Many actions performed using IETF protocols require the specific initiation by a user, and the user's consent can fairly be assumed. Thus, if a user transmits a request using SIP, the Session Initiation Protocol, it is safe to assume that the user consents to the normal handling and execution of the SIP request.

Other actions performed using IETF protocols are not initiated by a user, but are so inherently a part of normal network operations that consent can be assumed. For example, if in the middle of the network certain packets are slowed by congestion, it is safe to assume sufficient consent for congestion control mechanisms and rerouting of the packets.

Uncertainty about consent arises, however, in areas where IETF protocols can be viewed as deviating from some conception of "normal." A simple example relates to the evolution of caching, where as caching of various types of data became the norm, there emerged a need to be able to set flags to prevent caching, which in a sense can be thought of as a form of negative consent. Middle boxes and other functions that deviate from the historic "norm" -- the end-to-end principle -- also can raise issues of consent.