Difference between revisions of "Financial User Consent"

From MgmtWiki
Jump to: navigation, search
(Consent Taxonomy)
(Consent Taxonomy)
Line 26: Line 26:
  
 
===Consent Taxonomy===
 
===Consent Taxonomy===
* For the semi-static information the user must be shown a list of categories of [[User Private Information]] one the wiki page [[User Consent#Consent Taxonomy]]] start with a [https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims list] of [[OpenID Connect]] [[Scope]]s and move on from there.
+
* For the semi-static information the user must be shown a list of categories of [[User Private Information]] one the wiki page [[User Consent#Consent Taxonomy]]] start with a [https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims list] of [[OpenID Connect]] [[Scope]]s and move on from there. This is typically user [[Attribute]]s.
* For the transactional information the user must know what value is being transfer, both in terms of the money (or other value tokens) sent in one direction and the goods or services sent in exchange for that money.
+
* For the transactional information the user must know what value is being transfer, both in terms of the money (or other value tokens) sent in one direction and the goods or services sent in exchange for that money. This is typically user [[Behavior]], which can still be very personal especially if the goods or services are related to health care issues.
  
 
==References==
 
==References==

Revision as of 10:10, 15 April 2019

Full Title or Meme

Financial User Consent extends the User Consent use case with significant exchange of value, typically payment data.

Context

Problem

User consent is discussed in the GDPR for transfers of User Information between two Data Controllers on the internet. It is not clear if the GDPR or other regulations apply to a site that collects user data for its own purposes and does not further process or share that User Information. Nor is any temporal relationship between User Consent acts described. So it is not clear if a new User Consent arrives, what action should be taken vis a vis any prior consents. If older consents are not invalidated, it is unclear how to evaluate conflict between the different consents.

Solution

In this wiki it is assumed that there can exist only one active User Consent among three parties on the internet, the Subject (aka User) the Identifier or Attribute Provider and the Relying Party. It is unclear if User Consent has any specific meaning between the Subject and the Identifier or Attribute Provider; that is left for further developments. In other words, if the user updates consent - all prior consents are unavailable for new actions.

Consent Page

In order for the user to grant consent, a consent page must be provided by the Identifier or Attribute Provider.

  • A consent page normally renders the display name of the current user, the display name of the Relying Party (aka client) requesting access, the logo of the client, a link for more information about the client, and the list of resources the client is requesting access to. It’s also common to allow the user to indicate that their consent should be “remembered” so they are not prompted again in the future for the same client.
  • Once the user has provided consent, the consent page must inform Identifier or Attribute Provider of the consent, and then the browser must be redirected back to allow the user to continue where they left off.
  • The user's choice may be stored for later use by the same Web Site if the user opts into that option. If the user does not opt in, the choice as to scopes, date and destination MUST not be saved.

Back at the Relying Party

The User Consent provided might not align exactly with what the RP requested. In that case the RP may accept the consent granted, or it may need to go back to the user for additional Attributes or some Validation of the Attributes. It is important at this point to know if the session with the IAP is still valid, or if a new session would be initiated. The User Experience should be maximized whichever path is chosen.

Consent Taxonomy

  • For the semi-static information the user must be shown a list of categories of User Private Information one the wiki page User Consent#Consent Taxonomy] start with a list of OpenID Connect Scopes and move on from there. This is typically user Attributes.
  • For the transactional information the user must know what value is being transfer, both in terms of the money (or other value tokens) sent in one direction and the goods or services sent in exchange for that money. This is typically user Behavior, which can still be very personal especially if the goods or services are related to health care issues.

References

Other Sources