Difference between revisions of "Data Controller"
From MgmtWiki
(→References) |
(→Problems) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
==Context== | ==Context== | ||
− | *The [[GDPR]] uses the term term liberally but never defines it. | + | * The [[GDPR]] uses the term term liberally but never defines it. |
− | *Several "Member States" of the EU have defined the [[GDPR]] terms, for example Ireland.<ref>Irish Data Protection Commission, ''Are you a "data controller"?'' https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm</ref> | + | * Several "Member States" of the EU have defined the [[GDPR]] terms, for example Ireland.<ref>Irish Data Protection Commission, ''Are you a "data controller"?'' https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm</ref> |
+ | * In the three party model the [[Verifier]] or [[Relying Party]] will like be either the [[Data Controller]] and/or the [[Data Processor]]. | ||
==Problems== | ==Problems== | ||
− | *The term [[Data Controller]], is not helpful in understanding the practical consequences of the legislation putting the onus on the data controller to | + | *The term [[Data Controller]], is not helpful in understanding the practical consequences of the legislation putting the onus on the data controller to determine which legal jurisdiction applies and what obligations apply to them. |
− | * Even where the user has legal control of their own data, legal | + | * Even where the user has legal control of their own data, legal limitation are often imposed on the retention of that data by an entity that uses that a data in actions that are controlled by laws. Examples of this sort of entity are financial transactions and healthcare. |
− | * The above two examples of exclusions from data protection regulations are part of the 40 exclusions included in the GDPR. One result is the user privacy is primarily a legal exercise that requires high-priced legal | + | * The above two examples of exclusions from data protection regulations are part of the 40 exclusions included in the GDPR. One result is the user privacy is primarily a legal exercise that requires high-priced legal opinions to help the [[Data Controller]] determine its obligations to the user and to the state. |
+ | * Much of the activity about improving [[Privacy]] for [[User Private Information]] has focus strictly on the data handling. For example a new effort start in the IEEE Standards Association in 2024 on [https://ieee-sa.imeetcentral.com/cybersecurityfornextgen/doc/WzIsODI0OTI1Mzld/w-CyberSecurityForNextGenerationConnectivitySystems Cyber Security For Next Generation Connectivity Systems]. This has done little to improve users privacy before that and there is low expectation that a data oriented procedure will do much better in the future. | ||
==Solutions== | ==Solutions== |
Latest revision as of 16:27, 30 August 2024
Full Title or Meme
Some digital Entity on the internet that holds and processes User Information.
Context
- The GDPR uses the term term liberally but never defines it.
- Several "Member States" of the EU have defined the GDPR terms, for example Ireland.[1]
- In the three party model the Verifier or Relying Party will like be either the Data Controller and/or the Data Processor.
Problems
- The term Data Controller, is not helpful in understanding the practical consequences of the legislation putting the onus on the data controller to determine which legal jurisdiction applies and what obligations apply to them.
- Even where the user has legal control of their own data, legal limitation are often imposed on the retention of that data by an entity that uses that a data in actions that are controlled by laws. Examples of this sort of entity are financial transactions and healthcare.
- The above two examples of exclusions from data protection regulations are part of the 40 exclusions included in the GDPR. One result is the user privacy is primarily a legal exercise that requires high-priced legal opinions to help the Data Controller determine its obligations to the user and to the state.
- Much of the activity about improving Privacy for User Private Information has focus strictly on the data handling. For example a new effort start in the IEEE Standards Association in 2024 on Cyber Security For Next Generation Connectivity Systems. This has done little to improve users privacy before that and there is low expectation that a data oriented procedure will do much better in the future.
Solutions
In this wiki we will use two terms that together seem to meet most definitions of Data Controller and provide more context to discuss the practical solutions.
- A Identifier or Attribute Provider is the source of User Information in any covered transaction on the internet.
- A Relying Party is the sink of User Information in any covered transaction on the internet.
Besides the two entities above a User Object containing User Information may exist at other locations, sometimes under the control of one of the above, sometimes not. See the diagram on the User Object Page for an example were the User Object may even be in an Authentication Cookie residing on the User Device.
References
- ↑ Irish Data Protection Commission, Are you a "data controller"? https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm
Other Materiel
- The wiki on Data Controller Options attempts to define a few of the ways that a Data Controller might give the required level of control.