Difference between revisions of "Data Controller Options"
(→User Object Identifier created first) |
(→User Autentication) |
||
| Line 25: | Line 25: | ||
===User Autentication=== | ===User Autentication=== | ||
| + | * User [[Authentication]] is designed to show that the user is in control of a method, or factor, that can be used repeatedly to re-establish connection of the user to the user object controller. | ||
==References== | ==References== | ||
Revision as of 12:09, 14 February 2021
Contents
Full Title or Meme
A description of a few of the ways that a Data Controller might give the required level of control to the user of their information.
Context
- The GDPR started an effort by legal jurisdictions authority to limit the misuse of User Private Information that is spreading around the world.
- The User Object that contains all of the attributes, behaviors and transactions that the Data Controller persists about the user is accessible to the user in its entirely with a few exceptions that are specifically called out in laws or regulations. For the purposes of this wiki, the subject identifier of the user object references the real-word user.
Obligations
Most of these are direct legal obligations but some are derived from best practices to enforce both legal and ethical obligations.
- The user is given increasingly control of their digitally-stored information as a reaction to the misuse of that information to track and annoy that user.
- The user is given notification about the User Object stored by the Data Controller as well as events that impact that information like data breaches.
- While data breaches have been the most significant source of threats against user privacy, the incidents of phishing of user credentials has been significant since at least 2018 and attempts to access user information by previously unknown devices will also generate user notices.
Use Cases
As there are many reasons for a web site to collect User Information so too there are many different design patterns that apply to the way those sites collect it. A few of those patterns are described here as User Experiences which are called user journeys or use cases.
User Object Identifier created first
This use case covers the case where the life of the user object maintained on the site is likely to be of extended duration, say more than a decade or two. Examples are school or medical records where the lifetime of the data is at least as long as the user that owns that identity described in the User Object.
- Site describes to the user what they are and what they do with any User Information that the collect.
- Notification channels and options are established to the user. This could be implicitly covered with the selection of the user subject identifier.
- User is asked to select a user name, which could be an existing email or phone number, if the user understands the limitations of that choice.
User Identity
The totality of the user identity lives in the real world. This section applies to the attributes from the user identity that are requested for inclusion in the User Object.
User Autentication
- User Authentication is designed to show that the user is in control of a method, or factor, that can be used repeatedly to re-establish connection of the user to the user object controller.
References
Other Materiel
- The wiki on Data Controller gives a broader view of the field.
