Developed by Ain Aaviksoo (Estonian Telecommunications Union), Benjamin Balder Bach (fmly Danish Tax & Revenue), Lal Chandran (MyData Global, iGrant.io), Philippe Page (MyData Global, Human Colossus Foundation). And advisors Dr. P. S. Ramkumar (ITU), Max Carlson (GovStack), Sasikumar Ganesan (MOSIP)

For a full changelog, please see this link.

The Consent Building Block enables services for individuals to approve the use of their Personal Data by defining the principles, functions, and architecture of an information system. For organisations that process Personal Data​,​ it provides the ability to know the ​individual's will and legitimately process such Personal Data. The Consent Building Block is a process-oriented GovStack Building Block facilitating auditable bilateral agreements within a multi-agent environment that integrates with most other Building Blocks.

This specification has used several available and recognised open standards below and legal frameworks (such as the GDPR) for laying the groundwork for its approach to consent.

• Kantara Initiative: Consent Specification

• : Online Privacy Notices and Consent

• : Privacy Framework

• : Health informatics — Principles and data requirements for consent in the Collection, Use or Disclosure of personal health information

• : Privacy technologies — Consent record information structure

What Consent Is

In the GovStack context, consent is understood as a voluntary declaration by an individual to approve the processing of their Personal Data. It is one specific justification for Personal Data processing that is assumed to be required by legal or ethical conditions. It assumes that the person can decide on processing their Personal Data, managed in and by other GovStack Building Blocks, and also that the person is free to withdraw their consent at any time.

Some examples of such consent are:

• allowing a healthcare provider to fetch socio-demographic data from a government-run population registry to provide adequate primary healthcare services.

• allowing a government official to fetch relevant data from other/multiple government-run registries to analyse the eligibility for a social benefit programme.

• allow a government official to send Personal Data to a bank for cash transfers on behalf of the government.

What Consent Is Not

The use of consent should be avoided in cases as below, which are not part of this specification:

• When a person is simply informed of the processing of the data by the organisation as part of the service provided under contract or by an authority.

• When consent does not have to be obtained in a situation where the entity does not identify or cannot identify people with reasonable effort.

Assumptions

Lays out the pre-conditions needed for anyone to use the Consent Building Block.

1. Data Disclosure Agreements between organisations are already in place. For example, a healthcare organisation has already got the required authorisation to use the citizen data registry.

2. To link a Consent Agreement with the specific Individual, Consent Building Block assumes the authentication and authorization to be handled in a trusted manner outside of it (see below).

3. Within the early scope of the Consent Building Block, the act of delegating is kept outside the scope of the Consent Building Block. It is assumed that the authorisation to act on behalf of someone else is already resolved.

Consent Agreement Lifecycle

The life cycle of a consent agreement starts and ends within the organisation responsible for the information system. The organisation knows the context in which the information system operates and the intended purpose of the service. The rules and regulations to be applied for a given level of assurance define the functional framework for consent management.

Consent Building Block deals with transparency on data usage in a given context. Thus privacy-by-design of the system's actors is often an excellent guiding principle for interpreting international, national, and organisational policies and governance principles to implement the functional consent framework. A tangible outcome from a Data Protection Impact Analysis (DPIA) is a structured approach that can deliver the input for the actual implementation of the Consent Building Block.

Individual consent is captured within the context of digital interaction. This interaction is composite of all the information systems involved, not solely the Consent Building Block. Thus, the legal and ethical boundaries of consent are defined in the entirety of the interaction. In particular, consent, as defined by ISO/TS 17975:2015(E), should be seen as a "set of agreements and constraints" that an informed and knowledgeable [individual] agrees to apply to their data processing. This definition, not based on the purpose of the data usage, can lead to a consent management framework also incorporating authorisations or unrelated constraints of the system. For example, in health information and healthcare service delivery, consent is also the process whereby a set of constraints is agreed upon so that information may be collected and used or disclosed. However, it is also the outcome of the process. As a rule of thumb, limiting unintended secondary usage of data is helpful to separate "consent" for a purpose from "consent" as an agreement to constraints and authorisation imposed by the system's functional requirements.

As a result, the organisation responsible for the information system is the driver of the definition of the functional consent management framework. It is also the function of the organisation to design the workflow for obtaining and processing the consent in a way that is purposeful, but not annoying for individuals or data processors with unnecessary bureaucratic overhead. From this framework, the Consent Building Block achieves its purpose by employing Consent Agreements that contain the following:

• A data policy that could be reused across multiple consent agreements (for example, based on the General Data Protection Regulation or any specific regulation)

• The purpose of consent, processed data attributes

• Signatures

A consent agreement life-cycle has four main phases, as illustrated in the figure below:

Definition: In this phase, the organisation (a Data Provider or a Data Consumer) adopts and defines a Data Policy that applies to the industry or sector-specific data usage as a template. While this phase is considered a “black box” to the Consent Building Block, it is an essential reference point for configuration and compatibility checks in all following phases.

Preparation: In this phase, the organisation (Data Provider or Data Consumer) that intends to process Personal Data configures the Consent Agreement and relevant rules for its use. An organisation could use Personal Data for third-party data sharing, as an example.

Capture: In this phase, the Individual can review the Consent Agreement and, once agreed upon, it is captured in a Consent Record by the organisation and stored for verification. This allows an auditor to check and ensure records are in place to process the individual's Personal Data. In the future, this phase could also encompass delegation and other individual use cases.

Proof: In this phase, an organisation (A Data Provider or a Data Consumer) can demonstrate that a valid record exists for performing data processing within itself or with other organisations. This allows for internal usage and for an auditor to verify and ensure records are in place to process the individual's Personal Data.

Actors

Consent Building Block enables interaction between three (3) distinct user categories, which in combination create the necessary trust framework for the integrity of Personal Data processing. The actors are defined via distinct human roles to be performed in various consent life-cycle phases:

1. Individual as the subject of Personal Data processing;

2. Administrator of the information system exchanging the Personal Data;

3. Data Processing Auditor maintaining independent oversight of the data processing.

Below is the graphical depiction of the actors and their interactions; a more detailed description of the Consent Building Block capabilities is provided in .

It is important to realize that while the actors are defined via human roles, the consent-related interactions between such roles can be executed in machine-to-machine workflows performing tasks in the interest of the respective actor.

Interactions with other Building Blocks

The overall relationship diagram is shown below.

The table below summarises the key relationships consumed during a consent transaction.

7.1 Resource Model

The resource model shows the relationship between data objects that are used by this Building Block. Data objects are ultimately modelled as OpenAPI schemas, however as the relational model isn’t easy to understand from OpenAPI specification, we start by presenting two high-level Resource Models.

7.1.1 Simplified Resource Model

When an individual gives consent, it is implied that the Organisation from one side and the Individual from the other side digitally sign a Consent Agreement and a respective Consent Record is created. The alternative scenario may be that signing takes place offline on a paper, but in this case, for the Consent Building Block to function properly, it is the responsibility of the Organisation to digitise (e.g. scan) the signed document and create digitally signed artefact to represent the Consent Record.

This Consent Record is a digital instance referencing the Agreement which is consented to or subsequently has consent withdrawn from.

7.1.2 Elaborated Resource Model

This model expands the relationships between resources.

Revisions are maintained for Consent Records + Agreements and Data Policies, together with cryptographic signatures. This means that all changes are captured for auditability.

For a configured Agreement, data elements requiring consent are individually specified as Agreement Data. Agreement Data is not directly relatable to processes and internals of an external system. This architectural choice gives the consent model flexibility and greatly simplifies the architecture and consent lifecycle, but it does not contradict any additional features, allowing for relations to external systems.

• Individual changes Consent Record.

• Individual withdraws/revokes Consent Agreement.

• Consent Record expires.

7.2 Data models

This specification is seen as a minimum requirement, all further implementations may add more structure but should not compromise the minimal integrity laid out. All property types are generic, and a concrete implementation may add further specificity to these models.

The OpenAPI definition file is maintained in YAML format, and OpenAPI schemas may be interactively explored in the next section.

7.3 Example data and mock application

As part of this specification, a set of fully structured example data are provided as a fixtures.json file. These fixtures are maintained and released together with the specification's mock application.

The mock application is an operational Docker Compose environment that satisfies all verification tests.

This section lists workflows that this Building Block must support. Other workflows may be implemented in addition to those listed.

9.1 About universal workflows

The Workflow Building Block triggers the need for consent as part of the general business flow. The assumption is that a consenting process never exists outside of a purposeful comprehensive business process. Hence, it is important to define and control the data processing activities as part of a holistic data service.

This section lays out key universal consent workflows that can be re-used within the various use cases (). This enforces the best practices for organisations to adhere to Personal Data processing standards in any given context and jurisdiction. In these sequences, we have removed the Digital Registries Building Block in the sequence for simplicity. It will store all persistent consent data.

9.2 Universal workflow: Recording consent at initial registration (pre-registration)

The first and somewhat unique use case is related to the need for consent when the Individual is not yet provisioned in the System processing the data. In such cases, the workflow requires the creation of a valid and trusted Foundational ID to be linked with the Consent Record. Below is shown how a pre-registration use of Consent's Workflow works.

9.2.1 Internal workflow

• At the very beginning, the registration process will know which Agreement IDs are eligible for registration and fetch the Agreement(s) and their related objects, such as AgreementPurpose, AgreementData, Controller and Policy.

Signing the draft ConsentRecord

When a draft is created, the Consent BB should issue a pair of object instances that are not saved in the database. They have the same schema as the real database objects, but the id field is left blank.

The Signature object would normally contain the content of a Revision object in its payload field. In this case, it will contain the content of a Revision object that was not stored in the database when it was generated, so it doesn't have an ID yet.

We use the two boolean flags Revision.signed_without_object_id and Signature.signed_without_object_reference to denote that the Revision and Signature objects were hashed and signed without any reference to a database row. However, these fields are filled in later! When Signature and Revision objects are validated by serializing and hashing the data that they claim to represent, we need to note these two flags so we don't generate the wrong hashes or compare serialized values wrongly.

Edge cases

• Agreement and Policy objects are revisioned and if the registration process wishes to initiate a different revision from the latest active revision, it should be equipped with the knowledge of the revision IDs.

• In cases where a valid ConsentRecord and Signature pair already exists in the system, those should be returned instead, and the client-side can understand from the timestamp of the object that it has been created at a previous occasion. This can be resolved by calling /service/individual/record/agreement/{agreementId}/

Sequence diagram

9.2.2 Building block interactions

9.3 Universal workflow: Recording consent after the registration (post-registration)

In more frequent situations, when the individual is already provisioned in the System (post-registration), the consent workflow uses the existing ID tokens, and only the ConsentRecord is to be created.

9.3.1 Internal workflow

• As with the , the Application needs to know IDs of Agreement objects that are eligible for the consent beforehand. It may optionally use a Revision ID for an Agreement to specify a specific version of the Agreement. Essentially, the application developer should embed these IDs in the process as predefined data.

• In this workflow, the Application has authenticated the individual (user), and if the user consents to the presented Agreement, the ConsentRecord will be stored with a relation to an Individual

Edge cases

• The Application may want to check if consent has already been obtained! This can be done at several stages, if there is a need to guard against parallel processes.

• A ConsentRecord may be created at first, but if the signing process fails and no Signature object is created, the Application should perform due diligence and delete the ConsentRecord.

Sequence diagram

9.3.2 Building block interactions

9.4: Universal workflow: Consent Verification

In this universal workflow, we check if a valid ConsentRecord exists or not for a given data processing event within a business process. This may be the immediate continuation of a consenting workflow by the same System that acquired the ConsentRecord or it may be used by a separate business process by a different Application or at a different moment in time. The same verification workflow may be also used for auditing purposes.

9.4.1 Internal workflow

• In order to query for the existence of a ConsentRecord, the Application needs to know about an Individual and an Agreement.

• The Individual can be resolved through a query using the RegistryReference schema as a parameter. The Consent BB will then return matching Individual

Sequence diagram

TODO

9.4.2: Building block interactions

The Consent Building Block enables organisations to enforce Data Policies that require signed consent by Individuals for the use of their Personal Data. Its key purpose is to allow individuals to view Consent Agreements and sign or withdraw their consent on what Personal Data is used and accessible to organisations. It also clarifies the Data Policy applied, such as the purpose, retention period, jurisdiction, third-party data sharing, etc.

The Consent Building Block implements the key functionalities described in the consent management lifecycle. It includes the ability to configure consent agreements by an organisation admin, present consent requests towards individuals, capture consents, enable queries if consent exists, or not, and enable independent audit of consents.

The functionalities are derived from the consent agreement lifecycle and categorised according to the Actors described above. While the consenting workflows (as described above) are implicitly considered the centrepiece of the Consent Building Block, it is important to realise that the integrity of consent management can only be achieved if robust configuration before and auditing after the Consent Agreement signing and Consent Record verification activities are in place. Hence, the functionalities are described following the logical sequence of the consent agreement lifecycle and they are all equally important components of the Consent Building Block.

The Consent process (creating and signing Consent Agreements and Consent Records) is initially managed in the application provided by the Organisation that is legally required to collect the consent. Since it can be either a Data Consuming organisation or a Data Providing organisation, the Consent Building Block allows both to be able to verify their conformance with the underlying Data Policy, both organisations must be able to access and use the application.

While the Actors generally fall in line with the categories of the functionalities, it is important to realise that “auditing” functions in the narrow sense, verifying if data processing is being (or has been) processed according to the Data Policy requiring a consent, is relevant to various entities involved in the data processing. For this reason, the generic “verification” activity may be executed as part of various workflows satisfying the needs of different actors.

Following is the first core set of key functionalities of the Consent Building Block. For potential future developments of the specification follow the work in progress at .

4.1 Administrator User Functionalities

The Administrator (Data Provider or Data Consumer Admin) configures the Consent Building Block on behalf of the organisation. For simplicity, it is foreseen that one organisation involved in the data processing transaction (that is either Data Provider or Data Consumer) takes the responsibility for the configuration of the Data Policy and respective Consent Agreements(s), and so that the organisation’s Administrator maintains the required configurations.

The main Administrator actions expected to perform via Consent Building Block are:

• configuring Data Policies, requesting and signing Consent Agreements with Individuals;

• viewing (reading, exporting) the Consent Agreements and relevant reports;

• event-driven (opt-in or opt-out) subscription to (notifications of) changes in Consent Agreements;

The table below summarises the key use cases identified for an organisation's Administrator. Organisations can be Data Consumers or Data Providers, i.e. the organisations legally delegated the responsibility for collecting consent for the systems handling Personal Data processing.

4.2 Individual User Functionalities

The capabilities for individuals that Consent Building Block supports are:

• viewing and understanding Data Policies applying to their Personal Data processing;

• agreeing and disagreeing with and toggling between the conditions of Personal Data use as described in the Consent Agreement;

• obtaining copies of their Consent Agreement(s);

The scope for the current version of Consent Building Block assumes that the Individual is acting for themselves. Ultimately the Consent Building Block will include in the Consenting Process the capacity to sign a Consent Agreement in the name of another individual - to act as the Delegate, which is used as the criterion for technical implementation. However, the Delegate and the Individual relationship is expected to be maintained outside of the Consent Manager, which assumes that the person signing the Consent Agreement (i.e. Consenter) has been authorised to do so.

The table below summarises the key use cases identified for the Individuals.

4.3 Data Processing Auditor User Functionalities

Important note: In the Consent Building Block, we define the Data Processing Auditor's role (see 1.3 Terminology and 1.5.3 Actor definition) as an organisation's auditor implementing the Consent Building Block. The auditor role will most probably be akin to a Data Protection Officer (DPO), possibly from an external third-party organisation and involve activities outside of the Consent Building Block.

To avoid ambiguity, we use the precise term Data Processing Auditor to stress the specificity of tasks to be performed by and for the Consent Building Block; all other actions not within the Consent Building Block's scope are considered as an external prerequisite and as a “black box” activity. With respect to audit, this role is distinguished from the data policy auditor. The Data Processing Auditor relies on an audit universe defined by the control and risk management of the specific project and context (i.e. outside the Consent Building Block). “Who needs to consent to what” is the outcome of a DPIA (Data Protection Impact Analysis), ensuring that the data policies are compliant with the relevant data protection regulations for the project.

The main actions a Data Processing Auditor (or Data Protection Officer, DPO) is expected to perform via Consent Building Block are:

• auditing tracking the consents (opt-in/opt-out);

• auditing tracking Data Policy changes and configuration conformance with it;

• viewing (reading, exporting) the Consent Agreements and relevant reports in a verifiable form.

For the implementation of a specific use case, it is important to distinguish the Data Processing Auditor, an actor described here, from a data policy auditor, an actor of the risk organisation. It is expected that the two roles are coordinated in the risk management process. Within the Consent Building Block, the Data Processing Auditor performs the tasks that will allow a data policy auditor to confirm that the implemented system complies with existing regulations demanding consent.The table below summarises the key use cases identified for the Data Processing Auditor.

Also to consider: “READ CONSENT STATUS” use-case is also used by any workflow (and Actor) that requires verification of the consent status (for example, before executing the data transfer from Data Providing System to the Data Consuming System).

Scenarios: Consent and Data Access

As described above under , there may be an unlimited number of business processes that require consent. The following scenarios are but a few examples illuminating how appropriate access to data can and should be handled when processing or consuming data with the support of Consent Building Block functionalities.

10.1 Key Decision Log

.

The functional requirements section lists the technical capabilities that this Building Block should have. These requirements should be sufficient to deliver all functionality that is listed in the Key Digital Functionalities section. These functional requirements do not define specific APIs, they provide a list of information about functionality that must be implemented within the Building Block. These requirements should be defined by subject-matter experts and don’t have to be highly technical in this section.

6.1 Administrator User Functionalities

Agreement Configuration Requirements.

• It shall be possible to create a consent agreement, either based on an existing or new data policy template. Each consent agreement shall be under version control (REQUIRED)

• It shall be possible to view an existing consent agreement (REQUIRED)

• It shall be possible to update an existing consent agreement (REQUIRED)

• It shall be possible to terminate an existing consent agreement (REQUIRED)

• It shall be possible to capture and sign all changes to Consent Agreements, Consent Policies and Consent Records in tamper-proof Revisions (REQUIRED)

• It shall be possible to subscribe to enable or disable a change notification towards users (REQUIRED)

• It shall be possible to trigger a change notification when there are changes done to an existing consent agreement (RECOMMENDED)

• The Building Block shall log all administrative functions (REQUIRED)

6.2 Individual User Functionalities

• It shall be possible to view the associated consent agreement if it exists (REQUIRED)

• It shall be possible to agree or opt-in or sign a consent agreement (REQUIRED)

• It shall be possible to opt-out of a previously signed or agreed consent agreement (REQUIRED)

6.3 Data Processing Auditor User Functionalities

• All consent logs shall be tamperproof, Audit logging (REQUIRED)

• It shall be possible to view and verify a shared consent agreement (REQUIRED)

• It shall be possible to view and verify a shared consent agreement (REQUIRED)

Design and Components of Consent Building Block

Within the scope of Consent Building Block version 1.0, the required components are as given.

Consent Agreement Configuration Handler: handles the creation, updation & deletion of consent agreements for organisations. Organisations can be Data Providers or Data Consumers.

Consent Record Handler: enables Individuals to view data usage and consent record.

Notification Handler: handles all notification configurations and notifications requested by different subscribers.

Administrative User Interface and Client Software Development Kit: these are readily available components that can configure and use the services offered, making integration easy and low code.

5.1 Requirements

The cross-cutting requirements described in this section are an extension of the cross-cutting requirements defined in the architecture specification document. Any implementation MUST adhere to all requirements from GovStack Security Requirements.

5.1.1 Privacy

Personal data MUST be kept private and never shared with any parties, except where specific authorisation has been granted. The Consent Building Block shall follow the privacy principles as laid out in the GovStack architecture.

5.1.2 Data Policy Audit Logging

Logs MUST be kept in a database of all created, updated, or deleted records. Logs MUST include timestamps and identify the user and affiliation that performed the transaction.

5.1.3 Access control (RECOMMENDED)

In general, the Consent Building Block shall follow the authentication and authorisation requirements as laid out in the . For clarity, Consent Building Block's API endpoints are invoked with a client-supplied API key which must defer to the Identification and Verification Building Block in order to verify the role and/or scope of the API key matches the API endpoint to which it is supplied. This is mentioned here, as this definition is drafted without clear guidance in the OpenAPI specification for the handling of roles and scopes.

5.2 Exceptions to Architectural Cross-Cutting Specifications

5.2.1 Privacy (REQUIRED)

In general, the Consent Building Block shall follow the authentication and authorisation requirements as laid out in the . For clarity, Consent Building Block's API endpoints are invoked with a client-supplied API key which MUST defer to the Identification and Verification Building Block in order to verify the role and/or scope of the API key matches the API endpoint to which it is supplied. This is mentioned here, as this Definition is drafted without clear guidance in the OpenAPI spec for the handling of roles and scopes.

5.3 Standards

5.3.1 ISO 8601

All dates should follow ISO 8601.

5.3.2 RFC 7159

RFC 7159 - The JavaScript Object Notation (JSON).

5.3.3 OpenAPI

OpenAPI Version 3.1.0.

5.3.4 REST API Design Guidelines Part 1

RESTful APIs follow TM Forum Specification: “REST API Design Guidelines Part 1” (requirement derived from GovStack Architecture and Nonfunctional Requirements).

Table of Contents

8 Service APIs

This section provides a reference for APIs that should be implemented by this Building Block. The APIs defined here establish a blueprint for how the Building Block will interact with other Building Blocks. Additional APIs may be implemented by the Building Block, but the listed APIs define a minimal set of functionality that should be provided by any implementation of this Building Block.

The provides additional information on how 'adaptors' may be used to translate an existing API to the patterns described here. This section also provides guidance on how candidate products are tested and how GovStack validates a product's API against the API specifications defined here.

Table of Contents

UC-C-PIC-AT-001: Consent - Postpartum and infant care (Audit Consent)

UC-C-PIC-AT-002: Consent - Postpartum and infant care (Monitor Policy Update)

UC-C-PIC-AT-003: Consent - Postpartum and infant care (READ Consent Status)

UC-C-PIC-AT-001: Consent - Postpartum and infant care (Audit Consent)

UC-C-PIC-AT-002: Consent - Postpartum and infant care (Monitor Policy Update)

UC-C-PIC-AT-003: Consent - Postpartum and infant care (READ Consent Status)

UC-C-PIC-AT-004: Consent - Postpartum and infant care (VERIFY Consent Integrity)