It would be useful to collect information on
Access Consent & revocation
Is the user in the loop about the use of their data? Do they need to approve sharing before it happens? Does consent course grained, per agency and ongoing, or is it fine grained and short lived (e.g. need new consent for every access)
Possible values:
- Explicit: User explicitly approves sharing with an new agency for a purpose (e.g. DEPA)
- Delegated: User allows "fiduciaries" to manage consent.
- Implicit: Agency-to-Agency sharing by default. (e.g. X-Road)
Access Audit Log
Is it possible to see who accessed your data and why? Is it at the agency level or the individual requestor level?
Possible values:
- audit log available to data principles (the citizen)
- audit log available to data fiduciaries (the agency)
- audit log available to the data controller (the technical operator)
From the DPI measurement paper, both of these help to build trust in the system and contribute specifically to to the transparency & privacy attributes of DPI.
It would be useful to collect information on
Access Consent & revocation
Is the user in the loop about the use of their data? Do they need to approve sharing before it happens? Does consent course grained, per agency and ongoing, or is it fine grained and short lived (e.g. need new consent for every access)
Possible values:
Access Audit Log
Is it possible to see who accessed your data and why? Is it at the agency level or the individual requestor level?
Possible values:
From the DPI measurement paper, both of these help to build trust in the system and contribute specifically to to the transparency & privacy attributes of DPI.