Modeling Personal Data Contract Clauses in Context

Dazza Greenwood edited this page Oct 16, 2015 · 6 revisions

Contracts Are the Mechanism to Enable Personal Data Ecologies

The aim is to shift general practices by offering much more efficient and effective methods of compliance with existing mandatory laws that also reflect the new deal on data. New deal on data laws in the US are a patchwork, but add up to cover the entire population several times over.

Most newsworthy today is the idea to use EU Model Clauses instead of the EU-US Safe Harbor, but the new deal on data also undergirds FERPA, FCRA, FIPA, Federal Privacy Act, FCC/222, HIPAA and many other laws. With terms that are not auto-negotiated and contracts that are not smart, the new deal on data can be established for next-generation research and society at large based solely on compliance with legal requirements. The subset of common and strategic legal requirements to target are 1) the right to know who has your data and 2) the right to get a copy of your data. Ideally, the overall economic advantage of user-owned personal data will eventually become the primary driver of business adoption, but changing ownership is not assumed to be desirable initially.

Prototyping Functions and Encoding of Standard Legal Clauses

The initial prototype in this repo focuses on "Standard Law" contract clauses relating to personal data rights, responsibilities, functions and flows. The name "Standard Law" is meant to signal an intention to formulate approaches and practices well suited to become commonplace. The primacy of default display of plain language descriptions of the business context, the legal terms and the technical setup is intended to demonstrate a compelling method of simplifying, streamlining and supercharging the business goals of this use case. The use of CommonAccord is intended to demonstrate a potential technical method for achieving the use case. The stacking of rules into system/umbrella, role/contract and individual/authorizations tiers is intended to demonstrate a potential legal method for achieving the use case. "Standard Law" means common approaches to a very few but strategic business, legal and technical touchpoints intended to remove key inhibitors and support key drivers of adoption.

  • The top layer is for the overarching umbrella agreement, which we can call "System Rules".

  • The middle layer is for the role by role contracts, which we call "Participation Agreements".

  • The bottom layer is for the most detailed and dynamic agreements, the "Authorization Terms". The OAuth 2 grants of permissions to access protected resources operate at this most granular and rapidly changing third tier.

Having the "scope" of authorizations and current state of permissions exist as data in file form in the GitHub repo is intended to ensure the simplest possible yet realistic design that keeps all the material business, legal and technical aspects of the implementation transparent and understandable. The idea is to promote deep understanding by business, legal and technical stakeholders alike, of the same actual operations and functions of the system. Though permission management would ordinarily be handled by a database and other sets of processes and systems, overall it serves the purpose of this demo best to instantiate the individual grants of authorization as human readable files observable with any standard web browser.
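A sketch of how the three tiers could be evaluated when authorizations live as readable files, added here as an illustration and not taken from the repo. The JSON fields, role names and scope strings are all assumed; a grant confers only the scopes that all three tiers permit, and the same files answer the "who has your data" question.

```python
import json
from datetime import datetime, timezone

# Constructed sample data; every field name and scope string is hypothetical.
SYSTEM_RULES = {"allowed_scopes": ["profile.read", "records.read", "records.copy"]}
PARTICIPATION = {  # role -> scopes that role's Participation Agreement permits
    "researcher": ["profile.read", "records.read"],
    "individual": ["profile.read", "records.read", "records.copy"],
}
GRANT_FILES = [  # one JSON document per authorization file in the repo
    '{"subject": "alice", "client": "study-app", "role": "researcher",'
    ' "scopes": ["records.read", "records.copy"],'
    ' "expires": "2030-01-01T00:00:00+00:00", "revoked": false}',
    '{"subject": "alice", "client": "old-app", "role": "researcher",'
    ' "scopes": ["profile.read"],'
    ' "expires": "2030-01-01T00:00:00+00:00", "revoked": true}',
]

def effective_scopes(grant, now):
    """Scopes a grant confers once all three tiers are applied."""
    if grant["revoked"] or datetime.fromisoformat(grant["expires"]) <= now:
        return set()  # a revoked or expired authorization confers nothing
    role_scopes = PARTICIPATION.get(grant["role"], [])  # unknown role: nothing
    # Intersection: the grant cannot exceed the role contract or the System Rules.
    return (set(grant["scopes"]) & set(role_scopes)
            & set(SYSTEM_RULES["allowed_scopes"]))

def is_allowed(grants, subject, client, scope, now):
    """True if some active grant from subject to client covers the scope."""
    return any(g["subject"] == subject and g["client"] == client
               and scope in effective_scopes(g, now) for g in grants)

def who_has_my_data(grants, subject, now):
    """The 'right to know who has your data', answered from the grant files."""
    return {g["client"]: sorted(effective_scopes(g, now))
            for g in grants
            if g["subject"] == subject and effective_scopes(g, now)}

GRANTS = [json.loads(text) for text in GRANT_FILES]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for a repeatable run

if __name__ == "__main__":
    print(who_has_my_data(GRANTS, "alice", NOW))
```
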

Scenario-Based Prototype: Massachusetts Health Connector

The role-based agreement we are using is meant to highlight relevant personal data rules.

The "System Rules" Layer:

  • Coming Soon

The "Participation Agreement" Layer:

The "Individual Authorizations" Layer:

  • Coming Soon