Subject RE: The Most Important Attribute
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Thu, 7 Jul 2011 07:13:50 +0000

> -----Original Message-----
> From: smith@xxxxxxxxxxxxx [mailto:smith@xxxxxxxxxxxxx]
> Sent: 06 July 2011 21:31
> To: David Chadwick; Scott Cantor; Chad La Joie; refeds@xxxxxxxxxx
> REFeds
> Subject: Re: [refeds] The Most Important Attribute
> On 6 Jul 2011, at 21:06, Rhys Smith wrote:
> > On 6 Jul 2011, at 20:57, David Chadwick wrote:
> >
> >> which is what we should be trying to engineer (ie. remove as much
> visibility and complexity from the user as possible).
> >
> >
> > So you're advocating removing any kind of getting consent from the
> user? (when implemented, it's one of the most visible and complex parts
> of the process from a UI perspective...)
> Just replying to myself here, don't mind me...
> I was being flippant, but there is an important point to make.
> The only good UI is one that doesn't interact with the user and
> presents no interface. Transparent is simple. Currently there is no
> consent, which is as invisible and simple as it gets.
> You can have simplification and increased usability, or you can have
> user consent mechanisms of any type. You can't have both...
> (Yes, there are better and worse ways of managing consent (massive open
> question as to which options are which), but they're *all* more complex
> and less usable than no consent at all).

Just a reminder that European law provides five other justifications for processing (FERPA provides even more), all of which have simpler requirements both for compliance and user interaction than consent does. For example Dave's credit card is the perfect example of "processing is necessary for the performance of a contract to which the data subject is a party".

See Schedule 2 of the UK Data Protection Act 1998 for the full list (it's the same list as in the EC law, but is better laid out on the UK website):

Each time you go for consent you're making your life, and that of your users, as hard as it can be :(


PS The law also (perhaps surprisingly) doesn't regard a credit card or debit card number as the most sensitive attribute: racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission of offences, and any punishment imposed are all classed by law as significantly more sensitive. Financial details are just common or garden personal data.

> R.
> --
> ----------------------------------------------------------------------
> Dr Rhys Smith                                   e: smith@xxxxxxxxxxxxx
> Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
> Information Services,
> Cardiff University,                            t: +44 (0) 29 2087 0126
> 39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
> CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821
> ----------------------------------------------------------------------