TAS3_D6p2_v2p0.pdf (deprecated)
TAS3 Contractual Framework Accepted by European Commission in June 2009.
Executive Summary:
The objective of TAS³ is to develop a secure, yet adaptable technical infrastructure that enables the creation, maintenance and exchange of personal information between multiple service providers in a user-centric fashion. TAS³ relies on the concept of a Trust Network that is governed by business requirements, technical requirements, policy requirements and legal requirements. This deliverable focuses on the development of a flexible and adaptable contractual framework for all TAS³ participants and general policy requirements that shall support the Trust Network by defining and enforcing enterprise policies at the level of individual service providers.
Changes in jobs, residences, and professional and social relationships are more frequent occurrences than ever before. Information must be portable and accessible to meet the needs of organizations, individuals and society as a whole. Providing this portability and flexibility is also key to remaining competitive and enabling growth in the information society and digital economy. TAS³ enables an infrastructure of trust, security and privacy to meet the needs of today’s more global and mobile society. TAS³’s development is geared to compliance with privacy laws and provides for both user control and organizational functionality of records. TAS³ thus combines security and privacy with technology, policy and law to create a trust infrastructure predicated on verifiable information governance.
TAS³’s approach, which co-ordinates the development of contract, policy, technology and business requirements at the inception of the project, improves on existing models of privacy by design (often limited to embedding privacy technology at the design stage). This broader and earlier collaboration across the 4 elements mentioned above creates a more seamless support of privacy, which in turn enables and enhances trust for data subjects.
In many design and development situations the interdependent nature of the 4 elements is insufficiently optimized. In TAS³, interactions across entities are designed to enhance system optimization. Information collection, access and transfer proceed in accordance with data minimization; legal and compliance obligations are supported in audit protocols, and required enterprise policies supplement security, use limitation, and other data protection requirements. This optimization also occurs at the ecosystem rather than just enterprise/organization level, thereby providing more seamless and end-to-end integration of requirements across the 4 elements of the Trust Network. Obviously, recourse to national data protection authorities and courts always remains possible in case of non-compliance. TAS³, however, also seeks to provide the data subject with simpler paths to compliance enforcement that can be accomplished entirely from within the TAS³ network.
The TAS³ contractual framework exists and operates at three levels: Ecosystem, Transaction and Technical. The Ecosystem level provides the general binding of rights and obligations across all parties, including general terms and conditions, required technical implementations and requirements for policies at the level of individual organizations. The Ecosystem contract is drafted in counterpart forms adapted to the role of the individual user/entity, but with large commonalities for the core aspects of the TAS³ Ecosystem. Transaction level contracts provide an opportunity to supplement or enhance controls and instructions related to a specific transaction. Because these contracts need to be tailored to the specific context of the transaction, we are exploring how to develop standard contracts for different types of transactions with attached schedules to provide the customization. This modular drafting will lessen the need to involve legal counsel at every transaction and thus increase speed and reduce cost.
Obligations are put in place at the technical level through sticky policies and other privacy management and negotiation elements of the architecture. As these obligations are expressed through technical means that may never be explicated in writing, they are explicitly supported and accepted by the parties as binding through agreement to the Ecosystem contract. Since the contractual framework binds all parties, it is horizontal in its very nature and is relevant to all TAS³ work packages.
The contract and policy frameworks, which will be described in this document, are mostly dependent upon both the Legal Requirements previously defined in TAS³ D6.1 and the Architecture requirements developed in TAS³ D2.1. The requirements that were identified in WP 1 (TAS³ D1.2, D1.4 as well as the consideration of the current state of the art in TAS³ D1.1) serve as inputs to this document. Conversely, WP6 has in turn identified its own requirements and provided input to both D1.2 and D1.4 (annex 4). The Demonstrator projects set forth in TAS³ D9.1 serve as inputs to the contractual framework and will serve in continued iterations as proving grounds for testing actual contract terms.
