User:AlexLiMSFT/sandbox/Data Use Statement

Data Use Statements
A data use statement is a technical disclosure the form of which has been standardized by ISO/IEC 19944 to provide a transparent, intelligible, and concise description of data use in clear and plain language. Service providers and data controllers can disclose means of gathering personal data, and use of their customers’ personal data in Data Use Statements. A typical data use statement consists of a thorough and comprehensible description of data use, with a specific outline of how each type of data is used and shared, and at which level of anonymization.

Data Use Statement Standards and Guidance
ISO/IEC 19944 is an international standard designed to standardize transparent communication of personal data protection policies and practices by data controllers through a structured taxonomy of Data Use Statements. It also provides an overview of device and cloud data flow. The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 38.

Components of a Data Use Statement
Data use statements as defined in ISO/IEC 19944 is composed of the following major components:

1.      Data used—describing the data applicable to the data use statement

2.      Source Scope—describing where the data is obtained

3.      Use Scope—describing the applications or services that are using the data

4.      Result Scope—describing the resulting outcome of the data

Data Use Statement Structure
An effective data use statement under ISO/IEC 19944 will consist of a series of grammatical sentences, structured in the traditional Modifier-Noun-Passive Verb-Modifier sequence.(FOOTNOTE) Each sentence will identify the specific kind of data being treated, the level of anonymization of the data, the source of the data, the specific use of the data, and the intended result of the identified use. If the data is being shared, the sentence will also identify the recipient of the data and the purpose for which it is being shared. Each kind of data, at each level of identifiability, and each unique use of data, should be specifically treated. Additionally, the data use statement must be adequately comprehensible to an ordinary user of average education.

19944 recommends the following general structure of a data use statement:

(Data identification qualifier) (data category) from (source) is used by (user) to (action) for the purpose of (result).

An example of this data use statement:

Unlinked Pseudonymized telemetry data from app X is used by this service to improve app X’s services     This structure allows controllers to present information in accessible, digestible pieces. By uniquely identifying each use of data, controllers allow readers to understand the entire scope of the way the controller uses and shares his or her data. This results in an increased level of transparency in data use disclosure.

Each statement element identified in Section 10 is accompanied by a corresponding list of terms that can be used to fill in the statement. The lists can be found in Sections 8 and 9 of the standard.

Data Use Statement Terminology
 In addition to outlining a structure for data use statements, ISO 19944 provides a glossary of terminology – the actual words that, put together in the correct order, will form the data use statement. The terminology is broken into two overarching categories: terms relating to Data Taxonomies (Section 8) and terms relating to Data Processing (Section 9). Making use of the 19944 terminology is essential to crafting an understandable data use statement because of the necessity of comprehensible, consistent terminology. By following the standard terms and definitions recommended by 19944, data controllers can achieve precise, transparent, and effective disclosures of data use.

Data Taxonomies

ISO/IEC 19944 identifies and describes data taxonomies, or the types of data being used by controllers. The verbiage provided in Section 8 allows controllers to achieve specificity in their disclosures of data acquired and used. This section provides treatment of the following areas:

-      Data categories

o  Data Categories provides vocabulary to differentiate between substantial categories of data. This refers to the content or substance of the data being processed.

-       Data identification qualifiers

o  Data identification qualifiers refers to the level of identifiability or anonymity of the data. This refers to the ability or disability of data holders and processors to link individual people or groups of people with a particular set of data. In general, data identification qualifiers will be used to modify or describe the data categories.

Each area is accompanied by a list of applicable words and terms that can be used to standardize the language of Data Taxonomy. (Footnote here linking to section 8?)

Data Processing

ISO/IEC 19944 Section 9 considers the various types of data processing that can take place and the scopes of the processing and use (essentially what capabilities, cloud services and parties may be involved).

·        Data Processing Categories

o  This clause describes some of the data processing techniques found in the devices and service ecosystem. These data processing techniques include transformations of the data content and movement or storage without transformation of the content.

·        Data Use Categories

o  This clause uses commonly used, non-technical, words to describe use of the data. It defines the accepted meaning of common terms in the context of the devices and cloud services ecosystem, and any additional scope information needed to fully explain the use.

·        Scope: boundaries of collection and use of data

o  This clause provides a way to clearly describe the boundaries of collection and use of data in the devices and cloud services ecosystem.

Each clause in this section includes a list of applicable words and terms that can be used to standardize the language of Data Processing. (Footnote here to Section 9)

Exceptional Uses
Because the recommended structure of 19944 may not apply to every situation, the standard proposes several option for exceptional uses in Section 10.2.5. An exceptional use statement provides additional information to a data use statement to add transparency and precision about when data use is allowed. In particular, the standard provides direction for crafting a data use statement which includes some form of permissive authority. An exceptional use data use statement should follow the same basic form as the standard data use statement, but should include a few elements not typically included in a more basic statement of use. The structure of exceptional use statements should include and define:

·        The entity granting permission (a grantor).

·        The entity making the exceptional use of the data (a grantee).

·        The exceptional use (a use statement (10)).

·        What can cause or is required for the grant of permission to occur (a grant trigger).

·        How long the grant is in effect (a grant period).

The arrangement of these terms will vary by context in where they are used. A simple exceptional use statement can be constructed as follows:

The [grantor] grants permission to [grantee] to [exceptional use] by [grant trigger.] The grant is effective [grant period.]

Example: The cloud service customer grants permission to the cloud service provider to provide emergency move of customer data from this service to another geographical location ''in case of a natural disaster. This is effective until the consequences of the natural disaster are dealt with, up to a maximum period of 9 months.''

In this example, the cloud service customer is the grantor, the cloud service provider is the grantee, and the grant trigger is “in case of a natural disaster”. The grant period is specified.

Data controllers may also use exceptional use statements to describe exceptions for a narrower use than those defined in the data use categories. This frees controllers from the natural limitations of the recommended standard statement structure while allowing controllers to preserve the spirit of transparency and open communication.

Optional Additions
 In addition to the necessary elements of a data use statement identified in ISO/IEC 19944, data controllers may choose to provide further specificity by including optional elements, as long as those additions do not detract from the clarity or conciseness of the data use statement. Optional additions may include reference to the geographic location where data is collected or used, a specific timeframe within which data is collected or used, etc. For example, a controller can improve the specify of a data use statement by identifying that it applies only to data collected in Europe, or data collected after January 1, 2016.

Data Use Statements as Distinguishable from Privacy Statements
Data Statements are distinguishable from Privacy Statements by their level of precision. Where privacy statements provide a more general overview of data collection and use, data use statements represent a much more specific treatment. Generally, data use statements identify each category of data (personal content, generated data, payment data, etc.), the level of identifiability or anonymization of the data, and a disclosure about how data of each type and level of anonymization is being used or shared (for what purpose it’s being used, with whom it’s being shared, etc.) While privacy statements are widely provided, the inconsistency of privacy statements between controllers makes it difficult to make direct comparisons and many will not meet the bar of transparency and disclosure that may be demanded.