ISWG’s Standard Information Sharing Agreement and DTAs (TH5F)

Session Topic: ISWG's Standard Information Sharing Agreement

Convener: Joe Andrieu and Iain Henderson

Notes-taker(s): Judi

Tags for the session - technology discussed/ideas considered:  trust framework, master agreement, legal framework, standard information sharing agreement, data transaction agreement, contract

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Notes source: http://digitalidcoach.com/2011/10/iiw-xiii-standard-information-sharing-agreement/

Information Sharing Work Group, a group of Kantara Initiative, is working to develop a standard information sharing agreement. Slides are in progress and will be linked to when available.

Joe offered a quick intro to Information Sharing Agreements. The point of Information Sharing Agreements is to improve services for both individuals and organizations through the right data at the right time. Services need data to operate. Personal data is the most relevant, timely and high-quality data. This is what individuals bring to the table.


 * Criteria. Preferences. Requirements. Queries and Intention
 * Relationships and memberships
 * Age, Address and billing information
 * History: transactions and interactions.

Together, all of this comprises the digital context that people bring to their online experience.

If organizations can access this context, they can provide a bunch of interesting services and improve existing services.


 * Search, recommendations, and discoveries.
 * Personal RFPs and Shopping
 * Discounts, Promotions, Special offers
 * Reviews and Endorsements
 * Socializing and Sharing
 * Geolocation and Self-Tracking
 * Analytics and Dashboards
 * Customer and Technical Support and Service Management

The problem is that there are significant barriers between services and data:


 * Privacy issues, Liabilities, and Regulations
 * Problems with Accuracy
 * Isolated information that is simply unreachable in some offline form
 * Unstated data trapped in our heads
 * And for ethical companies, consent

If we can overcome these barriers, we can unlock significant value for both individuals and organizations. We can personalize services, respond to demand, and even drive product development based on explicit signals of intention in the marketplace. The data is higher quality, more timely and more relevant than proprietary or third-party data, resulting in more intimacy and unobtrusive, streamlined interactions. The end result is higher margins, greater responsiveness, more profit and greater satisfaction.

So how do we do it?


 * We construct a contract governing use before sharing occurs
 * We do that through a trust framework
 * With legally defined roles that any certified entity can play.
 * And the point of the trust framework is solely to govern the use of shared information.

Our approach is essentially a two-part contract between individuals and data recipients. First, a master agreement that defines the roles in the framework and the default terms, such as when information is and isn’t sharable with third parties. Second, a data transfer agreement that covers a specific instance of sharing.

First, parties enter into a master agreement prior to engaging with the framework. Then, during their web workflow and just prior to sharing, both parties construct a mutually favorable data transfer agreement covering the information to be shared.

Here’s a picture of the overall architecture, showing a particular data exchange. (slides link below)

We have our individual and the data recipient. Prior to this transaction, both the individual and the recipient have signed one or more master agreements, which are registered at a signature authority. In return, those authorities provide both parties with identities suitable for signing data transfer agreements.

This is a typical web-based transaction. The data recipient has published a signed offer, requesting specific data for a specific use, under one or more master agreements. If the individual has signed a matching master agreement, they can accept the offer by selecting any optional terms, signing their response and sending it to the recipient. Now, the data can be transferred with clear purpose-binding between that data and those terms.

That’s a typical transaction. In fact, most transactions will occur without the individual needing to even view the specific agreement. The client automatically records the agreements, accepting the default terms.
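The offer and acceptance exchange described above, sketched as an added example (not part of the talk or of any ISWG specification). The field names, the sample keys and the use of HMAC as a stand-in for signatures made with authority-issued identities are all assumptions for illustration.

```python
import hashlib, hmac, json

MASTER = "2011 Standard Information Sharing Master Agreement"
# Constructed demo keys standing in for identities issued by a signature
# authority; HMAC replaces real public-key signatures (assumption).
KEYS = {"recipient.example": b"recipient-demo-key", "sally": b"sally-demo-key"}

def canonical(obj):
    # Stable byte encoding so both parties sign and hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()

def sign(signer, body):
    tag = hmac.new(KEYS[signer], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signer": signer, "sig": tag}

def verify(msg):
    want = hmac.new(KEYS[msg["signer"]], canonical(msg["body"]), hashlib.sha256)
    return hmac.compare_digest(want.hexdigest(), msg["sig"])

def make_offer(recipient, data, purpose, masters, optional_terms):
    # Recipient publishes what it wants, why, and under which master agreements.
    return sign(recipient, {"data": data, "purpose": purpose,
                            "master_agreements": masters,
                            "optional_terms": optional_terms})

def accept_offer(individual, signed_masters, offer, chosen_terms, data):
    if not verify(offer):
        raise ValueError("offer signature invalid")
    common = sorted(set(offer["body"]["master_agreements"]) & set(signed_masters))
    if not common:
        raise ValueError("no matching master agreement")
    if not set(chosen_terms) <= set(offer["body"]["optional_terms"]):
        raise ValueError("chosen term was not offered")
    # The acceptance binds this exact offer, these terms and this exact data.
    return sign(individual, {"offer_digest": digest(offer),
                             "master_agreement": common[0],
                             "chosen_terms": sorted(chosen_terms),
                             "data_digest": hashlib.sha256(data).hexdigest()})

def check_transfer(offer, acceptance, data):
    # Recipient-side check before use: both signatures hold and the data
    # received is the data the signed terms were agreed for.
    body = acceptance["body"]
    return (verify(offer) and verify(acceptance)
            and body["offer_digest"] == digest(offer)
            and body["data_digest"] == hashlib.sha256(data).hexdigest())
```

Accepting with an empty `chosen_terms` list corresponds to the default case, where the client records the agreement without the individual opting in to anything beyond the master agreement's defaults.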

But if the consumer wants to review the terms or change from the default, they can view them in a standard format we call an Information Sharing Label, based on the Nutrition Facts label on packaged foods in the US. It contains just the details required to make an informed decision. And because we’ve put all the default terms in the master agreement, the details are a complete, user-friendly presentation of all the terms of that Data Transaction Agreement.

Consider Google operating under Information Sharing Agreements. Most of the time, the software seamlessly records the agreement, accepting the default terms. So, Google search looks and feels pretty much just as it does today.

But if you view the label, it might look something like this:

The recipient is Google. They are getting search queries entered into the search box on the web page, and they get them upon submission. The purpose is to recommend websites (which covers both organic results and ads). That particular use only uses the data for the time it takes to generate the search results, and the output for that service is the web page resulting from the submission. Google also requests the ability to retain that data for statistical aggregation (the output of which they will be permitted to re-use for other services).

The master agreement is the 2011 Standard Information Sharing Master Agreement and it will be stored locally (presumably by a browser plugin of some kind). This could just as easily be a service provider in the cloud, such as Personal.com or Connect.me. Finally, the client software pulls in ratings from user-selected rating services, which are free to rate the data recipient on any criteria. Privacy, trust, security, consumer satisfaction, whatever. The Signature Authority, the Rating Services, and the Assessors are all certified according to ISWG criteria by assessors.

So what does this mean for individuals?

Let’s look at Sally (our user engagement model: http://kantarainitiative.org/confluence/display/infosharing/Car+Buying+Engagement+Model ), a newlywed looking for a new car. She uses her Personal Data Store to collect her shopping activity and research, with notes and captures from car dealers, manufacturers, reviews, articles, and even the Department of Transportation’s safety test results. She also gets a certified proof of available financing from her Credit Union.

When she’s ready to find a dealer, she permissions her research, through a simple click of the mouse, to “MyPal”, who acts on her behalf to publish a personal Request for Proposal. Sally confirms the suggestions made by MyPal and specifies the timing and terms as well as the way she wants MyPal to communicate with her during the process.

Chryota of London responds to that proposal, through MyPal. Chryota knows that Sally is a qualified buyer, not only because she’s done a lot of research, but she’s also paid a small fee to MyPal to manage the pRFP and has pre-arranged financing. As a result, Chryota flags her pRFP as priority. A trained sales consultant checks inventory against Sally’s request, asks a few follow-up questions and responds with a firm bid that meets her needs at a competitive price. Sally buys the car and the dealer uses her personal data store to auto-fill the typical paperwork, from title transfer and financing to congestion fees and insurance.

All of these data transfers are fully documented and covered by explicit Information Sharing Agreements. Sally got better, faster service and a great price. The vendor got a qualified, prepared customer, a relatively fast sale, and the beginning of a rich relationship with a new customer. Everyone can rest assured that the information is free from unexpected liabilities.

Everyone benefitted from the right data at the right time.

Here’s the link to the Prezi presentation that went with this talk: http://prezi.com/-nhvrfv8yppv/information-sharing-agreements-20th-oct-2011/