EnCoRe - Ensuring Consent and Revocation

EnCoRe – Ensuring Consent and Revocation – is a research project, being undertaken by UK industry and academia, to give individuals more control over their personal information.

Why improvements in informational privacy are needed
Watch our short videos here and here to find out why, and pass the links on to others!

What we are doing
Our work aims to make an individual’s consent a more powerful means for allowing them to control what happens to the personal information they disclose to organisations. We think that this control should be capable of shaping the purposes this information is used for, with which other organisations it is shared, and for how long and where it is stored. Today, the consent required of individuals for the use, sharing and storage of personal information by others will often be a one-off choice, described in vague terms or given implicitly. This type of consent gives individuals no real control over personal information, nor the ability to revoke their consent and be sure that their wishes are respected. Our work will improve the ease, reliability and rigour with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal information by others.

Today's reality around giving and revoking consent
Currently, the law does not require that consent must always have been given before an organisation can use personal information about individuals. In fact, organisations will often avoid relying on consent from individuals to legitimise such use, on the basis that it can be difficult to prove that adequate consent was obtained. It is possible, and more common, for organisations to use personal information on the grounds that they are doing so fairly, legitimately and in a way that would not cause any harm.

What the law does do is to require that those organisations which use personal information in the course of their business – so-called ‘data controllers’ – do so in accordance with certain principles. These include using the personal information fairly and lawfully; using it only for specified purposes; using only the minimum amount of information; not storing information for longer than it is needed; allowing individuals to be provided with details about the information, to object or to update it; keeping the information secure; and not sending the information to countries where it would not be protected. There is, significantly, no clear legal right or procedure that allows an individual to revoke their consent.

Accordingly, data controllers in the public and commercial sectors generally will not feel compelled to agree to give individuals any specific ‘fine-grained’ control of their personal information. For example, to allow a home address to be used for delivery of a purchased item, and then require it to be deleted shortly afterwards, except that the postcode may be used for market research only. It is also the case that any individual’s specific instructions that relate to the use of personal information at one data controller will tend not to be communicated to, or respected by, other parties to which the personal information may be sent. This is because typical information technology and computer systems are not designed to support such features.

So, if an individual wishes to be more specific than giving a simple one-off ‘opt-in/opt-out’ choice, or to change or revoke a previously given consent, they typically have to find the relevant member of staff at a data controller. The contact details for this person will usually not be easy to find online, and composing a letter or email stating the desired changes is impractical and time consuming for the individual. A data controller dealing with such a request would have to determine which of the stated wishes were feasible to respect (often, not all will be) and then undertake a variety of one-off actions to do so. If the individual's wishes refer to personal information that had been forwarded to another party, the original data controller’s task would become even more complicated. Both the inconvenience to the individual of taking such action, and the cost to a data controller of dealing with it, are significant. At present, this situation effectively prevents an individual exerting any meaningful control over their personal information after they have disclosed it.

Our vision
The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again. Turning this into reality, for both the individual and the organisation, requires
   ● consent management technologies to be developed,
   ● IT systems architectures that include these to be developed,
    ● organisations' operational processes and systems to be designed or
     enhanced to use them,
● easy-to-use interfaces to be developed and implemented, and
    ● the regulatory regime that underpins all of this to be enhanced and
     strengthened.

EnCoRe is working on all of these areas.

More ...
Click here to learn more about the project.
Click here to access our Deliverables, Papers and other Publications.
Click here for related organisations and relevant activities.
Click here if you have something to say on the topic of Consent & Revocation.

This EnCoRe project website is a key part of the project's strategy for disseminating its results, plans, news and other information. To request more information, or if you would like to take part in our external activities, please let us know via the Contact page.