This article defines the term „Service“ and its
- roles,
- main uses cases,
- benefits and
- restricitions
within the privact framework.
Definition
A service is software, which
- is provided by a privact compliant service provider,
- has an individual agreement with the user, that covers its terms and conditions which are privact compliant
- was granted the right to write, update, delete, process or transferral of user’s personal data.
- allows for the user at any time to cancel the granted rights about the personal data.
- provides some benefit to the user, which requires the personal data for which permissions were granted.
Access to user’s personal data is granted through the terms and conditions of the service provider. These terms and conditions may not violate governance provided by privact.
Access is limited based on various categories and a need-to-know basis, so that the user does not expose all her personal data in case of a malevolent service.
A service may read out some personal data, for example a delivery address or the users mail address. Data that is transferred to the service provider is still under privact governance. In some cases, access to personal data may even be granted by the service to a third party. An example of that would be a health service that allows your doctor to get personal data from you through their service. This is also covered by privact’s personal data governance.
Within the EU, the GDPR also applies to any transferred data, which the service provider has to satisfy, as with any other applicable law.
Roles
A service assumes various fundamental roles / synonyms within the privact framework:
- Data provider: Most service will write or update personal data, including configuration data.
- Service provider: The legal entity which provides the service and is privact compliant.
- Data processor: The service that is creating some benefit from processing user’s personal data.
- Application: The software as it appears to the user.
- Audit target: The service has to undergo regular auditing about privact compliance.
Main Use Cases
Initial setup
The typical first interaction would be, if a user signs up to some service or app and agrees to its terms and conditions of usage. This would initiate or enhance the local database setup.
Accessing the user’s personal database
All access has to respect the user’s privacy settings. Whenever possible the service needs to work locally with user data. Any personal data that still needs to be transferred is covered by privact’s governance.
Audit target
The service has to undergo a regular review that is privact compliant.
Benefits
Services can be granted almost unlimited access to user’s data, allowing for many innovations and better services. And by building user’s trust in a service, a service is more likely to be granted such access. Currently, users may be shy to do so, since the have to give the data out of their hands. By being privact conform, a service provider may be granted access to data, the user otherwise would not have made available.
Data quality is better, since it is more complete data and concurrent.
Restrictions
While service have broad access to the personal user’s database, usage and transferal of all data is always covered by privact’s governance, limiting the service in some cases. This is not a bug. It is a feature.