Like a Consent Receipt
Much like the "Consent Receipt" work that Kantara has developed: the Consent Receipt is a consistent concept that states the facts about a Consent that an individual has agreed to. The first versions of this Consent Receipt were not structured or coded; they set some requirements on the text, and the receipt would be delivered to the Individual. A "Consent Receipt", much like any cash register receipt, has very little use when everything works as expected, but it is there as evidence in the case where things do not progress as expected. Specifically, when the terms of the Consent are not enforced, the Individual can leverage their Consent Receipt against the violating custodian.
Erasure Receipt
So an "Erasure Receipt" would be given to the Individual after they have asked for data to be Erased. When that Erasure works as expected, the Erasure Receipt is of very little use. However, if at a later time it is found that the data was not properly erased, then the Erasure Receipt can be used against the violating custodian. We also envisioned that the Erasure Receipt might be useful to probe the custodian to check that there is no current evidence of the data that was erased. So the Erasure Receipt is an artifact that shows due diligence, transparency, and trustworthiness.
"... where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, ..."
Requirements of an Erasure Receipt
- Date of Erasure Request
- Date of Erasure Receipt (typically must be within 90 days of request)
- Human Language
- Identification of the individual
- Identification of the data controller
- Description of data to be Erased
- Purpose of Use the data was collected under
- Type of data that was collected
- Identifier of the previously captured Consent Receipt
- Reason why data could not be Erased (e.g. Medical Records Retention, Obligation to Report)
- Identification of Purpose and Type of data not deleted
- Identification of Purpose and Type of data deleted
- Method used to Erase (e.g. Deletion, De-Identification, etc.)
- Downstream Recipients
  - For every downstream Recipient of the data being asked to be Erased:
    - Identification of the downstream Processor
    - Response, if any, received from the request made to the downstream Recipient
- Pseudonym -- given the Individual has been Erased, a pseudonym (i.e. a GUID) can be assigned to the remaining data, the proof of erasure, and the Erasure Receipt.
  - This might be useful to the individual in the future to probe the erasure facts.
  - This might be most useful where the data are de-identified and maintained for other required purposes. A probe of the pseudonym would show the integrity of that data, while assuring that the Controller no longer knows who the individual is.
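As an added example (not part of this page or of any Kantara specification), the requirements above rendered as a validation routine in Python, with a constructed sample receipt and a digest-based pseudonym probe; the field names, the 90-day check and the digest scheme are this example's own assumptions.

```python
import hashlib
import json
import uuid
from datetime import date

MAX_DAYS = 90  # "typically must be within 90 days of request" (from the list above)
# Field names are this example's own; the page lists requirements, not a schema.
REQUIRED = ("request_date", "receipt_date", "language", "subject_id", "controller_id",
            "data_description", "purpose", "data_type", "consent_receipt_id",
            "erased", "method", "downstream")
# Constructed sample: contact details erased, a visit log kept under a reporting duty.
SAMPLE = {
    "request_date": "2024-03-01", "receipt_date": "2024-04-15", "language": "en",
    "subject_id": "alice@example.com", "controller_id": "example-clinic",
    "data_description": "patient portal account", "purpose": "appointment booking",
    "data_type": "contact details", "consent_receipt_id": "cr-0001",
    "erased": [{"purpose": "appointment booking", "type": "contact details"}],
    "not_erased": [{"purpose": "obligation to report", "type": "visit log"}],
    "reason": "Medical Records Retention", "method": "De-Identification",
    "downstream": [{"processor_id": "sms-gateway", "response": "erased 2024-04-10"}],
}

def validate_receipt(r):
    """Return a list of problems; an empty list means the receipt is well-formed."""
    problems = [f"missing {k}" for k in REQUIRED if k not in r]
    if problems:
        return problems
    req, rec = date.fromisoformat(r["request_date"]), date.fromisoformat(r["receipt_date"])
    if rec < req:
        problems.append("receipt_date precedes request_date")
    elif (rec - req).days > MAX_DAYS:
        problems.append(f"receipt issued more than {MAX_DAYS} days after request")
    if r.get("not_erased") and not r.get("reason"):  # retention needs a stated reason
        problems.append("data retained without a stated reason")
    for i, d in enumerate(r["downstream"]):  # a response is optional, identity is not
        if not d.get("processor_id"):
            problems.append(f"downstream[{i}] lacks processor identification")
    return problems

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def pseudonymise(r):
    """Controller-side copy with the subject's identity replaced by a GUID;
    returns (copy, digest), the digest being the value the individual keeps."""
    copy = dict(r, subject_id=None, pseudonym=str(uuid.uuid4()))
    return copy, _digest(copy)

def probe(copy, digest):  # later check: retained pseudonymous record still matches
    return _digest(copy) == digest
```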