Consent Overview
Certain GDC data providers leverage data sources which require consent from individuals or Data Subjects to be referenced for electronic Identity Verification (eIDV) purposes. If you need to add these sources to your configuration of Worldview, the processes and technical requirements contained in this document must be followed to ensure compliance.
Each data provider which provides a controlled access data source in Worldview will have specific forms and requirements. To start the process:
- Begin by completing the form(s) provided to you by the GDC team. These forms will be completed to establish and maintain “delegated consent” and a “chain of custody” between all parties in the eIDV transaction. The contact details and transaction consent data required must be maintained in a secure and compliant manner for future audit purposes.
- Delegated Consent refers to the designation by a Data Subject (an individual or business entity) allowing additional or third parties authorized use of the personal data for a permitted and intended use. Worldview’s permitted and intended use is eIDV.
- Chain of Custody (CoC) refers to the chronological documentation or electronic trail that records the sequence of custody, control, forward transfer, analysis, and disposition of physical or electronic data. In the case of Worldview, CoC is the connection within a transaction of an individual, a Worldview Customer and/or Partner, GDC and the Data Provider providing the data for verification.
- In the future, prepare for interactive consent, which in some cases is provided by using specific credentials to access and consent to a real-time verification query.
NOTE: This is primarily used when leveraging Utility and Telco sources.
Initial Setup With Provider
Each Consortium member/Data Provider which provides a data source integrated into Worldview that requires consent will have an upfront provisioning process to vet a GDC customer for access. This process will vary by country and Data Provider.
The information you must provide for the initial setup and credentialing process for consent-based data sources includes but is not limited to:
- Letter or completed forms requesting customer/business partner access to the service and defining permitted use.
- End Customer’s primary contact (Name, title, address, email and Phone Number).
- Confirmed technical integration and/or ability to provide delegated consent for each request.
- For credit-based sources, a unique footprint which is recorded on each data subject's credit report. This is the contact data for each actor in the CoC and a string value with the name or abbreviation for the source chain.
For Example: Acme Bank-GDC-Credit Bureau.
In the case of credit-based footprints, it is required that the source chain description include the name of the company that has direct contact with the Data Subject.
Primary Data Sources For Consent
The primary types of data sources which require consent are Credit (CRD), Telco (TEL), Utility (UTL) and Government (GVT) sources. A comprehensive list is found below:
Country | Footprint | Source |
---|---|---|
Canada | Yes | CRD1 |
Canada | No | TEL1 |
Hong Kong | No | CRD4 |
Worldview WSID Importance For Consent
Every inquiry on the Worldview web service returns a unique detail code, i.e. the WSID. While the detail code is important for support issues, it is extremely important for users with configurations that require consent. The WSID unlocks the audit records and CoC data in Worldview. These Worldview detail codes should be stored for as long as governing law or compliance rules mandate. They are the link for traceability as an audit/transaction key.
"detailCode": "WS-302671.2013.7.15.16.37.29.91"
Delegated Consent Flow - Direct & Reseller
Consent sources in Worldview are licensed as transactions on the platform to either Direct Customers or Resellers with indirect customers. All consent values (flags, names, addresses) as well as all data source types and metadata used in a transaction request are persisted. The basic flow of delegated consent is outlined in the following flowcharts.
Direct Customer Delegated Consent
Reseller Delegated Consent
There is little difference between delegated direct customer consent and reseller. There is simply an additional level of pass through in the CoC and additional contract docs and forms to consider.
Required Consent Messages
To process consent data sources, clients/business partners must provide input messages as part of the request transaction to Worldview. These messages are 2-way, but inbound requests must include at a minimum an account number of the end customer/direct customer and a message delineating consent status to access a consent-based data source.
The complete input fields required as part of submitting a request with consent messages include:
- Customer/Partner Account Number
- Consent Flag (CONSENT=YES)
- Company/Business Name
- Phone Number
- Address (for certain consent services)
- Other fields deemed necessary by data provider or a specific country’s policy.
Below is an example of the identity section of an API call that includes the required consent-related fields.
"identity": {
    "completename": "",
    "givenfullname": "",
    "surname_prefix_first": "",
    "surname_first": "",
    "nationalid": "",
    "dob": "",
    "codes": {
        "messages": [
            {
                "code": "ACCOUNT_NUMBER",
                "value": ""
            },
            {
                "code": "CONSENT",
                "value": "YES"
            },
            {
                "code": "CUSTOMER",
                "value": ""
            },
            {
                "code": "PHONE",
                "value": ""
            },
            {
                "code": "EMAIL",
                "value": ""
            },
            {
                "code": "ADDRESS",
                "value": ""
            }
        ]
    }
}
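A pre-submission check for the consent messages shown above, together with a local audit record keyed by the WSID. This is an added Python example, not GDC's code. The function names, the audit record layout, the sample values and the mapping of the CUSTOMER code to "Company/Business Name" are assumptions.

```python
import json

# Codes the page lists as required on a consent request. Treating CUSTOMER as
# the "Company/Business Name" field is an assumption based on the sample call.
REQUIRED = ("ACCOUNT_NUMBER", "CONSENT", "CUSTOMER", "PHONE")


def consent_errors(identity, address_required=False):
    """Return a list of problems with the consent messages; empty means OK."""
    values, errors = {}, []
    for m in identity.get("codes", {}).get("messages", []):
        code = m.get("code")
        if code in values:
            errors.append(f"duplicate message code: {code}")
        values[code] = str(m.get("value") or "").strip()
    required = REQUIRED + (("ADDRESS",) if address_required else ())
    for code in required:
        if not values.get(code):
            errors.append(f"missing or empty: {code}")
    # Conservative choice: only the literal YES from the page counts as consent.
    if values.get("CONSENT") and values["CONSENT"] != "YES":
        errors.append("CONSENT must be YES")
    return errors


def audit_record(identity, detail_code, source_chain):
    """Local record keyed by the WSID so the transaction can be traced later."""
    msgs = {m["code"]: m["value"] for m in identity["codes"]["messages"]}
    return {"detailCode": detail_code, "sourceChain": source_chain,
            "consent": msgs.get("CONSENT"), "account": msgs.get("ACCOUNT_NUMBER")}


# Constructed sample input (not real customer data).
SAMPLE = json.loads("""{"codes": {"messages": [
  {"code": "ACCOUNT_NUMBER", "value": "ACME-0001"},
  {"code": "CONSENT", "value": "YES"},
  {"code": "CUSTOMER", "value": "Acme Bank"},
  {"code": "PHONE", "value": "+1-555-0100"},
  {"code": "ADDRESS", "value": ""}]}}""")

if __name__ == "__main__":
    print(consent_errors(SAMPLE))
    print(consent_errors(SAMPLE, address_required=True))
    print(audit_record(SAMPLE, "WS-302671.2013.7.15.16.37.29.91",
                       "Acme Bank-GDC-Credit Bureau"))
```

Running the check before the request leaves your system keeps a call without recorded consent from reaching a consent-based source, and the audit record ties the returned detail code to the source chain used for the footprint.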