This is a service delivered as a collaboration between the banking system and the governmental DiFi organization.
Additionally, GDPR does not ask for wide use of consent, but it requires insight into which consent was given when for any person that has given a consent. And GDPR also enforces the right to know, and the right to be forgotten. All these tree requirements; insight, right to know and right to be forgotten are more or less infeasible without a mean to get a glance into what consents have I given, to whom and when for any citizen in Norway.
Solution
TSD has, through BigMed utilized the self-service online questionnaire form (“Nettskjema”) to enable any researcher to build a consent form. The consent form may be equipped with any metadata that the researcher chose to enrich the form with. Subsequently TSD enables this form for a level-4 BankID signature. This signature is performed by the person who gives the consent using BankID or equivalent through the DiFi portal. This results in the following:
- A digitally signed PDF ends up in the secure governmental email of the person who consents (70+% of the age group has this enabled), or their snail-mail for those without such a mailbox.
- A copy of the consent is delivered to TSD, interpreted by the TSD consent system, and made visible for the correct PI and the person who consented.
- The consent proves who signed what, when and how.
- The person who consented may log in to the TSD consent portal (using BankID) to view all their consents, info about the consents, download consent PDF if wanted, revoke the consent or consent to new research or previously revoked consents. The full audit trail is kept and visible to this person.
- The PI, and those entitled by her, may log in to (or from the command-line API) the TSD consent portal and at any time access the info about all consents that has been given to their research project (and their research project only). They may see the same audit-trail as the person who consented until this person explicitly asks to get all their history removed.
The consent system is accessible for all TSD-users at a small cost, and the consent portal for PIs will soon be made available in the TSD DMZ so that researchers that does not use the TSD system will anyhow be able to utilize the TSD consent system.
