With the enforcement of different data and privacy rules, there is a growing requirement to address the consent of users, more specifically for the collection of their biometric data.
This requirement asks that AAF should have a means to manage and report consent from corporate users, tied to the user's ability to enroll or use the defined authentication mechanisms.
They envision that this should become a "Consent" area per enrolled method OR a portal that must, at minimum:
- Present applicable policies to users: the solution must be able to display a custom HTML message to the end user. If the HTML message is changed, all end users must be required to provide consent again, but this should not block the user from authenticating. Alternatively, it should be an option for the AAF administrator to enforce that consent must be obtained again at the next login.
- Allow for two (2) user roles:
  1. Normal User: allows for self-service consent management with a Consent View (to view and acknowledge consent) and a Retract View (to remove consent; upon retraction of consent, the user should not be allowed to use any authenticator).
  2. Admin: allows an administrator/security person, configurable by corporate Directory groups (may NOT be an AAF administrator OR Helpdesk), to maintain the text of the consent message in an Admin View. Consent Administrator access must be controlled by groups and audited.
- Maintain or store a non-repudiable audit trail of all user activity, retained for a duration based on data retention policies (User synchronization options and Reporting options):
  1. date and time, the user, and the message text consented to;
  2. date and time the user retracted their consent;
  3. any changes to the text of the custom HTML message (date and time, who made the change, and the change made to the text).
- Consider catering for possible user notifications (e.g. SMS or email):
  1. reminder notification for re-consent;
  2. initial notification confirming that the user provided consent;
  3. confirmation message confirming that the user retracted consent.
- Expose an API that allows 3rd-party systems to determine whether consent was obtained for a user.
- Consider that this consent area or portal must be exposed on the internet and use 2FA, with the option of Google reCAPTCHA.
- Consider a separate 'consent' DB that can be accessed by auditor/security staff or queried via the API by a reporting tool.
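As an added illustration of how the requirements above fit together (this is example code, not part of the request or of AAF itself), the constructed `ConsentLedger` below binds each consent to the hash of the exact HTML text shown, makes every consent stale when an admin changes that text (with the optional enforce-at-next-login switch), blocks all authenticators after retraction, exposes the status check a third-party system would call, and keeps a hash-chained audit trail so that edited or deleted entries are detectable. The class name, method names and the injected `clock` are assumptions for this example.

```python
import hashlib
import json

class ConsentLedger:
    def __init__(self, policy_html, clock):
        self.clock = clock    # callable returning an ISO-8601 timestamp (injected so tests are deterministic)
        self.audit = []       # append-only trail; each entry carries the previous entry's hash
        self.state = {}       # user -> policy hash consented to, or None after retraction
        self.set_policy(policy_html, changed_by="system")

    def _record(self, event, **fields):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": self.clock(), "event": event, "prev": prev, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def set_policy(self, policy_html, changed_by, enforce_at_login=False):
        # Admin view: new text makes every consent stale; enforce_at_login blocks stale users, else only prompts.
        self.policy_html = policy_html
        self.policy_hash = hashlib.sha256(policy_html.encode()).hexdigest()
        self.enforce_at_login = enforce_at_login
        self._record("policy_changed", by=changed_by, policy_hash=self.policy_hash, text=policy_html)

    def consent(self, user):
        # Consent view: bind the user to the exact text shown, not just a version label.
        self.state[user] = self.policy_hash
        self._record("consented", user=user, policy_hash=self.policy_hash, text=self.policy_html)

    def retract(self, user):
        self.state[user] = None    # retracted: no authenticator may be used until consent is given again
        self._record("retracted", user=user)

    def check(self, user):    # API for third-party systems: status plus whether authenticators may be used
        consented = self.state.get(user, "never")
        if consented == self.policy_hash:
            return {"status": "current", "authenticators_allowed": True}
        if consented in (None, "never"):
            return {"status": "retracted" if consented is None else "none", "authenticators_allowed": False}
        return {"status": "reconsent_required", "authenticators_allowed": not self.enforce_at_login}

    def verify_audit(self):
        # Recompute the hash chain; an edited, reordered or deleted entry breaks it.
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

A hash chain only makes tampering detectable; for the non-repudiation the requirement asks for, the chain head must also be signed or anchored outside the consent DB so that whoever administers that DB cannot rewrite the whole chain.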