The EnCoRe ("Ensuring Consent & Revocation") project, a UK inter-disciplinary research project into informational privacy which I've mentioned before in this blog (e.g. in the Data Dozen of Identity Management for Privacy post), have produced a paper "Technical Architecture for the first realized Case Study" (138 pgs).
This paper defines the EnCoRe Technical Architecture for a case study namely a hypothetical Enhanced Employee Data Scenario - the use by employees of an organisation of a Web 2.0-style service for work-related and personal purposes and its related consent management requirements.
Appendix A of the paper sets out some example Use Cases (e.g. employee gets hired, promoted, changes their personal data, gets demoted etc) and some general legal input (Data Protection Act 1998 and Data Protection Directive principles) on those use cases.
I've not had a chance to read it yet, but from the summary:
"The scope of the EnCoRe Technical Architecture for this first Case Study encompasses all the technical functions required for the management (including capture and revocation) and enforcement of individuals' consents that are pertinent to the Case Study's scenario. The technical architecture is the block-level design of the necessary technical system, at the level of functional blocks (i.e., software and service components) and the data flows between them and to/from humans, other technical systems, compliance and other business processes and regulatory environments. Its goal is to provide the basis for an EnCoRe reference implementation that validates the approach and the technology. To that end this document's approach is to start with contextual information and overviews, and incrementally refine the level of detail."
©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.