15. Privacy Considerations

The protocol’s audit-grade accountability creates a tension with privacy: the same machinery that makes Workforces accountable also produces detailed records of their work, which may include personal data of customers, employees, counterparties, or third parties.

15.1 Data Minimisation

Capability Providers SHOULD minimise personal data in invocation payloads where feasible. Where a Capability’s purpose requires personal data (e.g. a customer-outreach Capability), the Provider SHOULD return references rather than full payloads where the runtime supports reference resolution.

15.2 Right of Erasure

Some jurisdictions confer a right of erasure on data subjects. The protocol’s append-only Audit Envelope is incompatible with the literal deletion of historical records. Implementations operating in such jurisdictions SHOULD:

  • Maintain Envelopes in a key-encrypted form such that key destruction effects the practical erasure of the contained data while preserving the integrity of the surrounding chain.
  • Document the erasure approach as part of the Compliance Profile attached to relevant Functions.

The protocol does not prescribe a specific erasure implementation; it observes only that erasure is a profile-level concern, not a core-protocol concern.
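As an added illustration of the key-encrypted Envelope approach described above (example code written for this page, not part of the protocol or any implementation of it), the chain below hashes each Envelope's ciphertext rather than its plaintext, so destroying an Envelope's key erases its payload while the surrounding chain still verifies. The cipher is a stdlib-only HMAC construction standing in for a real AEAD, and the per-envelope key store kept apart from the chain is an assumed key-management model.

```python
import hashlib, hmac, os

# Stdlib-only authenticated encryption (HMAC-SHA256 CTR keystream plus HMAC tag),
# a stand-in for AES-GCM so the example runs without third-party packages.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope payload tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AuditChain:
    # Append-only hash chain whose links commit to ciphertext, never to plaintext.
    GENESIS = b"\x00" * 32

    def __init__(self) -> None:
        self.envelopes = []  # append-only; each link is {"prev", "ct", "hash"}
        self.keys = {}       # per-envelope keys, held in a separate key store (assumed)

    def append(self, payload: bytes) -> int:
        key = os.urandom(32)  # one fresh key per envelope
        ct = encrypt(key, payload)
        prev = self.envelopes[-1]["hash"] if self.envelopes else self.GENESIS
        self.envelopes.append({"prev": prev, "ct": ct, "hash": hashlib.sha256(prev + ct).digest()})
        self.keys[len(self.envelopes) - 1] = key
        return len(self.envelopes) - 1

    def erase(self, idx: int) -> None:
        del self.keys[idx]  # key destruction: ciphertext stays in the chain, plaintext is gone

    def read(self, idx: int):
        key = self.keys.get(idx)
        return None if key is None else decrypt(key, self.envelopes[idx]["ct"])

    def verify(self) -> bool:
        # Every link must name the previous hash and re-hash to its own stored hash.
        prevs = [self.GENESIS] + [e["hash"] for e in self.envelopes[:-1]]
        return all(e["prev"] == p and hashlib.sha256(p + e["ct"]).digest() == e["hash"]
                   for p, e in zip(prevs, self.envelopes))
```

After `erase`, `read` returns `None` for the erased Envelope while `verify` still succeeds, which is the property the Compliance Profile would document; any byte change to a stored ciphertext breaks verification.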

15.3 Cross-Jurisdiction Data Flow

Where a Workforce’s Workers, Capability Providers, or storage are distributed across jurisdictions, each transit and each storage location is subject to the laws of its jurisdiction. The protocol does not prescribe a data-residency policy. Compliance Profiles are the appropriate vehicle for data-residency constraints; profile authors SHOULD specify Provider whitelists, transit constraints, and storage locality requirements where applicable.

15.4 Aggregation Risk

Even where individual Audit Envelope payloads are minimal, aggregation across Envelopes can create privacy concerns. Implementations MUST gate aggregation queries by authority — only Roles with explicit authority to aggregate may do so — and SHOULD log aggregation queries themselves as part of the runtime’s operational audit log.