§17 — Biometric and Training Data Consent v1.5
Earlier RCAN protocol drafts defined a TRAINING_DATA message type with a confidence gate of 0.60 but no consent mechanism for biometric or personal data collection. Subsequent revisions add a mandatory consent gate aligned with GDPR Article 9 and EU AI Act Article 10.
When Training Consent Is Required
A training consent token MUST be obtained before collecting TRAINING_DATA (type 10) that involves:
- Biometric data — facial recognition, fingerprints, gait analysis
- Audio data — voice recordings with identifiable individuals
- Video data — recordings that can identify individuals
- Location data — precise location history linked to an individual
Environmental sensor data without identifiable individuals (e.g., lidar point clouds in empty corridors) does NOT require training consent.
Message Types
| Type | Integer | Direction |
|---|---|---|
| TRAINING_CONSENT_REQUEST | 28 | Robot → Subject (via owner notification) |
| TRAINING_CONSENT_GRANT | 29 | Subject → Robot |
| TRAINING_CONSENT_DENY | 30 | Subject → Robot |
TRAINING_CONSENT_REQUEST Payload
{
"request_id": "uuid-v4",
"robot_ruri": "rcan://rcan.dev/hospital/robot/v1/unit-003",
"subject_id": "patient-uuid-or-anonymous", // Who is being recorded
"data_categories": ["video", "audio"], // What data will be collected
"purpose": "Improve robot navigation in healthcare settings",
"duration_hours": 1,
"consent_type": "training_data",
"eu_ai_act_basis": "Article 10 — training data governance",
"data_controller": "Hospital Robotics Team",
"dpo_contact": "dpo@hospital.example"
}
TRAINING_CONSENT_GRANT Payload
{
"request_id": "uuid-v4",
"subject_id": "patient-uuid-or-anonymous",
"data_categories": ["video"], // Subject may grant subset of requested categories
"expires_at": 1741003600, // Consent expiry (Unix timestamp)
"consent_token": "eyJ...", // JWT token to attach to TRAINING_DATA messages
"revocable": true, // Subject can revoke at any time
"eu_ai_act_disclosure": true // Subject received EU AI Act disclosure
}
TRAINING_DATA Message — Consent Token
Every TRAINING_DATA message (type 10) involving personal data MUST carry a consent_token:
{
"id": "uuid-v4",
"type": 10,
"rcan_version": "1.5",
"payload": {
"data_type": "video",
"data_hash": "sha256:abc123",
"consent_token": "eyJ...", // REQUIRED for personal data
"data_categories": ["video"]
}
}
Receivers MUST reject TRAINING_DATA messages that:
- Are missing consent_token when data_categories contains personal data
- Carry an expired consent token
- Carry a consent token issued for a different subject or data category
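A receiver-side check for the rejection rules above, added here as an example; it is not code from the RCAN specification or any reference implementation. It also rejects tokens whose signature does not verify and treats data_type as a category so that an omitted data_categories field cannot skip the gate. Assumptions not fixed by this section: an HS256-signed token with claims `sub`, `exp` and `data_categories`, a shared verification key, and a receiver that knows the expected subject from the collection context.

```python
import base64, hashlib, hmac, json, time

PERSONAL = {"biometric", "audio", "video", "location"}  # categories defined in this section

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT for the demo (claim names are assumptions)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def check_training_data(msg: dict, subject_id: str, key: bytes, now=None):
    """Return None to accept a TRAINING_DATA message, or a rejection reason."""
    payload = msg.get("payload", {})
    # Include data_type so an empty data_categories list cannot bypass the gate.
    cats = (set(payload.get("data_categories", [])) | {payload.get("data_type")}) & PERSONAL
    if not cats:
        return None  # environmental data only: no consent token required
    token = payload.get("consent_token")
    if not token:
        return "missing consent_token"
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return "invalid consent_token"  # pin the algorithm, never trust the header
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "invalid consent_token"
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return "invalid consent_token"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return "expired consent_token"
    if claims.get("sub") != subject_id:
        return "consent_token issued for a different subject"
    if not cats <= set(claims.get("data_categories", [])):
        return "consent_token does not cover data category"
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values throughout
    tok = sign_token({"sub": "patient-1", "exp": 2000, "data_categories": ["video"]}, key)
    msg = {"type": 10, "payload": {"data_type": "video", "data_categories": ["video", "audio"], "consent_token": tok}}
    print(check_training_data(msg, "patient-1", key, now=1000))
```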
R2RAM Scope: "training"
The training scope is added to the R2RAM hierarchy between status and chat:
// R2RAM scope hierarchy (v1.5)
discover < status < training < chat < control < safety < creator
A principal with training scope can request training consent and collect training data. chat and higher scopes automatically include training.
Right to Erasure
Subjects MUST be able to query and delete their training data consent records:
// Query consent records for a subject
GET /api/training-data/consent/{subject_id}
// Response
{
"subject_id": "patient-uuid",
"consents": [
{
"request_id": "...",
"data_categories": ["video"],
"granted_at": 1741000000,
"expires_at": 1741003600,
"active": true
}
]
}
// Revoke consent and request erasure
DELETE /api/training-data/consent/{subject_id}
// Cascades to all robot training data records for this subject
Data Category Definitions
| Category | Examples | GDPR Classification |
|---|---|---|
| biometric | Face recognition, gait, fingerprint | Special category (Art. 9) |
| audio | Voice recordings, identified speech | Personal data (Art. 4) |
| video | Camera footage with identifiable persons | Personal data (Art. 4) |
| location | GPS tracks, indoor positioning linked to person | Personal data (Art. 4) |
Audit Trail Requirements
All training data collections MUST be logged with:
- Subject identity (or anonymous ID if truly anonymized)
- Data categories collected
- Consent token ID (links to the grant record)
- Collection timestamp and duration
- Robot RURI that performed the collection
This audit trail enables EU AI Act Article 17 compliance reporting.
See Also
- Consent Wire Protocol — base consent message format
- EU AI Act Compliance — TRANSPARENCY requirement
- MessageType 28/29/30 — training consent message types
- §20 Audit Export — compliance reporting