Privacy & usage guidance

PersonSpec describes the shape of a person's professional voice and presence. The format is neutral; how it is used is not. This page sets out how to produce and consume PersonSpec documents responsibly.

The spec describes shape, not authorisation. A document conforming to PersonSpec is structurally valid; it is not, by virtue of conformance, ethically or legally permitted. Producers and consumers are responsible for the use they put it to.

Two kinds of document

Foundational

A PersonSpec document about a real person can come into existence in one of two ways, and they are very different artefacts even when the JSON looks identical.

Subject-authored

The person fills it in themselves, in a tool of their choosing, and exports the result. They have direct control over what is recorded. Consent is given by the act of authoring. The reference implementation for this case is whyso.me.

Inferred or observed

A third party derives the document from material the person has produced — public posts, recorded talks, published articles — without the person necessarily being involved in the production of the file itself. The same JSON shape, materially different epistemic and ethical status.

PersonSpec accommodates both, but treats them as different. The metadata.provenance block is the structural mechanism for distinguishing them.

How to declare provenance

Required

Every PersonSpec document not authored directly by its subject must include a metadata.provenance block. Subject-authored documents should include one for completeness. The block has four fields.

Field	Description
type	self-reported — the subject authored the document. inferred — derived from material the subject produced (writing, posts, talks). observed — derived from observable behaviour (engagement patterns, network signals). hybrid — a mix; document the dominant source.
consent	subject — the person themselves consented. guardian — an authorised representative consented, where applicable under jurisdiction-specific rules (parental consent for minors, lasting power of attorney for incapacitated subjects, executors of estates for deceased subjects). public-figure-doctrine — derived from material the subject made manifestly public. none-claimed — no claim of consent. A transparent admission, not an authorisation.
confidence	high, medium, or low — the producer's honest assessment of how reliably the document represents the subject. Self-reported documents are typically high; sparsely-inferred documents typically low.
inferredFrom	An array of source URLs used when type is `inferred` or `observed`. Recommended for inferred documents; required for transparent-by-design tools.

The honest test: if the subject of the document saw the provenance block, would they recognise it as a fair description of how the document came to exist? If yes, it is honestly declared. If no, the producer is misrepresenting their work.

If you are the subject of a PersonSpec document

Subjects

If someone has produced a PersonSpec document about you — whether you authored it yourself or it was inferred from your public material — there are a few things worth knowing.

Producers are expected to declare how the document was made. If a tool has produced a PersonSpec about you, it should carry a metadata.provenance block describing the type, consent basis, confidence, and source material. If it doesn't, that's a signal the producer hasn't followed the spec's guidance.
You have rights under UK and EU GDPR, including access to data held about you, correction of inaccurate data, deletion in many circumstances, and — for profiling activities — Article 22 transparency about how decisions are being made. ICO guidance for individuals is the place to start in the UK.
If a producer claims consent: "subject" for a document you did not author and did not consent to, that is the producer misrepresenting their work. The provenance field is meant to be honest. Escalate to the producer first; to the relevant regulator if not resolved.
If a producer claims public-figure-doctrine, they are asserting that your material was manifestly made public in a sense that authorises further processing. This has a narrower legal meaning than common usage suggests — a public LinkedIn does not automatically mean public-figure-doctrine applies. If in doubt, challenge it.
The PersonSpec schema does not authorise any specific use of a document. Producers and consumers are responsible for their own compliance with applicable law. A document conforming to the schema is not, by virtue of conformance, lawful.

If you don't recognise yourself in a document about you: the producer has either misjudged or misrepresented. Either way, you are entitled to ask for it to be corrected or removed. Provenance is the spec's mechanism for making the producer's claim visible — use it.

Guidance for producers

Authoring

Fill in provenance honestly

The provenance block is the single most important field for downstream trust. A document with type: "inferred" and consent: "none-claimed" is honest. A document that hides inference behind type: "self-reported" is structurally valid and fundamentally dishonest. The latter is worse than no provenance at all because it actively misleads consumers.

Be cautious with the inner-development scores

The why.innerDevelopment object captures Inner Development Goals self-assessment scores across five dimensions. These are essentially psychological self-assessment data. Inferring them from observation rather than self-report — a coach interpreting a leader's writing, an AI rating sentiment from posts — produces output that looks like the same data but is not. UK and EU producers should note that inferred psychological scoring potentially edges toward the territory of UK GDPR Article 9 special category data; consult ICO guidance if your tool produces these inferentially.

Respect the public-figure boundary

The public-figure-doctrine consent value is for cases where a subject has made material manifestly public — a chief executive's published interviews, an author's books, a politician's speeches. It is not a general permission to profile anyone with a public LinkedIn. The doctrine is narrower than common usage suggests, and producers in the UK and EU should consult Article 9.2.e of the UK GDPR before relying on it.

Provide opt-out for inferred documents

If your tool produces PersonSpec documents about people without their direct involvement, provide a way for those people to view, correct, or remove the document. This is not a PersonSpec requirement; it is a UK GDPR Article 22 transparency requirement and applies regardless of the format you use.

Guidance for consumers

Reading

Check provenance before trusting fields

A PersonSpec consumer should read the provenance block before treating the rest of the document as authoritative. type: "self-reported" with consent: "subject" is a high-confidence document. type: "inferred" with consent: "none-claimed" is a producer's best guess, not a record. Treat them differently.

Do not use inferred IDG scores for consequential decisions

Inferred Inner Development Goals scores should not feed hiring, promotion, partnership, or capital-allocation decisions. The IDG framework is designed for self-assessment as part of personal development; using inferred scores for decisions about a person is both methodologically unsound and a likely Article 22 violation in the UK and EU.

Surface provenance to users

If your tool consumes PersonSpec documents and presents the data to humans — recommendations, matches, summaries — surface the provenance alongside. Users making decisions on the basis of a PersonSpec deserve to know whether they are reading the subject's own words or a third party's inference.

Regulatory context

Reference

This page is informational and not legal advice. Producers and consumers in different jurisdictions face different obligations. A non-exhaustive list of what to consult:

UK GDPR Article 22 — automated decision-making and profiling. Imposes transparency requirements on profiling activities. ICO guidance.
UK GDPR Article 9 — special category data. The "manifestly made public" carve-out (Article 9.2.e) is narrower than commonly assumed.
UK Data Protection Act 2018 — domestic regime supplementing the UK GDPR.
EU GDPR — for producers serving EU subjects, the EU regime applies in parallel.
Platform terms of service — LinkedIn, X, and similar platforms have their own constraints on derivative use of public posts. These bind producers regardless of GDPR.
Sectoral regulation — financial services, healthcare, and education have additional rules on automated profiling that may apply.

If you are unsure: default to consent: "none-claimed" and confidence: "low", document your sources in inferredFrom, and provide a clear opt-out. Honest under-claiming is always preferable to over-claiming, both ethically and legally.

What this page does not do

Limits

This guidance is not a licence and not a compliance certification. PersonSpec is published under Creative Commons CC0 and imposes no usage restrictions on the format itself. A document can conform to the schema without conforming to this guidance; conversely, conforming to this guidance does not make a producer compliant with applicable law.

The purpose of this page is narrower: to make the spec's expectations visible, to give producers a clear model for honest disclosure, and to give consumers a clear model for appropriate caution. Whether any specific use is lawful is a question for the producer, the consumer, where applicable their regulators, and ultimately the courts.