...

As a result, people do not have the insight needed to exercise their data rights and controls, access controls and use rights, or to own records of their digital identity relationships, in a meaningful or operational manner.

Why Transparency Performance Indicators?

...

TPI’s capture the corresponding digital representations of the physical / human requirements for digital transparency and, where required, for digital consent.

The 4 indicators specified provide a record that can then be used to anchor (ANCR) the digital identity relationship with the organization, as a basis for higher levels of digital transparency assurance. [2]

What should you expect to find in this document?

...

Required for all data processing (except where a derogation is explicitly legally regulated otherwise [3]), in every privacy instrument, is a Notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information.

...

Capture the SSL certificate or security key and compare its meta-data against the required information in TPI 2. For example, do the SSL certificate’s Organization Unit and Jurisdiction fields match the captured legal entity information?

TPI

...

Metrics

move for intro text

TPI’s are generated in sequence and captured in sequence:

1. TPI measuring the point when the individual is notified versus when personal information / digital identifiers are collected and processed, capturing the timing of notice presentation (1) in relation to first data capture;

2. TPI measuring the contents of the notification (2), the accessibility of the notice for use (3), and the digital trust/security of the notice (4), all of which are

Transparency Performance Indicators

There are 4 TPI’s that are used to assess public service data at assurance level 0 (self-asserted) of the 4 privacy assurance levels identified in the ANCR Framework. (ref)

These 4 indicators are bundled together as an analogue assessment type that people can perform quickly to understand the transparency state, and that can then be used to measure how dynamic the performance of transparency is, for higher interoperability assurance levels.

...

TPI for when Notice is Provided vs when data is collected

...

TPI for transparency over required PII Controller digital identity and privacy access contact point

For required PII Controller digital attributes that correspond to the physical brick-and-mortar attributes specified in privacy, security, safety and surveillance legislation: Controller identity and entity information, and the access point.

3. TPI for how accessible the transparency is (transparency of digital transparency)

...

TPI for digital privacy security verification


The first TPI is to capture if a PII Principal is notified before data is collected, the 2nd and 3rd TPI performance indicators measure the transparency of the ‘provided’ PII Controller Identity information.

This is required to measure how accessible the PII Controller Identity and privacy information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital identifier-based processing activities, used to develop data profiles. An ANCR Record of data processing activity in this way provides evidence to demonstrate security and privacy compliance.

Once the capacity for the active state of digital privacy is ascertained, the fourth performance indicator is used to verify the cybersecurity certificate (or token key) to see if the security matches digital privacy information.

...

accessibility of the notice access for use

4. TPI validating the cybersecurity information versus the digital transparency information, capturing the SSL certificate or keys and its associated meta-data.

Combined, these TPI’s provide an overall Indication of the operational state of digital privacy.

TPI Methodologies

Timing of Notice vs Data Collection Transparency

TPI 1 requires monitoring the technical end point to see when PII is captured in relation to when a notice is provided. This measures the notice’s regulatory performance against legal and human usability requirements.

...

PII Controller

...

Digital Attribute Transparency

Assess if the required information for transparency over who is in control of notice is ‘provided’

The MUST fields identify elements that are required by legislation and MUST be present.

...

Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult is it to access the ‘provided’ information? How many clicks, or screens, away is the required information?

...

Example — Accessibility Measurement Rating

This transparency accessibility rating score of [+1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within the mobile application or webpage providing the client user interface.

...

Security Validation Certificate (and/or Key) Security Transparency

This security performance indicator requires that the session security layer certificate or key information be collected and then compared against the information in the notice record, to validate the integrity of the security for digital privacy and to check whether the PII Controller Identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and the corresponding jurisdictional information (a ZPN-required digital security for privacy measure to implement international governance interoperability with legal adequacy with eConsent)?

Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit, to corroborate and validate the PII Controller’s digital integrity.

Table 1: Transparency Performance Rating

| Rating | Description | Instruction |
|---|---|---|
| +1 | Controller identity is embedded as a credential linked to authoritative registries. | PII Controller credential is displayed in a standard, machine-readable format and linked, for example in an HTTP header in a browser. |
| 0 | PII Controller Identity is prominently displayed on first view, prior to processing (the first page viewed); the assessment question would be | PII Controller Identity or credential is provided in the first notice. |
| -1 | Privacy signal is not presented first, but is linked one click and one screen away. | The Controller Identity, or the screen with the Controller Identity, is one screen and click away; for example, the privacy policy link in the footer of a webpage. |
| -3 | Identity or credential is two or more screens away. | PII Controller Identity is not accessible enough to be considered ‘provided’. |

...


...

...

Table 2: Transparency Performance Indicator Record Rating Example

| Field Name | Field Description | Requirement (Must / Shall / May) | TPI 1 | TPI 2: Available / Not Available | TPI 3: Rate (+1, 0, -1, -3) | TPI 4: Certificate or Key (CN match, OU match, Jurisdiction match (optional)) |
|---|---|---|---|---|---|---|
| Notice Location | Location the notice was read/observed | MUST | | Present | +1 | Found |
| PII Controller Name | Name of presented organization | MUST | | Present | 0 | Match |
| PII Controller Address | Physical organization address | MUST | | Present | 0 | No match |
| Privacy Contact Point | Location/address of contact point | MUST | | Present | +1 | No match |
| Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | | Present | -1 | No match |
| Session key or Certificate | A certificate for monitored practice | MUST | | Present (or Not found) | +1 (or -3) | Present (or No Security Detected) |
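As an added example (not part of the ANCR draft or its tooling), the following Python assembles a Table 2 style record for one notice: it assigns the Table 1 accessibility rating from a click count (TPI 3) and compares a captured certificate subject against the notice record field by field (TPI 4), reporting "No Security Detected" when no certificate was captured. The mapping of notice fields to subject attributes (CN, O, OU, ST), the sample notice and the subject string are assumptions constructed for this example.

```python
from urllib.parse import urlparse

def accessibility_rating(clicks, machine_readable_credential=False):
    """Table 1: rating from the clicks/screens needed to reach the Controller Identity."""
    if machine_readable_credential:       # credential linked to a registry, e.g. an HTTP header
        return 1
    return 0 if clicks == 0 else (-1 if clicks == 1 else -3)

def parse_subject(subject):
    """Parse an 'openssl x509 -subject' style 'CN=x, O=y, OU=z' string into a dict (no escapes)."""
    pairs = (part.split("=", 1) for part in subject.split(",") if "=" in part)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def _same(a, b):
    return bool(a and b) and " ".join(a.casefold().split()) == " ".join(b.casefold().split())
# Assumed mapping of notice-record fields to certificate subject attributes (not from the draft).
FIELD_TO_ATTR = {
    "Notice Location": "CN",           # host name the notice was read on
    "PII Controller Name": "O",
    "PII Controller Address": "ST",    # jurisdiction; optional in the draft
    "Privacy Contact Point": "OU",
}

def tpi4_matches(subject, notice):
    """TPI 4: Match / No Match per field; 'No Security Detected' everywhere if no certificate."""
    if not subject:
        return {field: "No Security Detected" for field in FIELD_TO_ATTR}
    attrs, result = parse_subject(subject), {}
    for field, attr in FIELD_TO_ATTR.items():
        have, want = attrs.get(attr), notice.get(field)
        if field == "Notice Location" and want:
            want = urlparse(want).hostname
        if field == "PII Controller Address":  # jurisdiction: province/state named in the address
            ok = bool(have and want) and have.casefold() in want.casefold()
        else:
            ok = _same(have, want)
        result[field] = "Match" if ok else "No Match"
    return result

def tpi_record(notice, clicks, subject):
    """Table 2 style record: availability (TPI 2), rating (TPI 3), certificate check (TPI 4)."""
    rating, matches = accessibility_rating(clicks), tpi4_matches(subject, notice)
    return {f: {"available": "Present" if notice.get(f) else "Not Available",
                "rating": rating, "certificate": matches[f]} for f in FIELD_TO_ATTR}

# Constructed sample: notice one click away; certificate CN/O/OU match, but ST names another province.
SAMPLE_NOTICE = {"Notice Location": "https://www.example-controller.test/privacy",
                 "PII Controller Name": "Example Controller Ltd", "Privacy Contact Point": "Privacy Office",
                 "PII Controller Address": "Toronto, Ontario, CA"}
SAMPLE_SUBJECT = "CN=www.example-controller.test, O=Example Controller Ltd, OU=Privacy Office, ST=Quebec, C=CA"
```

Calling `tpi_record(SAMPLE_NOTICE, 1, SAMPLE_SUBJECT)` yields a -1 rating for every field and a "No Match" only on the address, the jurisdiction mismatch the draft's TPI 4 is meant to surface.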

...