...
Four TPIs are specified here. They focus on the point of contact and on the transparency of publicly accessible digital services. This information is required to be public under nearly all security and privacy requirements; it can and should be self-asserted by organizations, together with the purpose of their services. The Notice Record can be used in surveillance signs, security notices and privacy notifications, and to measure the performance of these. The goal is to provide transparency as a (new) measure of identity security and privacy assurance.
...
This TPI captures when the Controller's legal entity digital identifiers and accountable Privacy Officer provide notice: before, just in time, at the time of, or after personal data is captured. It records whether dynamic transparency is systematically provided before data is captured and processed, or not, and when. It provides a way for an individual to assess whether they can trust a service.
...
TPI 2 - Measures Required Data Elements
This TPI captures the data elements required for all data processing (except where a legal derogation [3] provides otherwise) in every privacy instrument. In all cases, a notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information must be provided.
Notice of who is processing your data is required under every legal justification for processing personal data in privacy law, and is also a fundamental security requirement: it identifies the legal entity (in some cases including all beneficial owners) and the accountable person(s).
TPI 3 - Measure of Transparency Accessibility
This TPI measures the performance of transparency accessibility by capturing the availability of the information required in TPI 2. For example, is the information presented in a pop-up notice, or is the user required to click a link, e.g. to a standard transparency/privacy policy (where it is known that only 3% of users follow secondary links)? Is it on the first screen, at the bottom of a multi-screen display, or at the top of the first screen with links not highlighted?
TPI 4 - Measures Security Information Integrity
This TPI captures the SSL/TLS (Secure Socket Layer/Transport Layer Security, e.g. TLS 1.3) certificate or security keys (e.g. JOSE) to compare their metadata against the information required in TPI 2. This is very much along the lines of Certificate Transparency, but looks specifically at whether the policies cover the Notice: e.g. do the SSL certificate Organization Unit and Jurisdiction fields match the captured legal entity information, and how do the policy and jurisdiction relate to other beneficial entities? Importantly, does this align with the policy expectations of the person?
TPI Metrics
...
2. TPI measuring the contents of the notification for the required PII Controller digital attributes that correspond to the physical brick-and-mortar attributes specified in privacy, security, safety and surveillance legislation. This is the Controller identity and entity information and the access point.
3. TPI for how accessible the transparency is (transparency of digital transparency) and the accessibility of the notice for use.
...
This security performance indicator requires that the session security layer certificate or key information be collected and then compared against the information in the Notice Record, to validate the integrity of the security necessary for digital privacy.
This checks whether the PII Controller identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Socket Layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and the corresponding jurisdictional information (a ZPN)? This provides the digital security for privacy measure required to implement international governance, measured for governance accountability and interoperability with legal adequacy for eConsent (electronic or digital consent).
Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI also measures the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller's digital integrity.
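The following is an added Python example, not the specification's own tooling, showing how TPI 2, TPI 3 and TPI 4 could be scored from a Notice Record and the subject of the server's certificate, as described for TPI 4 above and in this metrics section. It assumes a constructed Notice Record using the field names of the table below, one plausible mapping of notice location to the TPI 3 ratings (+1, 0, -1, -3), and compares the certificate's O and C subject attributes (where publicly trusted certificates carry the legal entity name and country) as stand-ins for the Organization Unit and Jurisdiction fields named above.

```python
import re

# Constructed Notice Record using the field names of the metrics table in this
# document (the keys are this example's own; the spec's schema is in Appendix A).
NOTICE_RECORD = {
    "notice_location": "pop-up",
    "controller_name": "Example Data Co.",
    "controller_address": "10 Front St, Toronto, ON, CA",
    "contact_point": "https://example-data.example/privacy",
    "contact_method": "privacy@example-data.example",
    "controller_country": "CA",  # assumed extra field used for the jurisdiction check
}

# Constructed certificate subject (RFC 4514 string) as a client would read it
# from the server's leaf certificate during the TLS handshake.
CERT_SUBJECT = "CN=www.example-data.example,O=Example Data Co.,L=Toronto,ST=Ontario,C=CA"

REQUIRED = ("notice_location", "controller_name", "controller_address",
            "contact_point", "contact_method")
# Assumed mapping of where the notice was found to the TPI 3 accessibility rating.
TPI3_RATING = {"pop-up": 1, "first-screen": 0, "link": -1}

def parse_dn(dn):
    """Split an RFC 4514 DN on unescaped commas into {ATTR: value}."""
    pairs = (p.partition("=") for p in re.split(r"(?<!\\),", dn))
    return {k.strip().upper(): v.replace("\\,", ",").strip() for k, _, v in pairs}

def norm(s):
    """Case- and punctuation-insensitive comparison key for organisation names."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def tpi2_missing(record):
    """TPI 2: list the MUST fields of the Notice Record that are absent."""
    return [f for f in REQUIRED if not record.get(f)]

def tpi3_rating(record):
    """TPI 3: rate how accessible the notice was; unknown or absent scores -3."""
    return TPI3_RATING.get(record.get("notice_location"), -3)

def tpi4_integrity(record, cert_subject):
    """TPI 4: compare certificate subject fields with the Notice Record.
    Returns 'No Security Detected', 'Match' or 'Not match' as in the table."""
    if not cert_subject:
        return "No Security Detected"
    subj = parse_dn(cert_subject)
    name_ok = norm(subj.get("O", "")) == norm(record["controller_name"])
    juris_ok = subj.get("C", "").upper() == record["controller_country"].upper()
    return "Match" if name_ok and juris_ok else "Not match"
```

A real client would obtain the subject from the negotiated TLS session (and, in the spirit of Certificate Transparency, could also check the certificate against public logs) rather than from a string constant.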
...
Field Name | Field Description | Requirement | TPI 1 | TPI 2 (Not Available) | TPI 3 (Rate: +1, 0, -1, -3) | TPI 4 |
---|---|---|---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | Present | +1 | found | |
PII Controller Name | Name of presented organization | MUST | Present | 0 | Match | |
PII Controller Address | Physical organization address | MUST | Present | 0 | Not match | |
Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match | |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match | |
Session key or Certificate | A certificate for monitored practice | MUST | Present (or Not-found) | 1 (or -3) | Present (or No Security Detected) | |
Summary
In summary, Transparency Performance Indicators (TPIs) are specified here for people to use depending on context, location, security, and other out-of-session elements. TPIs are an indicator used to determine, with one's own sovereign reasoning, whether a service session is trustworthy, not an external framing, opinion or forced default.
These TPIs use open standards with an open license, but unlike the consent record, they are specified so that people can use and create records they own and keep across, and independently of, service providers.
TPI 1 is a measure of trust, so that when asked “Do you trust a service?” you know who is processing your data before, during or after accepting the service. Overwhelmingly, people indicate that trust would be higher if they were notified prior to data capture, which only makes sense.
TPI 2 indicates whether the legally required information is present, and is then used as a generally available, standardized, and open metric for compliance.
TPI 3 is an indicator of how accessible and inclusive digital transparency is.
TPI 4 validates for the individual whether the security “adds up” for them, and in doing so addresses a critical security gap that is widely overlooked today.
Roadmap
References
Appendix A: Notice Record Schema
...