...
Table 1: Transparency Performance Rating
The TPI Rating system is designed to measure the operational performance of the information. This rating is unique in that it allows for assurance levels that account for pre-assured and dynamically assured metrics.
+1 refers to a technical framework and PII Controller transparency prior to the initiation of a session, providing security-based trust assurances.
0 refers to a measure of dynamic transparency provided once a technical session starts (which is at the time of collection): in-context transparency over purpose and disclosures.
-1 provides for analogue legal expectations, represented by legal requirements not specific to a digital context.
-2 provides for low-quality provision.
-3 provides a metric for non-operable transparency and digital privacy.
Rating | TPI 1 - Timing (with respect to processing) | TP2 | TPI3 Accessibility (trans performance) | TPI4 - digital security |
---|---|---|---|---|
+1 (assured) | Before [Transparency of control/governance - Before, during or after processing] | +1 - credential is registered and present | Controller identity is presented prior to data collection - e | Security is required prior to collection (digital wallet based) |
0 (dynamic assurance) | Just in time | 0 credential is presented just in time (automated check and first time notice) | Embedded as a credential linked to authoritative registries. | is assured - e.g. certificate is specific to and matches controller and context |
-1 (analogue assurance - online) | During | controller information is accessible during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | not specific to controller - does not match jurisdiction |
-2 (not mandatory in flow) | Available | Controller information is linked | is linked not presented | does not match ou |
-3 (non-operative) | After | Controller information not present | Identity or credential is not accessible in context - e.g. two or more screens of view away, or privacy contact is mailing address and non-operative in context of data collection. | is not valid or secure provider |
TPI Instruction and Guidance
The TPI Rating system is designed to measure the operational performance of the information. For example, if only a mailing address is provided for a privacy contact on a website, this is considered non-operable according to the context. This means that privacy access and specific information are not retrievable in the context of data collection, demonstrating a non-performant form of data governance.
Rating - Instruction | TPI 1 - Timing (with respect to processing) | TP2 - Required Info Presentation | TPI3 Accessibility (trans performance) | TPI4 - Digital Security |
---|---|---|---|---|
+1 (assured) | PII Controller credential is displayed, using a standard format with machine-readable language and linked, for example, in an HTTP header in a browser | Controller is discoverable automatically prior to session (out of band) in a machine-readable format. Number of ways | Controller identity is presented prior to data collection | Security is required prior to collection (digital wallet based) |
0 (dynamic assurance) | PII Controller Identity or credential is provided in first notice | 0 credential is presented just in time (automated check and first time notice) | Embedded as a credential and dynamically available upon access (almost just in time) | is assured - e.g. certificate is specific to and matches controller and context |
-1 (analogue assurance - online) | The Controller Identity, or screen with the Controller Identity is one screen and click away. For example, the privacy policy link in the footer of a webpage | controller information is accessible (not presented) during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | not specific to controller - does not match jurisdiction |
-2 (not mandatory in flow) | Controller Credential information is linked during collection | is linked not presented | does not match ou | |
-3 (non-operative) | PII Controller Identity is not accessible enough to be considered ‘provided’ | Controller information not present | Identity or credential is not accessible in context - e.g. two or more screens of view away, or privacy contact is mailing address and non-operative in context of data collection. | is not valid, secure, or recognized provider. |
...