CR v1.2 Framework

the receipt is further defined and fields and broken down for use by privacy framework for conformance assessment, which is based on the lifecycle of a specific notice for processing personal data and a specified consent grant for digital identity management system. 

• Core Flow -→ PII Principal generates an Anchor Record for Receipt Generation 

• Conformance assessment for 27560 for the PII Principal: 
  - use of receipt as evidence for user
  - use of receipts as proof of awareness for identity management system
  - use of receipt to see the state of privacy / consent lifecycle - so that people can automatically see what to expect without reading a privacy policy or terms - with access directly to digital use of privacy rights .

• Consent Grants -  Scope protocol for Identity management system permissioning 
  - Consent Grant (human scope) - Identity Management = technoal permission and access controls

Updated Updating from v1.1 -  CISWG - represented by submission to ISO 27560

• delegation 
• jurisdictions 
• personal data categories
• consent record structions 
  • purpose finger print 
  • purpose 

V1.2 : Consent Receipt Conformance Framework

...

• Privacy as Expected - Signalling Conformance Protocol
  • comparing two receipts - generated by the human user agent - provide independent transparency over the state of control of personal data 
    • people can control their own data - so that it doesn't need protection 
  • using DPV for notice and notifications 
  • human interaction with notice creates records and receipts 
• IP Contribution
  • From NGI-Trust PasE:CG Project
    • applies conformance criteria to consent record structure  
• HLT Field Requirements to Required Notice of Control & Accountability Record Fields - the capture of the identity of the controller, and the physical context of the notice for processing provided by the controller

...

• comparing 2 receipts to see active state provide and active state fore more dynamic controls in identity management systems 
• part of the NGI funded project condition was on the contribution of the protocol to the ANCR WG which would then be reflected in comments to ISO 27560
• Description for this contribution 
  • PaE includes a stack of semantic standards 
    • 29100 is open - 
    • CR v1.1 written with 29184 
    • PaE protocol includes these control sets and through its contribution opens this work in application
  •  Dynamic Protocol for the control of personal data 
  • standardized the presentation of rights 

...

• Legal Justification and what privacy rights apply for each
• Purpose Specified with data privacy control vocabulary 
• record format specified with ISO 29100 
• notice controls and record specification format ISO 29184 

...

• 2FC 
  • First Factor - Generated standards 
  • Second Factor (link) - existing Factor - the sign or notice or notification form the provider

Semantic Standards Stack for Human Centric -  user centric - control semantics

...

• stakeholders - 

...

• requirements against privacy by design and default. 
• 27550 - Privacy Engineering - C.4 - and C.5 - \

...

• Core Record - or Credential Record for a legal entity
• Receipt of. notice of credential record 
• core record id - linked reference id - PII Controller Credential
• Consent Receipt generated for each purpose specification and linked to anchor record
  • each purpose is specifies by legal justification
  • each purpose specification uses the DPV

...

• PII Principal controls the ANCR Record
• 3rd Party N&C Processor - Network Facilitator 
• Consent Grant Validation 
  • Status of the PII Controller 
  • Status of the Consent 
  • Scope of Consent Grant Permissions 
  • Privacy Framework Governance 
    • required notice, timing, formats, parties according to Privacy Law

...

Intro - Implements PasE Protocol with 2FC

V1.2.1 :  ANCR Record Conformance

• First Factor Notice for PII Principal 
• Fields for DS location require a verifier
  •  verifying (or synthetic) attribute 
  • a specified legal jurisdiction 
  • quality of notice of control receipt 
  • quality of service purpose specification receipt
• PII Controller
  • notice location
  • legal jurisdiction
  • governing framework - e.g. t&c's? 

V1.2.2 : Consent (Notice) Receipt:27560

• Extend with Legal justification to specify purpose for a service 
  1. Specifying the Legal Justification for data processing in a notification 
  2. Specifying Data Categories
  3. Specifying Data Treatment   
  4. Specifying Security 

V 1.2.3 : Rights Access & Automation 

• rights with ANCR Record
  • universal context right
    • right to information about privacy and security 
      • right to see contoller and purpose(s)
      • legal requirement for presenting risk 

V 1.2.4 : Consent Validation - The Life cycle of a consent 

• Active State of Consent Validation 
  • identity governance controls and scope
• Consent Grant for Identity Protocol Governance 
  • Scope of a Consent Grant Represented in the User Managed Access Protocol 
    • use of consent gateway for consent grant validation

• Protocol Scope Use Cases

  • UMA

  • SAML / eIDAS

  • FAPI
  • GNAP

V 1..2.5 : 

1. Privacy as Expected - Part 3:  Consent by Design - operational conformance - standardizing  signalling - UI interaction point conformance - proof of notice and transparency/accountability assurance 
   1. 29184 notice controls and consent structure 

V 1.2.6 Data Governance Interoperability 

• Privacy Framework for Gov interop for Security/Surveillance, Evidence and Policing
• Re-Issuing Identity Credentials with a native and local identity service - rather than exporting a federation into foreign governance models (e.g. Contracts / T&C's) 

1. Transparency Assurance

V 1.2.6 Topics Raised to be Reviewed / Refined and Addressed in Roadmap to V2

• Delegation
• Jurisdiction (physical location proof) 
• Consent Types Defined in v1.2
  • explicit
  • implied
  • directed
  • altruistic

WKD ISSUES

The CR v1,1 as published known challenges have been addressed and are specified here in the v1.2 update.  

• See V1.1 Update https://kantarainitiative.org/confluence/x/VYSVC
  • V1.1 (2017) addressed with GDPR and then adopted to ISO 
  • V1.1 completed with comments to ISO 
    • delegation 
    • Jurisdiction 
    • PII categories 

CR v1.2  Format Structure and fields

...

1. Consent Notice Receipts 

1. Anchor receipt