Versions Compared


...

...

ANCR: Digital Transparency Performance Conformance & Compliance Scheme 1: Parts 1 and 2

Conformity & Compliance Assessment v0.9.1.1

ANCR refers to an Anchored Notice & Consent Receipt, which is a record of a PII processing or PII generating activity.

Editors:

Mark Lizar, WG Editor

Contributors:

Sal D’Agostino, ANCR WG Chair

Reviewers:

Gigi Agassini, ANCR WG Secretary

...

This specification relies on (open access to) ISO/IEC 29100, the security techniques privacy framework, to generate a notice receipt, which is stored in an ANCR consent record format for conformity assessment as specified in the Kantara Initiative Consent Receipt v1.1.3.

Conditions for use

License Condition: This specification is solely used for assessing conformance to the Transparency Code of Conduct (Appendix C), for implementing the Council of Europe Convention 108+ Chapter III, Rights of the Data Subject, Section 1, Transparency and modalities, Article 14, paragraphs 1 to 8. This Transparency Code of Conduct is internationally representative of the legal and social requirements for notice and consent. Today these requirements are represented in the forms of privacy policy links, physical signage, digital cookies, and security or privacy notices, found when accessing public and digital service spaces in all domains and jurisdictions. These are to be referenced as practices which MUST implement, or support the implementation of, this Transparency Code of Conduct for transparency modalities.

...

For people, consent by default requires assurance of how personal data is being processed, delivered as transparency that is meaningful and operational. Standard, operational transparency, enabled by standardized schema and record formats (Notice Receipts), lets people keep, own and control records of their personal information (and of private AI); this is what makes consent meaningful by default. To create and scale trust in digital contexts, a Digital Transparency Code of Conduct is introduced to simplify and clarify the requirements and use of the CoE 108+ Chapter 1 Transparency Modalities, which are mirrored in GDPR Article 12, ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’.

Scheme Applicability

  1. All data processing must have a record of notified processing activity in order to be digitally transparent, unless a legal derogation requires otherwise. In that case, the processing must be transparent to the appropriate regulatory authority, according to the context of processing.

  2. This applies to all services and every stakeholder: PII Controller, PII Processor, PII Principal, the PII co-regulating authority and their delegates.

  3. All processing with consent requires a record of the privacy notice and privacy policy link, referred to in this document as a Notice Receipt, also known as the ANCR record of consent, and referred to as a consent record in ISO/IEC 27560, Consent record information structure.

  4. Records and receipts are provided as specified in Convention 108+, Art 31 Record of Processing Activity (RoPA). The consent receipt is effectively a digital twin: a mirrored notice and consent record that is also held by the individual. This record can then effectively become the authoritative consent record.

  5. A Notice Receipt can be created by any stakeholder to identify a PII Controller.

  6. An Anchored Notice and Consent Receipt can be used as a record of consent, for example to exercise data subjects' rights, and/or to test and assess the operational performance of PII Controllers’ digital privacy in digital contexts.

Part 1 of the scheme introduces 4 Transparency Performance Indicators (TPIs), which are used to measure and rate the conformance of transparency. In Part 2 of the scheme (Appendix A), a transparency information request is sent to the controller to a) test the controller information and b) measure how compliant the performance of digital transparency is with both legal expectations and the personal privacy expectations of the PII Principal.

Terms & Definitions

Normative to Council of Europe, Convention 108+

The normative language for the TPI Scheme is defined by Convention 108+, the Council of Europe privacy convention which the GDPR (General Data Protection Regulation) mirrors. It was originally convened to establish a set of principles and rules to effectively safeguard personal data and facilitate cross-border data flows.

...

TPI 4 validates, for the individual, whether security “matches the controller jurisdiction”, addressing a critical cross-border security challenge that is widely overlooked today.


TPI Compliance Assessment Scheme Part 2

Operational Transparency Assessment

TPI – Operational Transparency Performance assurance test

...

  1. Transparency is required to be available in context, at the time when PII is obtained (found in the Transparency Statement or Privacy Policy) [note]

    1. Period of time data is stored

    2. Existence of rights/controls to access and rectify

    3. Existence of the right to manage consent

    4. Existence of the right to lodge a complaint with a DPA

    5. Whether processing is based on a statutory or contractual requirement, or is necessary for entering into a contract; whether the PII Principal is obliged to provide the PII; and the consequences of failure to provide this data

      1. Note (added by Editor): and who controls access to the authoritative version of the data processed.

    6. Existence of

      1. AI, or any automated decision-making technology

      2. digital identity management surveillance technologies

      3. any profiles generated

      4. meaningful information about the logic involved [Note]

        1. its significance

        2. expected consequences for the data subject

TPI Assessment Guidance

The TPI Rating system is designed to measure the operational performance of the information. For example, if only a mailing address is provided as the privacy contact on a website, this is considered non-operable in that context: privacy access and specific information are not retrievable in the context of data collection, demonstrating a non-performant form of data governance.

Conformity Assessment: utilizing the ISO/IEC 29100 security framework for generating interoperable records and receipts of data processing activity, according to transparency in context.

TPIs are captured in sequence

1. TPI 1 measures the point at which the individual is notified versus when personal information/digital identifiers are collected and processed, capturing the timing of notice presentation in relation to the first data capture.

...

Combined, these TPIs provide an overall indication of the operational state of digital privacy.

TPI – Scheme 1, Part 1(S1-P1) metric logic

Rating - Instruction. Columns: TPI 1 - Timing (with respect to processing); TPI 2 - Required Info Presentation; TPI 3 - Accessibility (transparency performance); TPI 4 - Digital Security.

+1 (assured)

  TPI 1: PII Controller credential is displayed, using a standard format with machine-readable language and linked, for example, in an HTTP header in a browser.

  TPI 2: The Controller is discoverable automatically prior to the session (out of band) in a machine-readable format. Ways this can be done:
    1. a Controller Identity Trust registry
    2. a client-side record of processing (via a wallet or browser)

  TPI 3: Controller identity is presented prior to data collection.

  TPI 4: Security is required prior to collection (digital wallet based).

0 (dynamic assurance)

  TPI 1: PII Controller Identity or credential is provided in the first notice.

  TPI 2: Credential is presented just in time (automated check and first-time notice).

  TPI 3: Embedded as a credential and dynamically available upon access (almost just in time).

  TPI 4: Security is assured, e.g., the certificate is specific to and matches the controller and context.

-1 (analogue assurance - online)

  TPI 1: The Controller Identity, or the screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage.

  TPI 2: Controller information is accessible (not presented) during collection.

  TPI 3: PII Controller Identity prominently displayed on first view, prior to processing the first page of viewing; the assessment question would be

  TPI 4: Not specific to the controller; does not match the jurisdiction.

-2 (not mandatory in flow)

  TPI 2: Controller Credential information is linked during collection.

  TPI 3: Is linked, not presented.

  TPI 4: Does not match ou

-3 (non-operative)

  TPI 1: PII Controller Identity is not accessible enough to be considered ‘provided’.

  TPI 2: Controller information is not present.

  TPI 3: Identity or credential is not accessible in context, e.g., two or more screens of view away, or the privacy contact is a mailing address and non-operative in the context of data collection.

  TPI 4: It is not a valid, secure, or recognized provider. Not security operational (proving non-reciprocal security assurance).

1.2 Table 2: ANCR Record Schema Example

In this appendix, here is a notice record template to fill out when recording a rating, along with a rating template and an analysis results format.

...

Columns: FIELD NAME; FIELD DESCRIPTION; REQUIREMENT (MUST, SHALL, MAY); FIELD DATA EXAMPLE.

Notice Location
  Description: Location the notice was read/observed
  Requirement: MUST
  Example: Walmart.com | Save Money. Live Better

PII Controller Name
  Description: Name of the presented business
  Requirement: MUST
  Example: Walmart

Controller Address
  Description: The physical address of the controller and/or accountable person
  Requirement: MUST
  Example: 1940 Argentina Road Mississauga, Ontario L5N 1P9

PII Controller Contact Type
  Description: Contact method for correspondence with the PII Controller
  Requirement: MUST
  Example: Email, phone

PII Controller Correspondence Contact
  Description: General contact point
  Requirement: SHALL
  Example: Privacy@org.com

Privacy Contact Type
  Description: The contact method provided for access to the privacy contact
  Requirement: MUST
  Example: email

Privacy Contact Point
  Description: Location/address of the contact point
  Requirement: MUST
  Example: Org.com/privacy.html

Session Certificate
  Description: A certificate for the monitored practice
  Requirement: MAY (optional)
  Example: TLS (SSL) certificate security and transparency
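The S1-P1 metric logic above and the Table 2 record can be exercised together in a script. The following is an added example written for this page by the editor, not code from the ANCR working group or the specification: it checks a record for the MUST/SHALL fields of Table 2, then rates one observed session against TPI 1 to TPI 4. The Observation structure, the snake_case field names, the extra controller_country field, the sample record and the exact conditions that map an observation onto the +1 .. -3 rows are assumptions made for the example; TPI 4 additionally applies a hostname match between the notice location and the certificate's subject alternative names, which the table implies ("specific to and matches controller") but does not spell out.

```python
# Added example (editor's code, not from the ANCR specification): rate an observed notice with the
# S1-P1 metric logic and check the Table 2 record. Field names, Observation and the row mapping are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Table 2 fields marked MUST or SHALL (snake_cased; assumed names).
MANDATORY = ("notice_location", "controller_name", "controller_address", "controller_contact_type",
             "correspondence_contact", "privacy_contact_type", "privacy_contact_point")

@dataclass
class NoticeRecord:
    notice_location: str                 # URL where the notice was read/observed
    controller_name: str
    controller_address: str
    controller_contact_type: str
    correspondence_contact: str
    privacy_contact_type: str            # "email", "phone", "postal", ...
    privacy_contact_point: str
    controller_country: str              # ISO 3166-1 alpha-2 from the address (assumed field)
    session_certificate: Optional[dict] = None  # TLS leaf cert summary: country, sans, validity

@dataclass
class Observation:                       # what the assessor saw in one browser session
    first_capture_at: datetime           # first cookie or identifier set by the site
    notice_at: Optional[datetime]        # when the controller identity was shown; None = never
    credential_header: bool              # machine-readable controller credential in the response
    registry_listed: bool                # controller discoverable out of band (trust registry)
    clicks_to_identity: int              # 0 = on the collection screen, 1 = one click, 2+ = buried

def missing_mandatory(rec: NoticeRecord) -> list:
    return [f for f in MANDATORY if not getattr(rec, f).strip()]

def rate_timing(o: Observation) -> int:
    """TPI 1: controller identity shown before (+1/0) or only after (-1) the first capture."""
    if o.notice_at is None or o.clicks_to_identity >= 2:
        return -3                        # not accessible enough to count as 'provided'
    if o.notice_at <= o.first_capture_at:
        return 1 if o.credential_header else 0
    return -1                            # e.g. a footer privacy-policy link found after capture

def rate_presentation(o: Observation) -> int:
    """TPI 2: how the required controller information is presented."""
    if o.registry_listed:
        return 1                         # discoverable out of band, machine-readable
    if o.credential_header:
        return 0                         # credential presented just in time
    if o.notice_at is None:
        return -3                        # controller information not present
    return -1 if o.clicks_to_identity <= 1 else -2   # accessible vs. only linked

def rate_accessibility(rec: NoticeRecord, o: Observation) -> int:
    """TPI 3: is the privacy contact operable in the context of collection?"""
    if rec.privacy_contact_type.lower() in ("postal", "mailing address"):
        return -3                        # a mailing address is non-operative online
    if o.notice_at is None or o.clicks_to_identity >= 2:
        return -3                        # two or more screens of view away
    if o.clicks_to_identity == 1:
        return -1                        # one screen and click away
    return 1 if o.notice_at <= o.first_capture_at else 0

def san_covers(host: str, san: str) -> bool:
    """RFC 6125-style name match: a wildcard covers exactly one left-most label."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return host == san

def rate_security(rec: NoticeRecord, o: Observation) -> int:
    """TPI 4: does the session certificate match the controller and its jurisdiction?"""
    cert = rec.session_certificate
    if cert is None or not (cert["not_before"] <= o.first_capture_at <= cert["not_after"]):
        return -3                        # no valid certificate at the time of collection
    host = urlsplit(rec.notice_location).hostname or ""
    if not any(san_covers(host, san) for san in cert["sans"]):
        return -2                        # certificate is not specific to the controller's site
    if cert["country"] != rec.controller_country:
        return -1                        # does not match the controller's jurisdiction
    return 0                             # +1 (wallet-based security) is not observable from a web session

def assess(rec: NoticeRecord, o: Observation) -> dict:
    return {"missing": missing_mandatory(rec), "TPI1": rate_timing(o), "TPI2": rate_presentation(o),
            "TPI3": rate_accessibility(rec, o), "TPI4": rate_security(rec, o)}

# Constructed sample: a cookie is set three seconds before the footer privacy link is reachable,
# and the certificate subject country is US while the controller's address is in Canada.
UTC = timezone.utc
SAMPLE_RECORD = NoticeRecord(
    notice_location="https://www.example.com/", controller_name="Example Corp",
    controller_address="1 Example Road, Mississauga, Ontario", controller_contact_type="email",
    correspondence_contact="privacy@example.com", privacy_contact_type="email",
    privacy_contact_point="https://www.example.com/privacy.html", controller_country="CA",
    session_certificate={"country": "US", "sans": ["*.example.com", "example.com"],
                         "not_before": datetime(2024, 1, 1, tzinfo=UTC),
                         "not_after": datetime(2025, 1, 1, tzinfo=UTC)})
SAMPLE_OBS = Observation(first_capture_at=datetime(2024, 6, 1, 12, 0, 0, tzinfo=UTC),
                         notice_at=datetime(2024, 6, 1, 12, 0, 3, tzinfo=UTC),
                         credential_header=False, registry_listed=False, clicks_to_identity=1)
```

Calling assess(SAMPLE_RECORD, SAMPLE_OBS) rates the sample session -1 on all four indicators: the controller was identified only after the first identifier was set, via a one-click footer link, and the certificate names the site but not the controller's jurisdiction. The timestamps and click count are what an assessor records from a browser session (for example from the network log and the screen on which the notice appeared); the certificate summary is what a TLS inspection tool reports, reduced here to the fields the rating needs.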

Consent Code of Conduct

These digital transparency code of conduct rules coincide with the TPIs presented and reference the international adequacy requirements for transparency in digital identifier management, with reference to the Report on the Adequacy of Digital Identity Governance for cross-border transparency and consent.

...

5 This is the most common legislated privacy element in the world, required by and mappable to all privacy legislation and instruments. (ISTPA 2007, p. 64)
