Version: 0.7
...
Public international laws and standards for digital record and receipts promise to dramatically lower the cost of security and increase the effectiveness of privacy. The use of ISO 29100 security and privacy framework for consented data access, control and transfer adequacy proposes a low cost, or free notice record framework for PII Principles (and Controllers). To facilitate the governance and regulation by all privacy stakeholders, by regulating authorities.
The Legal Rules Codified
In this framework, the privacy, notice and consent, transparency code of conduct is the law that is developed into open source code, and required to access un-linked data silo’s, across jurisdictional and technically -networked disparate systems.
digital privacy transparency with
Consent by Default: the common mode of governance
Digital Consent is required by default, an individual is notified if PII is needed, for what purpose, and what permissions are required.
Privacy law as derived and matured from principle, in civil and common law is in the context of the legitimate interests of the individual, it’s most primary tenant being that of openness, proportionate and fair transparency, required to secure ones self and the autonomy to make choices.
An easy way to understand, develop and deploy digital privacy is with consent by default, code as law, digital transparency
Digital privacy – as a universal standard requires a common digital transparency standard, and in this way human consent, understanding, control and choice can be used to govern the flows of information,
o Concentric Transparency
§ From the context of consent, a notice, notification or disclosure is presented to the individual, to inform them if there is surveillance which uses a different legal justification, other than consent.
§ Interaction with this transparency gateway, is what is recorded, and what is provided to the individual as a knowledge receipt
Purpose Defined
6 Legal Categories of Authority
Consent
Contract
Public Interest
Best Interest
Legal Obligation
Legitimate Interest
Types of Consent
a. Types of Consent
Expressed
Implicit
Explicit
Directed
Altruistic
Concentric Notice Labels
It is very difficult for stakeholders to know what law, rules and obligations apply in any given context, to address this, Concentric Notice Labels map the legal justification, and the type of consent to rights, and digital rights controls that reduce liability and mitigate risks.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
...
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].
The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over what organization controls the processing of perosnal information, and who is accountable for enforcement,
...
Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts | |
ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
Privacy stakeholder | Stakeholder |
PII | Information asset Information security incident Control |
Privacy breach Privacy control Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
...
Field Cat Name | Name | Object Description | Presence Requirement |
PII Controller Identity | Object | _ | Required |
| Presented Name of Service Provider | name of service. E.g. Microsoft | May |
| PII Controller Name | Company / organization name | MUST |
| PII Controller address | _ | MUST |
| PII Controller contact email | correspondence email | MUST |
| PII Controller jurisdiction legal reference | PII Controller Operating Privacy Law | MUST |
| PII Controller Phone | The general correspondence phone number | SHOULD |
| PII Controller Website | URL of website (or link to controller application) | MUST |
| PII Controller Certificate | A capture Website SSL | OPTIONAL |
Privacy Contact Point Location | pcpL |
|
|
Privacy Contact Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST |
| PCP-Profile | Privacy Access Point Profile | ** |
| PCP-InPerson | In-person access to privacy contact | ** |
| PCP-Email | PAP email | ** |
| PCP-Phone | Privacy access phone | ** |
| PCP -PIP- URI | privacy info access point, URI | ** |
| PCP-Form | Privacy access form URI | ** |
| |||
| PCP-Bot | privacy bot, URI | ** |
| |||
| PCP-CoP | code of practice certificate, URI of public directory with pub-key | ** |
| |||
| PCP-Other | Other | ** |
PCP Policy | pcpp | privacy policy, URI with standard consent label clauses | MUST |
...
This legally required information for proof of notice. This event information is needed for legal chain of evidence, in which PII is added to the record but blinded, and secure. Starting with the Private ANCR Record ID which the PII Principal can use to aggregate operational transparency information for more advanced use in context.
Field Cat | Field Name | Description | Presence |
ANCR Record ID | Blinded identifier secret to the PII Principal | Required | |
Schema version |
|
| |
Timestamp |
| _the time and date when the ANCR record was created | Required |
Legal Justification |
| One of six legal justifications used for processing personal data |
|
Notice Record | Object labels |
|
|
| Notice Type | Notice, notification, disclosure | Required |
Notice legal location | The location ore region that the PII Principal read the information., | ||
| Notice presentation method | Website | MUST |
| online notice -location | Notice location e.g.ip address | MUST |
| location Certificate |
| MAY |
| Notice Language | The language notice provided in | MUST |
| Notice Text File | URL – and or Hashlink for the notice text | MUST |
| Notice text | The capture of a copy of the notification text | MUST |
| Notified legal Justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST |
Concentric Notice Label | cnl | a label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
...