...
For Operational Transparency
Version: 0.8.8.3.1
Document Date: Aug 24, 2022
...
Finally, the Anchored Notice Record, a private record of notice, is specified here as a separate record, together with the security considerations required when generating consent records for identity management systems.
In this specification the PII Principal manages consent, and identity systems manage a permission grant defined by the notified purpose and by what the PII Principal expects in context. The specification focuses on transparency of control, with extensions for carrying that transparency to services through a purpose specification protocol, as outlined in the attached Annex. This impacts security by reducing or eliminating the exchange and exposure of PII, and with it the need for protection and the future attack surface.
Abstract:
Currently, when online services are involved, the PII Principal (referred to as the Data Subject or Individual in this proposed standard) is unable to see who is in control of processing their personal data before it is processed, shared or disclosed. There is no way to assert authority up front, to determine, imply or negotiate the conditions of data processing and of identifier generation and management, or even to establish a trust protocol to engage with.
...
This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and it became the Consent and Information Sharing WG in 2015. It was created to standardize transparency as an alternative to custom terms and conditions, user licences and contracts. This standard recommends a methodology that leverages legal and technical standards for transparency to supersede, or at least be comparable to, the use of terms and conditions, addressing security breaches and the lack of transparency with a dual record and receipt system that provides a common landscape for data control interoperability.
KPI 1 – Notice of Identity of Controller
KPI 2 – Accessibility of Notice
KPI 3 – Security Certificate of Notified Controller
IPR Option:
...
Public international laws and standards for digital records and receipts promise to dramatically lower the cost of security and increase the effectiveness of digital privacy. The use of the ISO/IEC 29100 security and privacy framework for consented data access, control and transfer adequacy proposes a low-cost, or free, notice record framework for PII Principals (and Controllers), to facilitate governance by all privacy stakeholders and regulation by regulating authorities.
Key perspective: an international standard notice record information structure enables the PII Principal to generate records independently of the PII Controller, greatly decreasing the cost of security and increasing the effectiveness of privacy data controls for all stakeholders.
This ANCR WG Notice Record specification is introduced with an operational assessment of transparency over who is in control, and of how accessible privacy rights information is, prior to processing personal data and before generating identifiers. The record captures the authority, before authentication, and the authorizations created for processing personal data. This specification is a contribution to ongoing work at ISO/IEC SC27 WG5, utilizing ISO/IEC 29100 Security and privacy techniques to create a standardized record-of-processing format for notice records and consent receipts, generated through engagement with a notice. Generating a dual Notice
The record is specified for use in generating operational transparency with the controls in ISO/IEC 29184 Online privacy notices and consent. Operational transparency measurements are introduced in the Introduction, while the Notice Record is specified in the body of the document. This specification has been developed in parallel with the work on ISO/IEC 27560 Consent record information structure, to operationalize transparency with Consent Notice Receipts (Annex B of ISO/IEC 29184), with a presentation in September 2022 to complete the contribution of the Consent Receipt made by Kantara in 2018.
Operational Transparency
A stepping stone to digital privacy, in which human consent scales online (is interoperable) with rights to control data processing in multiple systems based on context.
...
The PII Controller identity and privacy contact point
The Accessibility of PII Controller Identity and Contact information
The security and integrity of the controller’s transparency
Notice Record Specification
Elements assessed to provide a 'Proof of Notice' record for distributing evidence of consent. The record is generated using ISO/IEC 29100 security and privacy techniques to assess controls regarding the content and structure of online privacy notices (the scope of ISO/IEC 29184 Online privacy notices and consent).
...
The PII Controller identity and contact information
The security and integrity of the controller’s transparency
This specification is proposed to capture, measure and standardize transparency over the security and privacy practices of the PII Controller, starting with the identity and contact information of the Controller for operational use by the PII Principal. Correspondingly it presents two legal requirements for implementing privacy and security, which are found in standards, laws and principles: one, to provide a notice prior to processing that states the PII Controller identity; and two, to provide privacy contact information to the PII Principal.
This ANCR WG specification introduces the Notice Record as a method to capture a record of notice and to verify consented Notice Records and Consent Receipts in the flow and exchange of personal data. It specifies with what, and how, a PII Principal can capture a record of notice and assess digital transparency, the state of security and the status of consent. Measuring whether transparency is operational for the PII Principal requires knowing who the PII Controller is and whether the PII Controller contact information can be used to query the status of privacy and consent.
The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such it represents a shift in the architecture of digital identity semantics to legal semantics specific to human-centric transparency, usability and control.
For this purpose the ANCR record is first specified as a single-use record that the Individual controls, with three transparency performance indicators. It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The KPIs provided here are specified to provide transparency over data control and its governance (Operational Transparency).
...
Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
Notice Location | Location the notice was read/observed | MUST | |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9. |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | |
Privacy Contact Point | Location/address of Contact Point | MUST | |
Session Certificate | The certificate presented for the session in which the notice was observed | OPTIONAL | E.g., the site's TLS (SSL) certificate, for security and transparency |
Field Name | Field Description | Requirement: Must, Shall, May | KPI 1 Available / Not-Available | KPI 2 Rate: -3, -1, 0, +1, +2 | KPI 3 Certificate or Key CN Matches |
Notice Location | Location the notice was read/observed | MUST | present | +2 | found |
PII Controller Name | Name of presented organization | MUST | present | +1 | Match |
PII Controller Address | Physical organization address | MUST | present | 0 | Not match |
Privacy Contact Point | Location/address of contact point | MUST | present | +1 | Not match |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | present | -1 | Not match |
Correspondence Contact Method | General contact point | SHALL | present | +1 | Not match |
Session key or Certificate | A certificate for monitored practice | MUST | Not-found | +2 | |
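The assessment in the table above can be scripted. The following Python is an added example, not part of the ANCR specification or Kantara's code, that scores a captured notice record against KPI 1 (availability), KPI 2 (accessibility rating) and KPI 3 (certificate match). Two points a practitioner should keep in mind: the KPI 2 ratings are supplied by the assessor, since the specification does not define how the -3 to +2 scale is derived; and matching a certificate to a controller name is only possible with an organization-validated certificate, because a domain-validated certificate carries the host in its Subject CN and SubjectAltName but no organization (O) field, and host matching follows the SubjectAltName extension rather than the CN alone. The record and certificate dictionaries, the normalization rules and the sample controller are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Field names and requirement levels as given in the KPI table above.
KPI_FIELDS = {
    "Notice Location": "MUST",
    "PII Controller Name": "MUST",
    "PII Controller Address": "MUST",
    "Privacy Contact Point": "MUST",
    "Privacy Contact Method": "MUST",
    "Correspondence Contact Method": "SHALL",
    "Session key or Certificate": "MUST",
}
KPI2_SCALE = (-3, -1, 0, 1, 2)  # per-field accessibility rating, as in the table header


def kpi1_availability(record):
    """KPI 1: report each field as present or Not-available in the captured record."""
    return {f: "present" if str(record.get(f, "")).strip() else "Not-available"
            for f in KPI_FIELDS}


def kpi2_accessibility(ratings):
    """KPI 2: check that the assessor's per-field ratings are on the scale and sum them."""
    total = 0
    for field, rate in ratings.items():
        if field not in KPI_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        if rate not in KPI2_SCALE:
            raise ValueError(f"rating {rate} for {field!r} is not on the scale {KPI2_SCALE}")
        total += rate
    return total


def _normalize_org(name):
    """Lower-case, drop punctuation and corporate suffixes so 'Acme, Inc.' == 'Acme Inc'."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(inc|ltd|llc|corp|corporation|limited|co)\b", " ", name)
    return " ".join(name.split())


def _host_matches(host, pattern):
    """DNS name match as in RFC 6125: exact, or a wildcard covering one leftmost label only."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def kpi3_certificate_match(record, cert):
    """KPI 3: does the session certificate bind the notice to the named controller?

    `cert` is a parsed certificate summary (a constructed dict, not a real X.509
    parser): {"subject": {"CN": ..., "O": ...}, "san": [dNSName, ...]}.
    Returns (result, detail) with result in {"Not-found", "Match", "Not match"}.
    """
    if not cert:
        return "Not-found", {}
    host = urlsplit(record.get("Notice Location", "")).hostname or ""
    names = [cert.get("subject", {}).get("CN", "")] + list(cert.get("san", []))
    host_ok = any(_host_matches(host, n) for n in names if n)
    org = cert.get("subject", {}).get("O")
    # A domain-validated certificate has no O= field: it attests the host but says
    # nothing about the organization, so the controller name cannot be matched.
    org_ok = org is not None and _normalize_org(org) == _normalize_org(
        record.get("PII Controller Name", ""))
    detail = {"host": host, "host_ok": host_ok, "org_present": org is not None, "org_ok": org_ok}
    return ("Match" if host_ok and org_ok else "Not match"), detail


def score_notice(record, cert, ratings):
    """Combine the three KPIs into one operational-transparency assessment."""
    avail = kpi1_availability(record)
    missing = [f for f, req in KPI_FIELDS.items() if req == "MUST" and avail[f] != "present"]
    kpi3, detail = kpi3_certificate_match(record, cert)
    return {
        "kpi1": avail,
        "missing_must": missing,
        "kpi2_total": kpi2_accessibility(ratings),
        "kpi3": kpi3,
        "kpi3_detail": detail,
        # Transparency is operational only when the controller is identifiable,
        # contactable, and the session is bound to that controller.
        "operational": not missing and kpi3 == "Match",
    }


# Constructed sample input (fictional controller and certificates).
SAMPLE_RECORD = {
    "Notice Location": "https://notice.example.com/privacy",
    "PII Controller Name": "Example Retailer Inc.",
    "PII Controller Address": "1 Example Road, Mississauga, Ontario",
    "Privacy Contact Point": "privacy@example.com",
    "Privacy Contact Method": "Email",
    "Correspondence Contact Method": "Phone",
    "Session key or Certificate": "captured",
}
SAMPLE_RATINGS = {"Notice Location": 2, "PII Controller Name": 1, "PII Controller Address": 0,
                  "Privacy Contact Point": 1, "Privacy Contact Method": -1,
                  "Correspondence Contact Method": 1, "Session key or Certificate": 2}
OV_CERT = {"subject": {"CN": "notice.example.com", "O": "Example Retailer, Inc"},
           "san": ["notice.example.com", "*.example.com"]}
DV_CERT = {"subject": {"CN": "notice.example.com"}, "san": ["notice.example.com"]}

if __name__ == "__main__":
    print(score_notice(SAMPLE_RECORD, OV_CERT, SAMPLE_RATINGS))
    print(score_notice(SAMPLE_RECORD, DV_CERT, SAMPLE_RATINGS)["kpi3_detail"])
```

With the OV certificate the sample scores as operational; with the DV certificate KPI 3 reports Not match with `org_present` false, which is the honest result: the session is bound to the host, not to the legal controller.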
Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts
ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
Privacy stakeholder | Stakeholder |
PII | Information asset |
Privacy breach | Information security incident |
Privacy control | Control |
Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
[Source: ISO/IEC 29100, Annex A]
...
These are the schema elements used to generate an un-anchored notice record; they do not contain any PII or digital identifiers.
Field Category | Field Name | Description | Presence Requirement |
PII Controller Identity | Object | | Required |
| Presented Name of Service Provider | Name of service, e.g. Microsoft | MAY |
| PII Controller Name | Company / organization name | MUST |
| PII Controller Address | | MUST |
| PII Controller Contact Email | Correspondence email | MUST |
| PII Controller Jurisdiction Legal Reference | Privacy law under which the PII Controller operates | MUST |
| PII Controller Phone | The general correspondence phone number | SHOULD |
| PII Controller Website | URL of website (or link to controller application) | MUST |
| PII Controller Certificate | A capture of the website TLS (SSL) certificate | OPTIONAL |
Privacy Contact Point Location | pcpL | | |
Privacy Contact Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST |
| PCP-Profile | Privacy access point profile | ** |
| PCP-InPerson | In-person access to privacy contact | ** |
| PCP-Email | Privacy access point email | ** |
| PCP-Phone | Privacy access phone | ** |
| PCP-PIP-URI | Privacy information access point URI | ** |
| PCP-Form | Privacy access form URI | ** |
| PCP-Bot | Privacy bot URI | ** |
| PCP-CoP | Code of practice certificate; URI of public directory with public key | ** |
| PCP-Other | Other | ** |
PCP Policy | pcpp | Privacy policy URI with standard consent label clauses | MUST |
** At least one of the PCP type fields is required (see the pcpT object row).
...
This is the legally required information for proof of notice. This event information is needed for a legal chain of evidence, in which PII is added to the record but blinded and secured, starting with the private ANCR Record ID, which the PII Principal can use to aggregate operational transparency information for more advanced use in context.
Field Category | Field Name | Description | Presence |
| ANCR Record ID | Blinded identifier, secret to the PII Principal | Required |
| Schema version | | |
| Timestamp | The time and date when the ANCR record was created | Required |
| Legal Justification | One of six legal justifications used for processing personal data | |
Notice Record | Object labels | | |
| Notice Type | Notice, notification, disclosure | Required |
| Notice legal location | The location or region in which the PII Principal read the information | |
| Notice presentation method | Website | MUST |
| Online notice location | Notice location, e.g. IP address | MUST |
| Location certificate | | MAY |
| Notice Language | The language the notice was provided in | MUST |
| Notice Text File | URL and/or Hashlink for the notice text | MUST |
| Notice text | The capture of a copy of the notification text | MUST |
| Notified legal Justification | Implied or explicit notified legal justification, based on the text of a notice and its context | MUST |
Concentric Notice Label | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
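How a PII Principal can generate the anchored record independently of the PII Controller, with the record ID blinded and the notice text made tamper-evident, shown as an added Python example that is not part of the specification or Kantara's code. Two constructions are this example's assumptions rather than anything the specification defines: the blinded ID is an HMAC-SHA256, keyed by a secret held only by the Principal, over the controller identity and notice location (deterministic, so records about the same controller share a root ID, yet the controller cannot recompute or link it without the secret), and an RFC 6920 `ni:` URI stands in for the Hashlink referenced in the table. The field names in the code mirror the table but are not the normative schema; the controller, notice text and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The six legal justifications listed in the justification table of this document.
LEGAL_JUSTIFICATIONS = ("Vital Interest", "Consent", "Contractual Necessity",
                        "Legitimate Interest", "Public Interest", "Legal Obligation")


def canonical(obj):
    """Deterministic JSON encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def ni_sha256(data):
    """RFC 6920 'ni' URI for a SHA-256 digest (assumed stand-in for the table's Hashlink)."""
    digest = hashlib.sha256(data).digest()
    return "ni:///sha-256;" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def blinded_record_id(principal_secret, controller, notice_location):
    """Blinded ANCR Record ID (assumed construction): HMAC-SHA256 keyed by the
    Principal's secret over the controller identity object and notice location."""
    msg = canonical({"controller": controller, "notice_location": notice_location})
    return hmac.new(principal_secret, msg, hashlib.sha256).hexdigest()


def anchor_notice_record(unanchored, notice_text, principal_secret, justification,
                         language, when=None):
    """Turn an un-anchored record plus the observed notice into an anchored record."""
    if justification not in LEGAL_JUSTIFICATIONS:
        raise ValueError(f"unknown legal justification {justification!r}")
    when = when or datetime.now(timezone.utc)
    controller = unanchored["pii_controller"]
    location = unanchored["notice_location"]
    return {
        "schema_version": "0.8.8.3.1",
        "ancr_record_id": blinded_record_id(principal_secret, controller, location),
        "timestamp": when.isoformat(),
        "legal_justification": justification,
        "pii_controller": controller,
        "privacy_contact_point": unanchored["privacy_contact_point"],
        "notice": {
            "notice_type": "Notice",
            "presentation_method": "Website",
            "location": location,
            "language": language,  # ISO 639-1 code
            "text_hash": ni_sha256(notice_text.encode()),
            "text": notice_text,
        },
    }


def verify_anchored_record(record, principal_secret):
    """Check the record is the Principal's own (the ID recomputes under the secret)
    and that the captured notice text still matches its hash."""
    expected = blinded_record_id(principal_secret, record["pii_controller"],
                                 record["notice"]["location"])
    return {
        "id_ok": hmac.compare_digest(expected, record["ancr_record_id"]),
        "text_ok": ni_sha256(record["notice"]["text"].encode()) == record["notice"]["text_hash"],
    }


# Constructed sample input (fictional controller; the secret would live on the Principal's device).
UNANCHORED = {
    "pii_controller": {"name": "Example Retailer Inc.",
                       "address": "1 Example Road, Mississauga, Ontario",
                       "contact_email": "contact@example.com",
                       "website": "https://www.example.com"},
    "privacy_contact_point": {"PCP-Email": "privacy@example.com"},
    "notice_location": "https://notice.example.com/privacy",
}
NOTICE_TEXT = "We collect your email address to send order confirmations."
PRINCIPAL_SECRET = b"constructed-32-byte-secret-for-the-demo!!"
FIXED_TIME = datetime(2022, 8, 24, tzinfo=timezone.utc)


def demo_record():
    return anchor_notice_record(UNANCHORED, NOTICE_TEXT, PRINCIPAL_SECRET, "Consent", "en", FIXED_TIME)


if __name__ == "__main__":
    rec = demo_record()
    print(json.dumps(rec, indent=2))
    print(verify_anchored_record(rec, PRINCIPAL_SECRET))
```

The anchored record carries no attribute of the Principal other than the HMAC output, so sharing it with a third party discloses which notice was seen but not who saw it; only the holder of the secret can prove the record is theirs.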
...
*** Note: a PII Controller must have consent before making a consent record; claiming authority to use such a record for security purposes, for example, without that consent is non-compliant. ***
ANCR Record Field Name | Description | Required/Optional | Security Consideration |
Schema version | A number used by the PII Principal to track the PII Controller record | Optional (unless shared or used further) | Blinded, pseudonymized, anonymized, or verified credential attribute |
Anchor Notice Record ID | | MUST | |
Date/Time | | Required | |
Notice Collection Method | Notice presentation UI type | Optional | |
Notice Collection Location | URL or digital address and location of the notice UI | Required | |
Notice Legal Justification | One of the six legal justifications (ISO, GDPR, C108) | | |
PII Principal Legal Location | | Optional | |
Device Type | | MAY | |
PII Principal Private Key | | | |
...
[GDPR] General Data Protection Regulation, http://www.eugdpr.org/article-summaries.html
[ISO 639] ISO 639-1:2002, Codes for the representation of names of languages — Part 1: Alpha-2 code https://www.iso.org/standard/22109.html
...
A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Receipts generated from the same schema can be compared to automate notification, giving operational transparency over changes to the state of privacy.
A 2fN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administrative privacy rights from the notice, prior to processing with consent.
The consent receipts produced from a 2fN can be compared independently for differences in the state and status of privacy, to automatically produce a notification based on the difference in state.
Differential transparency is produced with a tactile signal, or layer 1 notice indicator, standardized with a machine-readable data privacy vocabulary (concentric and synchronic transparency).
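Comparing two receipts produced from the same 2fN, as an added Python example that is not the specification's code: receipts are compared only when they share the schema version and the root ANCR record ID (otherwise the diff would be meaningless), differences are reported field by field, and changes that alter the state of privacy are flagged as requiring a notification. The receipt structure, the set of fields treated as state-changing and the two sample receipts are constructed for this example.

```python
def _flatten(obj, prefix=""):
    """Flatten nested dicts into {"a.b": value} so receipts compare field by field."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
    else:
        out[prefix[:-1]] = obj
    return out


def compare_receipts(earlier, later):
    """Field-level differences between two receipts from the same 2fN.

    Refuses to compare receipts that differ in schema version or root ANCR
    record ID, since those would be receipts for different notices.
    """
    for key in ("schema_version", "ancr_record_id"):
        if earlier.get(key) != later.get(key):
            raise ValueError(f"receipts are not comparable: {key} differs")
    a, b = _flatten(earlier), _flatten(later)
    changes = {}
    for path in sorted(set(a) | set(b)):
        if path == "timestamp":  # every receipt carries its own creation time
            continue
        if a.get(path) != b.get(path):
            changes[path] = {"from": a.get(path), "to": b.get(path)}
    return changes


# Top-level fields whose change alters the state of privacy (assumed set for this example).
STATE_FIELDS = ("legal_justification", "purpose", "rights", "retention_period",
                "pii_processors", "privacy_contact_point")


def differential_notification(earlier, later):
    """Turn a receipt diff into a notification; None means no change in privacy state."""
    changes = compare_receipts(earlier, later)
    if not changes:
        return None
    escalate = [p for p in changes if p.split(".")[0] in STATE_FIELDS]
    return {"ancr_record_id": later["ancr_record_id"],
            "changed": changes,
            "state_changes": escalate,
            "requires_notice": bool(escalate)}


# Constructed sample receipts: the same 2fN re-read a month later, after the
# controller lengthened retention and added a processor.
RECEIPT_EARLIER = {
    "schema_version": "0.8.8.3.1",
    "ancr_record_id": "demo-root-id",  # blinded root ID shared by both receipts
    "timestamp": "2022-07-24T00:00:00+00:00",
    "service_name": "Example Shop",
    "legal_justification": "Consent",
    "purpose": {"name": "Order confirmation", "type": "Service delivery"},
    "retention_period": "P1Y",
    "pii_processors": ["Example Mailer Ltd"],
    "rights": ["Withdraw", "Access", "Rectify", "Erase"],
    "privacy_contact_point": {"PCP-Email": "privacy@example.com"},
}
RECEIPT_LATER = {**RECEIPT_EARLIER,
                 "timestamp": "2022-08-24T00:00:00+00:00",
                 "retention_period": "P3Y",
                 "pii_processors": ["Example Mailer Ltd", "Example Analytics Inc"]}

if __name__ == "__main__":
    print(differential_notification(RECEIPT_EARLIER, RECEIPT_LATER))
```

A change to a field outside the state set (a renamed service, say) is still reported in `changed`, but `requires_notice` stays false; a change to retention or processors sets it, which is the signal the layer 1 indicator would surface.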
...
These are mapped here
Legal Justification | Description | Concentric Notice Type | Privacy Rights / PII Controls | Reference |
Vital Interest | Processing which is essential for the life of the data subject or that of another natural person | Implied/implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f) |
Explicit Consent Notice | Explicit consent to processing for one or more specified purposes | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object/Withdraw, Restrict, Portability | 29184 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a) |
Implicit consent notice | Where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e) |
Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | Conv.108+ 10.2(b) |
Contractual Necessity | | Implied consent | Restrict Processing, Object | 29184 5.4.2; Conv.108+ (43) |
Legitimate Interest | | Implied consent | Object and restrict processing | 29184 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d) |
Public Interest | Democratically framed | Implied Consent/Consensus | | 29184 5.4.2; Conv.108+ 10.2(i, g, j) |
Legal Obligation | | | | ISO/IEC 29184 5.4.2 |
Processing necessary for the establishment, exercise or defence of legal claims | | | | Conv.108+ (f) |
Note: Participatory Consensus and Concentric data control are two outcome-specific conditions that will be added to this specification, to include an assessment for operational evidence of these two outcomes.
...
access to privacy rights and information, made meaningful through a direct mapping to specific rights, obligations and customs of interaction for data processing, which are enforceable through the references:
Concentric Notice Type | Description | Legal Justification | Privacy Rights | Legal Ref |
Non-Operational Notice (N/O) | Not enough notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or contact | Withdraw, Object, Restrict | Conv.108+ 79.1(a); GDPR Art 13/14 1(a),(b) |
Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | | |
Implied Consent Notice | Implied through the PII Principal's participation in a specific context | Consent | | ISO/IEC; GDPR Art 50 1(c); Conv.108+ Supplement; IPC Canada |
Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
Expressed Consent notice | Expressed through the implicit action of a notified individual | Informed Consent | Withdraw | |
Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable | Consent which is knowledgeable of risk | Withdraw | Conv.108+ 1(4)1b; GDPR Art 7.1 |
Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to the disclosed and notified risks | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
Altruistic Consent | Not knowing who the Controller of PII will be: consent to a purpose and public benefit governance framework, without knowing who the beneficiary is | Consent | | DGA Recitals 1, 2, 4, 36, 39 |
ANCR Consent Receipt Section | Label | Variations | Description | 27560 Term | Reference |
| ANCR ID | Specified to be a root recorded identifier | Notice record ID is used as the root identifier for linking records about the status of privacy with that controller | Record id | |
| Schema version | Same | | | |
PII Controller Identity Object | | Non-operational privacy contact point | | | |
Privacy Contact Point Object | | ANCR focuses on a KPI for the transparency performance of the privacy contact access point | | | |
Proof of Notice Object | | Uses notice type, which would be equivalent to event type in 27560 | | | |
Concentric Notice Label | | Different, but incorporates how to frame 27560-defined consent types | Categorizes notice labels to indicate the protocol for rights access and inherent risks | | 29184 – purpose specification |
| Purpose ID | | | | |
| Service Name | | | | |
| Purpose name | | | | |
| Purpose Description | Plausible risk (can data control impact assessment) | | | |
| Purpose Type | | | | |
| Legal justification | | | Lawful basis | |
| Sensitive PII Category | | | | |
| Special PII Category | | | | |
| PII Principal Category | | | | |
| PII Processors | | | | |
| PII Sub-processors | New | | | |
| Risk notice disclosure | | | | ISO/IEC 29184 |
| Service Notice Risks | | | | |
| PII Principal Category | | | | |
| Attribute Id | | | | |
| Notified Collection method | | | Collection method | |
| Expiration | | | | |
| Storage location | | | | |
| Retention period | | | | |
| Processing location restrictions | | | | |
| Duration | | | | |
| State | Justification for processing (state of privacy) | | | |
| Status | | | | |
| Termination | | | | |
| | Inherent to concentric labels - Rights Objects: withdraw, object, restrict, access and rectification, termination of justification | Regulated practice, approved by regulator or legislated | | |
| Rights | | | | |
| Notice Defaults | | | | |
| Data portability | | | | |
| FoI Access & Rectification | | | | |
4.b) Code of Practice | CoP-ID | | | | |
| Surveillance Code of Practice | Certified practice | | | |
| Children's Design Code of Practice | | | | |
| Operational Privacy Code of Practice | | | | |
Version | Date | Summary of Substantive Changes |
0.1 DRAFT | 2021-02-28 | Initial v1.1 draft |
0.5 | 2022-02-02 | Draft – updating scope to Notice and eConsent |
0.8 | 2022-07-04 | Full outline / 70% drafted |
0.8.5 | 2022-08-04 | Outline 100% draft; posted to Kantara Wiki |
0.8.8.2 | | Annex updates |
0.8.8.3 | | Restructured sections and schema; cleaned the schema up a little (practising what is preached by making the spec structurally human-centric) |
0.8.8.3.1 | 2022-08-24 | Operational Privacy - Notice Record |
0.8.8.5 | | Full reference draft |
0.8.8.9 | | |