ANCR Consent Token: Mirrored Record Information Structure v0.7
Consent Receipt V1.1 work can be found here
Version: 0.7
Document Date: Dec 6, 2023
...
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].
The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over what organization controls the processing of perosnal information, and who is accountable for enforcement,
...
Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts | |
ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
Privacy stakeholder | Stakeholder |
PII | Information asset Information security incident Control |
Privacy breach Privacy control Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
...
Field Cat Name | Name | Object Description | Presence Requirement |
PII Controller Identity | Object | _ | Required |
| Presented Name of Service Provider | name of service. E.g. Microsoft | May |
| PII Controller Name | Company / organization name | MUST |
| PII Controller address | _ | MUST |
| PII Controller contact email | correspondence email | MUST |
| PII Controller jurisdiction legal reference | PII Controller Operating Privacy Law | MUST |
| PII Controller Phone | The general correspondence phone number | SHOULD |
| PII Controller Website | URL of website (or link to controller application) | MUST |
| PII Controller Certificate | A capture Website SSL | OPTIONAL |
Privacy Contact Point Location | pcpL |
|
|
Privacy Access Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST |
| PAP-Profile | Privacy Access Point Profile | ** |
| PAP-InPerson | In-person access to privacy contact | ** |
| PAP-Contact-Email | PAP email | ** |
| PAP-Contact-Phone | Privacy access phone | ** |
| PAP -PIP- URI | privacy info access point, URI | ** |
| PAP-Form | Privacy access form URI | ** |
| |||
| PCP-Bot | privacy bot, URI | ** |
| |||
| PCP-CoP | code of practice certificate, URI of public directory with pub-key | ** |
| |||
| PCP-Other | Other | ** |
PaP Policy | papp | privacy policy, URI with standard consent label clauses | MUST |
...
This legally required information for proof of notice. This event information is needed for legal chain of evidence, in which PII is added to the record but blinded, and secure. Starting with the Private ANCR Record ID which the PII Principal can use to aggregate operational transparency information for more advanced use in context.
Field Cat | Field Name | Description | Presence |
ANCR Record ID | Blinded identifier secret to the PII Principal | Required | |
Schema version |
|
| |
Timestamp |
| _the time and date when the ANCR record was created | Required |
Legal Justification |
| One of six legal justifications used for processing personal data |
|
Notice Record | Object labels |
|
|
| Notice Type | Notice, notification, disclosure | Required |
Notice legal location | The location ore region that the PII Principal read the information., | ||
| Notice presentation method | Website | MUST |
| online notice -location | Notice location e.g.ip address | MUST |
| location Certificate |
| MAY |
| Notice Language | The language notice provided in | MUST |
| Notice Text File | URL – and or Hashlink for the notice text | MUST |
| Notice text | The capture of a copy of the notification text | MUST |
| Notified legal Justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST |
Concentric Notice Label | cnl | a label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
...