...
ANCR Notice
...
Records & Consent Receipt
...
For Operational Transparency
Version: 0.8.8.5
Document Date: Sept 07, 2022
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Table of Contents |
---|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Public international laws and standards now provide an opportunity for digital records and receipts to dramatically improve (at a much lower cost) the security of personal data control to then increase the effectiveness of digital privacy. Here, e.g., the ISO/IEC 29100 Security and privacy framework is the international framework for creating records for trustworthy ‘consented data access’, for Adequate data transfers internationally.
...
To operationalize the TPI’s, this specification introduces a concentric notice label field, which is provided by context. It simplifies the understanding and use of rights for people in context of data processing, To present legal justification for processing and rights in order to present a consistent set of notice based controls, fprivacy right defaults and expectations.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
This specification is proposed to capture, measure and standardize transparency over the security and privacy practices of the PII Controller. Starting with the identity and Controller contact information for operational use by the PII Principal.
...
A trust protocol of transparency before surveillance. In which a notice or notification is presented to the PII principal that generates a. receipt from an ANCR record. presenting significant security and privacy benefits that assist in distributing and decentralizing stronger security decisions.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The notice record is first specified as a static, one-time use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context measured by access to, and performance of rights.
Anchor | ||||
---|---|---|---|---|
|
...
Anchor | ||||
---|---|---|---|---|
|
Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
Notice Location | Location the notice was read/observed | MUST | |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9. |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | |
Privacy Contact Point | Location/address of Contact Point | MUST | |
Session Certificate | A certificate for monitored practice | Optional | E.g., SSL Certificate Security (TLS) and Transparency |
Anchor | ||||
---|---|---|---|---|
|
Without a record identifier, added to each record, this initial record is an unanchored notice record. This record can be extended for use as a Trust Anchor for the PII Principal by adding an ANCR Record ID used to track the PII Controller and the data processing relationship over time.
As a trust anchor, it becomes a record the individual can use to verify the digital identity relationship and validated by the person for a digital privacy context in a system that can be expected. In this way an anchored notice record is a gateway to scale consent online and internationally.10574
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
...
The first 2 performance indicators measure the transparency of the PII Controller identity information that is required to be ‘provided’, as provision of this information on, or before data processing is a condition of Adequacy and compliance for all digital identifier-based processing activities. An ANCR Record is a record if processing activity that demonstrates this compliance,
...
Once the capacity for digital privacy is measured to be operational the 3rd performance indicator can then be used to measure the security certificate or key for its contextual integrity for the specific session or context.
Anchor | ||||
---|---|---|---|---|
|
Assess if the required information for transparency over who is in control of notice is ‘provided’
The MUST fields identify elements that are required in legislation that MUST be present.
Is there a
Anchor | ||||
---|---|---|---|---|
|
How Accessible is the PII Controller and Privacy Contact information?
...
This rating, a score of; [1,0, -1 or –3] is used to determine the number of steps, screens, or clicks required to find the ‘provided’ information.
Anchor | ||||
---|---|---|---|---|
|
Rating | Description | Instruction |
+1 | is embedded and linked for - auto discovery | PII Controller credential is displayed –using a standard format with machine readable language and linked, for example in an http header |
0 | PII Controller identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | PII Controller Identity or credential is provided in first notice |
-1 | Privacy signal Is not first presented – but is linked and one click and screen away | The controller identity, or screen with the controller identity is one screen and click away. For example, the privacy policy link in the footer of a webpage |
| Identity or credential is two or more screens of view away | PII Controller identity is not accessible enough to be considered ‘provided’ |
Anchor | ||||
---|---|---|---|---|
|
This security performance indicator requires that the notice record session certificate is collected and used to check if the PII Controller identity information is the same or linked to the controlling entity in the associated security certificate. For example, does the SSL (secure software layer) certificate identify the controller and is it secured for the jurisdictional domain and DNS information. (as a required digital privacy measure of Adequacy)
Certificate status and transparency are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.
Anchor | ||||
---|---|---|---|---|
|
Field Name | Field Description | Requirement: Must, Shall, May | TPI 1 Available Not-Available | TPI 2 Rate: +1, 0, -1, -3, | TPI 3 Certificate or Key CN-Matches |
Notice Location | Location the notice was read/observed | MUST | present | +1 | found |
PII Controller Name | Name of presented organization | MUST | present | 0 | Match |
PII Controller Address | Physical organization Address | MUST | present | 0 | Not match |
Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match |
Session key or Certificate | A certificate for monitored practice | MUST | Present (or Not-found) | 1 (or –3 ) | Present (or No Security Detected) |
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
For the purposes of this specification, the following terms and definitions apply as, normative, non-normative to be used per context, and additive, in that they aid human understanding and data control.
...
— IEC Electropedia: available at http://www.electropedia.org/
Anchor | ||||
---|---|---|---|---|
|
For the international and cross-domain use of the records and receipts here, this document refers to the following:
ISO/IEC 29100:2011 Security and privacy techniques
ISO/IEC 29184 Online privacy notices and consent,
Fair Information Practice Principles (FTC) foundational principles
Anchor | ||||
---|---|---|---|---|
|
1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]
Kantara Initiative Consent Receipt v1.116455
Kantara Initiative: Blinding Identity Taxonomy (Bit)6574
For input to ISO/IEC 27561:2022 POMME (Privacy operationalization model and method for engineering)\
Anchor | ||||
---|---|---|---|---|
|
General Data Protection Regulation (GDPR)
Council of Europe Convention 108+ (Conv. 108+)
PIPEDA – Individual, Meaningful Consent
Anchor | ||||
---|---|---|---|---|
|
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].
...
Array – an array of field objects
Anchor | ||||
---|---|---|---|---|
|
The definitions reference terms that are used in this specification to indicate what is normative, non-normative, and additive.
If a jurisdiction’s privacy terms are not compatible with this specification, these internationally defined terms can be mapped to jurisdiction and context specific terms. For example, PII Principal in this document maps to the term Data Subject in European GDPR legislation and the term individual in Canadian PIPEDA.
Code of Conduct
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
...
[Source Conv. 108+ Art 29.5]
Anchor | ||||
---|---|---|---|---|
|
This field is a new field – normative in this specification.
...
The concentric notice label types are specified in Annex B, which spans the spectrum of legally defined consent types, defined from for the individual’s context and perspective.
Anchor | ||||
---|---|---|---|---|
|
Not Concentric: Legal obligation or legitimate interest independent of PII Principal
Implied Consent, PII Controller defines the purpose
Expressed Consent
Explicit Consent
‘Directed Consent’, where in a PII Principle specifies in part, or in whole a purpose. Ensuring a higher quality of understanding.
‘Altruistic Consent’, which requires a certified code of practice (in this framework – for a directed consent in which the legal obligation to identify the controller prior to processing is derogated.
...
[Source Conv 108+ Rec.20]
Anchor | ||||
---|---|---|---|---|
|
Adhering to the openness, transparency and notice principles means:
...
[ANCR Notice Record Annex B]
Anchor | ||||
---|---|---|---|---|
|
The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices and icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII principal can parse it to optimize the user interface and help PII principals make decisions.
...
That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
[Conv 108+ Rec 35]
Anchor | ||||
---|---|---|---|---|
|
When organizations should seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.
...
[Source: ISO/IEC 29100 Table 3]
Anchor | ||||
---|---|---|---|---|
|
A Consent Notice Receipt, for a proof of notice, used as evidence of consent to demonstrate compliant records of processing activities.
[Source ISO/IEC 29184 Appendix B]
A record of notice that is generated to provide proof of an informed individual supersedes terms and conditions (contract), to implement overarching privacy rights based control.
[Source: ANCR Notice Record v1 – Specification]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Any information that (a) can be used to identify the PII Principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII Principal.
...
[Source: Conv. 108+ Rec 16]
Anchor | ||||
---|---|---|---|---|
|
what constitutes sensitive PII is also defined explicitly in legislation. Examples include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII principal’s real time location.
...
[Source Conv. 108+ Rec, 29]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The natural person to whom the personally identifiable information (PII) relates.
...
Individual: Upon request, an individual shall be informed of the exis- tence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
[Additive: PIPEDA 4.9]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
A privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.
...
[Source Conv 108+ Art 3(8)]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.
...
[Source: Conv 108+ Art 86.1]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.
...
[Source: Conv. 108+ Art 3(12)]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Refers to the PII Controller type in the ANCR record specificationl
...
[Additive: W3C DPV 2.3.1.6 https://w3c.github.io/dpv/dpv/ ]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
An operation or set of operations performed on personally identifiable information (PII).
...
[Source. Convention 108+]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.
...
[Source: Conv.108+ Art 51(c)]
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Table Security & Privacy Terminology Mapping
...
[Source: ISO/IEC 29100: Annex A]
Anchor | ||||
---|---|---|---|---|
|
A privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.
...
[Source: Convention 108 Art 3.14]
Anchor | ||||
---|---|---|---|---|
|
The ANCR notice record is fundamentally a layered record schema, the first record layer is the minimum viable notice record (MVNR) a PII Principal can make to capture the organisation/institution that controls their personal data as well as the accountable person and for that legal entity. This record collects no additional data, except what the PII Principal is required to see and understand in order to be legally informed of the risks of generating a digital identifier.
...
Layer 1 - Notice Record Schema.
The PII Principal's private record of a notice without digital identifiers, also called a minimum viable record notice. This record is un-anchored and used for contextual purposes when it does not contain an ANCR Record ID, in the ancr record id field.
Layer 2 – Private Notice Record Micro-Data
The meta data that can, and must be collected with the notice record to make a digital record of the notice record
Is kept private and not directly accessible, exposed or made public.
The PII Principal private record collects personal data specific to the use of the notice
Layer 3 - A Proof of Notice (PoN) record is generated
A secured anchored notice record generated upon engagement with a notice to demonstrate that the PII Principal is informed. Not an opt-in or opt-out check box – which is linked to a notice. But check-box to confirm a notice clause is read, with a button on the notice dialogue that generates a record and receipt when used by the PII Principal
A proof of notice record can then be used by processing stakeholders to generate subsequent linked notice, notification and dislosure records pertinent to the context of notice.
Personal identifiers and attributes are encrypted, secured, verified and validated by linking to the private notice record.
Anchor | ||||
---|---|---|---|---|
|
This is the schema elements that are used to generate a un-anchored notice record and do not contain any PII, or digital identifiers.
...
Field Cat Name | Name | Object Description | Presence Requirement |
PII Controller Identity | Object | _ | Required |
| Presented Name of Service Provider | name of service. E.g. Microsoft | May |
| PII Controller Name | Company / organization name | MUST |
| PII Controller address | _ | MUST |
| PII Controller contact email | correspondence email | MUST |
| PII Controller jurisdiction legal reference | PII Controller Operating Privacy Law | MUST |
| PII Controller Phone | The general correspondence phone number | SHOULD |
| PII Controller Website | URL of website (or link to controller application) | MUST |
| PII Controller Certificate | A capture Website SSL | OPTIONAL |
Privacy Contact Point Location | pcpL |
|
|
Privacy Contact Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST |
| PCP-Profile | Privacy Access Point Profile | ** |
| PCP-InPerson | In-person access to privacy contact | ** |
| PCP-Email | PAP email | ** |
| PCP-Phone | Privacy access phone | ** |
| PCP -PIP- URI | privacy info access point, URI | ** |
| PCP-Form | Privacy access form URI | ** |
| |||
| PCP-Bot | privacy bot, URI | ** |
| |||
| PCP-CoP | code of practice certificate, URI of public directory with pub-key | ** |
| |||
| PCP-Other | Other | ** |
PCP Policy | pcpp | privacy policy, URI with standard consent label clauses | MUST |
Anchor | ||||
---|---|---|---|---|
|
These fields can be asserted by the PII Principle to extend the functionality beyond the transparency TPI’s specified.
These private record fields are separated from the Proof of Notice schema, as these are kept and controlled by the PII Principal and are used to provide defaults.
Anchor | ||||
---|---|---|---|---|
|
This is the data source for consented records of processing that is directed (and securely) verified by the PII Principal, with secure localized data source and device.
...
Record Field Name | Field Description | Verifier/Validator |
schema version | A number used by the PII Principal to track the PII Controller Record | Verifier |
Anchor Notice Record id # | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | Verifier |
Date/Time | The date and time a notice was read by PII Principal | Validator |
Notice Delivery method | Notice presentation delivery method is also known as a user-interfaceType | Validator |
Notice Location | URL or digital address and location the notice was presented to the PII Principal | Verifier |
Notice Legal Justification | One of the six legal justifications(ISO, GDPR, C108) | Validator |
PII Principal Legal Location | Refers the privacy rules in the local context | Validator |
Device Type Identifier | device identifier or fingerprint used to verify the physical method of delivery -.eg. sign, mobile ph, desktop computer | Verifier |
PII Principal Private/Public - Key Pair | The cryptographic key pair used to sign and encrypt fields in a consent record | Verifier |
Anchor | ||||
---|---|---|---|---|
|
For consented digital identity management, a proof of notice record is used as an alternative to terms and conditions, which refer to the contract-based policy for the governance of identifiers and credentials.
...
Note: ANCR Notice record ID is utilized to create and link new receipts ensuring the providence of the PII Principals control of the ANCR record
Anchor | ||||
---|---|---|---|---|
|
The proof of notice record builds upon the PII Controller identity fields and contact fields with PII Controller identifiers used to digitally track the state of privacy .
...
A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Those generated with the same schema based can be compared to automate notice for operational transparency over changes to privacy state.
A 2fN, is used to produce a dual record an receipt upon engaging with a standardized notice with access to admin privacy rights from the notice, prior to processing with consent.
The consent receipts produced from a 2fN, can be compared independently for difference in the state and status of privacy, to automatically produce a notification based on the difference in state.
Differential Transparency, produced with a tactile signal, or layer 1 notice indicator, standardized with machine readable data privacy vocabulary. (concentric and synchronic transparency)
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Overview
The ANCR Record represents the online privacy notice control record that is used to assess conformance with privacy expectations using controls and structure for consent from ISO/IEC 29184 Online privacy notice and consenr
Rules used to secure, protect and safeguard personal data; .
The only identifier is the identifier the PII Principal (optionally provided) to extend the functionality of the anchored record for receipts.
Only the PII Principal owns, controls, and delegates technical access to this identifier.
Whenever it is exchanged, it must use the blinding identifier taxonomy, cryptographically hashed with PII Principal public key.
As a result. Only attributes from the corresponding records can be used with a verified credential.
The record MUST not be generated or managed by any other stakeholder or delegate, apart from the PII Principal in order to be a trustworthy id.
...
the PII Principal keeps a personal and private record of the identity relationship metadata.
Anchor | ||||
---|---|---|---|---|
|
Personal data kept by individual
...
Differential Privacy [ not to be confused with Differential Transparency]
A method to produce noise in a personal data profile, and data sets so that the output cannot be used as conclusive evidence, or used to attack systems. A safeguard that is described as a way to provide a ‘buffer’ to protect the PII Principal from harms.
A relevant topic defined in the ANCR Record used in a different context, not as a tool used by a PII Controller, but as a control for PII Principal to use when engaging with PII Controller Services,
Synthetic personal data can be generated from the Anchored Private Notice record and linked eConsent receipts with the use of verified micro-credentialing
These records and receipts can be used to provide safe environments to model future personal data, anonymize PII Principles own data before use, provide statistical data to services and trusts, safeguard Altruistic Consent (see concentric data types) can be employed to open certain data types for a specific purpose to help people and society.
Differential privacy can be used to evaluate structural deficiencies in existing data models (online profiles) and invalidate data sets through access rights which are near universal.
Differential privacy tools can generate synthetic personal data can be generated to increase the size of a personal data set, and to employ machine learning systems on behalf of the PII Principal to address and secure the use of PII in machine learning systems to enable the individual address contextual and even adversarial scenarios
Anchor | ||||
---|---|---|---|---|
|
Non-national standards are used in this specification to mediate transborder data controls and policy and provide extra-territorial governance. National standards are limited in terms of governance policy.
...
ISO/IEC 29100 - Security and Privacy schema, information structure
Mutually exclusive an collectively exhaustive framework matured over X years
Used to identify security and privacy stakeholder roles in data governance
The ANCR record is specified to propose a standard method, to secure records that can be self-asserted by people to control, use, and trust online.
It is envisioned that the only data ever seen by the PII Principal and accessible only via verification are those delegated as such specifically by the PII Principal.
PII Controller uses privacy stakeholders as a mutually inclusive and collectively exhaustive technology governance framework for cross-border identifier exchanges
All data processing is required to be transparent by default and provide notice, notifications and disclosures, which can be automated with this specification.
Transparency defaults are provided in relation to Adequacy with international best practice in order to be interoperable with EU-GDPR and Convention 108 to operationalize transparency with enforcement.
Every non-person entity, or delegate, processing personal data is a PII Controller. An un-identified PII Controller, is a 3rd Party, and requires PII Controller Category with a scope of authority for the context of processing personal data.
The PII Controller can have many roles, according to context of processing. E.g., Joint Controller, PII Processor, and PII-Sub-processor. 3rd Party
3rd Party Recipients,
All 3rd parties MUST be identified as a PII Controller to
A stakeholder without a controller id, or role in direct purpose of processing. Using a different legal justification, like legal obligation. For automated discovery of security events, like mis-information and fraud detection.
Assurances that 3rd parties, can also be identified as a PII Controler.
Assurances that all PII Joint Controllers, Processors or Sub-Processors, are accountable and identifiable as a PII Controller.
PII Controller identity credential (is required to produce a consent notice receipt for verification, validation and authorisation by the PII Principle.
There are interoperable with IAM system roles 0 Holder, Verifier, and Issuer in Self Sovereign Identifiers (SSIs) and Distributed Identifiers (DIDs) can be directly mapped to PII controller roles.
ANCR notice records can be generated by the PII Principal and notarized by a 3rd Party authority, on behalf of the PII Principal, for use independently of a PII Controller.
Differential Privacy
An editorial use case – in which a recovered is made of who controls the choice to use differential privacy. Presented in the context that the PII Principal is in control of record and the choice to use the method. As opposed to the PII Controller being in control and deciding when to use this without proof in the form of electronic consent.
To address a security gap – dis-empowering 3rd Party data processing without consent, the creation of an identifier for system access and management, any type of tracking, is referred to as profiling, which constitutes a high-risk privacy activity.
To mitigate the substantial risks, of digital identifier management technologies, any secondary use of the data – including ‘Differential Privacy’ must a) be transparent (specified with the consent information structure) and b) consented with a proof of notice receipt for evidence of consent,
This means processing is specific to purpose of the consent (Note: unless derogated in law which is also provided in notice and a represented in a code of practice, for the service.
Best Practice - Consent for the service to re-use a PII Principal profile for a secondary purpose, is a specific explicit consent, not an opt-in, or out governance control.
Trustworthy ID Compliance
without explicit consent for the generation of identifiers, the use of PII for big-data, machine learning, including differential privacy is arguably a breach of PII and clearly un-ethical as it violates the privacy expectations of the Individual.
To this over-arching point of providence of authority through consent.
The use of digital identity technology requires electronic notice and when required electronic consent,
In this regard, ethical use of differential privacy would require a record of consent to identify and profile and personal identity, then, sn explicit consent for the purpose of use.
In this way PII Principals can be secure, safeguarded, and empower their choices through the control of who benefits from their personal and why.
Bottom Line
PII Principal identifying information MUST never be included without being secured at the attribute level. When a consent receipt is provided, all PII Principal identifiers MUST be blinded and, in this way, pseudonymized, in a format in which identifiers can be made portable (data portability) e.g., with a verifiable credential using zero-knowledge proof.
Any PII Controller consent records that combine raw personal identifiers with a consent record are therefore insecure and those systems are considered to have non-operational transparency
Anchor | ||||
---|---|---|---|---|
|
The anchored notice record can be extended with the standardized consent record information structure by utilizing 3 extensions.
Anchor | ||||
---|---|---|---|---|
|
The concentric notice label is used to identify the default legal justification for processing which is used for the default data processing practices.
...
The extension is written for the PII Controller, to enable the anchored record to be used as a verifiable data source for operationalizing a channel (exchange) where PII Principals can advertise a consent grant to the controller. (see Appendix 1 )
Anchor | ||||
---|---|---|---|---|
|
Extension 2 is focused on data treatment and rights of the purpose specified in Extension1. This extension utilizes some of the ISO/IEC 27560 schema, as well as the W3C Data Privacy Vocabulary, and some additional elements regarding delegation, cross-border adequacy, definition of data privacy rights data controls.
Anchor | ||||
---|---|---|---|---|
|
Extending the security code of conduct, purpose specification (ext 1) and data treatment sections (ext 2) with a transparency code of practice.
...
[Note: The appendices introduce the new elements found in this specification, as well as a schema map for interoperability with ISO/IEC 27560 for contribution.]
Anchor | ||||
---|---|---|---|---|
|
Kantara Community, DIACC, ToiP, W3C DPV and Consent,
The ISO/IEC 27560 committee
Standards Council of Canada
PasE; Consent Gateway Team and the NGI – Next Generation Internet Grant contribution
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
[Conv 108+] Council of Europe, Convention 108 +
...
[Kantara Initiative] Consent Receipt v1.1
Annex (WiP to v8.9.9)
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Note: This ANCR Record uses a record data type for MySQL as the example data type for records, unlike consent notice receipt tokens, which use jason-ld web-token data types. (ISO/IEC 28184 Annex B: Consent [Notice] Receipt)
The Notice Record utilizes data types for a record in a database, this maps to MySQL, unlike the consent receipt which utilizes JSON token data types.
Anchor | ||||
---|---|---|---|---|
|
Attribute Name
data types, for attribute … machine readable element
...
Notice Record Example Field Category | Label | Data Type | Attribute name | Field Description | Presence Requirement | TPI 1 Cntrl Id Present | TPI 2 Accessibility Example | Security TPI 3: Digital Context Integrity | ISO/IEC 29100-Ref | ISO/IEC 29184-Ref | GDPR Ref | Conv 108 Ref |
PII Controller Identity | Controller ID Object | String | controller_id_object | _ | Required | Security key or Cert | 4.2.2 | 5.3.4 | ||||
Presented Name of Service Provider | String | presented_name_of_service_provider | name of service. E.g. Microsoft | May | ||||||||
PII Controller Name | String | piiController_name | Company / organization name | MUST | ||||||||
PII Controller address | String | piiController_address | _ | MUST | ||||||||
PII Controller contact email | Varchar(n) | piiController_contact_email | correspondence email | MUST | ||||||||
PII Controller legal location | String | piiController_legal_loc | PII Controller Operating Privacy Law | MUST | ||||||||
PII Controller Phone | Char | piiController_phone | The general correspondence phone number | SHOULD | Issuer Statement | |||||||
PII Controller Website | Varchar | piiController_www | URL of website (or link to controller application) | MUST | ||||||||
PII Controller Certificate | BLOB | piiController_certificate | A capture Website SSL | OPTIONAL | ||||||||
Privacy Contact Point Location | VarChar(max) | pcpL | Public Key base64 (human readable - kind of...) | |||||||||
Privacy Contact Point Types (pcpT) | Object | pcpType | ||||||||||
Must have at least one field for the PCP object | MUST | |||||||||||
PCP-Profile | String | pcpProfile | Privacy Access Point Profile | ** | ||||||||
PCP-InPerson | String | pcpInperson | In-person access to privacy contact | ** | CRL and OSCP endpoints | |||||||
PCP-Email | Varchar | pcpEmail | PAP email | ** | ||||||||
PCP-Phone | char | pcpPhone | Privacy access phone | ** | ||||||||
PCP -PIP- URI | Varchar | pcpPip_uri | privacy info access point, URI | ** | ||||||||
PCP-Form | Varchar | pcpForm | Privacy access form URI | ** | ||||||||
PCP-Bot | String | pcpBot | privacy bot, URI | ** | ||||||||
PCP-CoP | String | pcpCop-loc | code of practice certificate, URI of public directory with pub-key | ** | ||||||||
PCP-Other | string | pcp_other | Other | ** | ||||||||
PCP Policy | pcpp | string | pcpp | privacy policy, URI with standard consent label clauses | MUST | |||||||
Anchored Notice Record Field Categories | Name | Type | Attribute Name | Description | Presence | |||||||
ANCR Record ID | string | ancr_id | Blinded identifier secret to the PII Principal | Required | ||||||||
Schema version | string | V x.xx.x schema_version | ||||||||||
Timestamp | DATETIME | time_stamp | _the time and date when the ANCR record was created | Required | ||||||||
Legal Justification | string | legal_justiication | One of six legal justifications used for processing personal data | |||||||||
Notice Record | Object labels | VarChar(max) | notice_record | |||||||||
Notice Type | string | notice_type | Notice, notification, disclosure | Required | ||||||||
Notice method | string | notice_method | Link / URL to the UI that was used to present the notice e.g. website home page | MUST | ||||||||
-digital-Notice-location | string | digital_notice_location | Notice location e.g.ip address | MUST | ||||||||
location Certificate | BLOB | location_certificate | MAY | |||||||||
Notice Language | string | notice_language | The language notice provided in | MUST | ||||||||
Notice Text File | string | notice_text_file | URL – and or Hashlink for the notice text | MUST | ||||||||
Notice text | string | notice_text | The capture of a copy of the notification text | MUST | ||||||||
Notified legal Justification | string | notice_legal_justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST | ||||||||
Concentric Notice Label Type | string | cnl | a label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL | 5.3.12 | |||||||
Not-Consent | Refers to laws and democratic consensus (legitimate Interest, Legal Obligation, Public Interest & Vital Interest) | |||||||||||
Private Anchored Notice Record Field Category | Label | Type | Attribute name | Field Name | Required/Optional | |||||||
Private Record | schema version # | V | Optional (unless shared or used further) | |||||||||
Anchor Notice Record id # | Int | Ancr_id | MUST | |||||||||
Date/Time | DEATETIME | Required | ||||||||||
Notice Collection method | optional | |||||||||||
Notice Collection Location | VarChar(max) | required | ||||||||||
Notice Legal Justification | VarChar(max) | |||||||||||
PII Principal Legal Location | VarChar(max) | ploc | ||||||||||
Device ID | NVarChar(max) | |||||||||||
PII Principal Private- Key | VarChar(max) |
Anchor | ||||
---|---|---|---|---|
|
The object of the ANCR record is to enable operational transparency. A concentric notice type is used to provide a human centric label to a record or a receipt.
...
. Referencing the corresponding ISO/IEC 29184 control to enhance interoperability of operational transparency. Interoperability that is realized through the extension of transparency with records of processing to establish and maintain a shared understanding of security and privacy risks. Affording people choice which mitigate risks and transfer liability.
Anchor | ||||
---|---|---|---|---|
|
These are mapped here to provide a set of operational transparency defaults to set and support privacy as expected by the PII Principal. Expectations that provide a privacy notice starting point, where PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing to access privacy rights.
...
Concentric digital transparency is a design principle of electronic Notice and evidence of consent. The outcomes are for a shared / concentric understanding of a relationship and the purpose of digital interaction, the data control impact, and associated risks centric to the PII Principal.
Anchor | ||||
---|---|---|---|---|
|
Concentric Notice Types are you to create a digital notice label to enable that can be applied to digital processing context which are understood from a human centric perspective.
...
Concentric Notice Type | Description | Legal Justification | Privacy Rights | Legal Ref |
Non-Operational Notice N/O | Not enough notice/security information for digital privacy | Not compliant with any if unable to determine or confirm Controller, or contact | Withdraw, Object, Restrict, | Con.108+ 79.1(a) GDPR Art 13/14 1a,b, |
Consensus Notice | Notice of Legitimate Processing. Surveillance Notification , | Legitimate interest | ||
Implied Consent Notice | Implied through PII Principals participation in a specific context. | consent | ISO/IEC GDPR Art 50 1 c Con 108+ -Supplement- IPC, Canada3 | |
Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal. | Legitimate interest, Contract, Legal obligation | Object , Restrict | |
Expressed Consent notice | Expressed through the implicit action of a Notified individual. | Informed Consent | Withdraw | |
Explicit Consent Notice | Provided in such a way that the is Informed, freely given, knowledgeable consent,. | Consent witch is knowledgeable of risk | Withdraw | Con 108+.1(4)1b GDPR Art 7.1 |
Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to disclosures of risks that are notified. | meaningful consent, in which the individual has specified the consented purpose | GDPR 9.1(h) | |
Altruistic Consent | Not knowing who the Controller of PII will be. Consent to a purpose and public benefit governance framework, without knowing who is the beneficiary | Consent | DGA, Recital 1,2,4,36,39 |
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
(for latest draft of this extension or to get involved in working on it visit ANCR WG-Kantara Wiki ANCR - Extension 1 – 27560- Consent record information structure)
...
These refer to 27560 line – 362 WD4, where it calls out the need to reference the schema(s) information structure used, in addition to demonstrating the capacity to maintain documentation for its correct technical implementation. - and conformance to the requirements specified in the 27560 documents.
Anchor | ||||
---|---|---|---|---|
|
In summary, elements from 27560 frame the data treatment elements are found in Extension 3 in addition to
Anchor | ||||
---|---|---|---|---|
|
The ANCR record is specified in this information structure according to legally defined code of conduct, each element that is required is referenced to standards and legislation which constitute the code of conduct for operational transparency trustworthy id protocol.
The legal code of conduct is extended by codes of practice which are often recognized as certifications and represented by certificates and certifications.
Anchor | ||||
---|---|---|---|---|
|
Terms, definitions, filed data, record examples, machine readable privacy vocabulary, used to generate notice, notifications, and disclosures are provided here.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Version | Date | Summary of Substantive Changes | |
0.1 DRAFT | 2021-02-28 | Initial v1.1 draft | |
0.5 | 2022-02-02 | Draft – updating scope to Notice and eConsent | |
0.8 | 2022-07-04 | Full outline / 70% drafted | |
0.8.5 | 2022-08-04 | Outline 100% Draft - Posted to Kantara Wiki | |
8.8.2 | Annex Updates | ||
8.8.3 | Restructured Sections and schema, cleaned schema up a little – practice what preaching by making spec structural human centric | ||
8.8.5 | First Full Draft for Review |
...