...

Conditions for use

License Condition:

This document has been prepared by participants of Kantara Initiative Inc. ANCR-WG. No rights are granted to prepare derivative works of this ANCR Scheme outside of the ANCR WG. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

...

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2024 Kantara Initiative, Inc.

Abstract 

Since the first signatory in 1980, the international standardisation of security and privacy law has been underway to become formalised into regulation that is now enforceable upon its implementation as legislation in Commonwealth countries, like the EU through the General Data Protection Regulation and Canada through Quebec Law 25. This has paved the way for the ratification of the update of Convention 108 from the Council of Europe to Convention 108+. The international commonwealth privacy framework, which is interoperable with the ISO/IEC 29100 security and privacy framework, is also widely adopted and open access.

...

The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs).

| Stakeholder | ISO/IEC 29100 | Conv 108+ | GDPR | PIPEDA | Quebec Law 25[1] |
|---|---|---|---|---|---|
| Regulator | Privacy Supervising Authority | Supervisory Authority | Data Protection Authority | Privacy Commissioner | Commission d’accès à l’information du Québec |
| Principal | PII Principal | Data Subject | Data Subject | Individual | Concerned Person (or person concerned) |
| Controller | PII Controller | Data Controller | Data Controller | Organisation | Person in Charge of the Protection of Personal Information |
| Joint Controller | Joint PII Controller | Joint Data Controller | Joint-Controller | Organisations | Person in Charge of the Protection of Personal Information |
| Processor | PII Processor | Processor | Data Processor | 3rd Party | Service Provider (prestataire de services) |
| Sub-Processor | Sub-Processor | Sub-Contractor | Sub-Processor | 3rd Party / Service Provider | Service Provider (prestataire de services) |
| 3rd Party | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | 3rd Party | Any individual or organisation other than the person concerned or the organisation in charge of data protection |

...

[1] An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25,

...

The TPIs are employed to assess digital privacy transparency for human context.

About the Scheme

The TPI Scheme presented here is scoped to an international/internet-scale digital commonwealth transparency adequacy baseline for trans-border digital consent capable records of transparency. The TPS includes:

...

How Does the Scheme Operate?

An ANCR (Anchored Notice and Consent Receipt) refers to a Notice Receipt Record, which is assessed as a ‘proof of notice’ (or knowledge record) claim, conformant as a Consent Notice Receipt record format used to perform an ISO/IEC conformant digital privacy transparency compliance assessment against international technical and legal baselines.

The scheme employs TPIs to measure the operational performance of transparency and accountability. This is used to determine the capacity for dynamic control of personal data in an online service context.

The ANCR record is produced from a TPI Assessment which captures the identity of the controller and accountable person, contact and physical address. In this way the presented digital governance and surveillance context can be assessed for compliance for transborder flows of data.

What Do TPIs Measure

There are 4 Indicators specified in this scheme used to measure the existence and performance of the publicly required digital service information. The TPIs check digital components, and identify the governance model, authority, and security framework to assure the validity of the privacy state in an online service context. This provides privacy risk assurance for people.

Indicators are captured at the point of notice presentation to capture the required PII Controller privacy rights access point(s), and the governance framework under which personal data processing is being governed.

How Does the Scheme Work

The TPIs for conformance in the capture of privacy information or services are mapped to analogue legal requirements which measure response times in days, out of technical context. TPIs all measure how dynamic privacy service information is in context, and provide a rating, from -3 to +1, in which +1 is for a Dynamic, in-context transparency performance indicator. This introduces the concept of a shared active privacy state transparency, comprised of the signal that indicates if the privacy is as expected in context.

...


...

Overview of 4 Transparency Performance Indicators (TPIs)

The 4 Transparency Performance Indicators capture transparency and data capture practices in context and are used to test the self-asserted information for its operational usability.

...

The specified TPIs focus on the initial point of contact. This includes the publicly required information that MUST be provided and refers to the PII Controller Identity and Contact information, which is required in all legal privacy instruments. Transparency, in this regard, is a universal requirement, and required for the free, prior, and informed consent necessary to scale digital privacy online and as a means of governing and providing trust in authority.

The TPIs here are used to assess session-based data capture and self-asserted information by organizations to specify a public level of trust assurance that is provided in an online context.


TPI 1 - Measures the Timing of PII Controller Identity Notification:

This TPI captures when the Controller's legal entity and Accountable Person or Privacy Officer (digital identifiers) provides their identifiers. This is measured to see if the notice is delivered

...

Personally identifiable information is captured.3

By assessing dynamic and operational transparency, as opposed to static, infrequent information, it provides a way for an individual to assess if they can trust a service or not. This also assesses compliance with Article 14.1, and specifically defined in Article 15.1, a) and b)

...