CR v1.2 Framework
the receipt The Consent Receipt Framework exposes the legal requirements that are required to administrate consent, further define the governance of permissions and application of preference. Online, or with sensory infrastructure, consent (and consensus) is implied in public spaces when processing personally identifiable information.
The CR CV1.2. WD 2, generates a consent record from an interaction with a Notice or Sign, which for security, the PII Controller needs to be identifiable, and verifiable. The ANCR Record is an iteration of the prefix of the CR V1.1.
The consent receipt framework is consent by default and the anchor record is the Consent Receipt prefix and is used to capture legal entity information and used to generate a consent notice receipt.
The receipt is further defined and fields and broken down intobroken down for use by privacy framework for conformance assessment, which is based on the lifecycle of a specific notice for processing personal data and a specified purpose, the purpose is used to define the consent grant which provide the scope of permissions for a digital identifier management system.
Flow of Architecture PII Principle Creates and controls Anchored privacy notice records for Privacy Assurance
For Example
a self-asserted PII Controller ANCR record provides a tier 0 privacy assurance,
- if held by PII Controller, on behalf of the PII Subject then this is not compliant
- must be witnessed by 3rd Party Privacy Assurance Provider
- if held by PII Controller, on behalf of the PII Subject then this is not compliant
- a self-asserted PII Principle ANCR Record
- is held by PII Principle, used to generate consent notice receipts
- a self-asserted PII Principle ANCR Record
Conformance assessment use cases for 27560 for the PII Principal:
- use of receipt as evidence for proof of notice and consent.
- use of receipts as proof of awareness for identity management system
- use of receipt to see the state of privacy / consent lifecycle - so that people can automatically see what to expect without reading a privacy policy or terms - with access directly to digital use of privacy rights .Consent Grant Roadmap - Scope protocol for Identity management system permissioning
- Consent Grant (human scope) - Identity Management = technoal permission and access controls
Updating from v1.1 - represented by submission to ISO 27560
- delegation
- jurisdictions
- personal data categories
- consent record structions
- purpose finger print
...
- purpose
V1.2 : Consent Receipt Framework
Intro - Implements PasE Protocol with 2FC
V1.2.1 : Anchor Receipt
...
ANCR Record Conformance
- First Factor Notice for PII Principal
- Fields for DS location require a verifier
- verifying (or synthetic) attribute
- a specified legal jurisdiction
- quality of notice of control receipt
- quality of service purpose specification receipt
- PII Controller
- notice location
- legal jurisdiction
- governing framework - e.g. t&c's?
V1.2.2 : Consent (Notice) Receipt:27560
- Extend with Legal justification to specify purpose for a service
- Specifying the Legal Justification for data processing in a
...
- notification
- Specifying Data Categories
- Specifying Data Treatment
- Specifying Security
V 1.2.3 : Rights Access & Automation
- rights with ANCR Record
- universal context right
- right to information about privacy and security
- right to see contoller and purpose(s)
- legal requirement for presenting risk
- right to information about privacy and security
- universal context right
V 1.2.4 : Consent Validation - The Life cycle of a consent
- Active State of Consent Validation
- identity governance controls and scope
- Consent Grant for Identity
...
- Protocol Governance
- Scope of a Consent Grant Represented in the User Managed Access Protocol
- use of consent gateway for consent grant validation
- Scope of a Consent Grant Represented in the User Managed Access Protocol
Protocol Scope Use Cases
UMA
SAML / eIDAS
- FAPI
- GNAP
V 1..2.5 :
- Privacy as Expected - Part 3: the human interaction point - in which proof of notice being provided/read is captured and a Consent Notice Receipt is generated.
Additional information for data control & accountability providence can be nested in the receipt to provide a higher level of automated privacy assurance to better mitigate risk and liability
...
- Consent by Design - operational conformance - standardizing signalling - UI interaction point conformance - proof of notice and transparency/accountability assurance
- 29184 notice controls and consent structure
V 1.2.6 Data Governance Interoperability
- Privacy Framework for Gov interop for Security/Surveillance, Evidence and Policing
- Re-Issuing Identity Credentials with a native and local identity service - rather than exporting a federation into foreign governance models (e.g. Contracts / T&C's)
- Transparency Assurance
V 1.2.6 Topics Raised to be Reviewed / Refined and Addressed in Roadmap to V2
- Delegation
- Jurisdiction (physical location proof)
- Consent Types Defined in v1.2
- explicit
- implied
- directed
- altruistic
WKD ISSUES
The CR v1,1 as published known challenges have been addressed and are specified here in the v1.2 update.
- See V1.1 Update https://kantarainitiative.org/confluence/x/VYSVC
...
- V1.1 (2017) addressed with GDPR and then adopted to ISO
- V1.1 completed with comments to ISO
- delegation
- Jurisdiction
- PII categories
CR v1.2 Format Structure and fieildsand fields
- Notice field object
- Location & Time
- Location – twin -
- Physical Device -
- PII Controller object
- Jurisdictions,
- Link to physical notice
- Extend it (Legal Justification)
- Privacy Stakeholders
- Categories of controllers
- Consent Purpose Specification (v.1.1)
- Purpose Category
- Purpose Descriptions
- Purpose Sensitive Categories of Data
- Sensitive data category
- Personal Data Category
- Personal Data Types/attributes etc
- Personal Data Processing Treatment
- Storage
- Security (cert/sighed key)
- Extensions –Requirements (according to Context)
Notice & Notifications
A Notice can itself be extended with a Notification for the maintenance of a consent record, and consent based relationship. Notice Receipts facilitate a Semantic Governance Framework
...