
Commonly referred to as the ANCR TPA Scheme: Parts 1 and 2 for measuring conformance, compliance, performance and security of transparency and consent.

Conformity & Compliance Scheme Framework v0.08.1

Note: the ANCR Notice and Consent Receipt Specification, Consent Receipt v2, is currently in drafting, with the aim of a review in September 2024.
This scheme uses the v2 specification to define the schema for a PII Controller Identity Record. That record is generated by the Transparency Performance Indicator assessment, which provides a standard measure of the operational performance of the presented PII Controller's security and privacy session information. The assessment creates a record of notice, not a receipt (a receipt is a proof of notice). A record of notice is notational, not authoritative, which means it cannot be used for consent assurance.

See the Consent Receipt v1.9 (Aug 2023) page for updates.

Editor(s):

  • Mark Lizar, WG Co-Chair, WG Editor

...

  • Sal D’Agostino, WG Co-Chair

  • Gigi Agassini, WG Secretary


IPR Option:

This ANCR Record Specification TPA Scheme is required to be open, as specified under the ANCR WG IP License (Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Non-discriminatory (RAND) license agreement) at the Kantara Initiative, for contribution to ISO/IEC SC 27 WG 5.

Any derivative use of this specification must not create any dependency that limits or restricts the use, accessibility, and availability of the scheme and/or its use to evaluate the performance of transparency and/or the ability for the PII Principal to provide and manage consent records.

Suggested Citation: (upon WG approval)

ANCR Digital Identity Trust: Transparency Performance Assessment Scheme, Part 1 & 2 v1.0

NOTICE

This specification relies on (open access to) ISO/IEC 29100 Security techniques, Privacy framework; ISO/IEC 29184 Online privacy notices and consent; and ISO/IEC 27560 Consent record information structure (Appendix B), further specified by the ANCR Mirrored Record Information Structure [3] and a Consent Notice Receipt format as specified in the Kantara Initiative ANCR WG Mirrored Record information structure, which extends the CISWG MVCR and is a digitally twinned record information structure based on the Consent Receipt v1.1 [4].

Conditions for use

License Condition:

This document has been prepared by participants of Kantara Initiative Inc. ANCR-WG. No rights are granted to prepare derivative works of this ANCR Scheme outside of the ANCR WG. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The participants and any other contributors to the specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Digital Trust Transparency Scheme specification are advised to review the Kantara Initiative's website (Kantara Initiative: Trust through ID Assurance) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader,

Thank you for reviewing this Kantara specification in its preparation for publication and contribution. The Kantara Initiative is a global non-profit commons dedicated to improving the secure, private and trustworthy use of digital identity and personal data through innovation, standardisation, and good practice.

The Kantara Initiative is known internationally for incubating innovative concepts, operating an Identity Assurance Framework to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. "Nurture, Develop, Operate" captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.

...

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2024 Kantara Initiative, Inc.

Abstract 

Since the first signatory in 1980, the international standardisation of security and privacy law has been underway, first formalised into regulation and, as of March 2024, into enforceable law implemented as legislation in jurisdictions such as the EU, through the General Data Protection Regulation, and Canada, through Quebec Law 25. This has paved the way for the ratification of the update to the Council of Europe's Convention 108, Convention 108+: an international privacy framework that is interoperable with the ISO/IEC 29100 security and privacy framework, itself widely adopted and open access.

This Digital Trust Assessment Scheme, the first identity management trust assessment scheme, creates a PII Controller Record using the Kantara Consent Receipt schema, now also found in ISO/IEC 27560:2023, Consent record information structure.

...

In Part 2 of the scheme (Appendix A), a transparency information request is sent to the controller using the PII Controller Record generated in Part 1 of the assessment scheme, to: a) test the operational performance of transparency and consent information by making a rights request or complaint; and b) assess compliance in accordance with the international adequacy baseline.

...

Application

Four Transparency Performance Indicators assess transparency signalling in Part 1:

  1. Timing: when PII Controller identity information is provided relative to when data is captured, to assess security and privacy risk and compliance, and to determine the legal validity of consent.

  2. Content: whether the required PII Controller identity information is provided, and its operational performance, to assess operational compliance for any legal justification or authority.

  3. Usability (accessibility and authenticity) of the PII Controller information and privacy notice in the digital context, and of the terms and definitions used in the notice, notification or disclosure.

  4. Data sovereignty security risk: whether the digital security certificate's integrity, OU, jurisdiction and name match the PII Controller information, registration or notice.

These are used to assess:

  1. whether consent is valid

  2. how operational it is

  3. how inclusive and authentic it is

  4. how secure the transparency and consent is

...


  1. Identity information, taking into account device accessibility and the language and number of "screens" needed to access the privacy information and policy, in order to then assess the terms and definitions used against the legal (and expected) terms and definitions.

  2. Contextual security integrity: in particular the contents and policy of the digital certificate, keys and related tokens used; cryptographic soundness; and the policy (and its endpoint) for the purpose, e.g. browsing versus consent to processing PII. Further examples: whether the certificate's OU, jurisdiction and (common) name match the PII Controller, and whether the policy matches the notice of risk.

In Part 2, the record is used to send a digital privacy rights request, which tests the operational performance and integrity of the notice, notification and disclosures.

Terms & Definitions

Normative references: CoE Convention 108+ and the ISO/IEC 29100 security and privacy framework. ISO/IEC 29100 maps terms in the standard itself; for example, PII Principal is mapped to Data Subject.

Term Mapping

The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs). The following table maps the stakeholder roles across the instruments referenced.

| Stakeholder | ISO/IEC 29100 | Conv 108+ | GDPR | PIPEDA | Quebec Law 25 [1] |
| --- | --- | --- | --- | --- | --- |
| Regulator | Privacy Supervising Authority | Supervisory Authority | Data Protection Authority | Privacy Commissioner | Commission d'accès à l'information du Québec |
| Principal | PII Principal | Data Subject | Data Subject | Individual | Concerned Person (or person concerned) |
| Controller | PII Controller | Data Controller | Data Controller | Organisation | Person in Charge of the Protection of Personal Information |
| Joint Controller | Joint PII Controller | Joint Data Controller | Joint-Controller | Organisations | Person in Charge of the Protection of Personal Information |
| Processor | PII Processor | Processor | Data Processor | 3rd Party | Service Provider (prestataire de services) |
| Sub-Processor | Sub-Processor | Sub-Contractor | Sub-Processor | 3rd Party / Service Provider | Service Provider (prestataire de services) |
| 3rd Party | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | 3rd Party | Any individual or organisation other than the person concerned or the organisation in charge of data protection |

...

[1] An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25,

(compliance roles, mapped to be interoperable within any data privacy framework)

...

Transparency Performance Indicators (TPIs) are introduced here as an object of conformity that captures the presented PII Controller (credential) information and measures it for timing, content, accessibility and security. The operational data governance context and capacity per context can then be measured against the existing international adequacy baseline for compliance.

In this way TPIs can quickly be used to determine the validity, quality and governance of data processing for digital and physical assessment contexts.

The TPIs are employed to assess digital privacy transparency for human-context notice and consent compliance.

About the Scheme

The TPI scheme presented here is scoped to an international, internet-scale transparency adequacy baseline for trans-border, digital-consent-capable records of transparency. The scheme includes:

...

Part 2 (Appendix A) uses the ANCR record to audit the adequacy of the captured controller elements as specified in Council of Europe Convention 108+, Article 14 (transparency modalities).

How Does the scheme Operate?

An ANCR (Anchored Notice and Consent Receipt) is a notice receipt record, assessed as a "proof of notice" (or knowledge record) claim and conformant as a Consent Notice Receipt, used as the record format for performing an ISO/IEC-conformant digital privacy transparency compliance assessment against international technical and legal baselines.

The scheme employs TPIs to measure the operational performance of transparency and accountability. This is used to determine the capacity for dynamic control of personal data in an online service context.

The ANCR record is produced from a TPI assessment, which captures the identity of the controller and accountable person, contact details and physical address. In this way the presented digital governance and surveillance context can be assessed for compliance for (transborder) flows of data.

What Do TPI’s Measure

There are four indicators specified in this scheme, used to measure the existence and performance of the publicly required digital service information. The TPIs check digital components and identify the governance model, authority and security framework, to assure the validity of the privacy state in an online service context. This provides privacy risk assurance for people.

Indicators are captured at the point of notice presentation, to capture the required PII Controller privacy rights information access point(s) and the governance framework under which personal data processing is governed.

How Does the Scheme Work

The TPIs for conformance in the capture of privacy information or services are mapped to analogue legal requirements, which measure response times in days, out of technical context. Each TPI measures how dynamic privacy service information is in context and provides a rating from -3 to +1, where +1 is a dynamic, in-context transparency performance indicator. This introduces the concept of a shared active privacy state: a transparency signal, like a dial tone, that indicates whether privacy is as expected in context.


...


...

Overview of 4 Transparency Performance Indicators (TPIs)

The four Transparency Performance Indicators capture transparency and data capture practices in context, and are used to test self-asserted information for its operational usability.

...

The specified TPIs focus on the initial point of contact. This includes the publicly required information that MUST be provided, namely the PII Controller identity and contact information, which is required in all legal privacy instruments. Transparency in this regard is a universal requirement, needed for the free, prior and informed consent necessary to scale digital privacy online, and a means of governing and providing trust in authority.

The TPIs here are used to assess session-based data capture and self-asserted information by organisations, to specify the public level of trust assurance provided in an online context.


TPI 1 - Measures the Timing of PII Controller Identity Notification

This TPI captures when the controller's legal entity and accountable person or privacy officer provide notice of their identity (digital identifiers). This is measured to see whether the notice is delivered

...

personally identifiable information is captured [3].

By assessing dynamic and operational transparency, as opposed to static, infrequent information, this gives an individual a way to assess whether they can trust a service. It also assesses compliance with Article 14.1 and, specifically, with the information requirements quoted below from GDPR Article 13(1)(a) and (b):

Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a)  the identity and the contact details of the controller;

(b)  the contact details of the data protection officer;
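The timing measurement described above, as an added worked example that is not part of the scheme or the ANCR WG's own tooling: it takes a session timeline of the kind a HAR export or an intercepting proxy produces, lists the identifiers (cookies set, identifiers sent in requests) captured before the PII Controller identity notice appeared, and maps the outcome onto the TPI 1 column of the metric logic table. The timeline, the event kinds and the decision to rate a notice shown only after capture with the -1 ("one click away") row are this example's assumptions, not the scheme's.

```python
"""TPI 1 (timing) check on a session timeline.

Added worked example, not the scheme's or the ANCR WG's own tooling. Given a
timeline of the kind a HAR export or an intercepting proxy yields, it lists every
personal identifier captured (a cookie set, or an identifier sent in a request)
before the PII Controller identity notice was presented, and maps the result onto
the TPI 1 column of the scheme's metric logic table."""
from datetime import datetime

# Event kinds: "set-cookie" (identifier written by a response), "request"
# (identifier sent by the client), "notice" (controller identity presented),
# "notice-link" (only a link to it, e.g. a footer privacy-policy link).
CAPTURE_KINDS = ("set-cookie", "request")

# Constructed sample timeline, not a real capture: a session id and an ad-network
# identifier are captured before the identity notice appears 4 s into the session.
SAMPLE_EVENTS = [
    ("2024-09-01T10:00:00.000+00:00", "set-cookie", "sid=abc123; Path=/; Secure"),
    ("2024-09-01T10:00:00.120+00:00", "request", "https://cdn.example-ads.net/px?uid=9f2"),
    ("2024-09-01T10:00:01.500+00:00", "notice-link", "https://shop.example.org/privacy"),
    ("2024-09-01T10:00:04.000+00:00", "notice", "Example Retail Inc.; privacy@example.org"),
]


def _ts(stamp):
    return datetime.fromisoformat(stamp)


def captures_before_notice(events):
    """Return (delay, early): delay is seconds from the first identifier capture to
    the notice (positive means capture came first; None if there is no notice),
    early is the list of capture events that precede the notice."""
    ordered = sorted(events, key=lambda e: _ts(e[0]))
    captures = [e for e in ordered if e[1] in CAPTURE_KINDS]
    notice = next((e for e in ordered if e[1] == "notice"), None)
    if notice is None:
        return None, captures
    early = [e for e in captures if _ts(e[0]) < _ts(notice[0])]
    delay = (_ts(notice[0]) - _ts(captures[0][0])).total_seconds() if captures else 0.0
    return delay, early


def rate_tpi1(events):
    """Map the timeline onto the table's TPI 1 ratings. Assumed mapping for a notice
    shown only after capture: it is rated with the 'one click away' row, -1."""
    delay, early = captures_before_notice(events)
    if delay is not None and not early:
        return 0, "controller identity in first notice, before any identifier capture"
    if delay is not None:
        names = ", ".join(e[2].split(";")[0].split("?")[0] for e in early)
        return -1, f"{len(early)} identifier(s) captured {delay:.1f}s before notice: {names}"
    if any(e[1] == "notice-link" for e in events):
        return -1, "identity only linked, one click away; identifiers captured without notice"
    return -3, "no controller identity notice or link in the session"


if __name__ == "__main__":
    print(rate_tpi1(SAMPLE_EVENTS))
```

For the constructed timeline the result is -1, with the session cookie and the ad-network request named as identifiers captured 4.0 s before the notice; moving the notice event ahead of the first capture yields 0, and a timeline with neither a notice nor a link yields -3. A +1 rating (machine-readable credential linked in the flow) is not something a timeline alone can establish, so it is not produced here.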

...

...

TPI 2 - Measures Required Data Elements

This TPI captures whether the required security and privacy attributes are provided [6]. These provide the PII Controller information for all accountable parties: who they are, and what information about them is legally required. In all cases there is a requirement for a notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information and rights as required [Art. 14.1].

...

  1. Legal entity identity name

  2. Address and contact information

  3. Name or role of the data privacy officer (or the authoritative owner and accountable person (AP) in charge of that legal entity)

  4. Privacy services access and contact point information

  5. Privacy or other policy governing the processing of personal information

  6. Transparency information before use:

    1. Digital governance framework

    2. Legal basis for the purpose of initial processing of PII

    3. Recipients, or categories of recipients, if any

    4. Transfer of data on networks out of country, to a third country

    5. The existence of adequacy

    6. Existence of safeguards, and where to get a copy of them or where they have been made available [7]

...

TPI 3 - Measures Transparency Accessibility

This TPI measures the performance of transparency in terms of the accessibility of the information in TPI 2. For example: is the information readily available, ideally prior to the digital session and the capture of PII? Is the TPI 2 information presented in a pop-up notice at the initiation of a digital service session, or is the user required to click a link, e.g. to a privacy policy, and then a further link? Is the operational transparency information on the first screen, or at the bottom, reached only after scrolling multiple pages, with links not highlighted and not accessible to children or parents?

...

  • Cookie = digital receipt - mis-information - cause mass damage - liable -

...

TPI 4 - Measures Security Information Integrity

This TPI captures the relevant digital certificates (e.g. X.509) or security tokens (e.g. JOSE) and keys, in order to compare the security metadata and policy objects against the required information in TPI 2. It checks for consistency and continuity in the security provided, and whether it is adequate for the task. For example, do the TLS certificate's Organization, Organizational Unit and jurisdiction fields match the captured legal entity information? How do the policy and jurisdiction there relate to other beneficial entities? Importantly, does this align with the policy expectations of the person? Note that only an organisation-validated certificate (OV or EV) carries the legal entity in its subject; a domain-validated certificate binds the session only to the host name, so it cannot by itself confirm the controller's identity, however valid it is.

...

This is a 1.0 document; we look forward to its evolution.

TPI Compliance Assessment Scheme Part 2

Operational Transparency Assessment

The following describes an assessment using the TPIs to measure Operational Transparency and assurance.

...

  1. Transparency is required to be available in context, i.e. during the time when PII is obtained (found in the transparency statement or privacy policy) [8]:

    1. Time period for which data is stored.

    2. Existence of rights/controls to access and rectify.

    3. Existence of the right to manage consent.

    4. Existence of the right to lodge a complaint with a Data Protection Authority (DPA).

    5. Whether processing is based on a statutory or contractual context, or is necessary for entering into a contract; whether providing the PII is obligatory; and the consequences of failure to provide it [9].

    6. Existence of:

      1. AI, or any automated decision-making technology

      2. Digital identity management surveillance technologies

      3. Any profiles or graphs generated

      4. Meaningful information about the logic involved:

        1. Significance in overall policy, processing and decision-making

        2. Expected consequences for the PII Principal (data subject)

TPI Assessment Guidance

The TPI rating system is designed to measure the operational performance of the information. For example, if only a mailing address is provided as the privacy contact on a website, this is considered non-operable in context: privacy access and specific information are not retrievable in the context of data collection. The TPIs measure adequacy and demonstrate non-performance by PII Controllers, as a form of data co-governance.

The associated conformity assessment uses the open ISO/IEC 29100 security and privacy framework for generating interoperable records and receipts of data processing activity, according to transparency in context.

TPIs are captured in sequence

a. TPI 1 measures the point at which the individual is notified versus when personal information/digital identifiers are collected and processed. The scheme starts by capturing the timing of notice presentation in relation to first data capture and first contact [10].

...

Combined, these TPIs provide an overall Indication of the operational state of digital privacy.

TPI – Scheme 1, Part 1 (S1-P1) metric logic

| Rating | TPI 1 Timing (with regard to processing) | TPI 2 Required Information | TPI 3 Accessibility | TPI 4 Digital Security |
| --- | --- | --- | --- | --- |
| +1 (assured) | PII Controller credential is displayed using a standard format with machine-readable language, and linked, for example, in an HTTP header in a browser | The controller is discoverable prior to the session (out of band) in a machine-readable format: (1) a controller registry; (2) a client-side record of processing (via a wallet or browser) | Controller identity is presented prior to data collection | Security is required prior to collection (digital-wallet based) |
| 0 (dynamic assurance) | PII Controller identity or credential is provided in the first notice | Credential is presented just in time (automated check and first-time notice) | Embedded as a credential and dynamically available upon access (almost just in time) | Assurance provided, e.g. the certificate is specific to and matches the controller and context |
| -1 (analogue assurance, online) | The controller identity, or the screen with the controller identity, is one screen and one click away, for example the privacy policy link in the footer of a web page | Controller information is accessible (not presented) during collection | PII Controller identity prominently displayed on first view, prior to processing the first page viewed | Not specific to the controller; does not match the jurisdiction |
| -2 (not mandatory in flow) | (no entry) | Controller credential information is linked during collection | Linked, not presented | Does not match the OU |
| -3 (non-operative) | PII Controller identity is not accessible enough to be considered "provided" | Controller information not present | Identity or credential is not accessible in context, e.g. two or more screens away, or the privacy contact is a mailing address and non-operative in the context of data collection | Not a valid, secure or recognised provider; not security operational (non-reciprocal security assurance) |

Table 2: ANCR Mirrored Record Schema Example

This appendix is an example of a notice record and its schema, and can be used as a template for the information record, rating and analysis.

...

| FIELD NAME | FIELD DESCRIPTION | REQUIREMENT: MUST, SHALL, MAY | FIELD DATA EXAMPLE |
| --- | --- | --- | --- |
| Notice Location | Location the notice was read/observed | MUST | http://Walmart.com (actual link) |
| PII Controller Name | Name of presented business | MUST | Walmart |
| Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road, Mississauga, Ontario L5N 1P9 |
| PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
| PII Controller-Correspondence Contact | General contact point | SHALL | Privacy@org.com |
| Privacy Contact Type | The contact method provided for access to the privacy contact | MUST | Email, or other |
| Privacy Contact Point | Location/address of contact point | MUST | Org.com/privacy.html |
| Session Certificate | A certificate for monitored practice | Optional (MAY) | TLS, Transparency, Policy (OID) context |
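As an added worked example (not the scheme's or the ANCR WG's own tooling) of the TPI 4 check and of the Session Certificate field in Table 2: the code below compares a TLS certificate observed at the Notice Location, in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with the PII Controller identity in a Table 2 record and maps the result onto the TPI 4 column of the metric logic table. The sample record, both certificates and the jurisdiction dict are constructed; the decision that a certificate naming no organisation rates -2 is this example's assumption. The comparison uses the subject's Organization field and falls back to OU only because the CA/Browser Forum baseline requirements stopped permitting OU in publicly trusted server certificates in 2022.

```python
"""TPI 4 (security information integrity) check against an ANCR notice record.

Added worked example, not the scheme's or the ANCR WG's own tooling. It compares
the TLS certificate observed at the Notice Location with the PII Controller
identity captured in a Table 2 record and maps the result onto the scheme's
rating scale. Stdlib only: the certificate is a dict in the shape returned by
ssl.SSLSocket.getpeercert(), so a live capture can replace the constructed one."""
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit


def subject_to_dict(rdn_sequence):
    """Flatten getpeercert()'s subject (a tuple of RDN tuples) into {attribute: value}."""
    flat = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            flat.setdefault(attr, value)
    return flat


def _norm(text):
    # Case- and punctuation-insensitive comparison of names and jurisdictions.
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())


def _host_covered(host, cert):
    """True if a subjectAltName DNS entry matches host (single-label wildcard only)."""
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.")
                and host.count(".") == name.count(".") and host.endswith(name[1:]))):
            return True
    return False


def rate_tpi4(record, cert, jurisdiction, now=None):
    """Rate TPI 4 on the scheme's scale: 0 assured, -1, -2, -3 non-operative.

    +1 is not produced here: it describes security required before collection
    (wallet based), a property of the flow rather than of one session certificate.
    `jurisdiction` gives the subject attributes expected for the controller's legal
    seat, e.g. {"countryName": "CA"}; Table 2 has no separate jurisdiction field."""
    now = now or datetime.now(timezone.utc)
    host = (urlsplit(record["Notice Location"]).hostname or "").lower()
    # -3: nothing a relying party can verify, or a certificate not for this host.
    if not cert or "subject" not in cert:
        return -3, "no certificate presented for the notice location"
    try:
        not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    except (KeyError, ValueError):
        return -3, "certificate validity period missing or unreadable"
    if not not_before <= now <= not_after:
        return -3, "certificate is outside its validity period"
    if not _host_covered(host, cert):
        return -3, f"certificate does not cover the notice host {host}"
    subject = subject_to_dict(cert["subject"])
    # -2: the certificate does not name the controller. Organisation identity lives
    # in O; OU is only a fallback (the CA/Browser Forum baseline requirements stopped
    # permitting OU in server certificates in 2022), and a domain-validated certificate
    # carries no organisation at all, so it cannot bind the session to the controller.
    org = subject.get("organizationName") or subject.get("organizationalUnitName")
    if not org or _norm(org) != _norm(record["PII Controller Name"]):
        return -2, f"certificate organisation {org!r} does not match the controller"
    # -1: right organisation, wrong or absent jurisdiction for the controller.
    for attr, expected in jurisdiction.items():
        if _norm(subject.get(attr, "")) != _norm(expected):
            return -1, f"certificate {attr}={subject.get(attr)!r}, expected {expected!r}"
    return 0, "certificate is specific to and matches the controller and context"


# Constructed sample record (Table 2 fields) and certificates: not a real capture.
SAMPLE_RECORD = {
    "Notice Location": "https://shop.example.org/privacy",
    "PII Controller Name": "Example Retail Inc.",
    "Controller Address": "1 Example Road, Mississauga, Ontario",
}
SAMPLE_JURISDICTION = {"countryName": "CA", "stateOrProvinceName": "Ontario"}
SAMPLE_OV_CERT = {  # organisation-validated: the subject names the legal entity
    "subject": ((("countryName", "CA"),), (("stateOrProvinceName", "Ontario"),),
                (("organizationName", "Example Retail Inc."),),
                (("commonName", "shop.example.org"),)),
    "subjectAltName": (("DNS", "shop.example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
SAMPLE_DV_CERT = {  # domain-validated: same host, no organisation at all
    "subject": ((("commonName", "shop.example.org"),),),
    "subjectAltName": (("DNS", "shop.example.org"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}

if __name__ == "__main__":
    for label, cert in (("OV", SAMPLE_OV_CERT), ("DV", SAMPLE_DV_CERT)):
        print(label, rate_tpi4(SAMPLE_RECORD, cert, SAMPLE_JURISDICTION))
```

Run stand-alone, the organisation-validated certificate rates 0 and the domain-validated one for the same host rates -2; a certificate whose country does not match the expected jurisdiction rates -1, and an expired certificate, one that does not cover the notice host, or no certificate at all rates -3. With a verifying SSL context, getpeercert() returns an empty dict for a certificate that failed chain validation, which the function also treats as -3, so the identity matching only ever runs on a certificate the client already trusts.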

Digital Transparency Code of Conduct

These digital transparency code of conduct rules coincide with the TPIs presented and reference the international adequacy requirements for transparency required for digital identifier management, as set out in the Report on the Adequacy of Digital Identity Governance for cross-border transparency and consent:

...

  1. Provide their PII Controller notice credentials before or at the time of processing personal information (TPI 1), Article 14.1

  2. PII Controller credential information must be accessible

  3. PII Controller credential information must be operationally capable for access to rights with evidence of notice & consent

  4. The security context must match the controller’s jurisdiction where it is assumed PII is processed

Appendix D. References

Council of Europe 108+

Appendix F. ISO scheme Profile


...

[3] Mirrored Record Information Structure, 2024, ANCR WG, Kantara Initiative (ANCR: Consent Receipt V2: Consent Token Information Structure / Notice Receipt)

[4] Consent Receipt v1, CISWG, Kantara Initiative, https://kantarainitiative.org/download/7902/

...