Objective
...
Spec for ANCR Record
...
- Provide a set of instructions for recording a notice in a consent(ric) record information structure derived for a Consent Receipt (ref)
- To then compare the conformance of the record with a control from ISO/IEC 29183 (a set of rules set by regulations for notice & consent transparency)
Methodology
This method describes, how to audit a notice to generate an ANCR- Notice Record using ISO/IEC 29100 derived receipt format, which is now published in the ISO/IEC 29184 Annex D,
The resulting audit is then used for assessing conformance with an ISO/IEC 29184 Online Privacy Notice and Consent control. In order to demonstrate how the ANCR Notice Record for assessing conformance when creating a digital identifier and processing personal data.
...
- For Security
- here is a record for identifying if there is enough security for privacy
- who is the controller,
- what are the applicable laws, and rights
- and how are these accessed.
Here are fieilds
- to create this security audit record, including locations of people and processing sufficient to provide jurisdiction
PASP - Privacy Access Service Point - define defines digital service contact point and information , for proportionate access to rights information
- there are different performance levels for privacy information access and rights which is captured in this assessment,
- Performance
- if online and access is provided with a
- Performance
...
- PASP which is an api access fore in conxt privacy then privacy information and controls can be dynamic
- this field has dynamic,
- out-of-band,
- static
- Access Conformance
- access to information in the information according to context
- linked data -
- access to information in the information according to context
- PASP which is an api access fore in conxt privacy then privacy information and controls can be dynamic
- Confromance
- a) if using standards, information access has a higher level of transparency
- a person,
- self-service
- bot
- mailbox
- answering machine
- a) if using standards, information access has a higher level of transparency
Consent Type
...
Defaults
Consent Types refers to the context of Notice which covers the array of concentric engagement points in which humans provide permissions to generate digital identifiers.
...
- Other: Not Consent,
- delegated
- Implied
- implicit
- expressed
- explicit
- directed
- altruistic
****
Here is how to use it →
Audit / use for conformance
Objective
This ANCR Record specification provides a methodology to audit a notice to produce a Notice Record for generating a Consent Receipt. The objective of this documents is to
- Provide a set of instructions for recording a notice in a consent(ric) record information structure derived for a Consent Receipt (ref)
- To then compare the conformance of the record with a control from ISO/IEC 29183 (a set of rules set by regulations for notice & consent transparency)
Methodology
This method describes, how to audit a notice to generate an ANCR- Notice Record using ISO/IEC 29100 derived receipt format, which is now published in the ISO/IEC 29184 Annex D,
The resulting audit is then used for assessing conformance with an ISO/IEC 29184 Online Privacy Notice and Consent control. In order to demonstrate how the ANCR Notice Record for assessing conformance when creating a digital identifier and processing personal data.
New Field - name, description, reference
*****************
Field Glossary
(Note: all terms refer to ISO/IEC 29100 and ISO/IEC 29184, Kantara Consent Receipt, adopted for - for terms, unless they are specified here to further extend terms or definitions in a more granular manner,
...
Field Name | Type | PII(Y) | Field Label | Description | Required/Optional |
version | string | Schema Version | The version of specification used to which the receipt conforms. To refer to this version of the specification, the string "v1" or the IRI "https://w3id.org/OPN/v1" should be used. | Required | |
profile | string | Privacy Profile URI | Link to the controller's profile in its registry. | Required | |
Notice ReceiptLocation | string Array | Type of Notice ReceiptRecord | Label Notice Receipt | Required | |
id | string | Receipt ID | A unique number for each Notice Receipt. SHOULD use UUID-4 [RFC 4122]. | Required | |
timestamp | integer | Timestamp | Date and time of when the notice was generated and provided. The JSON value MUST be expressed as the number of seconds since 1970-01-01 00:00:00 GMT (Unix epoch). | Required | |
key | string | Signing Key | The Controller’s profile public key. Used to sign notice icons, receipts and policies for higher assurance. | Optional | |
language | string | Language | Language in which the consent was obtained. MUST use ISO 639-1:2002 [ISO 639] if this field is used. Default is 'EN'. | Required | |
controllerID | string | Controller Identity | The identity (legal name) of the controller. | Required | |
Controller Address | |||||
jurisdiction | string | Legal Jurisdiction | The jurisdiction(s) applicable to this notice | Required | |
controllerContact | string | Controller Contact | Contact name of the Controller. Contact could be a telephone number or an email address or a twitter handle. | Required | |
notice | string | Link to Notice | Link to the notice the receipt is for | Optional | |
policy | string | Link to Policy | Link to the policies relevant to this notice e.g. privacy policy active at the time notice was provided | Required | |
context | string | Context | Method of notice presentation, sign, website pop-up etc | Optional | |
Receipt Type | The human understandable label for a record or receipt for data processing. This is used to extend the schema with profile for the type of legal processing - and is Used to identify data privacy rights and controls | ||||
PASP | array | Privacy access service points of contact and access, email, ph, etc. - or PaeCG signal
| |||
Consent Type | |||||
Payload | Notice Text | Accountable Person Role |
****
(To be Moved Later) Case Study: privacy cafe
- Privacy Cafe Narrative
- Scenario 1 imagine - first time to a privacy cafe
- new country, different language, different types of coffee, different currency, different technology, different measures, different ingrediants eg. type of sugar, cream, milk and cup size measures
- Scenario 2 - a known regular at a privacy cafe close to your home or work
- the user experience with high level of consensus
- Scenario 3 - Digital Twin - Transparency - creating a record and providing receipts
- withdraw consent
- access to use surveillance
- audit to see who benefits from personal data in the cafe, out of the cafe
- audit of the providence of authority
- Scenario 1 imagine - first time to a privacy cafe
- Main functionality point is focused on how dynamic and operational privacy performance is, in proportion to the data processing surveillance.
- capacity for the notice to transfer liability for data processing and access to privacy to enable people with controls to mitigate risk
- difference between permission for a purpose, or permission for a data base field
- having to go into each service and change or withdraw permission
- or pressing one button to withdraw consent, for many services
- The Priavcy Cafe Experience
- Human XU - physical governance defaults - notice of (expected) defaults
- in this context - there can be consent
- Using the video surveillance in (or public camera outside) a privacy cafe to make a police report, without the need for an information request
- Privacy Cafe cookie (session cookies available to visitors)
- Human XU - physical governance defaults - notice of (expected) defaults
...