ANCR Consent Token: Mirrored Record Information Structure v0.7
Consent Receipt V1.1 work can be found here

Version: 0.7

Document Date: Dec 6, 2023

...

Status: WG Draft v0.7 (updated from Sept 2022-Archive-Next version Feb-March 2024)

Editor Note

A record of processing provides transparency over who is accountable and is a pre-condition for processing PII with scalable governance and security. Operational transparency, with mirrored records of processing, requires that the identity of the controller, the legal justification, the governance framework and the jurisdiction be presented prior to data processing. The AuthC Protocol utilises this mirrored record and receipt standard record information structure, now standardized, so that processing scales human context and understanding into systems. Transparency over data control ensures a consent-by-default methodology, enabling individuals to regulate surveillance. This brings together two very mature regulatory instruments, a standard for records and compliance for receipts, with a new technical standard of digital credentials.

...

Contents

Table of Contents

Preface

Public international laws and standards for digital records and receipts promise to dramatically lower the cost of security and increase the effectiveness of privacy. The use of the ISO 29100 security and privacy framework for consented data access, control and transfer adequacy proposes a low-cost, or free, notice record framework for PII Principals (and Controllers), to facilitate governance and regulation by all privacy stakeholders and by regulating authorities.

The Legal Rules Codified

In this framework, the privacy, notice and consent, transparency code of conduct is the law that is developed into open source code, and is required to access un-linked data silos across jurisdictional and technically networked disparate systems.

   digital privacy transparency with

Consent by Default: the common mode of governance

  • Digital Consent is required by default: an individual is notified if PII is needed, for what purpose, and what permissions are required.

...

§ Interaction with this transparency gateway is what is recorded, and what is provided to the individual as a knowledge receipt.

Purpose Defined

6 Legal Categories of Authority

Contract

Public Interest

Best Interest

Legal Obligation

Legitimate Interest

Types of Consent

Expressed

Implicit

Explicit

Directed

Altruistic

Concentric Notice Labels

It is very difficult for stakeholders to know what law, rules and obligations apply in any given context. To address this, Concentric Notice Labels map the legal justification and the type of consent to rights and digital rights controls that reduce liability and mitigate risks.

ANCR Record

An ANCR Record is the initial digital identity relationship record in a linked chain of records, in which a record of a processing activity captures a notice, notification or disclosure in a standard record, using data privacy vocabulary. The record is a snapshot of the state of digital privacy transparency provided by a PII Controller, or a PII Controller’s delegate processor.

The notice record is first specified as a static, one-time-use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context, measured by access to, and performance of, rights.

Table 1: Single Use Notice Record: PII Controller Identity & Contact Transparency Report

| Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
|---|---|---|---|
| Notice Location | Location the notice was read/observed | MUST | https://www.walmart.com |
| PII Controller Name | Name of presented business | MUST | Walmart |
| Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
| PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
| PII Controller-Correspondence Contact | General contact point | SHALL | Privacy@org.com |
| Privacy Contact Type | The contact method provided for access to privacy contact | MUST | email |
| Privacy Contact Point | Location/address of Contact Point | MUST | Org.com/privacy.html |
| Session Certificate | A certificate for monitored practice | Optional | E.g., SSL Certificate Security (TLS) and Transparency |

Anchoring the Notice Record for Trust

Without a record identifier added to each record, this initial record is an un-anchored notice record. It can be extended for use as a Trust Anchor for the PII Principal by adding an ANCR Record ID, used to track the PII Controller and the data processing relationship over time.

As a trust anchor, it becomes a record the individual can use to verify the digital identity relationship to secure a privacy context in a system.
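As an added illustration (not part of the ANCR draft), the following Python builds a single-use notice record from the Table 1 fields, checks the MUST/SHALL presence requirements, and then anchors it with a locally generated ANCR Record ID. The snake_case key names, the requirement map and the use of a 128-bit random value as the record ID are assumptions made for this example; the sample values come from the example column of Table 1.

```python
"""Single-use notice record (Table 1) with presence-requirement checks and anchoring.

Added example, not part of the ANCR draft. The snake_case keys, the requirement
map and the random 128-bit record ID are assumptions made for this illustration.
"""
import json
import secrets

# Presence requirements taken from Table 1, keyed by constructed snake_case names.
TABLE1_REQUIREMENTS = {
    "notice_location": "MUST",
    "pii_controller_name": "MUST",
    "controller_address": "MUST",
    "pii_controller_contact_type": "MUST",
    "pii_controller_correspondence_contact": "SHALL",
    "privacy_contact_type": "MUST",
    "privacy_contact_point": "MUST",
    "session_certificate": "OPTIONAL",
}

# RFC 2119 keywords that make a field mandatory for a well-formed record.
MANDATORY = {"MUST", "SHALL", "REQUIRED"}


def validate_notice_record(record):
    """Return a list of problems; an empty list means the record is well-formed.

    Unknown fields are reported too: an un-anchored notice record carries only
    controller identity and contact data, never PII of the Principal.
    """
    problems = []
    for key, requirement in TABLE1_REQUIREMENTS.items():
        if requirement in MANDATORY and not record.get(key):
            problems.append(f"missing {requirement} field: {key}")
    for key in record:
        if key not in TABLE1_REQUIREMENTS and key != "ancr_record_id":
            problems.append(f"unknown field: {key}")
    return problems


def anchor_notice_record(record):
    """Copy the record and attach an ANCR Record ID so it can serve as a trust anchor.

    The ID is generated locally by the PII Principal (assumption: 128 random bits),
    so it stays secret to the Principal and is not derived from any PII.
    """
    problems = validate_notice_record(record)
    if problems:
        raise ValueError("cannot anchor a malformed notice record: " + "; ".join(problems))
    if record.get("ancr_record_id"):
        raise ValueError("record is already anchored")
    anchored = dict(record)
    anchored["ancr_record_id"] = secrets.token_hex(16)
    return anchored


def is_anchored(record):
    return bool(record.get("ancr_record_id"))


# Constructed sample input, following the example column of Table 1.
SAMPLE_RECORD = {
    "notice_location": "https://www.walmart.com",
    "pii_controller_name": "Walmart",
    "controller_address": "1940 Argentina Road Mississauga, Ontario L5N 1P9",
    "pii_controller_contact_type": "Email, phone",
    "pii_controller_correspondence_contact": "Privacy@org.com",
    "privacy_contact_type": "email",
    "privacy_contact_point": "Org.com/privacy.html",
}

if __name__ == "__main__":
    print("problems:", validate_notice_record(SAMPLE_RECORD))
    print(json.dumps(anchor_notice_record(SAMPLE_RECORD), indent=2))
```

The validator refuses to anchor a record that is missing a MUST or SHALL field, and it also rejects any field outside Table 1, which is the practical way to keep PII of the Principal out of the un-anchored record.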

Notice Record References

For the purposes of this specification, the following terms and definitions apply. They are marked as normative, non-normative (to be used per context), or additive, in that they aid human understanding and data control.

...

— IEC Electropedia: available at http://www.electropedia.org/

Normative References

For the international and cross-domain use of the records and receipts here, this document refers to the following:

  • ISO/IEC 29100:2011 Security and privacy techniques

  • ISO/IEC 29184 Online privacy notices and consent,

  • Fair Information Practice Principles (FTC) foundational principles

Non-Normative References

1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]

Kantara Initiative Consent Receipt v1.1

Additive Reference

  • General Data Protection Regulation (GDPR)

  • Council of Europe Convention 108+ (Conv. 108+)

    • PIPEDA – Individual, Meaningful Consent,

Notations and Abbreviations

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].

The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over which organization controls the processing of personal information, and who is accountable for enforcement:

...

Array – an array of field objects

Terms and definitions

The definitions reference terms that are used in this specification to indicate what is normative, non-normative, and additive.

If a jurisdiction’s privacy terms are not compatible with this specification, these internationally defined terms can be mapped to jurisdiction and context specific terms. For example, PII Principal in this document maps to the term Data Subject in European GDPR legislation and the term individual in Canadian PIPEDA.

Concentric Notice Types

For Individual participation and access

...

[Source Conv 108+ Rec.20]

Notice

Adhering to the openness, transparency and notice principle means:

...

Broadly refers to any surveillance or privacy notice, notification, disclosure, statement, policy, sign or signal used to indicate personal data processing.

[ANCR Notice Record ]

Notice Modalities

The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices and icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII principal can parse it to optimize the user interface and help PII principals make decisions.

...

That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

[Conv 108+ Rec 35]

Notice Record

When organizations should seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.

...

[Source: ISO/IEC 29100 Table 3]

Proof of Notice

Providing a record of notice

    1. [Source ISO/IEC 29184

Personally Identifiable Information (PII)

Any information that (a) can be used to identify the PII Principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII Principal.

...

(‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(Source: Con. 108+)

PII Principal, Data Subject or (Individual)

The natural person to whom the personally identifiable information (PII) relates.

...

Individual

[Additive: PIPEDA]

PII Controller

A privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.

...

Note: it may also be called data controller.

PII Joint Controller

Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code. Likely a type.

PII Processor

A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.

[SOURCE: ISO 29100]

PII Sub-Processor

An additional field to indicate a delegated processor.

Processing of PII

An operation or set of operations performed on personally identifiable information (PII).

...

[Source. Convention 108+]

Privacy Stakeholder

A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.

[SOURCE: ISO 29100]

[GDPR

[Conv

Security

Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts

| ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
|---|---|
| Privacy stakeholder | Stakeholder |
| PII | Information asset |
| Privacy breach | Information security incident |
| Privacy control | Control |
| Privacy risk | Risk |
| Privacy risk management | Risk management |
| Privacy safeguarding requirements | Control objectives |

[Source: ISO/IEC 29100: Annex A]

Third Party

A privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.

...

[Source: Convention 108 Art 3.14]

Notice Record Information Structure

The ANCR Record is essentially a layered record schema. The first record is the minimum viable consent receipt record; it collects no additional data, except what the PII Principal would require to see in order to initiate an electronic notice and consent dialogue with some operational security assurance.

...

Note: the ANCR Notice Record ID is used to create and link new receipts, ensuring the provenance of the PII Principal’s control of the ANCR record.

Notice Record Schema: PII Controller Identity & Privacy Contact Point Schema

These are the schema elements used to generate an un-anchored notice record; they do not contain any PII or digital identifiers.

...

| Field Cat Name | Name | Object Description | Presence Requirement |
|---|---|---|---|
| PII Controller Identity | Object | _ | Required |
| | Presented Name of Service Provider | name of service. E.g. Microsoft | May |
| | PII Controller Name | Company / organization name | MUST |
| | PII Controller address | _ | MUST |
| | PII Controller contact email | correspondence email | MUST |
| | PII Controller jurisdiction legal reference | PII Controller Operating Privacy Law | MUST |
| | PII Controller Phone | The general correspondence phone number | SHOULD |
| | PII Controller Website | URL of website (or link to controller application) | MUST |
| | PII Controller Certificate | A capture Website SSL | OPTIONAL |
| Privacy Contact Point Location | pcpL | | |
| Privacy Access Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST |
| | PAP-Profile | Privacy Access Point Profile | ** |
| | PAP-InPerson | In-person access to privacy contact | ** |
| | PAP-Contact-Email | PAP email | ** |
| | PAP-Contact-Phone | Privacy access phone | ** |
| | PAP-PIP-URI | privacy info access point, URI | ** |
| | PAP-Form | Privacy access form URI | ** |
| | PCP-Bot | privacy bot, URI | ** |
| | PCP-CoP | code of practice certificate, URI of public directory with pub-key | ** |
| | PCP-Other | Other | ** |
| PaP Policy | papp | privacy policy, URI with standard consent label clauses | MUST |

Proof of Notice Record Schema

A consent receipt, when provisioned with its Proof of Notice record, builds on the PII Controller Identity and Contact field base to generate a proof of notice record with PII fields, together with a corresponding private proof of notice record.

This is the legally required information for proof of notice. This event information is needed for a legal chain of evidence, in which PII is added to the record but blinded and secured, starting with the Private ANCR Record ID, which the PII Principal can use to aggregate operational transparency information for more advanced use in context.

| Field Cat | Field Name | Description | Presence |
|---|---|---|---|
| | ANCR Record ID | Blinded identifier secret to the PII Principal | Required |
| | Schema version | | |
| | Timestamp | The time and date when the ANCR record was created | Required |
| | Legal Justification | One of six legal justifications used for processing personal data | |
| Notice Record | Object labels | | |
| | Notice Type | Notice, notification, disclosure | Required |
| | Notice legal location | The location or region in which the PII Principal read the information | |
| | Notice presentation method | Website | MUST |
| | Online notice location | Notice location, e.g. IP address | MUST |
| | Location Certificate | | MAY |
| | Notice Language | The language the notice is provided in | MUST |
| | Notice Text File | URL and/or Hashlink for the notice text | MUST |
| | Notice text | The capture of a copy of the notification text | MUST |
| | Notified legal Justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST |
| Concentric Notice Label | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
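The two security-relevant fields of this schema are the blinded ANCR Record ID and the hashlink over the notice text. The Python below, an added example that is not part of the ANCR draft, assembles a proof-of-notice record from constructed notice data, blinds the Principal's secret record ID with HMAC-SHA256 so that the controller-facing record never carries the secret itself, and stores a digest of the captured notice text so that later edits to the notice are detectable. The snake_case field names, the HMAC construction keyed with the record ID, and the simplified `sha256:<hex>` form of the hashlink are assumptions made for this example.

```python
"""Proof of Notice record: blinded ANCR Record ID plus a hashlink over the notice text.

Added example, not part of the ANCR draft. Assumptions: the private ANCR record
holds the Principal's secret record ID; the proof-of-notice record carries an
HMAC-SHA256 blinding of that ID; the "hashlink" is written as a plain
'sha256:<hex>' digest rather than the Hashlink URL syntax.
"""
import hashlib
import hmac
import json

SCHEMA_VERSION = "0.7"


def blind_record_id(ancr_record_id, notice_location):
    """HMAC-SHA256 over the notice location, keyed with the secret ANCR Record ID.

    The secret never leaves the Principal's private record; a controller only
    sees this stable, relationship-specific pseudonym.
    """
    return hmac.new(ancr_record_id.encode("utf-8"),
                    notice_location.encode("utf-8"), hashlib.sha256).hexdigest()


def notice_hashlink(notice_text):
    """Digest of the captured notice text, so later changes to the notice are detectable."""
    return "sha256:" + hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def build_proof_of_notice(private_record, notice, timestamp):
    """Assemble the proof-of-notice record from the MUST/SHALL fields of the schema."""
    return {
        "ancr_record_id": blind_record_id(private_record["ancr_record_id"],
                                          notice["online_notice_location"]),
        "schema_version": SCHEMA_VERSION,
        "timestamp": timestamp,
        "legal_justification": notice["legal_justification"],
        "notice_type": notice["notice_type"],
        "notice_presentation_method": notice["notice_presentation_method"],
        "online_notice_location": notice["online_notice_location"],
        "notice_language": notice["notice_language"],
        "notice_text_file": notice["notice_text_file"],
        "notice_text_hashlink": notice_hashlink(notice["notice_text"]),
        "notice_text": notice["notice_text"],
        "notified_legal_justification": notice["notified_legal_justification"],
        "concentric_notice_label": notice["concentric_notice_label"],
    }


def verify_proof_of_notice(record, private_record, current_notice_text):
    """Checks the Principal can run later: ownership, notice integrity, no secret leakage."""
    expected_id = blind_record_id(private_record["ancr_record_id"],
                                  record["online_notice_location"])
    return {
        "belongs_to_principal": hmac.compare_digest(expected_id, record["ancr_record_id"]),
        "notice_text_unchanged": hmac.compare_digest(
            notice_hashlink(current_notice_text), record["notice_text_hashlink"]),
        "secret_leaked": private_record["ancr_record_id"] in json.dumps(record),
    }


# Constructed sample data: a secret record ID held only by the Principal, and a notice.
PRIVATE_RECORD = {"ancr_record_id": "5b1e7a0c93d24f6e8a1b0c7d5e2f4a61"}
SAMPLE_NOTICE = {
    "legal_justification": "consent",
    "notice_type": "notice",
    "notice_presentation_method": "Website",
    "online_notice_location": "https://org.example/privacy.html",
    "notice_language": "en",
    "notice_text_file": "https://org.example/privacy.html",
    "notice_text": "Org collects your email address to send order receipts.",
    "notified_legal_justification": "consent",
    "concentric_notice_label": "Explicit Consent Notice",
}

if __name__ == "__main__":
    record = build_proof_of_notice(PRIVATE_RECORD, SAMPLE_NOTICE, "2023-12-06T00:00:00Z")
    print(json.dumps(record, indent=2))
    print(verify_proof_of_notice(record, PRIVATE_RECORD, SAMPLE_NOTICE["notice_text"]))
```

Because the blinding is keyed with the secret, only the Principal can later prove that a receipt belongs to their record, and a controller that silently rewrites the notice text will fail the hashlink comparison.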

Private Notice Record Schema

These fields can be asserted by the PII Principal to extend the functionality beyond the transparency KPIs specified.

...

| ANCR Record Field Name | Description | Required/Optional | Security Consideration |
|---|---|---|---|
| schema version | A number used by the PII Principal to track the PII Controller Record | Optional (unless shared or used further) | Blinded, Pseudonymized, Anonymized, Verified Credential Attribute |
| Anchor Notice Record id # | | MUST | |
| Date/Time | | Required | |
| Notice Collection method | Notice presentation UI Type | optional | |
| Notice Collection Location | URL or digital address and location of the notice UI | required | |
| Notice Legal Justification | One of the six legal justifications (ISO, GDPR, C108) | | |
| PII Principal Legal Location | | optional | |
| Device Type | | May | |
| PII Principal Private-Key | | | |

Notice Record Security

The Notice Record is first a tool of transparency: a private record with this minimal purpose. It is then extended into two records, 1. a private proof of notice record, which provides assurance that the PII Principal has read the notice. Impl

...

The KPIs provide transparency and security assurance to qualify the PII Controller before the controller processes personal information.

Conclusion –

Towards Privacy

PII Principal identifying information MUST never be included in this specified ANCR Record. When a consent receipt is provided, all PII Principal identifiers MUST be either blinded or pseudonymized, e.g., with a verifiable credential using a zero-knowledge proof. Any PII Controller consent records that combine raw personal identifiers with a consent record are therefore insecure, and those systems are considered non-operational.

This categorizes most of the current internet and identity infrastructure as non-operational from a security perspective. As a result, nearly all digital identifiers in an identifier management relationship produce raw PII for all parties, which requires security considerations. Access and use of this record as a data source in these cases are achieved through extensions (see Annex A).
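A practical way to apply the rule above is a check that walks a consent record before it is accepted or issued and reports any PII Principal identifier that is present in raw form. The Python below is an added example, not part of the ANCR draft: it treats a field as blinded only when it has the shape of an HMAC-SHA256 hex value, skips the controller's own contact fields (which a notice record is expected to carry), and also scans free-text values for e-mail addresses and phone numbers that would leak the Principal's identity. The field names, the blinded-identifier shape and the sample receipts are assumptions constructed for this illustration.

```python
"""Classify a consent record as operational or non-operational by scanning for raw
PII Principal identifiers.

Added example, not part of the ANCR draft. Field names, the assumed shape of a
blinded identifier (HMAC-SHA256 hex) and the sample receipts are constructed.
"""
import re

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")     # candidate runs; digit count filtered below
BLINDED_RE = re.compile(r"^[0-9a-f]{64}$")          # assumed shape of a blinded identifier

# Fields that name the PII Principal and therefore must hold a blinded value.
PRINCIPAL_ID_FIELDS = {"pii_principal_id", "pii_principal_email",
                       "pii_principal_name", "pii_principal_phone", "data_subject_id"}
# Controller contact data is part of the notice record and is expected in clear.
CONTROLLER_CONTACT_FIELDS = {"pii_controller_name", "pii_controller_contact_email",
                             "pii_controller_phone", "privacy_contact_point"}


def contains_phone_number(value):
    """True when a digit run with 10 to 15 digits appears (dates and times do not qualify)."""
    for match in PHONE_RE.finditer(value):
        digits = sum(ch.isdigit() for ch in match.group())
        if 10 <= digits <= 15:
            return True
    return False


def find_raw_principal_identifiers(record, path=""):
    """Return (field path, reason) pairs for every raw identifier found, recursing into objects."""
    findings = []
    for key, value in record.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            findings.extend(find_raw_principal_identifiers(value, here))
            continue
        if not isinstance(value, str) or key in CONTROLLER_CONTACT_FIELDS:
            continue
        if key in PRINCIPAL_ID_FIELDS:
            if not BLINDED_RE.match(value):
                findings.append((here, "principal identifier is not blinded"))
        elif EMAIL_RE.search(value) or contains_phone_number(value):
            findings.append((here, "raw contact identifier in value"))
    return findings


def classify_consent_record(record):
    """Records that combine raw identifiers with consent data are non-operational."""
    return "non-operational" if find_raw_principal_identifiers(record) else "operational"


# Constructed sample receipts.
RAW_RECEIPT = {
    "ancr_record_id": "3c" * 32,
    "pii_controller_name": "Org",
    "pii_controller_contact_email": "privacy@org.example",
    "purpose": "Send order receipts",
    "legal_justification": "consent",
    "timestamp": "2023-12-06T10:22:31Z",
    "pii_principal": {"pii_principal_email": "alice@example.com",
                      "pii_principal_phone": "+1 555 010 0199"},
    "notes": "Call 555-010-0199 to update your preferences",
}
BLINDED_RECEIPT = {
    "ancr_record_id": "9f" * 32,
    "pii_controller_name": "Org",
    "pii_controller_contact_email": "privacy@org.example",
    "purpose": "Send order receipts",
    "legal_justification": "consent",
    "timestamp": "2023-12-06T10:22:31Z",
    "pii_principal": {"pii_principal_id": "9f" * 32},
}

if __name__ == "__main__":
    for name, receipt in (("raw", RAW_RECEIPT), ("blinded", BLINDED_RECEIPT)):
        print(name, classify_consent_record(receipt), find_raw_principal_identifiers(receipt))
```

The free-text scan matters in practice: a receipt whose identifier fields are blinded can still leak the Principal through a notes or description field, so the check is run over every string value, not only the named identifier fields.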

Notice Record Extensions

Extension 1

ISO/IEC 27560 is used to generate a standard purpose-based notice and consent information and identifier structure. This is utilized by the ANCR Record schema and protocol to specify or audit a purpose for any legal justification.

The extension is written for the PII Controller, to enable the anchored record to be used as a verifiable data source for operationalizing a channel (exchange) where PII Principals can advertise a consent grant to the controller. (see Annex C)

Extension 2

Once specified, the W3C Data Privacy Vocabulary is used to specify the treatment of personal data.

Extension 3

Extending the ANCR Notice record, purpose specification and data treatment sections with a code of conduct (transparency practices) specified by industry, trade associations and civil registries (referred to as code of conduct as it references the legal requirements).

...

[Note: The appendices introduce the new elements found in this specification, as well as a schema map for interoperability with ISO/IEC 27560 for contribution.]

Acknowledgements

  • Kantara Community, DIACC, ToiP, W3C DPV and Consent,

  • The ISO/IEC 27560 committee

  • Standards Council of Canada

  • PasE; Consent Gateway Team and the NGI – Next Generation Internet Grant contribution

References

[Conv 108+] Council of Europe, Convention 108 +

...

[OECD] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

Annex (WiP to v8.9.9)

ANNEX A : ANCR OPERATIONAL SCHEMA

The ANCR Record, with these annexes, shows the human-centric transparency ontology. This annex focuses on the technical data semantics of the ontology, from a human label, for legal reference, to a machine-readable attribute, for an operational transparency schema.

...

  • Text: a data type that defines a human-readable sequence of characters and the words they form, subsequently encoded into computer-readable formats such as ASCII.

  • Numeric: a data type that defines anything of, relating to, or containing numbers. The numbering system consists of ten different digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.

  • Reference: a data type that defines a self-addressing identifier (SAID) that references a set of attributes through its associated parent. SAID is an identifier that is deterministically generated from and embedded in the content it identifies, making it and its data mutually tamper-evident.

  • Boolean: a data type where the data only has two possible variables: true or false. In computer science, Boolean is an identification classifier for working out logical truth values and algebraic variables.

  • Binary: a data type that defines a binary code signal, a series of electrical pulses representing numbers, characters, and performed operations. Based on a binary number system, each digit position represents a power of two (e.g., 4, 8, 16, etc.). In binary code, a set of four binary digits or bits represents each decimal number (0 to 9). Each digit only has two possible states: off and on (usually symbolised by 0 and 1). Combining basic Boolean algebraic operations on binary numbers makes it possible to represent each of the four fundamental arithmetic operations of addition, subtraction, multiplication, and division.

  • DateTime: a data type that defines the number of seconds or clock ticks that have elapsed since the defined epoch for that computer or platform. Common formats (see 'Format Overlay') include dates (e.g., YYYY-MM-DD), times (e.g., hh:mm:ss), dates and times concatenated (e.g., YYYY-MM-DDThh:mm:ss.sss+zz:zz), and durations (e.g., PnYnMnD).

  • Array [attribute type]: a data type that defines a structure that holds several data items or elements of the same data type. When you want to store many pieces of data that are related and have the same data type, it is often better to use an array instead of many separate variables (e.g. array[text], array[numeric], etc.).
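The Reference data type above relies on a self-addressing identifier (SAID): a digest that is computed over the content with the SAID field itself replaced by a same-length placeholder, and then embedded in that field, so that identifier and content are mutually tamper-evident. The Python below is an added example, not part of the ANCR draft or of any SAID library; it uses canonical JSON and a SHA-256 hex digest as a simplification (deployed SAID schemes make their own digest and encoding choices), and the `said` field name and sample attribute sets are constructed.

```python
"""Self-addressing identifier (SAID) over a set of attributes, and a child record that
references its parent by SAID.

Added example, not part of the ANCR draft. Simplifications: canonical JSON plus a
SHA-256 hex digest, and a field named 'said'; these are assumptions, not the
encoding used by any particular SAID implementation.
"""
import hashlib
import hmac
import json

SAID_FIELD = "said"
DIGEST_HEX_LEN = 64  # length of a SHA-256 hex digest


def _canonical(obj):
    """Deterministic serialization so that both sides compute the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def make_said(attributes):
    """Return a copy of the attributes with a SAID embedded in the 'said' field.

    The digest is computed with a same-length placeholder in the field, so the
    bytes that are hashed have exactly the layout of the final document.
    """
    doc = dict(attributes)
    doc[SAID_FIELD] = "#" * DIGEST_HEX_LEN
    doc[SAID_FIELD] = hashlib.sha256(_canonical(doc)).hexdigest()
    return doc


def verify_said(doc):
    """True when the embedded SAID matches a recomputation over the document."""
    said = doc.get(SAID_FIELD)
    if not isinstance(said, str) or len(said) != DIGEST_HEX_LEN:
        return False
    probe = dict(doc)
    probe[SAID_FIELD] = "#" * DIGEST_HEX_LEN
    return hmac.compare_digest(hashlib.sha256(_canonical(probe)).hexdigest(), said)


def reference_parent(parent, child_attributes):
    """Build a child record whose Reference attribute is the parent's SAID."""
    if not verify_said(parent):
        raise ValueError("parent SAID does not verify")
    return make_said({**child_attributes, "parent": parent[SAID_FIELD]})


# Constructed sample attribute sets.
PARENT_ATTRIBUTES = {"label": "PII Controller Identity", "pii_controller_name": "Org"}
CHILD_ATTRIBUTES = {"label": "PII Controller Website", "value": "https://org.example"}

if __name__ == "__main__":
    parent = make_said(PARENT_ATTRIBUTES)
    child = reference_parent(parent, CHILD_ATTRIBUTES)
    print(json.dumps(child, indent=2))
    print("parent verifies:", verify_said(parent), "child verifies:", verify_said(child))
```

Because the child's SAID covers the parent's SAID, changing any attribute of the parent invalidates both identifiers, which is the property the Reference type relies on for a linked chain of records.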

ANNEX B

Two Factor Notice (for differential transparency)

  • A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Receipts generated with the same schema base can be compared to automate notice for operational transparency over changes to privacy state.

  • A 2fN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to admin privacy rights from the notice, prior to processing with consent.

  • The consent receipts produced from a 2fN can be compared independently for differences in the state and status of privacy, to automatically produce a notification based on the difference in state.

  • Differential Transparency is produced with a tactile signal, or layer 1 notice indicator, standardized with machine-readable data privacy vocabulary (concentric and synchronic transparency).

ANNEX B

Concentric Notice Types

The object of the ANCR record is to enable operational transparency. A concentric notice type is used to provide a human centric label to a record or a receipt.

...

Referencing the corresponding ISO/IEC 29184 control to enhance interoperability of operational transparency: interoperability that is realized through the extension of transparency with records of processing, to establish and maintain a shared understanding of security and privacy risks, affording people choices which mitigate risks and transfer liability.

Mapping Legal Justifications to Concentric Notice Types

These are mapped here to provide a set of operational transparency defaults to set and support privacy as expected by the PII Principal: expectations that provide a privacy notice starting point, where PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing to access privacy rights.

...

Concentric digital transparency is a design principle of electronic Notice and evidence of consent. The outcomes are for a shared / concentric understanding of a relationship and the purpose of digital interaction, the data control impact, and associated risks centric to the PII Principal.

Concentric Notice Types mapped to Privacy Rights

Concentric Notice Types are used to create a digital notice label that can be applied to digital processing contexts which are understood from a human-centric perspective.

...

| Concentric Notice Type | Description | Legal Justification | Privacy Rights (GDPR) | Legal Ref |
|---|---|---|---|---|
| Non-Operational Notice (N/O) | Not enough notice/security information for digital privacy | Not compliant with any if unable to determine or confirm Controller, or contact | Withdraw, Object, Restrict, Access/Edit, Forget | Con.108+ 79.1(a); GDPR Art 13/14 1a,b |
| Consensus Notice | Notice of Legitimate Processing. Surveillance Notification | Legitimate interest | | |
| Implied Consent Notice | Implied through the PII Principal’s participation in a specific context, or through a notice from the PII Controller for a specific purpose context. Can also refer to an existing state of privacy and its established status, aka ‘applied consent’ to data processing. | consent | | ISO/IEC; GDPR Art 50 1 c; Con 108+; Supplement: IPC, Canada |
| Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal. | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
| Expressed Consent notice | Expressed through the implicit action of a Notified individual. | Informed Consent | Withdraw | |
| Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable. | Consent which is knowledgeable of risk | Withdraw | Con 108+.1(4)1b; GDPR Art 7.1 |
| Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to disclosures of risks that are notified. | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
| Altruistic Consent | Not knowing who the Controller of PII will be. Consent to a purpose and public benefit governance framework, without knowing who is the beneficiary. | Consent | | DGA, Recital 1,2,4,36,39 |

Annex C: ANCR Record Extension Protocol

The anchor record is captured or generated for the explicit control of the PII Principal. This record, standardized with the ISO/IEC 29100 security and privacy techniques framework, can then be used for transparency interoperability.

The Anchor record and linked consent ledger are used by the PII Principal to track the state of privacy and the status of consent for dynamic data controls in bilateral (peer to peer) interaction. The anchor record is minted with the PII Controller ANCR record and in this way extended by a product or service purpose specification.

Privacy State (tentative)

  • The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller....

    • At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing

    • The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

  • (GDPR Rec 47)

Privacy State Notification Types (tentative)

reference the expected processing for a specified purpose in reference to common law (

  • The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

    • Processing is ‘as expected’ Notification

      • unverified

      • As expected,

      • not as expected,

      • minor change in state,

      • material change in state ,

    • PII Principal
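The Two Factor Notice in Annex B and the notification types just listed describe the same mechanism: two receipts generated from the same schema are compared, and the difference is classified as as-expected, a minor change, a material change, not as expected, or unverified. The Python below is an added example that is not part of the ANCR draft; it shows that comparison for a constructed baseline receipt and several later receipts. The field names, the split of fields into minor and material (with unknown fields treated as material), the use of the blinded record ID plus schema version as the verification check, and the rule that a legal justification outside the Principal's expected set is reported as "not as expected" are all assumptions made for this illustration.

```python
"""Differential transparency: compare two consent receipts from the same schema and
map the difference to a privacy-state notification type.

Added example, not part of the ANCR draft. Field names, the minor/material split and
the classification rules are assumptions made for this illustration.
"""

# Fields whose change alters who processes, why, or under which law (assumed split).
MATERIAL_FIELDS = {"pii_controller_name", "legal_justification", "purpose",
                   "jurisdiction", "pii_processors"}
# Fields whose change does not alter the processing relationship itself.
MINOR_FIELDS = {"privacy_contact_point", "notice_language", "notice_text_file",
                "pii_controller_phone"}
# Fields that differ between any two receipts by construction.
IGNORED_FIELDS = {"timestamp", "receipt_id"}


def diff_receipts(baseline, current):
    """Return {field: (old, new)} for every field that differs, ignoring per-receipt noise."""
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        if key in IGNORED_FIELDS:
            continue
        if baseline.get(key) != current.get(key):
            changes[key] = (baseline.get(key), current.get(key))
    return changes


def change_severity(key):
    """Unknown fields are treated as material: a conservative default for a comparison tool."""
    return "minor" if key in MINOR_FIELDS else "material"


def privacy_state_notification(baseline, current, expected_justifications):
    """Classify the current receipt against the baseline.

    Returns (notification type, changes). The receipts must share the blinded
    ANCR record ID and schema version before any comparison is meaningful.
    """
    same_relationship = (baseline.get("ancr_record_id") == current.get("ancr_record_id")
                         and baseline.get("schema_version") == current.get("schema_version"))
    if not same_relationship:
        return "unverified", {}
    changes = diff_receipts(baseline, current)
    if current.get("legal_justification") not in expected_justifications:
        return "not as expected", changes
    if any(change_severity(key) == "material" for key in changes):
        return "material change in state", changes
    if changes:
        return "minor change in state", changes
    return "as expected", changes


# Constructed baseline receipt for one controller relationship.
BASELINE = {
    "ancr_record_id": "9f" * 32,
    "schema_version": "0.7",
    "timestamp": "2023-12-06T10:22:31Z",
    "pii_controller_name": "Org",
    "purpose": "Send order receipts",
    "legal_justification": "consent",
    "jurisdiction": "CA-ON",
    "pii_processors": ["Mailer Inc"],
    "privacy_contact_point": "https://org.example/privacy.html",
    "notice_language": "en",
}

if __name__ == "__main__":
    later = {**BASELINE, "timestamp": "2024-01-10T09:00:00Z",
             "pii_processors": ["Mailer Inc", "Adtech LLC"]}
    print(privacy_state_notification(BASELINE, later, {"consent"}))
```

The first check is deliberately the record linkage: a receipt that cannot be tied to the Principal's own blinded record ID is reported as unverified rather than compared, because a comparison against the wrong relationship would produce a misleading "as expected".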

Transparency Status

  • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

(Conv. 108+ Art 33.1)

Transparency Status Types

  • Not-Available

  • In-Active

  • Active

  • Active & Operational

  • Active & Dynamic

Annex C.1 Purpose Specification with 27560 Consent Record Information Structure

SUMMARY

An Anchored Notice Record is specified to capture the data control relationship between the PII Principal and the PII Controller, utilizing the international ISO/IEC 29100 standard.

...

  • This purpose spec schema is specified for the PII Controller (data protection), but can also be used as a record to assess a purpose by a Privacy Stakeholder.

  • 27560 Notes

  • The ANCR protocol is for generating a record of notice containing controller id and contact; this is always the event, and in this regard the ancr_id maps to the event id. To this extent, the event schema section is not required.

  • The ANCR record is specified to 29100, in which the ‘privacy and security stakeholders’ are defined. In the context of the ANCR record, this means that any role (other than PII Principal) has a Controller id, relative to the PII Principal, in addition to the role for the specific context of processing (e.g. Processor, recipient, 3rd party), which represents the processing role and activity relative to the ANCR record. This enables liability and risks to be delegated and transferred amongst the stakeholders specified, per process instance. As a result the party_ID schema is incorporated in the ANCR Record ID, which is specific to a PII Controller, not a service or purpose.

Introduction

The consent receipt, and its record information structure, was conceived as a record which captures the notice of a PII Controller, or the notice context of the PII Principal.

...

In this regard, 27560 is specified with the utility of the consent receipt in mind, which is to specify the purpose of personal data use and risks so that people can make informed choices and control personal data.

Schema Interoperability

  1. The ANCR protocol is for generating a record of notice containing the controller id and contact; this is always the schema ‘event’ indicator. In this regard the ancr_id field maps to, and replaces, the event id field in the ISO/IEC 27560 WD 5 consent record information structure (ref: 27560).

    1. To this extent the 27560 ‘event schema’ section is not required.

  2. The ANCR record is specified to ISO/IEC 29100 (ref: 29100), in which the ‘privacy and security stakeholders’ are defined. In the context of the ANCR record, this means that any role other than the PII Principal has a Controller id and a stakeholder role, relative to the PII Principal.

    1. As a result the party_schema is incorporated in the ANCR Record ID, which is specific to a PII Controller, not to a service or purpose.

  3. A 27560 consent record contains the PII Principal identifier in the same record. Such a record would first need a consent receipt, with this purpose, as proof of notice; otherwise the record would demonstrate non-compliance with the sources referenced in the ANCR record and would be rendered not interoperable with the ANCR record schema and specification.

    1. In this regard the ANCR specification is interoperable with 27560, but 27560 is not interoperable with the ANCR record, as this breaks ANCR Record security and contravenes the privacy considerations for management of the ANCR Record.

    2. To address this we have introduced the missing link: the fields for a Proof of Notice ANCR record and receipt, which are required to be blinded, so that consent to combine the records in such a way is evidenced. This provides proof, secures the PII Principal’s data under the Principal’s control, and is compliant with legislation and 29184.

  4. The ANCR record can itself be extended into a Controller Credential. When the ANCR record is used in a consent receipt flow it can also be used to. ToiP Controller Credential: https://wiki.trustoverip.org/pages/viewpage.action?pageId=27722576

Schema Mapping

The following mapping of the ANCR record schema is provided to conform to the instructions given in ISO/IEC 27560. To this extent, and in accordance with ISO/IEC 27560 Art 6.2.3, this annex publishes the ANCR Record Schemas at Kantara, hosted at the Human Colossus Foundation, for the Global Privacy Rights public benefit initiative.

...

Codes of practice can be approved and monitored, and are used to combine multiple purposes together under an expected code of practice. A “Purpose Bundle” operated under a code of practice can be approved in order to operationalize privacy.

Anchored Record Schema ‘Structure’ Sections

In addition to the consent receipt schema, the ANCR record schema provides a protocol for its operation.

...

These refer to 27560 WD4, line 362, which calls out the need to reference the schema(s) and information structure used, in addition to demonstrating the capacity to maintain documentation for their correct technical implementation and conformance to the requirements specified in the 27560 documents.

ANCR to 27560 Schema (in draft for v08.6 - 0.9)

ANCR Consent Receipt Section

Each row of the mapping gives a Label, its Variations, a Description, the corresponding 27560 Term and a Reference. Rows whose cells are still blank in this draft are listed by label only.

1. Header - Control Object

  • ANCR ID

    • Variations: specified to be a root record identifier

    • Description: the notice record id is used as the root identifier for linking records about the status of privacy with that controller

    • 27560 Term: Record id

  • schema version

    • 27560 Term: same

  • PII Controller Identity Object

    • PII Controller Name

    • PII Controller address

    • correspondence contact email

    • correspondence jurisdiction privacy regulation

    • correspondence phone

    • Correspondence website

    • Correspondence website SSL certificate

    • Non-operational privacy contact point

  • Privacy Contact Point Object

    • Variations: Object

    • Description: must have at least one field for the PCP object

    • Object labels and descriptions:

      • PCP-Profile: Privacy Access Point Profile

      • PCP-InPerson: in-person access to privacy contact

      • PCP-Email: PCP email

      • PCP-Phone: privacy access phone

      • PCP-PIP-URI: privacy info access point, URI

      • PCP-Form: privacy access form URI

      • PCP-Bot: privacy bot, URI

      • PCP-CoPC: code of practice certificate, URI

      • PCP-Social: Network:handle

      • PCP-Other: other

      • PCP Policy: PCP privacy policy, URI

    • Note: ANCR focuses on a KPI for the transparency performance of the privacy contact access point

  • Proof of Notice Object

    • Object labels and descriptions:

      • Notice Type: notice, notification, disclosure

      • Notice method: link / URL to the UI that was used to present the notice, e.g. website home page

      • digital-Notice-location: notice location, e.g. IP address

      • location Certificate

      • Notice Language: the language the notice was provided in

      • Notice Text File: URL and/or hashlink for the notice text

      • Notice text: the capture of a copy of the notification text

      • Notified legal Justification: implied or explicit notified legal justification based on the text of a notice and its context

      • PII controller risks

    • 27560 Term: uses notice type, which would be equivalent to event type in 27560

  • Concentric Notice Label

    • Variations: different, but incorporates how to frame the 27560-defined consent types

    • Description: categorizes notice labels to indicate the protocol for rights access and inherent risks

2. Purpose Spec Object

  • Reference: 29184 purpose specification

  • Purpose ID

  • Service Name

  • Purpose name

  • Purpose Description: plausible risk (data control impact assessment)

  • Purpose Type

  • Legal justification

  • Lawful basis

  • Sensitive PII Category

  • Special PII Category

  • PII Principal Category

  • PII Processors

  • PII Sub-processors

    • Variations: new

  • Risk notice disclosure

    • Reference: ISO-29184

  • Service Notice Risks

3. Treatment

  • Attribute Id

  • Notified Collection method

  • Collection method

  • expiration

  • Storage location

  • Retention period

  • Processing location Restrictions

  • Duration

  • State: justification for processing (state of privacy)

  • status

  • termination

4. a) Code of Conduct

  • Description: inherent to concentric labels; Rights Objects: withdraw, object, restrict, access and rectification, termination of justification

  • Variations: regulated practice, approved by regulator or legislated

  • Rights

  • Notice Defaults

  • Data portability

  • FoI-Access & Rectification

4. b) Code of Practice

  • Cop-ID

  • Surveillance Code of Practice: certified practice

  • Children’s Design Code of Practice

  • Operational Privacy Code of Practice

Terms (wip)

Purpose Bundle

  • Code of Practice Certification -

    • Badge -

      • Pre-Consent Notice Label Type

        • Notify to confirm or change -

          • Then start -

      • Purpose Description – medical

        • Vital interest

        • Legal obligation

        • Operational personal data handle (3rd Party)

      • Approved by Regulator (yes/no)

      • Certified Body - ? - Certification

        • SSI – Gov – Principles – Codes of Conduct

...

  • An Anchor record is a PII Controller Relationship Notice Record, very similar to a PII Controller Credential, but instead of being provided by a specific stakeholder, this micro-credential can be created as an ANCR Notice Record by the PII Principal.

  • When a record or receipt is generated, it can use either this record or a PII Controller-provided record as the source record for linking all of the subsequent records and receipts together. This way both the PII Controller and the Principal have corresponding (mirrored) records which are not directly linked and are separately controlled.
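The following is an added worked example, not code from the Kantara ANCR specification or from any implementation of it. It models the header/control object of the ANCR notice record from the schema mapping table above (ANCR ID as root identifier, PII Controller identity, the Privacy Contact Point object with its at-least-one-field rule, and the Proof of Notice object with a hashlink over the notice text), and it uses the Transparency Status Types and the processing-state notification types listed at the start of this section to compare a newly generated record with the PII Principal's earlier mirrored record for the same controller. Field names follow the table where the page gives them; the function names, the choice of SHA-256 for the hashlink, the sample controller data and the change-detection rule in notification_state() are assumptions made for illustration.

```python
"""In-memory model of an ANCR notice record (example code, not the
specification's own).  Names follow the Annex C.1 schema mapping where
the page gives them; everything else is an assumption for illustration."""
import hashlib
from enum import Enum
from typing import Optional


class TransparencyStatus(str, Enum):
    """The Transparency Status Types listed on the page."""
    NOT_AVAILABLE = "Not-Available"
    IN_ACTIVE = "In-Active"
    ACTIVE = "Active"
    ACTIVE_OPERATIONAL = "Active & Operational"
    ACTIVE_DYNAMIC = "Active & Dynamic"


class ProcessingNotification(str, Enum):
    """The 'processing is as expected' notification types on the page."""
    UNVERIFIED = "unverified"
    AS_EXPECTED = "as expected"
    NOT_AS_EXPECTED = "not as expected"
    MINOR_CHANGE = "minor change in state"
    MATERIAL_CHANGE = "material change in state"


# Field labels of the Privacy Contact Point object (schema mapping table).
PCP_FIELDS = ("PCP-Profile", "PCP-InPerson", "PCP-Email", "PCP-Phone",
              "PCP-PIP-URI", "PCP-Form", "PCP-Bot", "PCP-CoPC",
              "PCP-Social", "PCP-Other", "PCP-Policy")


def hashlink(notice_text: str) -> str:
    """Hashlink for the 'Notice Text File' field: a digest of the notice
    text, so the Principal's and the Controller's mirrored records can be
    checked against the same notice without sharing the text itself.
    SHA-256 is an assumed choice; the page does not fix the algorithm."""
    return "sha256:" + hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def validate_pcp(pcp: dict) -> bool:
    """The PCP object 'must have at least one field' (schema mapping table)."""
    return any(pcp.get(name) for name in PCP_FIELDS)


def build_ancr_record(ancr_id, controller, pcp, notice_type, notice_language,
                      notice_text, transparency):
    """Assemble the header/control object of an ANCR notice record.
    ancr_id is the root identifier for that controller (27560 record id)."""
    if not validate_pcp(pcp):
        raise ValueError("Privacy Contact Point object needs at least one field")
    return {
        "ancr_id": ancr_id,
        "schema_version": "0.7",
        "pii_controller": controller,
        "privacy_contact_point": {k: v for k, v in pcp.items() if v},
        "proof_of_notice": {
            "notice_type": notice_type,
            "notice_language": notice_language,
            "notice_text_hashlink": hashlink(notice_text),
        },
        "transparency_status": TransparencyStatus(transparency).value,
    }


def notification_state(previous: Optional[dict], current: dict) -> ProcessingNotification:
    """Derive a processing-state notification by comparing a new record with
    the Principal's earlier mirrored record for the same controller.
    Assumed rule: no earlier record -> unverified; controller name differs
    -> not as expected; same notice text and status -> as expected; only the
    transparency status changed -> minor change; notice text changed ->
    material change."""
    if previous is None:
        return ProcessingNotification.UNVERIFIED
    if previous["pii_controller"]["name"] != current["pii_controller"]["name"]:
        return ProcessingNotification.NOT_AS_EXPECTED
    same_text = (previous["proof_of_notice"]["notice_text_hashlink"]
                 == current["proof_of_notice"]["notice_text_hashlink"])
    same_status = previous["transparency_status"] == current["transparency_status"]
    if same_text and same_status:
        return ProcessingNotification.AS_EXPECTED
    if same_text:
        return ProcessingNotification.MINOR_CHANGE
    return ProcessingNotification.MATERIAL_CHANGE


# Constructed sample data: a hypothetical controller and notice text.
SAMPLE_CONTROLLER = {"name": "Example Corp", "address": "1 Example Street",
                     "jurisdiction": "EU/GDPR", "website": "https://example.com"}
SAMPLE_PCP = {"PCP-Email": "privacy@example.com",
              "PCP-Policy": "https://example.com/privacy"}
SAMPLE_NOTICE = "We process your email address to send order confirmations."
ROOT_ID = "ancr-example-0001"  # one root id per controller, reused across records


def demo():
    """Three records for the same controller over time; returns the
    notification derived at each step."""
    first = build_ancr_record(ROOT_ID, SAMPLE_CONTROLLER, SAMPLE_PCP, "notice",
                              "en", SAMPLE_NOTICE, "Active")
    # Same notice text, transparency status raised: a minor change in state.
    second = build_ancr_record(ROOT_ID, SAMPLE_CONTROLLER, SAMPLE_PCP, "notice",
                               "en", SAMPLE_NOTICE, "Active & Operational")
    # The notice text itself was altered: a material change in state.
    third = build_ancr_record(ROOT_ID, SAMPLE_CONTROLLER, SAMPLE_PCP, "notice",
                              "en", SAMPLE_NOTICE + " We also share it with partners.",
                              "Active & Operational")
    return (notification_state(None, first), notification_state(first, second),
            notification_state(second, third))


if __name__ == "__main__":
    print([state.value for state in demo()])
```

Because only the hashlink of the notice text is stored in the record, the Principal's copy and the Controller's copy can each be checked against the same presented notice without either record carrying a direct link to the other, which is the mirrored, separately controlled arrangement the bullets above describe.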

Revision history

Version, Date, Summary of Substantive Changes:

  • 0.1 DRAFT, 2021-02-28: Initial v1.1 draft

  • 0.5, 2022-02-02: Draft, updating scope to Notice and eConsent

  • 0.8, 2022-07-04: Full outline / 70% drafted

  • 0.8.5, 2022-08-04: Outline 100% Draft, posted to Kantara Wiki

  • 8.8.2: Annex Updates

  • 8.8.3: Restructured sections and schema, cleaned the schema up a little; practising what is preached by making the spec structure human centric

...