...

Parts 1 and 2 for measuring conformance, compliance, and performance of Dynamic of Transparency and Consent

Anchor
_Toc155867426 _Toc155867426

Conformity & Compliance

...

Scheme Framework v0.9.3.8

ANCR refers to an Anchored Notice & Consent Receipt, it is a record that is generated using the Transparency Performance Indicator assessment, which provides a standard measure of operational performance of the present PII Controller’s security and privacy session information.

...

Mark Lizar, WG Co-Chair, WG Editor

ContributorsContributor(s):

• Sal D’Agostino, WG Co-Chair

• Gigi Agassani Agassini, WG Secretary

IPR Option:

...

Any derivative use of this specification must not create any dependency that limits or restricts the use, accessibility, and availability of the scheme for and/or its used use to evaluate the performance of transparency and/or the ability for the PII Principal to provide and manage consent records.

...

This specification relies on (open access to) ISO/IEC 29100 Security and privacy techniques, to provide Privacy framework and ISO/IEC 29184 Online Privacy Notice information structure, online privacy notices and consent, and the Consent Notice Receipt in the Appendix B, further specified by ANCR Mirrored Record Information Structure,³ Consent Notice Receipt Format as specified in the Kantara Initiative ANCR WG Mirrored Record information structure, extending the CISWG MVCR and Consent Receipt v1.1.⁴

Anchor
_Toc155867428 _Toc155867428

Conditions for use

License Condition:

This document has been prepared by participants of Kantara Initiative Inc. ANCR-WG. No rights are granted to prepare derivative works of this Scheme outside of the ANCR WG. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

...

Abstract 

In the context of processing personally identifiable information (PII) a PII Principal is not able to see who is processing their data, nor are they notified when their data is disclosed or scraped off the internet, with no indication of purpose. As a result the ability for all stakeholders, in particular the PII Principal, or Individual, is limited in their capacity to trust the use of digital identifying and tracking technologies.

The TPS addresses this issue by providing a standard transparency assessment scheme captures operational relationships and measures digital trust conformance and compliance record harness for assessing the performance of transparency and . In doing so it provides a basis for trust and operational accountability when PII Controllers Controller(s) process personal data.   

<snip>

The ANCR mirrored record information structure defines 3 types of digital trust, and provides transparency assessment scheme for primary digital trust, (also referred to as a human centric), data control, and accountable transparency.

1. Primary Digital Trust –

   1. when When the PII Principle Controls their own PII, enabling transparency over processing, like on a local device

2. Secondary Digital Trust

   1. When the PII is held by a PII Controller

3. Exterritorialy  

   1. When PII is disclosed and controlled by a 3^rd party (not a PII Processor)

      1. Emergency services

      2. Security Services

  

If the PII Principal is not able to “see” how PII (Personally Identifiable Information) is shared, disclosed, or managed it is not possible to make the choice to trust the service processing PII.  

For people, consent by default requires assurances that personal data is being processed and transparency exists in a meaningful and operationally manner   StandardStandardized, and operational transparency enabled by standardized schema, and record formats (Notice Receipts) are needed so that people can keep,  and own, and  to control personal information and private its use by “AI”.   what  

This requires can makemaking meaningful consent meaningful  by default.  To support  this, and Tto create and scale trust in digital contexts a Digital Transparency Code of Conduct is introduced. The goal is to leverage, simplify,  and clarify, and standardize requirements and for the use of CoE 108+ Chapter 1 Transparency Modalities, which is mirrored in the GDPR Article 12, ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’. 

 
Simply summarized 

If the PII Principal is not able to understand and “see” how PII (Personally Identifiable Information) is shared, disclosed, or managed it is not possible to trust the service processing PII with any additional assurancs.

Data Control and the expectations of that control are assessed in this Scheme by making a record, called a consent notice receipt, of the transparency provided in context,  From what is generally referred to as a notice notification, sign, policy, privacy policy, contract, web-page, web-page link and or icon, or any type of governing framework agreement.  

Scheme Applicability   

1. All data processing must have a record of notified processing activity. In order toThis is a requirement to be digitally transparent. The exception is when it is , unless required not to bethere is a by legal derogation, which is required notification, often as risk that is provided prior to consent based processing of PII.  Even  Iin such an instance, the processing must be transparent to the appropriate regulatory authority, according to the context of processing.  

2. This assessment scheme in this way, can be applieds to all any services context and every stakeholder; , PII Controller, PII Processor, PII Principal’s, the PII Co-Regulating Authority and delegates.  

3. All processing with consent already requires a record of the privacy notice and privacy policy link, which in this assessment scheme, the record that is generated for assessment  in this document is referred to asis called a Notice Receipt, also known a in the s the ANCR mirrored record of consentinformation structure. , and referred to as a consent record in ISO/IEC 27560 Consent record information structure.  

4. In GDPR and Records and receipts provided in this scheme as are specified in Convention 108+, Art 31 these records are called a Record of Processing Activity (RoPA), used in this framework as proof of transparency/knowledge.  . The consent receipt is effectively a digital twin, of this RoPA, which is a mirrored – linked notice and consent micro-data record, which is also held by the individual. This Record can then effectively become the authoritative consent record.  

  

A Notice Receipt can be created by anyis created to assess in this framework stakeholder to identify a PII Controller. 

An Anchored Notice and Consent Receipt can be used as a record of consent to access data subjects' rights, for example, and/or to test and assess the operational performance of PII Controllers’ digital privacy performance in digital contexts.  

Part 1 of the scheme introduces 4 Transparency Performance Indicators; these are used to measure and rate the conformance of transparency.  In Part 2 of the scheme (in the Appendix A) a transparency information request is sent to the controller to; a) test the controller information and, b) measure how compliant the performance of digital transparency is, to both legal expectations, and the personal privacy expectations of the PII Principal.   

, n

...

The normative language for the TPI Scheme is defined by Convention 108+, the commonwealth privacy convention the GDPR (General Data Protection Regulation) 108+ was created to establish a set of principles and rules to effectively safeguard personal data and facilitate cross-border data flows

Normative terms for roles defined in national law are mapped to the roles which are defined according to an international adequacy baseline.

ISO/IEC 29100 is also normative, this security and privacy framework standard maps terms in the standard itself, for example PII Principal is mapped to the Data Subject.

The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs) and is based on the consent receipt work where roles are mapped to standards and laws.

...

Stakeholder

...

ISO/IEC 29100

...

Conv 108+

...

GDPR

...

PIPEDA

...

Data Protection Authority

...

PII Principal

...

Data Subject

...

Individual

...

PII Controller

...

Controller

...

Data Controller

...

Processor

...

Data Processor

...

Joint-Controller

...

Sub-Processor

(compliance roles, mapped to be interoperable within any data privacy framework)

Roles in this document refer to a record of relationship between the Individual and any digital service, as documented by identifiers. Primary digital trust is technically identified

...

Transparency Performance Indicator’s (TPI’s) are introduced here as an object of conformity used to capture the presentation of PII Controller (Credential) information, to measure this information to determine its completeness,, accessibility and security. Its operational data governance capacity per context can then be assessed against international adequacy baseline for compliance.

In this way TPI’s can quickly be used to determine the validity, quality, and governance of data process for digital and physical assessment contexts.

The TPI’s are employed to assess digital privawcy transparency for human context.

About the Scheme

The TPI Scheme presented here is scoped to international/internet scale digital commonwealth transparency adequacy baseline for trans-border digital consent capable records of transparency. The TPS includes:

A conformity and compliance assessment scheme, implemented in 2 parts to generate a full operational transparency report.

• TPI Scheme 1 Part 1 - Conformance

  • Initial test to diagnose the operational capacity of privacy services in any specific context.

• TPI Scheme 1 Part 2 – Compliance (found in Appendix A)

  • Specifies an example operational transparency compliance performance test, in which the transparency is tested by generating a privacy rights-based request, to access privacy services.

Part 1 refers to conformance with digital identifier elements of the PII Controller required to be presented to initiate a session and is the body of this document.

Part 2 is Appendix A and uses the ANCR record to audit the Adequacy of the captured controller elements as specified in the Council of Europe, Conv. 108+. Article 14, Transparency Modalities.

How Does the scheme Operate?

an ANCR (Anchored Notice and Consent Receipt) Notice Receipt Record, which is assessed as a ‘proof of notice’ (or knowledge record ) claim, conformant as a Consent Notice Receipt as a record format to perform an ISO/IEC conformant digital privacy transparency compliance assessment, against international technical and legal baselines.

The Scheme employs TPI’s to measure the operational performance of transparency and accountability This is used to determine the capacity for dynamic control of personal data, in an online service context. .

The ANCR record is produced from a TPI Assessment which captures the identity of the controller and accountable person, contact and physical address. In this way the presented digital governance and surveillance context can be assessed for compliance for transborder flows of data,

What Do TPI’s Measure

There are 4 Indicators specified in this scheme used to measure the existence and performance of the publicly required digital service information. The TPIs check digital components, and identify the governance model, authority, and security framework to assure the validity of the privacy state in an online service context. This provides privacy risk assurance for people.

Indicators are captured at the point of notice presentation to capture the required PII Controller privacy rights access point(s), and the governance framework personal data processing is being governed.

How Does the Scheme Work

The TPI’s for conformance in the capture of privacy information or services are mapped to analogue legal requirements which measure response times in days, out of technical context.  TPIs all measure how dynamic privacy service information is in context, and provide a rating, from -3 to +1, in which +1 is for a Dynamic, in context transparency performance indicator. This introduces the concept of a shared active privacy state transparency, comprised of the signal that indicates if the privacy as expected in context.

...

At the time of writing this Scheme, transparency, and consent is governed predominately by commercial governance frameworks that utilize digital identity management technologies to identify people. At the same time the associated services do not identify themselves in a standard way online, which is neither compliant nor conformant, introducing critical cybersecurity risks.

Individuals are forced to give up digital privacy to access analog privacy rights and services online. All the records of digital relationships (like cookies) are managed by services. Without personal records of digital relationships Individuals are not able to access the information independent of a relying party, which is necessary to measure privacy and security transparency performance of a notice its basis for processing, including and importantly the validity of digital consent.

These risks and harms are exacerbated when PII Principals use privacy services online. PII identifiers, by default, is micro-data that is captured and collected at an attribute level (then aggregated into meta-data).

The end result, individuals must provide raw data attributes, create a profile to access services online. These “security” technologies themselves are used to scrape, profile and track data subjects presenting a systemic challenges to digital privacy for the PII Principal.

The second systemic obstacle to second party management of first party data, is that individuals do not have a copy of their own records of digital identity relationships. The lack of record standards have prevented people from being able to exercise rights outside of a service context.

A standard notice receipt and consent record address this systemic challenge, producing a proof of notice and evidence of consent, for consent tokenization (consent receipt v2).

This Transparency Performance Scheme is extensible, Part 1, is the data commons level first step to generating the digital evidence for authentic consent in online services using terms and conditions based privacy poicy frameworks..

Scheme Applicability   

1. All data processing must have a record of notified processing activity. In order toThis is a requirement to be digitally transparent. The exception is when it is , unless required not to bethere is a by legal derogation, which is required notification, often as risk that is provided prior to consent based processing of PII.  Even  Iin such an instance, the processing must be transparent to the appropriate regulatory authority, according to the context of processing.  

2. This assessment scheme in this way, can be applieds to all any services context and every stakeholder; , PII Controller, PII Processor, PII Principal’s, the PII Co-Regulating Authority and delegates.  

3. All processing with consent already requires a record of the privacy notice and privacy policy link, which in this assessment scheme, the record that is generated for assessment  in this document is referred to asis called a Notice Receipt, also known a in the s the ANCR mirrored record of consentinformation structure. , and referred to as a consent record in ISO/IEC 27560 Consent record information structure.  

4. In GDPR and Records and receipts provided in this scheme as are specified in Convention 108+, Art 31 these records are called a Record of Processing Activity (RoPA), used in this framework as proof of transparency/knowledge.  . The consent receipt is effectively a digital twin, of this RoPA, which is a mirrored – linked notice and consent micro-data record, which is also held by the individual. This Record can then effectively become the authoritative consent record.  

  

A Notice Receipt can be created by anyis created to assess in this framework stakeholder to identify a PII Controller. 

An Anchored Notice and Consent Receipt can be used as a record of consent to access data subjects' rights, for example, and/or to test and assess the operational performance of PII Controllers’ digital privacy performance in digital contexts.  

Part 1 of the scheme introduces 4 Transparency Performance Indicators; these are used to measure and rate the conformance of transparency.  In Part 2 of the scheme (in the Appendix A) a transparency information request is sent to the controller to; a) test the controller information and, b) measure how compliant the performance of digital transparency is, to both legal expectations, and the personal privacy expectations of the PII Principal.   

Anchor
_Toc155867432 _Toc155867432

Terms & Definitions

ISO/IEC 29100 is also normative, this security and privacy framework standard maps terms in the standard itself, for example PII Principal is mapped to the Data Subject.

The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs) and is based on the consent receipt work where roles are mapped to standards and laws.

(compliance roles, mapped to be interoperable within any data privacy framework)

Roles in this document refer to a record of relationship between the Individual and any digital service, as documented by identifiers. Primary digital trust is technically identified

Transparency Performance Indicator’s (TPI’s) are introduced here as an object of conformity used to capture the presentation of PII Controller (Credential) information, to measure this information to determine its completeness,, accessibility and security. Its operational data governance capacity per context can then be assessed against international adequacy baseline for compliance.

In this way TPI’s can quickly be used to determine the validity, quality, and governance of data process for digital and physical assessment contexts.

The TPI’s are employed to assess digital privawcy transparency for human context.

About the Scheme

The TPI Scheme presented here is scoped to international/internet scale digital commonwealth transparency adequacy baseline for trans-border digital consent capable records of transparency. The TPS includes:

A conformity and compliance assessment scheme, implemented in 2 parts to generate a full operational transparency report.

• TPI Scheme 1 Part 1 - Conformance

  • Initial test to diagnose the operational capacity of privacy services in any specific context.

• TPI Scheme 1 Part 2 – Compliance (found in Appendix A)

  • Specifies an example operational transparency compliance performance test, in which the transparency is tested by generating a privacy rights-based request, to access privacy services.

Part 1 refers to conformance with digital identifier elements of the PII Controller required to be presented to initiate a session and is the body of this document.

Part 2 is Appendix A and uses the ANCR record to audit the Adequacy of the captured controller elements as specified in the Council of Europe, Conv. 108+. Article 14, Transparency Modalities.

How Does the scheme Operate?

an ANCR (Anchored Notice and Consent Receipt) Notice Receipt Record, which is assessed as a ‘proof of notice’ (or knowledge record ) claim, conformant as a Consent Notice Receipt as a record format to perform an ISO/IEC conformant digital privacy transparency compliance assessment, against international technical and legal baselines.

The Scheme employs TPI’s to measure the operational performance of transparency and accountability This is used to determine the capacity for dynamic control of personal data, in an online service context. .

The ANCR record is produced from a TPI Assessment which captures the identity of the controller and accountable person, contact and physical address. In this way the presented digital governance and surveillance context can be assessed for compliance for transborder flows of data,

What Do TPI’s Measure

There are 4 Indicators specified in this scheme used to measure the existence and performance of the publicly required digital service information. The TPIs check digital components, and identify the governance model, authority, and security framework to assure the validity of the privacy state in an online service context. This provides privacy risk assurance for people.

Indicators are captured at the point of notice presentation to capture the required PII Controller privacy rights access point(s), and the governance framework personal data processing is being governed.

How Does the Scheme Work

The TPI’s for conformance in the capture of privacy information or services are mapped to analogue legal requirements which measure response times in days, out of technical context.  TPIs all measure how dynamic privacy service information is in context, and provide a rating, from -3 to +1, in which +1 is for a Dynamic, in context transparency performance indicator. This introduces the concept of a shared active privacy state transparency, comprised of the signal that indicates if the privacy as expected in context.

...

Digital transparency requires a record to provide a standardized standardised purpose specification so as to include who the beneficiary of data is, how they benefit, and where the benefit and value originates. This information once collected in a standard credential, record, and receipt format can be assessed in the Scheme.

...

4 TPI’s

The 4 Transparency Performance Indicators capture transparency and data capture practices in context and are used to test the self-asserted information for its operational usability.

...

The TPI Rating system is designed to measure dynamically the operational transparency and performance of the required security and privacy information and its usability. The scale applied penalizes penalise bad behavior behaviour more than it rewards conformance and compliance from +1 “good” to -3 “bad”. These are presented one by one and then in a table for comparison followed by an example in the next section.

...

This is a 1.0 document; we look forward to its evolution.

Anchor
_Toc155867448 _Toc155867448

TPI Compliance Assessment Scheme Part 2

Anchor
_Toc155867449 _Toc155867449

Operational Transparency Assessment

The following describes an assessment using the TPIs to measure Operational Transparency and assurance.

...

1. Transparency is required to be available in context, i.e., during the time when PII is obtained (found in Transparency Statement or Privacy Policy).⁸

   1. Time period data stored.

   2. Existence of rights/controls to access and rectify.

   3. Existence of right to manage consent.

   4. Existence of right to lodge a complaint with a Data Protection Authority (DPA).

   5. Whether processing is based under a statutory, or contractual context, or whether necessary for entering a contract, if the PII is obliged, and the consequences of failure to provide this data.⁹

   6. Existence of

      1. AI, or any automated decision-making technology

      2. Digital identity management surveillance technologies

      3. Any profiles, or graphs generated

      4. Meaningful information about the logic involved

         1. Significance in overall policy or processing and decision making

         2. Expected consequences for and to PII Principal - Data Subject

Anchor
_Toc155867450 _Toc155867450

TPI Assessment Guidance

The TPI Rating system is designed to measure the operational performance of the information, for example if only a mailing address is provided for a privacy contact on a website, this is considered non-operable according to the context. This means that privacy access and specific information is not retrievable in the context of data collection. The TPIs measure adequacy and demonstrate non-performance by PII Controllers as a form of data co-governance.

The associated Conformity Assessment: uses the open ISO/IEC 29100 security framework for generating interoperable records and receipts of data processing activity, according to transparency in context.

Anchor
_Toc155867451 _Toc155867451

TPIs are captured in sequence

a. TPI 1 measuring the point when the individual is notified versus when personal information/digital identifiers are collected and processed. The scheme starts by capturing the timing of notice presentation in relation to first data capture, and first contact.¹⁰

...

Combined, these TPIs provide an overall Indication of the operational state of digital privacy.

Anchor
_Toc155867452 _Toc155867452

TPI – Scheme 1, Part 1(S1-P1) metric logic

Anchor
_Toc155867453 _Toc155867453

1.2.    Table 2: ANCR Mirrored Record Schema Example

This appendix is an example of a notice record and the schema and can be used as a template for the information record, rating, and analysis.

...

Anchor
_Toc155867454 _Toc155867454

Digital Transparency Code of Conduct

These digital transparency code of conduct rules coincide with the TPIs presented and reference the international adequacy requirements for transparency required for digital identifier management. In Report on the Adequacy of Digital Identity Governance for cross border transparency and consent:

...

1. Provide their PII Controller Notice Credentials, before or at the time of processing personal information (TPI 1), Article 14.1

2. PII Controller credential information must be accessible

3. PII Controller credential information must be operationally capable for access to rights with evidence of notice & consent

4. The security context must match the controller’s jurisdiction where it is assumed PII is processed

Anchor
_Toc155867455 _Toc155867455

Appendix D. References

Council of Europe 108+

Anchor
_Toc155867456 _Toc155867456

Appendix F. ISO scheme Profile

...

³ Mirrored Record Information Structure, 2024, ANCR WG Kantara Initiative { ANCR: Mirrored Record : Consent Receipt V2: Consent Token Information Structure v0.7 }

⁴ Consent receipt v1, CISWG Kantara Initiative https://kantarainitiative.org/download/7902/

...