Kantara Initiative : ANCR WG

...

Contributors: Sal D’Agostino

Abstract:

At the present time, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before the collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites, called ‘terms and conditions’ or ‘user licenses’, with corresponding ‘privacy policies’ or ‘data sharing agreements’, which do not implement or provide the privacy rights or data control people expect: expectations which do not scale online.

...

The ANCR specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’. It specifies an active technical object for managing the rules of data and its consented exchange in accordance with international data governance conventions.

NOTES TO READER

This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.

In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.

Introduction

This document specifies the core credential schema, using the ANCR Notice record schema to generate a digital record which acts as a digital envelope for the digital privacy information, attributes, identifiers and notice text it is used with.

...

The Notice Credential’s scope of authority is restricted to the notice it is embedded in and the context in which it is provided.

Credential Purpose of Use

Operationally, the embedded Notice Credential is used to dynamically generate micro-notice credentials and to receive consent receipt tokens, as well as to render an active-state digital privacy signal.

Notice Credential Binding

To generate a credential, these core notice fields are bound to the accountable authority, which can be delegated (and by default is referred to in this document as the PII Privacy Officer).

...

The credential type is also required. Fields added to the notice record to make it a credential must be cryptographically signed with a public/private key pair.

Notice Record Schema

Notice Record Credential fields are added to the notice record schema and used to bind and generate an Open Notice PII Controller Credential.

...

  • Notice Record ID

  • Key Pair

  • Controller Type

  • Delegated Authority Attributes for Controller & Principal - DPO

  • Serialization - the controller id number is used to generate a record id, which is in turn used to generate a consent receipt id - 1.
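The binding and schema steps above (core notice fields bound to an accountable authority, a required credential type, signing with a public/private key pair, and the controller id → record id → consent receipt id serialization chain) are illustrated here in an added Go example. It is not code from the ANCR Working Group or the specification: the JSON field names, the SHA-256 derivation of child identifiers, the choice of Ed25519 and the hex encodings are all assumptions made for this example, and the controller id and notice text are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// NoticeRecord carries the core notice fields listed in the Notice Record Schema.
// The JSON field names are assumptions for this example, not the names in Table 1.
type NoticeRecord struct {
	NoticeRecordID     string `json:"notice_record_id"`
	ControllerID       string `json:"controller_id"`
	ControllerType     string `json:"controller_type"`
	CredentialType     string `json:"credential_type"`
	DelegatedAuthority string `json:"delegated_authority"` // accountable authority, e.g. the PII Privacy Officer
	NoticeText         string `json:"notice_text"`
	PublicKey          string `json:"public_key"` // hex Ed25519 public key the record is bound to
}

// Credential is the signed envelope: the record plus a signature over its canonical bytes.
type Credential struct {
	Record    NoticeRecord `json:"record"`
	Signature string       `json:"signature"`
}

// deriveID models the serialization chain: a parent identifier and a label are hashed
// to produce the child identifier (assumed derivation; the spec does not fix one).
func deriveID(parent, label string) string {
	sum := sha256.Sum256([]byte(parent + ":" + label))
	return hex.EncodeToString(sum[:16])
}

// canonical returns the bytes that are signed. encoding/json emits struct fields in
// declaration order, so the same record always serializes to the same bytes.
func canonical(r NoticeRecord) ([]byte, error) { return json.Marshal(r) }

// BindCredential binds the notice fields to the accountable authority's key pair:
// it fills in the public key, derives the record id from the controller id, requires
// a credential type, and signs the canonical record.
func BindCredential(priv ed25519.PrivateKey, r NoticeRecord) (Credential, error) {
	if r.CredentialType == "" {
		return Credential{}, errors.New("credential type is required")
	}
	if r.ControllerID == "" {
		return Credential{}, errors.New("controller id is required")
	}
	r.PublicKey = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	if r.NoticeRecordID == "" {
		r.NoticeRecordID = deriveID(r.ControllerID, "notice")
	}
	b, err := canonical(r)
	if err != nil {
		return Credential{}, err
	}
	sig := ed25519.Sign(priv, b)
	return Credential{Record: r, Signature: hex.EncodeToString(sig)}, nil
}

// VerifyCredential re-serializes the record and checks the signature with the public
// key embedded in it; any change to a signed field makes verification fail.
func VerifyCredential(c Credential) bool {
	pub, err := hex.DecodeString(c.Record.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(c.Signature)
	if err != nil {
		return false
	}
	b, err := canonical(c.Record)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), b, sig)
}

// ConsentReceiptID is the last step of the chain: the consent receipt id is derived
// from the notice record id (plus a per-receipt nonce, an assumption of this example).
func ConsentReceiptID(c Credential, receiptNonce string) string {
	return deriveID(c.Record.NoticeRecordID, "receipt:"+receiptNonce)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := NoticeRecord{ // constructed sample values
		ControllerID:       "controller-example-001",
		ControllerType:     "PII Controller",
		CredentialType:     "OpenNoticeControllerCredential",
		DelegatedAuthority: "PII Privacy Officer",
		NoticeText:         "Example notice text (constructed)",
	}
	cred, err := BindCredential(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("record id:", cred.Record.NoticeRecordID, "valid:", VerifyCredential(cred))
	fmt.Println("receipt id:", ConsentReceiptID(cred, "nonce-1"))
	cred.Record.NoticeText = "altered after signing"
	fmt.Println("after tampering valid:", VerifyCredential(cred))
}
```

The check a verifier would care about is that the signature covers every bound field, including the embedded public key and the derived record id, so a credential cannot be re-pointed at a different controller or notice text without the accountable authority's private key.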

Normative References

For the international and cross-domain use of the records and receipts reflected in this specification, this document refers to the following:

  • ISO/IEC 29100:2011 Security and privacy techniques

  • ISO/IEC 29184: Online privacy notices and consent

  • ISO 31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements

  • Fair Information Practice Principles (FTC) foundational principles

Non-Normative References

  • 1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]

  • Kantara Initiative Consent Receipt v1.11

  • Kantara Initiative: Blinding Identity Taxonomy (Bit)2

  • For input to ISO/IEC 27561:2022 POMME (Privacy operationalization model and method for engineering)

Additive Reference

  • General Data Protection Regulation (GDPR)

  • Council of Europe Convention 108+ (Conv. 108+)

  • PIPEDA – Individual, Meaningful Consent

Terms and definitions

This section lists the definitions and reference terms used in this specification and indicates which are normative, non-normative, and additive.

If this specification is not compatible with a jurisdiction’s privacy laws, the internationally‑defined terms reflected in this specification can be mapped to that jurisdiction’s laws and context-specific terms. For example, PII Principal in this document maps to the term ‘Data Subject’ in European GDPR legislation and the term ‘individual’ in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

NOTATIONS

In this document the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119].

ABBREVIATIONS

The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over what organization controls the processing of personal information, and who is accountable for enforcement.

  • ANCR Record — means the Anchored Notice Record and Consent Receipt Record

  • ANCR WG — means the Advanced Notice and Consent Receipt Work Group

  • Array — means an array of field objects

  • Conv. 108+ — means the Council of Europe Convention 108+

  • FIPP — means Fair Information Practice Principles

  • IRM — means Identifier Relationship Management

  • ISO/IEC — means International Organization for Standardization/International Electrotechnical Commission

  • Object — means a field object

  • PII — means Personally Identifiable Information

  • PbD — means Privacy by Design

  • TPI — means Transparency Performance Indicators

  • ZPN — means Zero Public Network, a network in which each processor of personal information has a controller credential and the PII Principal has a private record of the credential

Terms & Definitions

Code of Conduct

A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

...

[Source: Conv. 108+ Art 29.5]

Concentric Notice Label

This is a new field – normative in this specification.

...

The types of Concentric Notice Label are specified in Annex B, which spans the spectrum of legally defined consent types, defined from the individual’s context and perspective.

Concentric Notice Label Types

Not Concentric: Legal obligation or legitimate interest independent of PII Principal

...

[Source: Conv 108+ Rec.20]


Digital Privacy [Proposed]

The reference to digital privacy specifies not only the data category for a specific element, but also the field format, the record structure, the attributes that populate the field elements, and the ontology and vocabulary used to specify those attributes.

...

  • representation of individual physical privacy online

  • proportional and reciprocal access to privacy rights information, controls, mitigations and remedies

  • access to privacy services and controls without identification

  • use of privacy services and controls for security and commerce

  • transparency over the active state of digital privacy in context

    • dynamic transparency and data control capacity

Digital Privacy Transparency (DPT) [Proposed]

The transparency over the digital representation of the active state of privacy in a specific context.

  • digital identity of Organization

  • digital Identity of Privacy Officer

  • digital privacy access point for information and control

  • digital Privacy Transparency; Laws & Standards

    • references enforceable and standardized regulations

      • GDPR [General Data Protection Regulation]

      • Convention 108+/GDPR - Transparency Adequacy Legal Code of Conduct

    • Digital Privacy Transparency (DPT) Standards reference:

      • ISO/IEC 29100 security + privacy techniques for ISO 27k Framework

      • ISO/IEC 29184 Online privacy notice and consent, Consent Notice Receipt (record) in Appendix B

      • W3C - Data Privacy Vocabulary V1

      • Kantara Consent Receipt v1.1

    • accretive to the ISO/IEC 31700 Privacy by Design standard, contributing high-performance data privacy transparency metrics, referenced as K-DPIs (Key Digital Privacy Indicators), which indicate the active state of digital transparency.

    • Transparency Performance Indicators:

      • transparency data capture and assessment criteria for assessing the performance of digital privacy elements.

Notice

Adhering to the openness, transparency and notice principles means providing PII Principals with clear and easily accessible information about the PII Controller’s policies, procedures and practices with respect to the processing of PII;

...

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

[GDPR Rec.58]

Notice Modalities

The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices, or icons, and may provide notices in a machine-readable format so that the software presenting it to the PII Principal can parse it to optimize the user interface and help PII Principals make decisions.

...

That information may be provided in combination with standardised icons in order to better provide an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

[Conv 108+ Rec 35]

Notice Record

Organizations should seek consent for changes such as those outlined here, and should consider whether the PII Principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII Principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.

...

[Source: Conv 108+ Art 31]

Principles relating to processing of personal data

Personally identifiable information must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’);

...

[ANCR Notice Record Annex B]

Privacy by Design [Proposed]

In reference to privacy design methodologies in which privacy is considered and integrated into the initial design stage and throughout the complete lifecycle of products, processes or services (3.3) that involve processing of personally identifiable information (3.2), including product retirement (3.15) and the eventual deletion (3.26) of any associated personally identifiable information (3.2)

...

[31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements]

Privacy Principles

The privacy principles articulated in ISO/IEC 29100 are now embodied in international standards and laws.

...

[Source: ISO/IEC 29100 Table 3]

Proof of Notice

A Consent Notice Receipt, for a proof of notice, used as evidence of consent and to ... demonstrate compliant records of processing activities.

...

[Source: ANCR Notice Record v1 – Specification]

Personally Identifiable Information (PII)

Any information that (a) can be used to identify the PII Principal to whom Personally Identifiable Information relates, or (b) is or might be directly or indirectly linked to a PII Principal.

...

[Source: Conv. 108+ Rec 16]

PII that is in a Sensitive (or Special) Category

What constitutes Sensitive PII is defined explicitly in legislation; however, the definition might vary across jurisdictions. Sensitive PII might include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII Principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant emotional, psychological, or financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII Principal’s real time location.

...

[Source: Conv. 108+ Rec. 29]

PII Principal (also Data Subject or Individual)

The natural person to whom the personally identifiable information (PII) relates.

...

Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

[Additive: PIPEDA 4.9]

PII Controller

A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.

...

[Source: Conv 108+ Art 3(8)]

PII Sub-Controller [Proposed]

In an IoT use case of a smart building, in which the building controller leases a space to a bank, the building Controller delegates a PII Controller Credential to the bank for that space and its defined geo-location, for data governance of security and privacy.

PII Joint Controller

Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.

...

[Source: Conv 108+ Art 86.1]

PII Processor

A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII Controller.

...

[Source: Conv. 108+ Art 3(12)]

PII Sub-Processor [Additive]

Refers to the PII Controller type in the ANCR record specification.

...

[Additive: W3C DPV 2.3.1.6 http://w3c.github.io/dpv/dpv/ ]

Processing of PII

An operation or set of operations performed on personally identifiable information (PII).

...

[Source: Convention 108+]

PII Regulator

Refers to a government authority responsible for the enforcement of privacy and data protection regulation. Referred to also as a Data Governance Authority, a Data Protection Authority (DPA) or simply Privacy Regulator.

Privacy Stakeholder

A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.

...

[Source: Conv.108+ Art 51(c)]

ISO/IEC 29100 to 27000: Security Framework Mapping

Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts

ISO/IEC 29100 concepts              Correspondence with ISO/IEC 27000 concepts
Privacy stakeholder                 Stakeholder
PII                                 Information asset
Privacy breach                      Information security incident
Privacy control                     Control
Privacy risk                        Risk
Privacy risk management             Risk management
Privacy safeguarding requirements   Control objectives

[Source: ISO/IEC 29100: Annex A]

Standard Concentric clauses

Standard Concentric Clauses implement 29184 compliance controls and Privacy Service Agreements [ISO/IEC TS 27570: 3.22]

...

These clauses MUST be employed in a manner to scale the expectations of the PII Principal online, to facilitate data governance interoperability and transborder adequacy of electronic consent.

Third Party (or 3rd Party)

A privacy stakeholder other than the personally identifiable information (PII) principal, the PII Controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII Principal, PII Controller or the PII processor. This refers to, for example, government, police, telecoms and relying parties. In all roles, the stakeholder is also considered to have a controller identity.

...

[Source: Convention 108 Art 3.14]

Open Notice PII Controller Credential Schema

TABLE 1: NOTICE RECORD SCHEMA

  1. adds the technical attributes

...