...
Table 1: Transparency Performance Rating
Rating |
|---|
Description
Instruction
TPI 1 - Timing (wrt to processing) | TP2 | TPI3 Accessibility (trans performance) | TPI4 - digital security |
|---|---|---|---|
+1 (assured) | Before [Transparency of control/governance - Before, during or after processing ] | +1 - credential is registered and present | Controller identity is |
PII Controller credential is displayed, using a standard format with machine readable language and linked, for example, in an http header in a browser
presented prior to data collection - e | Security is required prior to collection (digital wallet based) | |||
0(dynamic assurance) | Just In time | 0 credential is presented just in time (automated check and first time notice) | Embedded as a credential linked to authoritative registries. | is assured -e.g. certificate is specific to and matches controller and context |
-1 (analogue assurance - online) | During | controller information is accessible during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | not-specific to controller - does not match jurisdiction |
-2 - (not mandatory in flow) | Available | Controller information is linked | is linked not presented | does not match ou |
- 3 ( non operative) | After | Controller information not present | Identity or credential is not accessible in context - e.g. two or more screens of view away, or privacy contact is mailing g address and non operative in context of data collection. | is not valid or secure provider |
TPI Instruction and Guidance
Rating - Instruction | TPI 1 - Timing (wrt to processing) | TP2 - Required Info Presentation | TPI3 Accessibility (trans performance) | TPI4 - Digital Security |
|---|---|---|---|---|
+1 (assured) | PII Controller credential is displayed, using a standard format with machine readable language and linked, for example, in an http header in a browser | Controller is discoverable automatically prior to session (out of band) in a machine readable format. Number of ways | Controller identity is presented prior to data collection | Security is required prior to collection (digital wallet based) |
0(dynamic assurance) | PII Controller Identity or credential is provided in first notice | 0 credential is presented just in time (automated check and first time notice) | Embedded as a credential and dynamically available upon access (almost just in time) | is assured -e.g. certificate is specific to and matches controller and context |
-1 (analogue assurance - online) | The Controller Identity, or screen with the Controller Identity is one screen and click away. For example, the privacy policy link in the footer of a webpage | controller information is accessible (not presented) during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be |
PII Controller Identity or credential is provided in first notice
-1
Privacy signal Is not first presented – but is linked and one click and screen away
The Controller Identity, or screen with the Controller Identity is one screen and click away. For example, the privacy policy link in the footer of a webpage
- 3
not-specific to controller - does not match jurisdiction | ||||
-2 - (not mandatory in flow) | Controller Credential information is linked during collection | is linked not presented | does not match ou | |
-3 ( non operative) | PII Controller Identity is not accessible enough to be considered ‘provided’ | Controller information not present | Identity or credential is not accessible in context - e.g. two or more screens of view away |
, or privacy contact is mailing g address and non operative in context of data collection. | is not valid, secure, or recognized provider. |
Table 2: TPI Schema
TPI 1 | ||
|---|---|---|
Notification Timing | ||
Timing of Data Collection |
...