...

For Operational Transparency

Version: 0.8.8.3.1

Document Date: Aug 24, 2022

...

Finally, the Anchored Notice Record (the private notice record) is specified here as a separate record, with the security considerations required for generating consent records for identity management systems.

In this specification the PII Principal manages consent, and identity systems manage a permission grant defined by the notified purpose and by what the PII Principal expects in context. To this point, this specification focuses on the transparency of a controller, with extensions for extending this transparency to services with a purpose specification protocol as outlined in the attached Annex. This affects security by reducing or eliminating the exchange and exposure of PII, its need for protection and its future attack surface.

Abstract:

Currently, when online services are involved, the PII Principal (referred to as the Data Subject or Individual in this proposed standard) is unable to see who is in control of processing their personal data before it is processed, shared or disclosed. There is no way to assert authority up front, to determine, imply or negotiate the conditions of data processing, identifier generation and its management, or even to establish a trust protocol to engage with.

...

This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, becoming the Consent and Information Sharing WG in 2015, created to standardize transparency as an alternative to custom terms and conditions, user licenses and contracts. This standard recommends a methodology that leverages legal and technical standards for transparency to supersede, or at least be comparable to, the use of terms and conditions, addressing security breaches and the lack of transparency with a dual record and receipt system for a common landscape of data control interoperability.

KPI 1 – Notice of Identity of Controller

KPI 2 – Accessibility of Notice

KPI 3 – Security Certificate of Notified Controller

IPR Option:

...

Public international laws and standards for digital records and receipts promise to dramatically lower the cost of security and increase the effectiveness of digital privacy. The use of the ISO/IEC 29100 security and privacy framework for consented data access, control and transfer adequacy proposes a low-cost or free notice record framework for PII Principals (and Controllers), to facilitate governance by all privacy stakeholders and regulation by regulating authorities.

Key perspective: an internationally standard notice record information structure enables the PII Principal to generate records independently of the PII Controller, greatly decreasing the cost of security and increasing the effectiveness of privacy data controls for all stakeholders.

This ANCR WG Notice Record specification is introduced with an operational assessment of transparency over who is in control, and of how accessible privacy rights information is prior to processing personal data and before generating identifiers: a record to access the authority before authentication, and the authorizations created for processing personal data. This specification is a contribution to ongoing work at ISO/IEC SC27 WG5, utilizing ISO/IEC 29100 Security and privacy techniques to create a standardized record-of-processing format for notice records and consent receipts, generated through engaging with a notice. Generating a dual Notice

The record is specified for use in generating operational transparency with the controls in ISO/IEC 29184 Online privacy notices and consent (structure and controls). Operational transparency measurements are introduced in the introduction, while the Notice Record is specified in the body of the document. This specification has been developed in parallel with the work on ISO/IEC 27560 Consent record information structure, to operationalize transparency with Consent Notice Receipts (Annex B of ISO/IEC 29184), and with a presentation in September 2022 to complete the contribution of the Consent Receipt made by Kantara in 2018.


Operational Transparency

A stepping stone to digital privacy, in which human consent scales online (is interoperable) with rights to control data processing in multiple systems based on context.

...

  1. The PII Controller identity and privacy contact point

  2. The Accessibility of PII Controller Identity and Contact information,

  3. The security and integrity of the controller’s transparency

Notice Record Specification

elements assessed to provide a ‘Proof of Notice’ record for distributing evidence of consent, generating a record that utilizes ISO/IEC 29100 security and privacy techniques to assess the controls regarding the content and structure of online privacy notices (the scope of the ISO/IEC 29184 Online privacy notices and consent standard).

...

  1. Controller Identity and Contact information,

  2. The security and integrity of the controller’s transparency

Introduction

2 things to Preface

This specification is proposed to capture, measure and standardize transparency over the security and privacy practices of the PII Controller, starting with the identity and contact information of the Controller for operational use by the PII Principal. Correspondingly, it presents two legal requirements for implementing privacy and security, which are found in standards, laws and principles: one, to provide a notice prior to processing with the PII Controller identity, and two, to provide privacy contact information to the PII Principal.

This ANCR WG specification introduces the Notice Record as a method to capture a record of notice and to verify Consented Notice Records and Consent Receipts in the flow and exchange of personal data. It specifies with what, and how, a PII Principal can capture a record of notice and assess digital transparency, the state of security and the status of consent. Measuring whether transparency is operational for the PII Principal requires knowing who the PII Controller is and whether the PII Controller contact information can be used to query the status of privacy and consent.

The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, it represents a shift in the architecture of digital identity semantics toward legal semantics specific to human-centric transparency, usability and control.

For this purpose the ANCR record is first specified as a single-use record that the Individual controls, with three transparency performance indicators. It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The KPIs provided here are specified to provide transparency over data control and its governance (Operational Transparency).

...

Table 1: Single Use Notice Record: PII Controller Identity & Contact Transparency Report

Field Name | Field Description | Requirement (MUST, SHALL, MAY) | Field Data Example
Notice Location | Location the notice was read/observed | MUST | https://www.walmart.com
PII Controller Name | Name of presented business | MUST | Walmart
Controller Address | The physical address of the controller and/or accountable person | MUST | 1940 Argentina Road, Mississauga, Ontario L5N 1P9
PII Controller Contact Type | Contact method for correspondence with the PII Controller | MUST | Email, phone
PII Controller Correspondence Contact | General contact point | SHALL | Privacy@org.com
Privacy Contact Type | The contact method provided for access to the privacy contact | MUST | email
Privacy Contact Point | Location/address of the contact point | MUST | Org.com/privacy.html
Session Certificate | A certificate for monitored practice | OPTIONAL | E.g., SSL/TLS certificate (security and transparency)

Anchoring the Notice Record for Trust

...

Table 2: Notice Record Assessment

KPI 1: Available / Not available. KPI 2: Rate -3, -1, 0, +1, +2. KPI 3 (Certificate or Key): CN matches; OU match; Jurisdiction match (optional).

Field Name | Field Description | Requirement (MUST, SHALL, MAY) | KPI 1 | KPI 2 | KPI 3
Notice Location | Location the notice was read/observed | MUST | present | +2 | found
PII Controller Name | Name of presented organization | MUST | present | 1 | Match
PII Controller Address | Physical organization address | MUST | present | 0 | Not match
Privacy Contact Point | Location/address of the contact point | MUST | present | 1 | Not match
Privacy Contact Method | Contact method for correspondence with the PII Controller | MUST | present | -1 | No match
Correspondence Contact Method | General contact point | SHALL | present | 1 | Not match
Session key or Certificate | A certificate for monitored practice | MUST | Not found | 2 |

Notice Record References

...

Security

Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts

ISO/IEC 29100 concept | Correspondence with ISO/IEC 27000 concept
Privacy stakeholder | Stakeholder
PII | Information asset
Privacy breach | Information security incident
Privacy control | Control
Privacy risk | Risk
Privacy risk management | Risk management
Privacy safeguarding requirements | Control objectives

[Source: ISO/IEC 29100, Annex A]

...

These are the schema elements used to generate an un-anchored notice record; they do not contain any PII or digital identifiers.

Field Cat | Name | Object Description | Presence Requirement
PII Controller Identity | Object | _ | Required
 | Presented Name of Service Provider | name of service, e.g. Microsoft | May
 | PII Controller Name | Company / organization name | MUST
 | PII Controller address | _ | MUST
 | PII Controller contact email | correspondence email | MUST
 | PII Controller jurisdiction legal reference | PII Controller operating privacy law | MUST
 | PII Controller Phone | The general correspondence phone number | SHOULD
 | PII Controller Website | URL of website (or link to controller application) | MUST
 | PII Controller Certificate | A capture of the website SSL/TLS certificate | OPTIONAL
Privacy Contact Point Location | pcpL | |
Privacy Contact Point Types (pcpT) | Object | Must have at least one field for the PCP object | MUST
 | PCP-Profile | Privacy Access Point Profile | **
 | PCP-InPerson | In-person access to privacy contact | **
 | PCP-Email | PAP email | **
 | PCP-Phone | Privacy access phone | **
 | PCP-PIP-URI | privacy info access point, URI | **
 | PCP-Form | Privacy access form URI | **
 | PCP-Bot | privacy bot, URI | **
 | PCP-CoP | code of practice certificate, URI of public directory with pub-key | **
 | PCP-Other | Other | **
PCP Policy | pcpp | privacy policy, URI with standard consent label clauses | MUST

Proof of Notice Record Schema

...

This is the legally required information for proof of notice. This event information is needed for a legal chain of evidence, in which PII is added to the record but blinded and secured, starting with the private ANCR Record ID, which the PII Principal can use to aggregate operational transparency information for more advanced use in context.

Field Cat | Field Name | Description | Presence
 | ANCR Record ID | Blinded identifier secret to the PII Principal | Required
 | Schema version | |
 | Timestamp | The time and date when the ANCR record was created | Required
 | Legal Justification | One of six legal justifications used for processing personal data |
Notice Record | Object labels | |
 | Notice Type | Notice, notification, disclosure | Required
 | Notice legal location | The location or region in which the PII Principal read the information |
 | Notice presentation method | Website | MUST
 | Online notice location | Notice location, e.g. IP address | MUST
 | Location Certificate | | MAY
 | Notice Language | The language the notice is provided in | MUST
 | Notice Text File | URL and/or hashlink for the notice text | MUST
 | Notice text | The capture of a copy of the notification text | MUST
 | Notified legal Justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST
Concentric Notice Label | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL
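The Proof of Notice fields above (a blinded ANCR Record ID secret to the PII Principal, a timestamp, the captured notice text together with a hashlink of it) and the KPI 3 certificate match of Table 2 can be exercised in code. The following is an added example written for this page; it is not the ANCR WG's own code and not a normative algorithm. The record layout follows the field names above, but the "hl:sha256:<hex>" hashlink form (a simplified hashlink, not the full multihash/multibase encoding), the HMAC-SHA256 blinding under a secret held only by the PII Principal, the CN/OU/C comparison rules, and the sample controller "Example Inc" at www.example.com are all illustrative assumptions.

```python
"""Proof-of-notice record: blinded ANCR Record ID, hashlink of the captured
notice text, and the KPI 3 session-certificate subject match.

Added illustration for this page, not ANCR WG code. Assumptions: the
"hl:sha256:<hex>" hashlink form, HMAC-SHA256 blinding under a PII
Principal secret, and the CN / OU / C rules in kpi3_certificate_match().
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import urlparse

SCHEMA_VERSION = "0.8.8.3.1"  # this draft's version, used here as the schema tag


def hashlink(notice_text: str) -> str:
    """Content address of the captured notice text. Any later edit to the
    stored copy changes this value, which is what makes the capture evidence."""
    return "hl:sha256:" + hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def blinded_record_id(principal_secret: bytes, controller_name: str,
                      notice_location: str, timestamp: str) -> str:
    """ANCR Record ID: an HMAC over the notice context keyed with a secret only
    the PII Principal holds. The Controller cannot compute or link it, while
    the Principal can recompute it from the same inputs to aggregate records."""
    msg = "\n".join([controller_name, notice_location, timestamp]).encode("utf-8")
    return hmac.new(principal_secret, msg, hashlib.sha256).hexdigest()


def build_proof_of_notice(principal_secret: bytes, controller: dict,
                          notice_location: str, notice_text: str,
                          language: str = "en", notice_type: str = "notice",
                          legal_justification: str = "consent",
                          timestamp: str = None) -> dict:
    """Assemble the Proof of Notice record from the fields listed on this page."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "ancr_record_id": blinded_record_id(principal_secret, controller["name"],
                                            notice_location, ts),
        "schema_version": SCHEMA_VERSION,
        "timestamp": ts,
        "pii_controller": dict(controller),
        "notice": {
            "type": notice_type,
            "presentation_method": "website",
            "location": notice_location,
            "language": language,            # ISO 639-1 code
            "text_file": hashlink(notice_text),
            "text": notice_text,
            "notified_legal_justification": legal_justification,
        },
    }


def verify_notice_text(record: dict) -> bool:
    """Recompute the hashlink over the stored text; False means the copy was altered."""
    return hmac.compare_digest(hashlink(record["notice"]["text"]),
                               record["notice"]["text_file"])


def _norm(value: str) -> str:
    return " ".join(value.lower().split())


def kpi3_certificate_match(record: dict, cert_subject: dict,
                           jurisdiction_cc: str = None) -> dict:
    """KPI 3 from Table 2: does the session certificate identify the notified
    Controller? cert_subject is the parsed X.509 subject as a dict of RDN
    attributes, e.g. {"CN": "www.example.com", "O": "Example Inc", "C": "CA"},
    extracted beforehand (no TLS connection is made here). CN is matched
    against the notice host, OU or O against the Controller name, and C
    against the notified jurisdiction when one is given."""
    host = urlparse(record["notice"]["location"]).hostname or ""
    cn = cert_subject.get("CN", "")
    cn_ok = _norm(cn) == _norm(host) or (cn.startswith("*.") and host.endswith(cn[1:]))
    ctrl = _norm(record["pii_controller"]["name"])
    ou_ok = any(_norm(v) and (ctrl in _norm(v) or _norm(v) in ctrl)
                for v in (cert_subject.get("OU", ""), cert_subject.get("O", "")))
    result = {"cn_match": cn_ok, "ou_match": ou_ok}
    if jurisdiction_cc is not None:
        result["jurisdiction_match"] = cert_subject.get("C", "").upper() == jurisdiction_cc.upper()
    return result


if __name__ == "__main__":
    # Constructed sample input, not captured from a real controller.
    secret = secrets.token_bytes(32)          # held only by the PII Principal
    controller = {"name": "Example Inc", "address": "1 Example Road, Mississauga, Ontario",
                  "contact_email": "privacy@example.com", "jurisdiction": "CA"}
    rec = build_proof_of_notice(secret, controller, "https://www.example.com/privacy",
                                "We collect your email address to send order receipts.")
    print(rec["ancr_record_id"], rec["notice"]["text_file"])
    print("text intact:", verify_notice_text(rec))
    # An OV certificate naming the organisation satisfies KPI 3; a DV certificate
    # (CN only) matches the host but cannot confirm the Controller.
    print(kpi3_certificate_match(rec, {"CN": "www.example.com", "O": "Example Inc", "C": "CA"}, "CA"))
    print(kpi3_certificate_match(rec, {"CN": "*.example.com"}))
```

Two points worth noting when applying this. The blinded ID is reproducible only by whoever holds the Principal's secret, so the same secret must be used across records for aggregation to work, and it must never be disclosed to the Controller. And a domain-validated TLS certificate carries no O or OU attribute, so the OU match of KPI 3 fails for the majority of websites even when the CN matches; only an organisation-validated certificate can actually tie the session to the notified Controller.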

Private Notice Record Schema

...

*** PII Controller consent record must have consent first before making one. E.g. authority to use this for security (non-compliant). ***

ANCR Record Field Name | Description | Required/Optional | Security Consideration
schema version | A number used by the PII Principal to track the PII Controller record | Optional (unless shared or used further) |
Security consideration options used in this table: Blinded; Pseudonymized; Anonymized; Verified Credential Attribute
Anchor Notice Record id # | | MUST |
Date/Time | | Required |
Notice Collection method | Notice presentation UI type | optional |
Notice Collection Location | URL or digital address and location of the notice UI | required |
Notice Legal Justification | One of the six legal justifications (ISO, GDPR, C108) | |
PII Principal Legal Location | | optional |
Device Type | | May |
PII Principal Private Key | | |

Notice Record Security

...

[GDPR] General Data Protection Regulation, http://www.eugdpr.org/article-summaries.html

[ISO 639] ISO 639-1:2002, Codes for the representation of names of languages — Part 1: Alpha-2 code https://www.iso.org/standard/22109.html

...

  • A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Receipts generated from the same schema can be compared to automate notification of changes to the privacy state, for operational transparency.

  • A 2fN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administer privacy rights from the notice prior to processing with consent.

  • The consent receipts produced from a 2fN can be compared independently for differences in the state and status of privacy, to automatically produce a notification based on the difference in state.

  • Differential transparency, produced with a tactile signal or layer 1 notice indicator, standardized with a machine-readable data privacy vocabulary (concentric and synchronic transparency).

ANNEX B

...

These are mapped here to provide a set of operational transparency defaults that set and support privacy as expected by the PII Principal: expectations that provide a privacy notice starting point, where PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing in order to access privacy rights.

Legal Justification | Description | Concentric Notice Type | Privacy Rights / PII Controls | Reference
Vital Interest | Refers to processing ‘which is essential for the life of the data subject or that of another natural person’. Processing of personal data | Implied/implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f)
Explicit Consent Notice | Explicit consent to processing for one or more specified purposes | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object/Withdraw, Restrict, Portability | 29184, 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a)
Implicit consent notice | And where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e)
Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | CoE 108+ 10.2(b)
Contractual Necessity | | Implied consent | Restrict Processing, Object | 29184, 5.4.2; Conv.108+ (43)
Legitimate Interest | | Implied consent | Object and restrict processing | 29184, 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d)
Public Interest | Democratically framed | Implied Consent/Consensus | | 29184, 5.4.2; Conv.108+ 10.2(i, g, j)
Legal Obligation | Processing is necessary for the establishment, exercise or defense of legal claims | | | ISO/IEC 29184, 5.4.2; Conv.108+ (f)

Note: Participatory Consensus, and Concentric data control are two outcome specific conditions that will be added to this specification to include an assessment for operational evidence of these two outcomes.

...

access to privacy rights and information, made meaningful through a direct mapping to specific rights, obligations and customs of interaction for data processing, which are enforceable with the references.

Concentric Notice Type | Description | Legal Justification | Privacy Rights (GDPR) | Legal Ref
Non-Operational Notice (N/O) | Not enough notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or contact | Withdraw, Object, Restrict, Access/Edit, Forget | Conv.108+ 79.1(a); GDPR Art 13/14 1(a),(b)
Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | |
Implied Consent Notice | Implied through the PII Principal's participation in a specific context, or through a notice from the PII Controller for a specific purpose context. Can also refer to an existing state of privacy and its established status, aka ‘applied consent’ to data processing. | consent | | ISO/IEC; GDPR Art 50 1 c; Conv.108+; Supplement: IPC, Canada
Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal | Legitimate interest, Contract, Legal obligation | Object, Restrict |
Expressed Consent notice | Expressed through the implicit action of a notified individual | Informed Consent | Withdraw |
Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable | Consent which is knowledgeable of risk | Withdraw | Conv.108+ .1(4)1b; GDPR Art 7.1
Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to disclosures of risks that are notified | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h)
Altruistic Consent | Not knowing who the Controller of PII will be: consent to a purpose and public benefit governance framework, without knowing who the beneficiary is | Consent | | DGA, Recitals 1, 2, 4, 36, 39

Annex C: ANCR Record Extension Protocol

...

ANCR to 27560 Schema (in draft for v08.6 - 0.9)

Columns: ANCR Consent Receipt Section | Label | Variations | Description | 27560 Term | Reference

1. Header: Control Object
ANCR ID | Specified to be a root recorded identifier | The notice record id is used as the root identifier for linking records about the status of privacy with that controller | 27560 term: Record id
schema version | same

PII Controller Identity Object
PII Controller Name
PII Controller address
correspondence contact email
correspondence jurisdiction privacy regulation
correspondence phone
correspondence website
correspondence website SSL certificate
non-operational privacy contact point

Privacy Contact Point Object (must have at least one field for the PCP object)
PCP-Profile | Privacy Access Point Profile
PCP-InPerson | In-person access to privacy contact
PCP-Email | PCP email
PCP-Phone | Privacy access phone
PCP-PIP-URI | privacy info access point, URI
PCP-Form | Privacy access form URI
PCP-Bot | privacy bot, URI
PCP-CoPC | code of practice certificate, URI
PCP-Social | Network:handle
PCP-Other | Other
PCP Policy | PCP privacy policy, URI
ANCR focuses on a KPI for the transparency performance of the privacy contact access point.

Proof of Notice Object
Object label | Description
Notice Type | Notice, notification, disclosure
Notice method | Link / URL to the UI that was used to present the notice, e.g. website home page
Digital notice location | Notice location, e.g. IP address
Location Certificate |
Notice Language | The language the notice is provided in
Notice Text File | URL and/or hashlink for the notice text
Notice text | The capture of a copy of the notification text
Notified legal Justification | Implied or explicit notified legal justification based on the text of a notice and its context
PII controller risks | Uses notice type, which would be equivalent to event type in 27560
Concentric Notice Label | Different, but incorporates how to frame 27560-defined consent types; categorizes notice labels to indicate the protocol for rights access and inherent risks | Reference: 29184 purpose specification

2. Purpose Spec Object
Purpose ID
Service Name
Purpose name
Purpose Description
Plausible Risk (can data control impact assessment)
Purpose Type
Legal justification | 27560 term: Lawful basis
Sensitive PII Category | 27560 term: Special PII Category
PII Principal Category
PII Processors
PII Sub-processors
Risk notice disclosure (new) | Reference: ISO/IEC 29184, Service Notice Risks
PII Principal Category

3. Treatment
Attribute Id
Notified Collection method | 27560 term: Collection method
expiration
Storage location
Retention period
Processing location restrictions
Duration
State | Justification for processing (state of privacy)
status
termination

4. a) Code of Conduct
Inherent to concentric labels. Rights objects: withdraw, object, restrict, access and rectification, termination of justification
Regulated practice, approved by regulator or legislated
Rights
Notice Defaults
Data portability
FoI Access & Rectification

4. b) Code of Practice
CoP-ID
Surveillance Code of Practice
Certified practice
Children’s Design Code of Practice
Operational Privacy Code of Practice

Terms (wip)

...

Revision history

Version | Date | Summary of Substantive Changes
0.1 DRAFT | 2021-02-28 | Initial v1.1 draft
0.5 | 2022-02-02 | Draft, updating scope to Notice and eConsent
0.8 | 2022-07-04 | Full outline / 70% drafted
0.8.5 | 2022-08-04 | Outline 100% draft, posted to Kantara Wiki
8.8.2 | | Annex updates
8.8.3 | | Restructured sections and schema, cleaned the schema up a little (practising what is preached by making the spec structure human centric)
8.8.3.1 | 2022-08-24 | Operational Privacy, Notice Record
8.8.5 | | Full reference draft
8.8.9 | | Annex