Anchored Notice and Consent Receipt (ANCR) Record
For Operational Transparency
Version: 0.8.8.4
Document Date: Aug 26xx, 2022
Editor(s): Mark Lizar
...
Contributing Orgs: Global Privacy Rights, Human Colossus Foundation,
Produced by: ANCR-WG m
Status: WG Draft v0.8.7 – 8.9 (completing and polishing)
...
A record of processing provides transparency over who is accountable and is a pre-condition for processing PII with scalable governance and security. Operational transparency carries human context and understanding into systems at scale. Transparency over data control is used here to regulate online surveillance much as transaction receipts, bank accounts and currency are regulated and tracked today.
...
Currently, when online services are involved, the PII Principal (referred to as the Data Subject or Individual in this proposed standard) is unable to see who is in control of processing their personal data before it is processed, shared or disclosed. There is no way to assert authority up front, to determine, imply or negotiate the conditions of data processing, identifier generation or its management, or even to establish a trust protocol to engage with.
...
This Kantara Initiative work effort began when the Liberty Alliance became the Kantara Initiative, and it became the Consent and Information Sharing WG in 2015. It was created to standardize transparency as an alternative to custom terms and conditions, user licenses and contracts. This standard recommends a methodology that leverages legal and technical standards for transparency to supersede, or at least be comparable to, the use of terms and conditions:
TPI 1 – Notice of Identity of Controller
TPI 2 – Accessibility of Notice
TPI 3 – Security Certificate of Notified Controller
...
Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)
Suggested Citation:
ANCR Specification v0vX.8X.5.3 X
NOTICE
This document has been prepared by Participants of Kantara Initiative, Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available.
...
...
...
Public international laws and standards for digital records and receipts promise to dramatically lower the cost of security and increase the effectiveness of digital privacy. The use of the ISO/IEC 29100 privacy framework for consented data access, control and transfer adequacy provides a low cost, or free, notice record framework for PII Principals (and Controllers), to facilitate governance and regulation by all privacy stakeholders and by regulating authorities.
...
This specification is a contribution to ongoing work at ISO/IEC SC 27 WG 5, utilizing ISO/IEC 29100 to create a standardized record of processing format for notice records and consent receipts that are generated by engaging with a notice.
...
A stepping stone to digital privacy, in which human consent scales online and is interoperable with rights to control data processing in multiple systems based on context.
The notice record information structure is specified in this document with the freely available ISO/IEC 29100 privacy framework and is used to measure the performance of transparency with the controls specified in ISO/IEC 29184. A standardized digital notice is the gateway through which human consent scales online; electronic consent includes the digital identifier governance defaults for dynamic, interoperable data control and governance between humans and technical systems.
In the introduction of this specification, an example notice record along with three transparency performance indicators (TPIs) are used to demonstrate how a minimum notice record information structure can be used to create a transparency record that the PII Principal controls and trusts.
These TPIs are:
The PII Controller identity and privacy contact point
The accessibility of the PII Controller identity and contact information
The security and integrity of the controller's transparency
...
To operationalize the TPIs, this specification introduces a concentric notice label field, which is used to specify the overlapping 'expectations' based on the legal justification for processing. These are used to present a consistent transparency notice of control and of community/contextual privacy right defaults for the context of processing. This is used to supersede terms and conditions with privacy defaults and personal data controls.
This specification is proposed to capture, measure and standardize transparency over the security and privacy practices of the PII Controller, starting with the PII Controller identity and contact information for operational use by the PII Principal.
...
The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, it represents a shift in the architecture of digital identity semantics towards legal semantics specific to human-centric transparency, usability and control.
For this purpose, the ANCR record is first specified as a single use record that the Individual controls, with three transparency performance indicators, so as to generate a record the Individual can own, control and trust. The TPIs provided here are specified to provide transparency over data control and its governance (operational transparency).
This is a trust protocol of transparency before surveillance, in which a notice or notification presented to the PII Principal generates a receipt from an ANCR record, presenting significant security and privacy benefits that assist in distributing and decentralizing stronger security decisions.
...
...
The notice record is first specified as a static, one-time use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context, measured by access to, and performance of, rights.
...
...
Field Name | Field Description | Requirement: MUST, SHALL, MAY | Field Data Example |
---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of the controller and/or accountable person | MUST | 1940 Argentia Road, Mississauga, Ontario L5N 1P9 |
PII Controller Contact Type | Contact method for correspondence with the PII Controller | MUST | Email, phone |
PII Controller Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The contact method provided for access to the privacy contact | MUST | |
Privacy Contact Point | Location/address of the privacy contact point | MUST | |
Session Certificate | A certificate for the monitored practice | OPTIONAL | e.g., TLS/SSL server certificate and certificate transparency |
...
...
Without a record identifier added to each record, this initial record is an un-anchored notice record. It can be extended for use as a trust anchor for the PII Principal by adding an ANCR Record ID, used to track the PII Controller and the data processing relationship over time.
As a trust anchor, it becomes a record the individual can use to verify the digital identity relationship, secured and validated by the person, for a digital privacy context in a system.
...
that can be expected. In this way an anchored notice record is a gateway to scale consent online and internationally.
The first two TPIs measure the transparency of the PII Controller identity information that is required to be 'provided', as provision of this information on or before data processing is a condition of adequacy and compliance for all digital identifier-based processing activities. An ANCR Record is a record of a processing activity that demonstrates this compliance, referenced to the standards maintained by ISO/IEC and to the GDPR and Convention 108+, which are references for enforceable multinational (or international) privacy laws.
Once transparency is qualified as operational there is an optional third TPI. It is used to assess the contextual integrity of the security of the transparency assessed in TPI 1 and 2, but only if the transparency 'provided' is operational.
The security TPI requires that the ANCR notice record is compared to a session certificate, to see if the PII Controller identity information is the same as, or mutually linked to, the controlling entity in the associated security certificate, e.g., whether the TLS/SSL certificate and domain DNS information match the PII Controller identity.
...
and regulation evolved from the Fair Information Practice Principles to be enforceable in multinational regulation, the GDPR (General Data Protection Regulation), and in international regulation, the Council of Europe Convention 108+.
Once the capacity for digital privacy is measured to be operational, the third performance indicator can then be used to measure the security certificate or key for its contextual integrity in the specific session or context.
TPI 1 assesses whether the required information is 'provided': transparency over who is in control of the notice and of the personal information. For the MUST fields, is there enough information to verify the controller identity and to contact the PII Controller in order to access and use privacy rights?
The MUST fields identify elements that legislation requires to be present.
Is there a
...
...
...
TPI 2: Transparency Accessibility
...
How accessible are the PII Controller and privacy contact information?
For example, in the context of a website or a mobile device, how difficult is it to access the 'provided' information? How many clicks, or screens, away is the required information?
TPI 2 – Example Accessibility Rating
This example transparency accessibility rating is provided in the context of a browser or mobile device, with a mobile application or webpage providing the client user interface.
The rating, a score of +2, +1, 0, -1 or -3, is determined by the number of steps, screens or clicks required to find the 'provided' information.
Transparency Accessibility Rating description table 2
Rating | Description | Instruction |
---|---|---|
+2 | PII Controller identity is automatically or dynamically discoverable | |
+1 | Embedded and linked for auto-discovery | PII Controller credential is displayed using a standard format with machine-readable language and linked, for example in an HTTP header |
0 | PII Controller identity prominently displayed on first view, prior to processing | PII Controller identity or credential is provided in the first notice |
-1 | Privacy signal is not presented first but is linked, one click and one screen away | The controller identity, or the screen with the controller identity, is one screen and one click away; for example, the privacy policy link in the footer of a webpage |
-3 | Identity or credential is two or more screens of view away (fail) | PII Controller identity is not accessible enough to be considered 'provided' |
...
...
...
TPI 3: Certificate
...
Certificate status and transparency are further indicators of the security and appropriateness of processing. This TPI uses standards to measure the certificate. This includes checking the TLS/SSL certificate, its cryptography, the organizational unit (e.g., for corroboration and integrity), object identifiers, the Common Name and the jurisdiction, and whether these align with the notified PII Controller identity.
...
& Key Security Integrity Performance
This security performance indicator requires that the notice record session certificate is collected and used to check if the PII Controller identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the TLS (formerly SSL, Secure Sockets Layer) certificate identify the controller, and is it secured for the jurisdictional domain and DNS information (as a required digital privacy measure of adequacy)? Note that a domain-validated certificate carries no organization name or jurisdiction fields: it proves control of the DNS name only, so the identity comparison can only be made against an organization-validated or extended-validation certificate.
Certificate status and transparency are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller's digital integrity.
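The comparison TPI 3 describes can be automated against the certificate the notice location actually presents. The following Python is an added example written for this page, not ANCR WG code: it takes the certificate in the dictionary layout that Python's standard-library `ssl.SSLSocket.getpeercert()` returns and compares the subject and subjectAltName fields against the notice record's controller fields, reporting per-field results in the same Match / Not match / Not found terms as the TPI report. The record keys (`pii_controller_name`, `pii_controller_jurisdiction` as a country code, `notice_location`), the loose organization-name normalization and the sample certificate are this example's own constructions.

```python
"""TPI 3 check: compare a notice record's PII Controller identity fields with
the TLS certificate presented by the notice location.
Added example; assumes the dict layout returned by ssl.getpeercert()."""
import ssl
import time
from urllib.parse import urlparse

# Un-anchored notice record as captured by the PII Principal (constructed sample).
NOTICE_RECORD = {
    "notice_location": "https://www.example-controller.com/privacy",
    "pii_controller_name": "Example Controller Ltd",
    "pii_controller_jurisdiction": "CA",          # assumption: ISO country code
    "privacy_contact_point": "privacy@example-controller.com",
}

# Certificate in the dict shape returned by ssl.SSLSocket.getpeercert()
# (constructed sample; a real one comes from the live session).
SESSION_CERT = {
    "subject": (
        (("countryName", "CA"),),
        (("stateOrProvinceName", "Ontario"),),
        (("organizationName", "Example Controller Ltd"),),
        (("commonName", "www.example-controller.com"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example-controller.com"),
        ("DNS", "example-controller.com"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


def subject_field(cert, name):
    """Return the first value of a subject RDN attribute, e.g. 'organizationName'."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def dns_name_matches(pattern, host):
    """Minimal SAN match: exact name, or a single left-most wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def normalize_org(name):
    """Loose organization-name comparison: case-insensitive, legal-suffix noise dropped."""
    drop = {"ltd", "inc", "llc", "limited", "corp", "corporation"}
    tokens = [t.strip(".,").lower() for t in name.split()]
    return " ".join(t for t in tokens if t and t not in drop)


def tpi3_report(record, cert, now=None):
    """Per-field TPI 3 result plus a validity-window check on the certificate."""
    now = time.time() if now is None else now
    host = urlparse(record["notice_location"]).hostname or ""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = subject_field(cert, "organizationName")
    country = subject_field(cert, "countryName")
    valid = (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
             <= ssl.cert_time_to_seconds(cert["notAfter"]))
    name_result = ("Not found" if org is None else
                   "Match" if normalize_org(org) == normalize_org(record["pii_controller_name"])
                   else "Not match")
    juris_result = ("Not found" if country is None else
                    "Match" if country.upper() == record["pii_controller_jurisdiction"].upper()
                    else "Not match")
    return {
        "notice_location": "Match" if any(dns_name_matches(s, host) for s in sans) else "Not match",
        "pii_controller_name": name_result,
        "pii_controller_jurisdiction": juris_result,
        "certificate_valid": valid,
        # A DV certificate has no O= field: domain control only, no identity corroboration.
        "domain_validated_only": org is None,
    }


if __name__ == "__main__":
    for field, result in tpi3_report(NOTICE_RECORD, SESSION_CERT).items():
        print(f"{field:30} {result}")
```

On a live session, replace `SESSION_CERT` with the dict from `ssock.getpeercert()` on a connection made through `ssl.create_default_context()` to the notice host, so that chain validation has already happened before the identity comparison runs. The `domain_validated_only` flag is the caveat that matters in practice: most web certificates are domain-validated and carry no `organizationName`, in which case TPI 3 can only confirm that the notice location is served by whoever controls the DNS name, not who the PII Controller is.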
...
TPI Report
Field Name | Field Description | Requirement: MUST, SHALL, MAY | TPI 1: Available / Not available | TPI 2: Rating (-3, -1, 0, +1, +2) | TPI 3: Certificate or key CN matches |
---|---|---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | Present | +2 | Found |
PII Controller Name | Name of presented organization | MUST | Present | +1 | Match |
PII Controller Address | Physical organization address | MUST | Present | 0 | Not match |
Privacy Contact Point | Location/address of contact point | MUST | Present | +1 | Not match |
Privacy Contact Method | Contact method for correspondence with the PII Controller | MUST | Present | -1 | Not match |
Correspondence Contact Method | General contact point | SHALL | Present | +1 | Not match |
Session Key or Certificate | A certificate for the monitored practice | MUST | Present (or Not found) | +2 | Present (or No security detected) |
...
...
For the purposes of this specification, the following terms and definitions apply. Each is marked as normative, non-normative (to be used per context) or additive, in that it aids human understanding and data control.
...
— IEC Electropedia: available at http://www.electropedia.org/
...
...
For the international and cross-domain use of the records and receipts here, this document refers to the following:
ISO/IEC 29100:2011 Information technology - Security techniques - Privacy framework
ISO/IEC 29184 Online privacy notices and consent,
Fair Information Practice Principles (FTC) foundational principles
...
...
1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]
...
ISO/IEC 27561:2022 POMME
ISO/IEC 27560: WD5 2022
...
...
General Data Protection Regulation (GDPR)
Council of Europe Convention 108+ (Conv. 108+)
PIPEDA – Individual, Meaningful Consent,
...
...
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].
...
Array – an array of field objects
...
...
The definitions reference terms that are used in this specification to indicate what is normative, non-normative, and additive.
If a jurisdiction’s privacy terms are not compatible with this specification, these internationally defined terms can be mapped to jurisdiction and context specific terms. For example, PII Principal in this document maps to the term Data Subject in European GDPR legislation and the term individual in Canadian PIPEDA.
...
...
...
Type
Embeds individual participation and access into the engagement.
The last field in the ANCR record is the concentric notice type. This refers to a notice label that is provided by or to the PII Principal according to the default legal context of the data processing. The label acts as a short code for a presented notice, used to quickly see, or signal, the legal context of data processing and what digital privacy rights are typically accessible in that context, in order to start a session with the privacy expected by the PII Principal. This enables the PII Principal to negotiate and control the processing of personal data prior to being identified.
Note: Should link to notice modality risks, derogations and obligations.
The concentric notice types are specified in Annex C, which spans the breadth of concentric notice contexts from the individual's context and perspective and the full scope of legal consent types. They also include 'Directed Consent', where the PII Principal specifies, in part or in whole, a consented purpose, for high quality meaningful consent, and 'Altruistic Consent', which requires a certified code of practice (in this framework, extension 3) to derogate the legal obligation to identify the controller prior to processing.
[Source: ANCR Notice Record Annex C]
...
[Source Conv 108+ Rec.20]
...
...
Adhering to the openness, transparency and notice principle means:
...
Broadly refers to any surveillance or privacy notice, notification, disclosure, statement, policy, sign or signal used to indicate personal data processing.
[Source: ANCR Notice Record]
...
...
The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices and icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII principal can parse it to optimize the user interface and help PII principals make decisions.
...
That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
[Conv 108+ Rec 35]
...
...
When organizations should seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.
...
A record of a notice utilizing ISO/IEC 29100 and ISO/IEC 29184 for the schema structure and for controls regarding notice content. It is used to implement operational defaults (concentric notice types) and to demonstrate conformance to regulation, local and/or contextual, for the practice of surveillance in the processing of personally identifiable information.
[Source ANCR Notice Record]
Privacy Principles
The privacy principles of ISO/IEC 29100 originated in 1973 and have matured into international standards and laws.
Consent and choice
Purpose legitimacy and specification
Collection limitation
Data minimization
Use, retention and disclosure limitation
Accuracy and quality
Openness, transparency and notice
Individual participation and access
Accountability
Information security
Privacy compliance
[Source: ISO/IEC 29100 Table 3]
...
...
...
[Source: ISO/IEC 29184]
A record of notice that is generated to provide proof of how informed the individual is. It replaces terms and conditions, which have very little integrity and do not implement privacy rights.
Evidence of consent enables consent defaults.
[Source: ANCR WG]
...
...
Any information that (a) can be used to identify the PII Principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII Principal.
...
(‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(Source: Conv. 108+)
...
...
...
Individual
...
The natural person to whom the personally identifiable information (PII) relates.
...
Individual
[Additive: PIPEDA]
...
...
A privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.
...
Note: it may also be called data controller.
...
...
Covers multiple joint controller relationships including co-controllers, hierarchical, fiduciary, and code. Likely a type.
...
...
A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.
[SOURCE: ISO/IEC 29100]
...
...
An additional field to indicate a delegated processor.
...
...
An operation or set of operations performed on personally identifiable information (PII).
...
[Source. Convention 108+]
...
...
A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.
[SOURCE: ISO/IEC 29100]
[GDPR
[Conv
...
...
Table A.1 — Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts
ISO/IEC 29100 concept | Corresponding ISO/IEC 27000 concept |
---|---|
Privacy stakeholder | Stakeholder |
PII | Information asset |
Privacy breach | Information security incident |
Privacy control | Control |
Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
[Source: ISO/IEC 29100: Annex A]
...
...
A privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.
...
[Source: Convention 108 Art 3.14]
...
...
The ANCR Record is essentially a layered record schema; the first record is the minimum viable consent receipt record. This record collects no additional data beyond what the PII Principal would require to see in order to initiate an electronic notice and consent dialogue with some operational security assurance.
...
Note: the ANCR Notice Record ID is utilized to create and link new receipts, ensuring the provenance of the PII Principal's control of the ANCR record.
...
...
These are the schema elements used to generate an un-anchored notice record; they do not contain any PII or digital identifiers.
Field Category | Field Name | Object Description | Presence Requirement |
---|---|---|---|
PII Controller Identity | (object) | | Required |
| Presented Name of Service Provider | Name of service, e.g. Microsoft | MAY |
| PII Controller Name | Company / organization name | MUST |
| PII Controller Address | | MUST |
| PII Controller Contact Email | Correspondence email | MUST |
| PII Controller Jurisdiction Legal Reference | Privacy law under which the PII Controller operates | MUST |
| PII Controller Phone | The general correspondence phone number | SHOULD |
| PII Controller Website | URL of website (or link to controller application) | MUST |
| PII Controller Certificate | A capture of the website TLS/SSL certificate | OPTIONAL |
Privacy Contact Point Location | pcpL | | |
Privacy Contact Point Types (pcpT) | (object) | Must have at least one field for the PCP object | MUST |
| PCP-Profile | Privacy Access Point profile | ** |
| PCP-InPerson | In-person access to privacy contact | ** |
| PCP-Email | PAP email | ** |
| PCP-Phone | Privacy access phone | ** |
| PCP-PIP-URI | Privacy info access point, URI | ** |
| PCP-Form | Privacy access form URI | ** |
| PCP-Bot | Privacy bot, URI | ** |
| PCP-CoP | Code of practice certificate, URI of public directory with public key | ** |
| PCP-Other | Other | ** |
PCP Policy | pcpp | Privacy policy, URI with standard consent label clauses | MUST |
** At least one of the PCP type fields MUST be present.
...
...
A consent receipt, when provisioned with its proof of notice record, builds on the PII Controller identity and contact field base to generate a proof of notice record with PII fields, corresponding to a private proof of notice record.
This is the legally required information for proof of notice. This event information is needed for a legal chain of evidence, in which PII is added to the record but blinded and secured, starting with the private ANCR Record ID, which the PII Principal can use to aggregate operational transparency information for more advanced use in context.
Field Category | Field Name | Description | Presence |
---|---|---|---|
ANCR Record ID | | Blinded identifier secret to the PII Principal | Required |
Schema version | | | |
Timestamp | | The time and date when the ANCR record was created | Required |
Legal Justification | | One of six legal justifications used for processing personal data | |
Notice Record | (object labels) | | |
| Notice Type | Notice, notification, disclosure | Required |
Notice legal location | | The location or region in which the PII Principal read the information | |
| Notice presentation method | Website | MUST |
| Online notice location | Notice location, e.g. IP address | MUST |
| Location certificate | | MAY |
| Notice Language | The language the notice was provided in | MUST |
| Notice Text File | URL and/or hashlink for the notice text | MUST |
| Notice text | The capture of a copy of the notification text | MUST |
| Notified legal justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST |
Concentric Notice Label | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
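Anchoring in practice, as an added example that is not ANCR WG code: the ANCR Record ID is derived as an HMAC over the canonical un-anchored record under a secret only the PII Principal holds, so the ID is stable for the Principal across encounters with the same controller yet cannot be computed or linked by the controller or a processor; later receipts are chained to it the same way, and the captured notice text is pinned by a digest so that the proof of notice cannot be silently altered. The field names, the HMAC construction, the `sha256:` digest standing in for a Hashlink, and the allow-list of schema keys are all this example's assumptions.

```python
"""Anchoring a notice record: derive the ANCR Record ID as a blinded identifier
known only to the PII Principal, and link later receipts back to it.
Added example; field names and constructions are assumptions, not the spec's."""
import hashlib
import hmac
import json
import secrets

# Schema keys the anchored record may carry. Anything else (in particular any
# PII Principal identifier) is rejected before the record is stored or shared.
ALLOWED_KEYS = {
    "ancr_record_id", "schema_version", "timestamp", "legal_justification",
    "notice_type", "notice_legal_location", "notice_presentation_method",
    "online_notice_location", "notice_language", "notice_text_file",
    "notice_text_hashlink", "notified_legal_justification",
    "concentric_notice_label", "pii_controller",
}


def canonical(obj):
    """Deterministic JSON bytes so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def hashlink(notice_text):
    """Content digest of the captured notice text (plain sha256 stand-in for a Hashlink)."""
    return "sha256:" + hashlib.sha256(notice_text.encode()).hexdigest()


def anchor_record_id(unanchored, principal_secret):
    """Blinded record ID: HMAC over the un-anchored record under the Principal's secret.
    Deterministic for the Principal (meeting the same controller again yields the
    same anchor) and unlinkable for anyone without the secret."""
    return hmac.new(principal_secret, canonical(unanchored), hashlib.sha256).hexdigest()


def schema_violations(record):
    """Keys that are not part of the anchored-record schema (possible PII leakage)."""
    return sorted(set(record) - ALLOWED_KEYS)


def anchor(unanchored, principal_secret, timestamp, notice_text, **notice_fields):
    """Build the anchored record from the un-anchored controller record."""
    record = {
        "schema_version": "0.8.8",
        "ancr_record_id": anchor_record_id(unanchored, principal_secret),
        "timestamp": timestamp,
        "pii_controller": unanchored,
        "notice_text_hashlink": hashlink(notice_text),
        **notice_fields,
    }
    bad = schema_violations(record)
    if bad:
        raise ValueError(f"fields not in the ANCR schema (possible PII): {bad}")
    return record


def receipt_id(record, principal_secret, event_timestamp):
    """ID for a later receipt (e.g. a consent receipt) chained to the anchor."""
    msg = record["ancr_record_id"].encode() + b"|" + event_timestamp.encode()
    return hmac.new(principal_secret, msg, hashlib.sha256).hexdigest()


def receipt_links_to(record, receipt, principal_secret):
    """Only the holder of the secret can confirm a receipt belongs to this anchor."""
    expected = receipt_id(record, principal_secret, receipt["timestamp"])
    return hmac.compare_digest(expected, receipt["receipt_id"])


# Constructed sample: the un-anchored record captured under TPI 1.
UNANCHORED = {
    "pii_controller_name": "Example Controller Ltd",
    "pii_controller_address": "1 Example Street, Ottawa, Ontario",
    "pii_controller_website": "https://www.example-controller.com",
    "privacy_contact_point": "privacy@example-controller.com",
}
NOTICE_TEXT = "We use cookies and analytics. Controller: Example Controller Ltd."

if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # generated and held by the PII Principal only
    rec = anchor(UNANCHORED, secret, "2022-08-26T10:00:00Z", NOTICE_TEXT,
                 notice_type="notice", notice_language="en",
                 concentric_notice_label="implied-consent")
    rcpt = {"timestamp": "2022-09-01T12:00:00Z"}
    rcpt["receipt_id"] = receipt_id(rec, secret, rcpt["timestamp"])
    print(json.dumps(rec, indent=2))
    print("receipt linked:", receipt_links_to(rec, rcpt, secret))
    print("linked under another key:", receipt_links_to(rec, rcpt, secrets.token_bytes(32)))
```

The secret never leaves the Principal's device, which is what makes the record ID "blinded": a controller that receives a receipt sees an opaque 64-hex-character value and cannot correlate it with receipts given to other controllers, while the Principal can re-derive every link. If the Principal needs to prove the link to a third party (a regulator, for instance) without disclosing the secret, that is where the zero-knowledge or verifiable-credential presentation mentioned later in this document comes in; this example stops at the HMAC.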
...
...
These fields can be asserted by the PII Principal to extend the functionality beyond the transparency TPIs specified.
...
*** PII Controller consent record must have consent first before making . E.g., authority to use this for security (non-compliant). ***
ANCR Record Field Name | Description | Required/Optional | Security Consideration |
---|---|---|---|
Schema version | A number used by the PII Principal to track the PII Controller record | Optional (unless shared or used further) | Blinded, pseudonymized or anonymized identifier, or a verified credential attribute |
Anchored Notice Record ID # | | MUST | |
Date/Time | | Required | |
Notice collection method | Notice presentation UI type | Optional | |
Notice collection location | URL or digital address and location of the notice UI | Required | |
Notice legal justification | One of the six legal justifications (ISO, GDPR, Conv. 108+) | | |
PII Principal legal location | | Optional | |
Device type | | MAY | |
PII Principal private key | | | |
...
...
The Notice Record is first a tool of transparency, a private record with this minimal purpose. It is then extended into two records, the first being a private proof of notice record, which provides assurance that the PII Principal has read the notice. Impl
...
The KPIs provide transparency and security assurance to qualify the PII Controller before the controller processes personal information.
...
...
...
...
PII Principal identifying information MUST never be included in the ANCR Record specified here. When a consent receipt is provided, all PII Principal identifiers MUST be either blinded or pseudonymized, e.g., with a verifiable credential using a zero-knowledge proof. Any PII Controller consent records that combine raw personal identifiers with a consent record are therefore insecure, and those systems are considered non-operational and insecure.
This categorizes most of the current internet and identity infrastructure as non-operational from a security perspective. As a result, nearly all digital identifiers in an identifier management relationship produce raw PII for all parties, which requires security considerations. Access to and use of this record as a data source in these cases are achieved through extensions (Annex A).
...
...
...
...
ISO/IEC 27560 is used to generate a standard purpose-based notice and consent information and identifier structure. This is utilized by the ANCR Record schema and protocol to specify or audit a purpose for any legal justification.
The extension is written for the PII Controller, to enable the anchored record to be used as a verifiable data source for operationalizing a channel (exchange) where PII Principals can advertise a consent grant to the controller. (see Annex C)
...
...
Once specified, the W3C Data Privacy Vocabulary is used to specify the treatment of personal data.
...
...
Extending the ANCR Notice record, purpose specification and data treatment sections with a code of conduct (transparency practices) specified by industry, trade associations and civil registries (referred to as code of conduct as it references the legal requirements).
...
[Note: The appendices introduce the new elements found in this specification, as well as a schema map for interoperability with ISO/IEC 27560 for contribution.]
...
...
Kantara Community, DIACC, ToiP, W3C DPV and Consent,
The ISO/IEC 27560 committee
Standards Council of Canada
PasE; Consent Gateway Team and the NGI – Next Generation Internet Grant contribution
...
...
[Conv 108+] Council of Europe, Convention 108 +
...
[OECD] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Annex (WiP to v8.9.9)
The ANCR Record, with these annexes, shows the human centric transparency ontology. This annex focuses on the technical data semantics of the ontology, from a human label, for legal reference, to a machine readable attribute, for an operational transparency schema.
...
Text: a data type that defines a human-readable sequence of characters and the words they form, subsequently encoded into computer-readable formats such as ASCII.
Numeric: a data type that defines anything of, relating to, or containing numbers. The numbering system consists of ten different digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.
Reference: a data type that defines a self-addressing identifier (SAID) that references a set of attributes through its associated parent. SAID is an identifier that is deterministically generated from and embedded in the content it identifies, making it and its data mutually tamper-evident.
Boolean: a data type where the data only has two possible values: true or false. In computer science, Boolean is an identification classifier for working out logical truth values and algebraic variables.
Binary: a data type that defines a binary code signal, a series of electrical pulses representing numbers, characters, and performed operations. Based on a binary number system, each digit position represents a power of two (e.g., 4, 8, 16, etc.). In binary code, a set of four binary digits or bits represents each decimal number (0 to 9). Each digit only has two possible states: off and on (usually symbolised by 0 and 1). Combining basic Boolean algebraic operations on binary numbers makes it possible to represent each of the four fundamental arithmetic operations of addition, subtraction, multiplication, and division.
DateTime: a data type that defines the number of seconds or clock ticks that have elapsed since the defined epoch for that computer or platform. Common formats (see 'Format Overlay') include dates (e.g., YYYY-MM-DD), times (e.g., hh:mm:ss), dates and times concatenated (e.g., YYYY-MM-DDThh:mm:ss.sss+zz:zz), and durations (e.g., PnYnMnD).
Array [attribute type]: a data type that defines a structure that holds several data items or elements of the same data type. When you want to store many pieces of data that are related and have the same data type, it is often better to use an array instead of many separate variables (e.g. array[text], array[numeric], etc.).
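The Reference data type above relies on a self-addressing identifier (SAID): an identifier derived from the content and embedded in it, so that identifier and content are mutually tamper-evident, and through which a child record can reference its parent. The block below is an added example, not code from the ANCR specification or its contributors, showing one way to build and verify such an identifier. The canonical form (JSON with sorted keys and no whitespace), the SHA-256 hex digest, and the field name "said" with a fixed-length placeholder during hashing are all assumptions made for the example; the sample records are constructed.

```python
"""Added example, not code from the ANCR specification: a self-addressing
identifier (SAID) as used by the 'Reference' data type above, derived from
the record content and embedded in it so both are mutually tamper-evident,
plus a child record that references its parent through the parent's SAID.

Assumed (not taken from the page): canonical form is JSON with sorted keys
and no whitespace, the digest is SHA-256 in hex, and the SAID lives in a
field named "said" that holds a fixed-length placeholder while hashing."""
import hashlib
import json

SAID_FIELD = "said"
PLACEHOLDER = "#" * 64   # same length as a hex SHA-256 digest


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization: key order and whitespace cannot change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_said(record: dict) -> str:
    """Digest of the record with the SAID field replaced by the placeholder."""
    body = dict(record)
    body[SAID_FIELD] = PLACEHOLDER
    return hashlib.sha256(canonical_bytes(body)).hexdigest()


def saidify(record: dict) -> dict:
    """Copy of the record with its SAID embedded."""
    out = dict(record)
    out[SAID_FIELD] = compute_said(record)
    return out


def verify_said(record: dict) -> bool:
    """True only when the embedded SAID matches the content it sits in."""
    return record.get(SAID_FIELD) == compute_said(record)


def link_to_parent(child: dict, parent: dict) -> dict:
    """Reference the parent through its SAID, then saidify the child: a change
    to the parent breaks the reference, a change to the child breaks its SAID."""
    if not verify_said(parent):
        raise ValueError("parent SAID does not verify")
    return saidify({**child, "parent": parent[SAID_FIELD]})


def verify_chain(child: dict, parent: dict) -> bool:
    """Both records self-verify and the child still points at this parent."""
    return (verify_said(parent) and verify_said(child)
            and child.get("parent") == parent[SAID_FIELD])


# Constructed sample records (not the specification's own examples).
NOTICE_HEADER = {"schema_version": "0.8.8.4",
                 "pii_controller": {"name": "Example Controller Ltd", "jurisdiction": "CA"},
                 "notice_type": "notice"}
PURPOSE = {"purpose_id": "p-1", "purpose_name": "order fulfilment",
           "legal_justification": "contractual necessity"}

if __name__ == "__main__":
    header = saidify(NOTICE_HEADER)
    purpose = link_to_parent(PURPOSE, header)
    print("chain verifies:", verify_chain(purpose, header))
    print("after tampering:", verify_chain(purpose, {**header, "notice_type": "disclosure"}))
```

The placeholder trick matters: the SAID cannot be hashed over itself, so the field is held at a constant of the digest's length while hashing, and verification repeats exactly the same substitution.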
A notice used to generate granular consent receipts using standards that specify purpose in the same way. Receipts generated with the same schema can be compared to automate notification, for operational transparency over changes to privacy state.
A 2fN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administer privacy rights from the notice, prior to processing with consent.
The consent receipts produced from a 2fN can be compared independently for differences in the state and status of privacy, to automatically produce a notification based on the difference in state.
Differential transparency is produced with a tactile signal, or layer 1 notice indicator, standardized with a machine readable data privacy vocabulary (concentric and synchronic transparency).
...
C: Concentric Notice Types
The object of the ANCR record is to enable operational transparency. A concentric notice type is used to provide a human centric label to a record or a receipt.
...
Referencing the corresponding ISO/IEC 29184 control enhances the interoperability of operational transparency. This interoperability is realized through the extension of transparency with records of processing, to establish and maintain a shared understanding of security and privacy risks, affording people choices which mitigate risks and transfer liability.
These are mapped here
Legal Justification | Description | Concentric Notice Type | Privacy Rights / PII Controls | Reference |
---|---|---|---|---|
Vital Interest | Refers to processing ‘which is essential for the life of the data subject or that of another natural person’ | Implied/implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f) |
Explicit Consent Notice | Explicit consent to processing for one or more specified purposes | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object, Withdraw, Restrict, Portability | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a) |
Implicit consent notice | Where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e) |
Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | Conv.108+ 10.2(b) |
Contractual Necessity | | Implied consent | Restrict Processing, Object | ISO/IEC 29184, 5.4.2; Conv.108+ (43) |
Legitimate Interest | | Implied consent | Object and restrict processing | ISO/IEC 29184, 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d) |
Public Interest | Democratically framed | Implied Consent/Consensus | | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(i, g, j) |
Legal Obligation | | | | ISO/IEC 29184, 5.4.2 |
| Processing is necessary for the establishment, exercise or defense of legal claims | | | Conv.108+ (f) |
Note: Participatory Consensus and Concentric data control are two outcome-specific conditions that will be added to this specification, together with an assessment for operational evidence of these two outcomes.
Concentric digital transparency is a design principle for electronic notice and evidence of consent. The outcome is a shared (concentric) understanding of a relationship, the purpose of the digital interaction, its data control impact and the associated risks, centred on the PII Principal.
Concentric Notice Types are used to create a digital notice label that can be applied to a digital processing context, understood from a human centric perspective.
...
access to privacy rights and information, made meaningful through a direct mapping with specific rights, obligations and customs of interaction for data processing, which are enforceable through the references.
Concentric Notice Type | Description | Legal Justification | Privacy Rights | Legal Ref |
---|---|---|---|---|
Non-Operational Notice (N/O) | Not enough notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or a contact | Withdraw, Object, Restrict | Conv.108+ 79.1(a); GDPR Art 13/14 1(a),(b) |
Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | | |
Implied Consent Notice | Implied through the PII Principal's participation in a specific context | Consent | | ISO/IEC; GDPR Art 50 1(c); Conv.108+ Supplement; IPC, Canada |
Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
Expressed Consent notice | Expressed through the implicit action of a notified individual | Informed Consent | Withdraw | |
Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable | Consent which is knowledgeable of risk | Withdraw | Conv.108+ 1(4)1b; GDPR Art 7.1 |
Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to disclosures of risks that are notified | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
Altruistic Consent | Consent to a purpose and public benefit governance framework, without knowing who the Controller of PII or the beneficiary will be | Consent | | DGA, Recital 1, 2, 4, 36, 39 |
The anchor record is captured or generated for the explicit control of the PII Principal. This record, standardized with the ISO/IEC 29100 security and privacy technique framework, can then be used for transparency interoperability.
The anchor record and the linked consent ledger are used by the PII Principal to track the state of privacy and the status of consent, for dynamic data controls in bilateral (peer to peer) interaction. The anchor record is minted with the PII Controller ANCR record and is in this way extended by a product or service purpose specification.
...
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller....
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
(GDPR Recital 47)
...
reference the expected processing for a specified purpose in reference to common law (
...
...
Processing is ‘as expected’ Notification states:
unverified
as expected
not as expected
minor change in state
material change in state
PII Principal
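The differential transparency described earlier (two consent receipts from the same standardized notice compared for a difference in privacy state, producing a notification) and the notification states just listed can be joined in a small comparator. The following is an added example, not code from the ANCR specification or the working group. The receipt layout and the policy deciding which purpose fields are material versus minor are constructed assumptions; the sample receipts are constructed as well.

```python
"""Added example, not code from the ANCR specification: two consent receipts
generated from the same standardized notice (a 2fN) are compared, and the
difference in privacy state is mapped to the notification states listed
above (unverified, as expected, not as expected, minor change in state,
material change in state).

Assumed (not taken from the page): the receipt layout, and the policy that
decides which purpose fields are material; both are constructed here."""
from typing import Dict, List, Tuple

UNVERIFIED = "unverified"
AS_EXPECTED = "as expected"
NOT_AS_EXPECTED = "not as expected"
MINOR_CHANGE = "minor change in state"
MATERIAL_CHANGE = "material change in state"

# Purpose fields whose change alters the justification, the retention or who
# receives the data (assumed policy; everything else is treated as minor).
MATERIAL_FIELDS = {"legal_justification", "retention_period", "pii_processors",
                   "storage_location"}


def diff_purposes(baseline: Dict, current: Dict) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (purpose ids added, purpose ids withdrawn, (purpose id, field) pairs changed)."""
    b, c = baseline["purposes"], current["purposes"]
    added = sorted(set(c) - set(b))
    removed = sorted(set(b) - set(c))
    changed = [(pid, field)
               for pid in sorted(set(b) & set(c))
               for field in sorted(set(b[pid]) | set(c[pid]))
               if b[pid].get(field) != c[pid].get(field)]
    return added, removed, changed


def notification_state(baseline: Dict, current: Dict) -> str:
    """Classify the current receipt against the baseline receipt."""
    # Both receipts must be anchored to the same notice record and name the
    # controller; otherwise the comparison itself is unverified.
    if (current.get("ancr_id") != baseline.get("ancr_id")
            or not current.get("pii_controller", {}).get("name")):
        return UNVERIFIED
    added, removed, changed = diff_purposes(baseline, current)
    if added:
        return NOT_AS_EXPECTED       # processing for a purpose that was never notified
    if removed or any(field in MATERIAL_FIELDS for _, field in changed):
        return MATERIAL_CHANGE
    if changed:
        return MINOR_CHANGE
    return AS_EXPECTED


def notify(baseline: Dict, current: Dict) -> Dict:
    """Notification the PII Principal's side would raise from the difference."""
    state = notification_state(baseline, current)
    added, removed, changed = diff_purposes(baseline, current)
    return {"state": state, "added": added, "withdrawn": removed,
            "changed": [f"{pid}.{field}" for pid, field in changed]}


# Constructed sample receipt from one notice (not the specification's example).
BASELINE = {
    "ancr_id": "ancr:example-root",
    "pii_controller": {"name": "Example Controller Ltd"},
    "purposes": {
        "p-1": {"purpose_name": "order fulfilment",
                "legal_justification": "contractual necessity",
                "retention_period": "P1Y", "pii_processors": ["Courier Co"]},
    },
}


def with_purpose_field(receipt: Dict, pid: str, field: str, value) -> Dict:
    """Copy of a receipt with one purpose field changed (helper for the samples)."""
    purposes = {k: dict(v) for k, v in receipt["purposes"].items()}
    purposes[pid][field] = value
    return {**receipt, "purposes": purposes}


if __name__ == "__main__":
    later = with_purpose_field(BASELINE, "p-1", "retention_period", "P5Y")
    print(notify(BASELINE, later))
```

The ordering of the checks is deliberate: a purpose that was never notified is reported as "not as expected" before any field-level comparison, because no amount of agreement on the notified purposes makes un-notified processing expected.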
...
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
(Conv. 108+ Art 33.1)
...
Not-Available
In-Active
Active
Active & Operational
Active & Dynamic
...
Summary
An Anchored Notice Record is specified to capture the data control relationship between the PII Principal and the PII Controller, utilizing the international ISO/IEC 29100 standard.
In this schema, the record is extended by a service that presents the purpose specification to the ANCR record, to generate a notice, notification or disclosure as required. It is used:
for a person to specify and direct an electronic consent, or by a service to present a grant of consent for a specified purpose;
as a source of authority for the PII Controller to process personal data;
linked, and presented or captured, to record the state of security and privacy by default.
The record can then always be used to identify the Controller and to link subsequent notifications, since it carries the PII Controller details; by linking it to a notice, the record header is embedded in the notice in a standard format.
[Source ISO/IEC 29184 5.3.4][GDPR Art 13&14.1 (a)(b)][Convention 108+,
...
This purpose specification schema is specified for the PII Controller (data protection), but can also be used as a record to assess a purpose by a privacy stakeholder.
...
ISO/IEC 27560 Notes
...
The ANCR protocol generates a record of notice containing the controller id and contact; this is always the event, so the ancr_id maps to the event id. To this extent the event schema section is not required.
...
The ANCR record is specified to ISO/IEC 29100, in which the ‘privacy and security stakeholders’ are defined. In the context of the ANCR record this means that any role other than the PII Principal has a Controller id relative to the PII Principal, in addition to its role for the specific context of processing (e.g. processor, recipient, third party), which represents the processing role and activity relative to the ANCR record. This enables liability and risks to be delegated and transferred amongst the stakeholders specified, per process instance. As a result the party_ID schema is incorporated in the ANCR Record ID, which is specific to a PII Controller, not to a service or purpose.
...
Introduction
The consent receipt, and its record information structure, was conceived as a record that captures the notice of a PII Controller, or the notice context of the PII Principal.
It is a part of an effort to standardize notice for open consent, in order to decentralize data governance in identity management.
In this regard, 27560 is specified with the utility of the consent receipt in mind, which is to specify the purpose of personal data use and the risks, so that people can make informed choices and control personal data.
...
Schema Interoperability
The ANCR protocol generates a record of notice containing the controller id and contact; this is always the schema ‘event’ indicator, so the ancr_id field maps to and replaces the event id field in the ISO/IEC 27560 WD 5 consent record information structure (ref: 27560).
To this extent the 27560 ‘event schema’ section is not required.
The ANCR record is specified to ISO/IEC 29100 (ref: 29100), in which the ‘privacy and security stakeholders’ are defined. In the context of the ANCR record this means that any role other than the PII Principal has a Controller id and a stakeholder role relative to the PII Principal.
As a result the party_schema is incorporated in the ANCR Record ID, which is specific to a PII Controller, not to a service or purpose.
A 27560 consent record that contains the PII Principal identifier in the same record would first need a consent receipt, with this purpose, as proof of notice; otherwise the record would demonstrate non-compliance with the sources referenced in the ANCR record and be rendered not interoperable with the ANCR record schema and specification.
In this regard the ANCR specification is interoperable with 27560, but 27560 is not interoperable with the ANCR record, as combining the identifier with the record breaks ANCR Record security and contravenes the privacy considerations for management of the ANCR Record.
To address this we have introduced the missing link: the fields for a Proof of Notice ANCR record and receipt, which are required to be blinded, so that consent to combine the records in such a way is evidenced. This provides proof, secures the PII Principal’s data under the Principal’s control, and is compliant with legislation and ISO/IEC 29184.
The ANCR record can itself be extended into a Controller Credential. When the ANCR record is used in a consent receipt flow it can also be used to. ToiP Controller Credential: https://wiki.trustoverip.org/pages/viewpage.action?pageId=27722576
...
Schema Mapping
The following mapping of the ANCR record schema is provided to conform to the instructions in ISO/IEC 27560. To this extent, and in accordance with ISO/IEC 27560 Art 6.2.3, this annex publishes the ANCR Record Schemas at Kantara, hosted by the Human Colossus Foundation for the Global Privacy Rights public benefit initiative.
This schema is intended to support the PII Principal in aggregating purposes per controller, per record, providing technical features to manage multiple legal justifications in a single service context.
Section 1: ANCR Record (Operational Transparency) is followed by
Section 2: Purpose Specification,
Section 3: Data Treatment and Rights, and
Section 4: Code of Practice.
Codes of practice can be approved and monitored; they are used to combine multiple purposes together into an expected code of practice. A “Purpose Bundle” operated with a code of practice can be approved to operationalize privacy.
...
Anchored Record Schema ‘Structure’ Sections
In addition to the consent receipt schema, the ANCR record schema provides a protocol for its operation.
Section 1: Header: Proof of Notice
Section 2: Purpose Specification (Annex C, also Extension 1)
Section 3: Treatment Specification, W3C DPV
Section 4: Code of Practice Profiles
Section 5: Field Data Sources
These refer to ISO/IEC 27560 WD4, line 362, which calls out the need to reference the schema(s) and information structure used, in addition to demonstrating the capacity to maintain documentation for its correct technical implementation and conformance to the requirements specified in the 27560 documents.
...
ANCR Consent Receipt Section | Label | Variations | Description | 27560 Term | Reference |
---|---|---|---|---|---|
Header - Control Object | ANCR ID | | Specified to be a root record identifier; the Notice record id is used as the root identifier for linking records about the status of privacy with that controller | Record id | |
Header - Control Object | schema version | | | same | |
PII Controller Identity Object | PII Controller Name | | | | |
PII Controller Identity Object | PII Controller address | | | | |
PII Controller Identity Object | correspondence contact email | | | | |
PII Controller Identity Object | correspondence jurisdiction privacy regulation | | | | |
PII Controller Identity Object | correspondence phone | | | | |
PII Controller Identity Object | Correspondence website | | | | |
PII Controller Identity Object | Correspondence website ssl certificate | | | | |
PII Controller Identity Object | Non-operational privacy contact point | | | | |
Privacy Contact Point Object | Object | | Must have at least one field for the PCP object | | |
Privacy Contact Point Object | PCP-Profile | | Privacy Access Point Profile | | |
Privacy Contact Point Object | PCP-InPerson | | In-person access to privacy contact | | |
Privacy Contact Point Object | PCP-Email | | PCP email | | |
Privacy Contact Point Object | PCP-Phone | | Privacy access phone | | |
Privacy Contact Point Object | PCP-PIP-URI | | Privacy info access point, URI | | |
Privacy Contact Point Object | PCP-Form | | Privacy access form URI | | |
Privacy Contact Point Object | PCP-Bot | | Privacy bot, URI | | |
Privacy Contact Point Object | PCP-CoPC | | Code of practice certificate, URI | | |
Privacy Contact Point Object | PCP-Social | | Network:handle | | |
Privacy Contact Point Object | PCP-Other | | Other | | |
Privacy Contact Point Object | PCP-Policy | | PCP privacy policy, URI | | |
ANCR focuses on a KPI for the transparency performance of the privacy contact access point.
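The header objects above carry the minimum a PII Principal needs to identify and reach the controller, and the PCP object must have at least one populated field; a record that fails this is what the concentric notice type table calls a Non-Operational Notice. The block below is an added example, not code from the ANCR specification or its contributors, that checks those header requirements and counts the populated privacy contact access points as a simple KPI. The snake_case field names and the minimum of a controller name plus one correspondence channel are assumptions made for the example; the "at least one PCP field" rule is the page's own. The sample records are constructed, and the certificate value is a labelled placeholder.

```python
"""Added example, not code from the ANCR specification: the minimum checks on
the record header (PII Controller Identity Object and Privacy Contact Point
Object) that decide whether a PII Principal can identify and reach the
controller, i.e. whether the record is operational or gets the
Non-Operational concentric notice label, and a count of populated privacy
contact access points as a transparency KPI.

Assumed (not taken from the page): the snake_case field names, and that a
controller name plus at least one correspondence channel is the minimum; the
rule that the PCP object needs at least one field is the page's own."""
from typing import Dict, List

PCP_FIELDS = ("PCP-Profile", "PCP-InPerson", "PCP-Email", "PCP-Phone", "PCP-PIP-URI",
              "PCP-Form", "PCP-Bot", "PCP-CoPC", "PCP-Social", "PCP-Other", "PCP-Policy")
CORRESPONDENCE_FIELDS = ("correspondence_contact_email", "correspondence_phone",
                         "correspondence_website")


def header_findings(record: Dict) -> List[str]:
    """Reasons the header is not enough to identify and contact the controller."""
    findings = []
    controller = record.get("pii_controller_identity", {})
    if not controller.get("pii_controller_name"):
        findings.append("controller name missing")
    if not any(controller.get(f) for f in CORRESPONDENCE_FIELDS):
        findings.append("no correspondence channel")
    # A website is only a usable channel when the record also pins its certificate.
    if controller.get("correspondence_website") and not controller.get(
            "correspondence_website_ssl_certificate"):
        findings.append("correspondence website without a certificate")
    pcp = record.get("privacy_contact_point", {})
    if not any(pcp.get(f) for f in PCP_FIELDS):
        findings.append("privacy contact point object has no populated field")
    return findings


def pcp_channel_count(record: Dict) -> int:
    """KPI: number of distinct privacy contact access points the notice offers."""
    pcp = record.get("privacy_contact_point", {})
    return sum(1 for f in PCP_FIELDS if pcp.get(f))


def concentric_label(record: Dict) -> str:
    """'Non-Operational Notice' when the header is insufficient; otherwise
    'Operational', meaning the label is then decided by the notified legal
    justification (see the concentric notice type table)."""
    return "Non-Operational Notice" if header_findings(record) else "Operational"


# Constructed samples (not the specification's own examples).
OPERATIONAL = {
    "ancr_id": "ancr:example-root",
    "schema_version": "0.8.8.4",
    "pii_controller_identity": {
        "pii_controller_name": "Example Controller Ltd",
        "correspondence_contact_email": "privacy@example.org",
        "correspondence_website": "https://example.org",
        "correspondence_website_ssl_certificate": "sha256:PLACEHOLDER-FINGERPRINT",
    },
    "privacy_contact_point": {"PCP-Email": "privacy@example.org",
                              "PCP-Policy": "https://example.org/privacy"},
}
NON_OPERATIONAL = {
    "ancr_id": "ancr:example-anon",
    "pii_controller_identity": {"correspondence_website": "http://example.org"},
    "privacy_contact_point": {},
}

if __name__ == "__main__":
    for rec in (OPERATIONAL, NON_OPERATIONAL):
        print(rec["ancr_id"], concentric_label(rec), header_findings(rec),
              "PCP channels:", pcp_channel_count(rec))
```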
Proof of Notice Object labels | Description |
---|---|
Notice Type | Notice, notification, disclosure |
Notice method | Link / URL to the UI that was used to present the notice, e.g. website home page |
Digital Notice location | Notice location, e.g. IP address; location certificate |
Notice Language | The language the notice is provided in |
Notice Text File | URL and/or hashlink for the notice text |
Notice text | The capture of a copy of the notification text |
Notified legal justification | Implied or explicit notified legal justification, based on the text of a notice and its context |
PII controller risks | Uses notice type, which would be equivalent to event type in 27560 |
Concentric Notice Label | Different from, but incorporates how to frame, the 27560 defined consent types; categorizes notice labels to indicate the protocol for rights access and inherent risks |
ISO/IEC 29184 – purpose specification
Purpose Spec - Object
Purpose ID
Service Name
Purpose name
Purpose Description
Plausible Risk (can data control impact assessment)
Purpose Type
Legal justification
Lawful basis
Sensitive PII Category
Special PII Category
PII Principal Category
PII Processors
PII Sub-processors
New
Risk notice disclosure
ISO-29184
Service Notice Risks
PII Principal Category
Treatment
Attribute Id
Notified Collection method
Collection method
Expiration
Storage location
Retention period
Processing location Restrictions
Duration
State
Justification for processing (state of privacy)
Status
Termination
a) Code of Conduct
Inherent to concentric labels - Rights Objects: withdraw, object, restrict, access and rectification, termination of justification
Regulated practice, approved by regulator or legislated
Rights
Notice Defaults
Data portability
FoI-Access & Rectification
4.b) Code of Practice
CoP-ID
Surveillance Code of practice
Certified practice
Children’s Design Code of Practice
Operational Privacy Code of Practice
Purpose Bundle
Code of Practice Certification
Badge
Pre-Consent Notice Label Type
Notify to confirm or change
Then start
Purpose Description – medical
Vital interest
Legal obligation
Operational personal data handle (3rd Party)
Approved by Regulator (yes/no)
Certified Body - ? - Certification
SSI – Gov – Principles – Codes of Conduct
Purpose Name
Purpose Label
Anchor Notice Record ID
ANCR Record Protocol
...
An Anchor record is a PII Controller Relationship Notice Record, very similar to a PII Controller Credential, but instead of being provided by a specific stakeholder, this micro-credential can be created as an ANCR Notice Record by the PII Principal.
...
In summary, the elements from 27560 that frame the data treatment elements are found in Extension 3, in addition to
The ANCR record is specified in this information structure according to a legally defined code of conduct: each required element is referenced to the standards and legislation that constitute the code of conduct for an operational transparency trustworthy id protocol.
The legal code of conduct is extended by codes of practice, which are often recognized as certifications and represented by certificates.
Terms, definitions, field data, record examples and the machine readable privacy vocabulary used to generate notices, notifications and disclosures are provided here.
Version | Date | Summary of Substantive Changes |
---|---|---|
0.1 DRAFT | 2021-02-28 | Initial v1.1 draft |
0.5 | 2022-02-02 | Draft – updating scope to Notice and eConsent |
0.8 | 2022-07-04 | Full outline / 70% drafted |
0.8.5 | 2022-08-04 | Outline 100% Draft - Posted to Kantara Wiki |
8.8.2 | | |
8.8.3 | | Restructured Sections and schema, cleaned schema up a little – practice what preaching by making spec structural human centric |
8.8.4 | | Stabilized draft - with an initial edit - added accessibility rating table |
1. Lizar, M., Pandit, H., Jesus, V., “Privacy as expected Consent Gateway”, Next Generation Internet (NGI) Grant [accessed July 4] https://privacy-as-expected.org/