Anchored Notice and Consent Receipt (ANCR) Record for Operational Transparency
Version: 0.8.9.2
Document Date: September 1923, 2022
Editor(s): Mark Lizar, Sharon Polsky
Contributors: Sal D’Agostino
Contributing Orgs: Open Consent Group/0PN C.I.C, Privacy & Access Council of Canada
...
At the present time, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before the collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites that are called ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ or ‘data sharing agreements’, but which do not implement the privacy people expect.
No mechanism is currently available for Individuals to assert authority in advance of disclosing their personal information, and no way for them to determine, control, or negotiate the conditions or sources under which data about them may be processed, used, managed, or associated with other data.
Lack of transparency and consent defaults prevent Individuals from knowing or seeing (and therefore trusting or controlling) when digital identifiers and related metadata about themselves are created, used, or disclosed, or reused for additional purposes.
This systemically prohibits the interaction, access and participation required for individuals to see how information about themselves is used, when, by whom, and for what purposes.
Enabling individuals to see how information about themselves is used, when, by whom, and for what purposes, requires a standardized transparency mechanism as a way to provide data governance that scales when decentralized.
The ANCR Record implements a standard of transparency that enables Individuals to see whether PII about them is being used in ways that are private, and whether, when, where, and to whom it is disclosed, locally, domestically, or internationally.
The ability to direct and control the collection, use and disclosure of information about themselves is essential for Individuals to have the technical capacity to trust the management of surveillance, personal identity, and advanced digital data analysis technologies.
This specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’, and that facilitate human-centric dynamic data exchanges. It specifies an active technical object for managing the rules of data and its consented exchange.
The ANCR process creates a record of operational transparency over data control and processing that works to regulate surveillance from offline and online activities, in much the same way as financial transactions are now regulated and tracked.
The Anchored Notice and Consent Receipt (ANCR) Record specification enables individuals (i.e., a PII Principal) to employ a 3-layer notice record schema to indicate their consent for a specific data exchange. PII Principals can extend the single-use Record of Notice with a layer 2 schema that incorporates a digital identifier to serve as proof of notice for the repeated use of a consented data exchange. A receipt and record of processing provides transparency through a ‘proof of notice’ record for repeated use in concentric data exchanges.
The third notice record schema, the Anchored Notice Record, is a private information (identity relationship) record, which treats security requirements as a pre-condition for generating records and receipts in identifier management systems.
Finally, an active technical record of processing activities gives the PII Principal in-context transparency over who is accountable for processing Personally Identifiable Information (PII), which is a pre-condition of that processing, and provides scalable, human-interoperable governance and security.
In this first rendition of the ANCR framework specification it is the PII Principal who manages consented surveillance, and the processors who each manage and comply with the permission grant defined by the PII Principal. To this point, this specification focuses on transparency of control, with extensions for extending the transparency of a controller with purpose specification as outlined in the Annex.
Specification Components
The ANCR Record specification provides the permissions granted for a specified purpose and scope. To this point, this specification focuses on transparency performance for the assessment of data control and its impact, including three ANCR Framework Extensions, summarized in the Appendix, for extending transparency over data control with:
Extension 1: consented purpose specification
Extension 2: data treatment and rights-based controls
Extension 3: bundling codes of conduct and practice in implementation
Subsequent iterations and extensions of this specification focus on a Controller Credential agnostic to identifier technology: the use of notice records as micro-credentials, and of consent receipts as tokens for proof of notice under any of the six legal justifications for processing, as well as evidence of electronic consent.
This introduction demonstrates the use of an ISO/IEC 29100 record of processing to illustrate the use of ISO/IEC 29184 controls to assess the performance of this record.
The ANCR Record specification introduces three (3) transparency performance indicators (TPIs) that an Individual can use to assess an organization’s transparency — in particular how it collects, uses, and discloses Personally Identifiable Information — before electing to provide their personally identifiable information or authorize its collection, use, processing, or disclosure.
...
This document has been prepared by Participants of Kantara Initiative, Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.
...
International laws and standards, including the ISO/IEC 29100 Privacy Framework, are the international framework for creating records for trustworthy ‘consented data access’ and for adequate international data transfers. They provide an opportunity to implement a low-cost digital twin record and receipt mechanism and thus dramatically improve the security of personal data control, thereby increasing the effectiveness of cyber-physical security and digital privacy.
...
The Notice Record is specified for generating operational transparency with the use of the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notice and consent receipts. [ISO/IEC 29184, Appendix B]
Why was this specification written?
An internationally standardized notice and consent record information structure provides the standard for a PII Principal to generate records independently of the PII Controller, and to hold, control and manage them separately from the PII Controller, including the means to withdraw consent. This specification is proposed to capture, measure, and standardize the transparency of PII Controllers’ security and privacy practice through the entire lifecycle of personal information collected from a PII Principal.
...
Standardized digital notice is a steppingstone to digital operational privacy and is required to scale human-to-system (electronic) consent online: a record that is provided by default, using standard digital identifier governance defaults, designed for self-sovereign/human-centric transparency and interoperability between people and systems.
...
For this purpose, the ANCR record is first specified as a single-use record that the Individual controls with three transparency performance indicators (TPIs). It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The TPIs provided here are specified to provide transparency over data control and its human/decentralized data governance (specified as Operational Transparency).
...
The Notice Record is first specified as a static, one-time use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context measured by access to, and performance of, rights.
Diagram 1: Notice Record
...
(TBD)
PII Controller Identity AND Contact Transparency Report
Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | |
Privacy Contact Point | Location/address of Contact Point | MUST | |
Session Certificate | A certificate for the monitored practice | OPTIONAL | TLS (SSL) certificate and certificate transparency |
...
Rating | Description | Instruction |
---|---|---|
+1 | Controller identity is embedded as a credential linked to authoritative registries. | The PII Controller credential is displayed in a standard, machine-readable format and linked, for example, in an HTTP header in a browser. |
0 | PII Controller Identity is prominently displayed on first view, prior to processing, on the first page viewed. | The PII Controller Identity or credential is provided in the first notice. |
-1 | The privacy signal is not presented first, but is linked one click and one screen away. | The Controller Identity, or the screen with the Controller Identity, is one screen and click away; for example, the privacy policy link in the footer of a webpage. |
-3 | Identity or credential is two or more screens of view away. | The PII Controller Identity is not accessible enough to be considered ‘provided’. |
TPI 3: Certificate (and/or Key) Security Transparency
...
Field Name | Field Description | Requirement | TPI 1: Available / Not Available | TPI 2: Rating (+1, 0, -1, -3) | TPI 3: CN Matches |
---|---|---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | Present | +1 | Found |
PII Controller Name | Name of presented organization | MUST | Present | 0 | Match |
PII Controller Address | Physical organization address | MUST | Present | 0 | No Match |
Privacy Contact Point | Location/address of contact point | MUST | Present | +1 | No Match |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match |
Session Key or Certificate | A certificate for the monitored practice | MUST | Present (or Not Found) | +1 (or -3) | Present (or No Security Detected) |
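The three TPIs above (MUST-field availability, identity placement rating, and certificate name match) can be scored mechanically. The following Python is an added example written for this page, not code from the ANCR specification or the Kantara ANCR WG. It assumes the notice record is a dictionary keyed by the field names in the table (plus the PII Controller Website field from the Layer 1 schema, whose host is what the certificate name is matched against), that the certificate is supplied in the dictionary shape returned by Python's ssl getpeercert(), and that the placement labels map onto the rating scale of the rating table; every sample value is constructed.

```python
"""TPI 1/2/3 assessment of a captured notice record (added example, not ANCR code)."""
from urllib.parse import urlsplit

# MUST fields from the TPI table above (assumed dictionary keys).
MUST_FIELDS = (
    "Notice Location",
    "PII Controller Name",
    "PII Controller Address",
    "Privacy Contact Point",
    "Privacy Contact Method",
    "Session Certificate",
)

# TPI 2 scale from the rating table; the placement labels are this example's.
PLACEMENT_RATING = {
    "credential": +1,   # identity embedded as a credential linked to a registry
    "first_view": 0,    # shown on first view, prior to processing
    "one_click": -1,    # one click and one screen away (e.g. footer privacy link)
    "two_or_more": -3,  # two or more screens away: not considered 'provided'
}


def tpi1_availability(record):
    """TPI 1: mark each MUST field Present or Not Available."""
    return {f: ("Present" if record.get(f) else "Not Available") for f in MUST_FIELDS}


def tpi2_rating(placement):
    """TPI 2: rating of where the controller identity is presented."""
    return PLACEMENT_RATING[placement]


def _names_from_cert(cert):
    """Collect the subject CN and DNS SANs from a getpeercert()-shaped dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def _dns_match(pattern, host):
    """RFC 6125 style: exact match, or a single wildcard in the left-most label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def tpi3_cn_match(record, cert):
    """TPI 3: does any certificate name match the PII Controller website host?"""
    if not cert:
        return "No Security Detected"
    host = urlsplit(record.get("PII Controller Website", "")).hostname or ""
    return "Match" if any(_dns_match(n, host) for n in _names_from_cert(cert)) else "No Match"


def assess(record, cert, placement):
    """Combine the three TPIs into one assessment of the notice record."""
    t1 = tpi1_availability(record)
    return {
        "TPI1": t1,
        "TPI1_missing": [f for f, v in t1.items() if v == "Not Available"],
        "TPI2": tpi2_rating(placement),
        "TPI3": tpi3_cn_match(record, cert),
    }


# Constructed sample notice record for a hypothetical controller site.
SAMPLE_RECORD = {
    "Notice Location": "https://shop.example/checkout",
    "PII Controller Name": "Example Shop Ltd",
    "PII Controller Address": "1 Example Street, Exampletown",
    "PII Controller Website": "https://shop.example/",
    "Privacy Contact Point": "privacy@shop.example",
    "Privacy Contact Method": "email",
    "Session Certificate": "captured",
}
# Constructed sample in ssl getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_RECORD, SAMPLE_CERT, "one_click"), indent=2))
```

A missing certificate is reported as No Security Detected rather than as a name mismatch, so the -3 case of the table is kept distinct from a controller that does present a certificate for a different name.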
...
ANCR Record — means the Anchored Notice Record and Consent Receipt Record
ANCR WG — means the Advanced Notice and Consent Receipt Work Group
Array — means an array of field objects
Conv. 108+ — means the Council of Europe Convention 108+
FIPP — means Fair Information Practice Principles
IRM — means Identifier Relationship Management
ISO/IEC — means International Organization for Standardization/International Electrotechnical Commission
Object — means a field object
PII — means Personally Identifiable Information
POMME — means Privacy Operationalization Model and Method for Engineering
ZPN — means Zero Public Network, a network in which each processor of personal information has a controller credential and the PII Principal has a private record of the credential
...
The types of Concentric Notice Label are specified in Annex B, which spans the spectrum of legally defined consent types, defined from the individual’s context and perspective.
...
Concentric Notice Label Types
Not Concentric: Legal obligation or legitimate interest independent of PII Principal
...
A Consent Notice Receipt, for a proof of notice, used as evidence of consent and
...
to ...demonstrate compliant records of processing activities.
[Source: ISO/IEC 29184 Appendix B]
A Record of Notice that is generated to provide proof of an informed individual supersedes terms and conditions (contract), to implement overarching privacy rights‑based control.
[Source: ANCR Notice Record v1 – Specification]
Personally Identifiable Information (PII)
Any information that (a) can be used to identify the PII Principal to whom Personally Identifiable Information relates, or (b) is or might be directly or indirectly linked to a PII Principal.
NOTE: To determine whether or not an individual should be considered identifiable, several factors need to be taken into account. (Equivalent to personal data)
[Source: ISO/IEC 29100]
Descriptor for a type of Personally Identifiable Information, or a set of types of Personally Identifiable Information
[Source: ISO/IEC 29184 3.3]
Personal Data means any information relating to an identified or identifiable natural person.
Data Subject means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[Source: Conv. 108+ Rec 16]
Sensitive PII
What constitutes Sensitive PII is defined explicitly in legislation; however, the definition might vary across jurisdictions. Sensitive PII might include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII Principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant emotional, psychological, or financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII Principal’s real time location.
[Source: ISO/IEC 29100 4.4.7]
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
[Source: GDPR Art 9.1]
Sensitive PII should not be processed unless the specific conditions set out in this Regulation are met. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the Data Subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
[Source: Conv. 108+ Rec. 29]
PII Principal
...
(also Data Subject or Individual)
The natural person to whom the personally identifiable information (PII) relates.
NOTE: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “Data Subject” can also be used instead of the term “PII Principal.”
[Source: ISO 29100 2.11]
PII Principals provide their PII for processing to PII Controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII Principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII Principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII Principal for that PII set.
[Source: ISO 29100 4.2.1]
Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[Source: GDPR: Article 4.1]
Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
[Additive: PIPEDA 4.9]
PII Controller
A privacy stakeholder (or privacy stakeholders) who determines the purposes and means for processing Personally Identifiable Information (PII) other than natural persons who use data for personal purposes.
NOTE: A PII Controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII Controller.
[Source: ISO 29100]
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Note: Also known as a Data Controller.
[Source: GDPR Art. 4(7)]
‘Controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law;
[Source: Conv 108+ Art 3(8)]
Joint Controllers
Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for Data Subjects.
[Source: GDPR Art 26.1]
Where two or more controllers or one or more controllers together with one or more controllers other than Union institutions and bodies jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercise of the rights of the Data Subject and their respective duties to provide the information referred to in Article 79, by means of an arrangement between them, unless and in so far as the respective responsibilities of the joint controllers are determined by Union or Member State law to which the joint controllers are subject. The arrangement may designate a contact point for Data Subjects.
[Source: Conv 108+ Art 86.1]
PII Processor
A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII Controller.
[Source: ISO 29100]
'processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
[Source: GDPR Art 4(8)]
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
[Source: Conv. 108+ Art 3(12)]
Refers to the PII Controller type in the ANCR record specification.
[ANCR Notice Record Specification v0.9]
An additional field to indicate a delegated PII Processor (rather than 3rd Party). Used to distinguish between, a legally authorized 3rd Party, like a public health authority, who would themselves be a PII Controller, for that legal justification. Also found in the W3C Data Privacy Vocabulary.
[Additive: W3C DPV 2.3.1.6 http://w3c.github.io/dpv/dpv/ ]
Processing
An operation or set of operations performed on personally identifiable information (PII).
NOTE: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.
[Source: ISO 29100]
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[Source: GDPR Art 4.2]
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[Source. Convention 108+]
Refers to a government authority responsible for the enforcement of privacy and data protection regulation. Referred to also as a Data Governance Authority, a Data Protection Authority (DPA) or simply Privacy Regulator.
Privacy Stakeholder
A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.
[Source: ISO 29100]
Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
[Source: GDPR Art. 50(c)]
Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
[Source: Conv.108+ Art 51(c)]
...
Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts
ISO/IEC 29100 concept | Corresponding ISO/IEC 27000 concept |
---|---|
Privacy stakeholder | Stakeholder |
PII | Information asset |
Privacy breach | Information security incident |
Privacy control | Control |
Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
[Source: ISO/IEC 29100: Annex A]
...
Standard Concentric Clauses implement ISO/IEC 29184 compliance controls and Privacy Service Agreements [ISO/IEC TS 27570: 3.22].
These clauses are used to implement the PII Principal’s expectations of privacy, data control, localization and security according to context and notified purpose. They are introduced in contracts and terms and conditions, and refer to the concentric notice label controls and requirements as specified in Annex X of this document.
These clauses MUST be employed in a manner that scales the expectations of the PII Principal online, to facilitate data governance interoperability and transborder adequacy of electronic consent.
Third Party (or 3rd Party)
A privacy stakeholder other than the personally identifiable information (PII) principal, the PII Controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII Controller or the PII processor.
[Source: ISO 29100 2.27]
Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
[Source: GDPR Art 4.10]
Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
[Source: Convention 108 Art 3.14]
...
This schema is cumulative, where each schema layer can be added upon the previous layer.
3 Layer ANCR Notice Schema
Layer 1 - Notice Record Schema.
The PII Principal's private record of a notice, without digital identifiers, also called a ‘minimum viable notice record’. This record is un-anchored, and is used for contextual purposes when it does not contain an ANCR Record ID in the ANCR Record ID field.
Layer 2 – Private Notice Record Micro-Data
The metadata that can, and must, be collected with the notice record to make a digital record of the notice. It is kept private and is not directly accessible, exposed or made public. The PII Principal's private record collects personal data specific to the use of the notice.
Layer 3 - A Proof of Notice (PoN) record is generated
A secured Anchored Notice Record generated upon engagement with a notice to demonstrate that the PII Principal is informed. This is not an opt-in or opt-out check box linked to a notice, but a check box confirming that a notice clause has been read, with a button on the notice dialogue that generates a record and receipt when used by the PII Principal.
A proof of notice record can then be used by processing stakeholders to generate subsequent (serialized) linked notice, notification and disclosure records pertinent to the context of notice.
Personal identifiers and attributes are encrypted, secured, verified and validated by linking to the private notice record.
...
These are the schema elements used to generate an un-anchored, static Notice Record; they do not contain any PII or digital identifiers.
Field Name | Short Name | Description | Presence Requirement |
---|---|---|---|
PII Controller Identity | | Object | Required |
Presented Name of Service Provider | | Name of the service, e.g. Microsoft | MAY |
PII Controller Name | | Company/organization name | MUST |
PII Controller Address | | Physical address of the PII Controller | MUST |
PII Controller Contact Email | | Correspondence email | MUST |
PII Controller Jurisdiction Legal Reference | | Privacy law under which the PII Controller operates | MUST |
PII Controller Phone | | The general correspondence phone number | SHOULD |
PII Controller Website | | URL of website (or link to controller application) | MUST |
PII Controller Certificate | | Capture of the website TLS (SSL) certificate | OPTIONAL |
Privacy Contact Point Location | pcpL | Direct link to security and/or privacy contact point | MUST |
Privacy Contact Point Types | pcpT | Object; must have at least one field for the PCP object | MUST |
PCP_Profile | | Privacy access point profile | ** |
PCP_InPerson | | In-person access to privacy contact | ** |
PCP_Email | | Privacy access point email | ** |
PCP_Phone | | Privacy access phone | ** |
PCP_PIP_URI | | Privacy information access point, URI | ** |
PCP_Form | | Privacy access form, URI | ** |
PCP_Bot | | Privacy bot, URI | ** |
PCP_CoP | | Code of practice certificate, URI of public directory with public key | ** |
PCP_Other | | Other | ** |
PCP Policy | pcpp | Privacy policy, URI with standard consent label clauses | MUST |
** At least one of the PCP type fields is required in the pcpT object.
These fields can be asserted by the PII Principal to extend the functionality beyond the TPIs specified, on the PII Principal’s behalf.
These private record fields are separated from the Proof of Notice schema, as they are kept and controlled by the PII Principal and are used to provide defaults.
...
This is the data source for consented records of processing that is directed and securely verified by the PII Principal, using a secure, localized data source and device.
Record Field Name | Field Description | Verifier/Validator |
---|---|---|
Schema version | A number used by the PII Principal to track the PII Controller Record | Verifier |
Anchor Notice Record ID | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | Verifier |
Date/Time | The date and time a notice was read by the PII Principal | Validator |
Notice Presentation Method | The notice presentation delivery method, also known as the user-interface presentation_Type | Validator |
Notice Location | The URL, physical address, or regional location at which the notice was presented to the PII Principal | Verifier |
Notice Legal Justification | One of the six legal justifications (PII Controller, ISO/IEC, GDPR, C108+) | Validator |
PII Principal Legal Location | Refers to the privacy rules in the local context | Validator |
Device Type Identifier | Device identifier or fingerprint used to verify the physical method of delivery, e.g. sign, mobile phone number, desktop computer | Verifier |
PII Principal Private/Public Key Pair | The cryptographic key pair used to sign and encrypt fields in a consent record | Verifier |
...
The 2FN produces a network event, presenting the information needed to produce an evidential record, which a PII Principal can then use independently. It is a micro-credential used to aggregate operational transparency information, to access privacy state and rights information, or to implement personal data controls (those required for a consent grant to a system, implementing the controls and permissions for collection, capture, portability of, and access to, private data profiles).
Field Name | Label | Description | Presence |
---|---|---|---|
ANCR Record ID | | Blinded identifier secret to the PII Principal | Required |
Schema version | | The notice record | Required |
Timestamp | | The time and date when the ANCR record was created | Required |
Legal Justification | | One of six legal justifications used for processing personal data | Required |
Notice Record | | Object labels | |
Notice Type | | Notice, notification, disclosure | Required |
Notice legal location | | The physical location or region in which the PII Principal read the information | MUST |
Notice presentation method | | Website | SHALL |
Online notice location | | Notice location, e.g. IP address | MUST |
Location Certificate | | An SSL certificate or key | MAY |
Notice Language | | The language the notice was provided in | MUST |
Notice Text File | | URL and/or link to the notice text | SHALL |
Notice text | | The capture of a copy of the notification text | MUST |
Notified legal Justification | | Implied or explicit notified legal justification based on the text of a notice and its context | MUST |
Concentric Notice Label | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL |
A notice that is used to generate granular consent receipts uses standards that specify purpose in the same way. Receipts generated with the same schema can be compared in order to automate notice, for operational transparency over changes to privacy state.
A 2FN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administrator-level privacy rights from the notice, prior to processing with consent.
The consent receipts produced from a 2FN can be compared independently to measure the difference in the active state and status of privacy, and to automatically produce a notification based on the difference in state.
Differential Transparency is produced with a tactile signal, or a layer 1 notice indicator, standardized with a machine-readable data privacy vocabulary (i.e., concentric and synchronic transparency).
...
In this table, suggestions for which security method can be applied at the attribute level are provided as an example.
Record Field Name | Field Description | Security | Trust Consideration |
---|---|---|---|
Schema version | The version of this layered notice record schema | Differential Transparency | Can be required for technical assurance by the system that the record is correctly interpreted, and used to compare record versions |
Anchor Notice Record ID | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | BiT and Differential Transparency (Required) | Only the PII Principal can decrypt and use this identifier to aggregate the records and receipts specific to that PII Controller relationship. Must be used for Differential Transparency, to compare one record against another so that people can see whether privacy is what they expect. |
Date/Time | The date and time a notice was read by the PII Principal | Differential Privacy | Noise is added to this field so that it is not usable as evidence without legal justification |
Notice presentation method | Notice presentation medium/context in a user interface | Notice presentation vehicle | |
Notice Location | URL or address from which the notice was presented to the PII Principal | Verifiable Controller Credential | Used to validate and monitor the controller |
PII Principal Legal Location | Refers to the privacy rules in the local context in which the PII Principal read the notice | BiT | BiT, regionally localized: codes of practice, by-laws and the like |
Device Identifier | The device identifier refers to the type of device (e.g., sign, mobile phone, desktop computer) and its unique identifier(s) | BiT | Notice medium |
Software Identifier | An identifier can be a software configuration fingerprint | Differential Privacy | Adds noise to this fingerprint |
PII Principal Pub Key | The cryptographic key used to sign consent receipts | Differential Transparency | Used to help determine whether the record is secure and not fake |
Blinded Identity Taxonomy (BiT)
A PII field security measure used to blind attributes that are identifiable, for example the attributes listed in ISO/IEC 29100 section 4.4.2.
A BiT attribute is encrypted with the PII Principal's private key, so that it is not usable in any data set without the corresponding authority required to decrypt the field for a specified purpose and treatment.
In this specification, BiT is used by the PII Principal to encrypt and blind the ANCR record ID field in the private notice record: the pseudonymized identifier generated or provided by the PII Principal's client security protocol.
Pseudonymized Identifier
The ANCR record ID refers to the PII Controller legal identity captured with a notice record. Once a notice record is collected, it can be added to a digital wallet (or pod), signed to become a micro-credential, and used to communicate with the PII Controller in order to manage rights and control the processing of digital identifiers and associated information.
Conceptually, the ANCR ID is a reverse-use cookie, in that it is used by the PII Principal to remember the privacy state and track the PII Controller across different service environments, domains and jurisdictions.
Verifiable Private Notice Record used in a micro-credential
The PII Principal, as the holder of the notice record, can use it to verify the presentation of a PII Controller identity.
Holders of a signed notice record (proof of notice) can generate a verifiable presentation of this proof by:
signing a copy of the notice record (which transforms the record into a micro-credential);
exchanging this with the other stakeholder (PII Principal or Controller) as a signed consent receipt, in order to tokenize the exchange of attribute-level private record data on a per-processing-session basis.
(W3C Verifiable Credentials Data Model, www.w3.org/TR/vc-data-model/#what-is-a-verifiable-credential)
Differential Transparency – operational transparency signaling
An operational transparency 'trust' protocol for comparing the expected privacy state (purpose and credential) in each technical session in order to authorize an instance of processing, whereby a signal is generated only if there has been a change in the expected and known active state of privacy.
Differential Transparency (DT) is a contextual transparency-enhancing protocol that uses record serialization in order to sequence data control points. It is used to maintain a shared understanding of privacy and, conversely, of security expectations.
It is implemented by comparing the Anchored Notice Record with a newly minted eConsent receipt, to detect whether there has been a change in this expected state. Changes are detected through self-assertion or through monitoring authoritative public data sources.
DT is used by the PII Principal to automate the verification of trust, monitoring the active state of the PII Controller's legal identity and technical security performance prior to authorizing data processing activities by signing a consent notice receipt.
The Transparency Performance Indicators introduced at the start of this specification are used to transform a consent receipt into a consent token (individual authority and provenance default controls that implement rights).
Automating Operational Transparency
A human-centric notice protocol keeps a record of controllers and of the context of processing for each session or interaction, so that these contextual records, controlled, owned and secured by the PII Principal, can remember the active state of privacy and verify the PII Controller and privacy state without interrupting the service-user flow.
Notice Signal Layer: for operational transparency at a glance, using digital signaling to indicate with concentric labeling what is expected and what is not.
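As an added example, not code from the ANCR specification or any project, the following script applies the per-attribute treatments from the table above (BiT blinding of the ANCR record ID, legal location and device ID; Differential Privacy noise on Date/Time) and then runs the Differential Transparency comparison of an Anchored Notice Record against a newly minted receipt, signalling only the PII Controller fields that changed. Assumptions: a keyed HMAC stands in for encryption with the PII Principal's key, the controller data is constructed, and field names are taken from the schema attribute names on this page.

```python
"""Added example (not part of the ANCR specification): per-attribute security
treatments and the Differential Transparency comparison. Keyed HMAC is an
assumed stand-in for encrypting with the PII Principal's key."""
import hashlib
import hmac
import json
import math
import random
from datetime import datetime, timedelta, timezone
from typing import Optional

BIT_FIELDS = ("ancr_id", "ploc", "device_id")      # blinded with the Principal's key (BiT)
DP_FIELDS = ("time_stamp",)                         # noised (Differential Privacy)
LEGAL_IDENTITY_FIELDS = ("piiController_name", "piiController_legal_loc")
DT_FIELDS = LEGAL_IDENTITY_FIELDS + ("piiController_www", "piiController_certificate",
                                     "pcpp", "cnl", "legal_justification")


def blind_attribute(value: str, principal_key: bytes) -> str:
    """BiT stand-in: the output is unusable in any data set without the Principal's key."""
    return hmac.new(principal_key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def derive_ancr_id(controller: dict, principal_key: bytes) -> str:
    """ANCR record ID: a Principal-side pseudonym of the controller's legal identity
    (the 'reverse cookie'), so every record for that controller aggregates under one
    id that only the Principal can reproduce."""
    canonical = json.dumps([controller[f] for f in LEGAL_IDENTITY_FIELDS])
    return blind_attribute(canonical, principal_key)


def noise_timestamp(ts: datetime, scale_minutes: float, rng: random.Random) -> datetime:
    """Laplace noise on Date/Time so the field is not usable as evidence on its own."""
    u = rng.random() - 0.5
    offset = -scale_minutes * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return ts + timedelta(minutes=offset)


def secure_private_record(record: dict, principal_key: bytes,
                          rng: Optional[random.Random] = None) -> dict:
    """Return a copy of the private record with the BiT and DP treatments applied."""
    rng = rng or random.Random()
    out = dict(record)
    for f in BIT_FIELDS:
        if f in out:
            out[f] = blind_attribute(str(out[f]), principal_key)
    for f in DP_FIELDS:
        if f in out:
            out[f] = noise_timestamp(out[f], 30.0, rng).isoformat()
    return out


def differential_transparency_signal(anchored: dict, receipt: dict) -> dict:
    """Compare the expected state (anchored record) with the observed state (new receipt).
    Returns {field: (expected, observed)} for changed fields; an empty dict means no signal."""
    if anchored["ancr_id"] != receipt["ancr_id"]:
        raise ValueError("receipt does not belong to this anchored controller relationship")
    return {f: (anchored.get(f), receipt.get(f))
            for f in DT_FIELDS if anchored.get(f) != receipt.get(f)}


# Constructed sample data: placeholder organisation, URLs and key, not real ones.
PRINCIPAL_KEY = b"constructed-principal-key-not-real"
CONTROLLER = {"piiController_name": "Example Co", "piiController_legal_loc": "CA-ON",
              "piiController_www": "https://example.invalid",
              "pcpp": "https://example.invalid/privacy",
              "cnl": "Explicit Consent Notice", "legal_justification": "Consent"}
ANCHORED = dict(CONTROLLER, ancr_id=derive_ancr_id(CONTROLLER, PRINCIPAL_KEY),
                ploc="CA-ON", device_id="constructed-device-123",
                time_stamp=datetime(2022, 9, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    private = secure_private_record(ANCHORED, PRINCIPAL_KEY, random.Random(7))
    print("blinded ancr_id:", private["ancr_id"][:16] + "...", "noised time:", private["time_stamp"])
    # A new receipt in which the controller moved its privacy policy and changed the label.
    receipt = dict(ANCHORED, pcpp="https://example.invalid/new-policy", cnl="Implied consent notice")
    print("signal:", differential_transparency_signal(ANCHORED, receipt))
```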
...
Case Study: Differential Privacy as a mechanism for Data Control
...
For discussion with the security and privacy community. As with digital identity management, sovereign data control can be measured by identifying which PII stakeholder is in control of the personal data and the personal data process; who benefits from processing the personal data; and how dynamic the personal data controls are. The analysis results indicate which stakeholder can authorise the use of the tool, and for which purpose(s).
...
Trustworthy identity requires notice and transparency defaults, or else it is very difficult for people to trust the use of digital identity technology, as opposed to every jurisdiction and organisation deciding for itself what is transparent while services simply change their terms and conditions without notice.
The defaults for operational transparency are presented in the industry publication "Adequacy of Identity Governance Transparency", with 23 transparency defaults for notice, notification and disclosures, which are required for a ZPN code of conduct.5
eConsent is a critical and missing component in the generation of identifiers. The use of PII for big data and machine learning, including differential privacy, is arguably a breach of PII and clearly unethical, as it violates the privacy expectations of the Individual, creating records that people do not control and cannot see when they are used.
In this regard, the ethical use of differential privacy would require a record of consent to identify and profile a personal identity, and then an explicit consent for the purpose of use.
In this way PII Principals can be secure, safeguarded, and empowered in their choices through control over who benefits from their personal data, and why.
For an anchored notice record, it is recommended that PII Principal identifying information never be included in a record without being secured at the attribute level. When an eConsent receipt is provided, all PII Principal identifiers MUST be blinded except to the legitimately required stakeholders.
Any PII Controller consent record that combines raw personal identifiers may be more secure for the PII Controller, but is insecure and high risk for the PII Principal. Such systems are considered in this specification to have non-operational transparency and are not secure enough to serve as a consent record, which in this specification is a self-sovereign anchored record. Trust is understood to be relative to each stakeholder, but is represented in this specification by a PII Controller consent.
The Anchored Notice record can be extended with the standardized consent record information structure by using three (3) extensions.
The concentric notice label is used to identify the default legal justification for processing which is used for the default data processing practices.
...
This extension is written for the PII Controller, to enable the anchored record to be used as a verifiable data source for operationalizing a channel (exchange) in which PII Principals can advertise a consent grant to the controller (see Appendix 1).
Extension 2 is focused on the data treatment and rights for the purpose specified in Extension 1. This extension uses some of the ISO/IEC 27560 schema, as well as the W3C Data Privacy Vocabulary, and some additional elements regarding delegation, cross-border adequacy, and the definition of data privacy rights and data controls.
This extension extends the security code of conduct, purpose specification (Extension 1) and data treatment (Extension 2) sections with a transparency code of practice.
...
Notice Record Example Field Category | Label | Data Type | Attribute name | Field Description | Presence Requirement | TPI 1 Cntrl Id Present | TPI 2 Accessibility Example | Security TPI 3: Digital Context Integrity | ISO/IEC 29100 Ref | ISO/IEC 29184 Ref | GDPR Ref | Conv 108 Ref |
---|---|---|---|---|---|---|---|---|---|---|---|---|
PII Controller Identity | Controller ID Object | String | controller_id_object | | Required | Security key or Cert | 4.2.2 | 5.3.4 | | | | |
Presented Name of Service Provider | | String | presented_name_of_service_provider | Name of service, e.g. Microsoft | MAY | | | | | | | |
PII Controller Name | | String | piiController_name | Company/organization name | MUST | | | | | | | |
PII Controller address | | String | piiController_address | | MUST | | | | | | | |
PII Controller contact email | | Varchar(n) | piiController_contact_email | Correspondence email | MUST | | | | | | | |
PII Controller legal location | | String | piiController_legal_loc | PII Controller operating privacy law | MUST | | | | | | | |
PII Controller Phone | | Char | piiController_phone | The general correspondence phone number | SHOULD | Issuer Statement | | | | | | |
PII Controller Website | | Varchar | piiController_www | URL of website (or link to controller application) | MUST | | | | | | | |
PII Controller Certificate | | BLOB | piiController_certificate | A capture of the website SSL certificate | OPTIONAL | | | | | | | |
Privacy Contact Point Location | | VarChar(max) | pcpL | Public key, base64 (human readable, kind of...) | | | | | | | | |
Privacy Contact Point Types (pcpT) | | Object | pcpType | Must have at least one field for the PCP object | MUST | | | | | | | |
PCP-Profile | | String | pcpProfile | Privacy Access Point Profile | ** | | | | | | | |
PCP-InPerson | | String | pcpInperson | In-person access to privacy contact | ** | CRL and OCSP endpoints | | | | | | |
PCP-Email | | Varchar | pcpEmail | PAP email | ** | | | | | | | |
PCP-Phone | | char | pcpPhone | Privacy access phone | ** | | | | | | | |
PCP-PIP-URI | | Varchar | pcpPip_uri | Privacy info access point, URI | ** | | | | | | | |
PCP-Form | | Varchar | pcpForm | Privacy access form URI | ** | | | | | | | |
PCP-Bot | | String | pcpBot | Privacy bot, URI | ** | | | | | | | |
PCP-CoP | | String | pcpCop-loc | Code of practice certificate, URI of public directory with pub-key | ** | | | | | | | |
PCP-Other | | string | pcp_other | Other | ** | | | | | | | |
PCP Policy | pcpp | string | pcpp | Privacy policy, URI with standard consent label clauses | MUST | | | | | | | |
Anchored Notice Record Field Categories | Name | Type | Attribute Name | Description | Presence | | | | | | | |
ANCR Record ID | | string | ancr_id | Blinded identifier secret to the PII Principal | Required | | | | | | | |
Schema version | | string | schema_version | V x.xx.x | | | | | | | | |
Timestamp | | DATETIME | time_stamp | The time and date when the ANCR record was created | Required | | | | | | | |
Legal Justification | | string | legal_justification | One of six legal justifications used for processing personal data | | | | | | | | |
Notice Record | Object labels | VarChar(max) | notice_record | | | | | | | | | |
Notice Type | | string | notice_type | Notice, notification, disclosure | Required | | | | | | | |
Notice method | | string | notice_method | Link/URL to the UI that was used to present the notice, e.g. website home page | MUST | | | | | | | |
Digital Notice location | | string | digital_notice_location | Notice location, e.g. IP address | MUST | | | | | | | |
Location Certificate | | BLOB | location_certificate | | MAY | | | | | | | |
Notice Language | | string | notice_language | The language the notice was provided in | MUST | | | | | | | |
Notice Text File | | string | notice_text_file | URL and/or hashlink for the notice text | MUST | | | | | | | |
Notice text | | string | notice_text | The capture of a copy of the notification text | MUST | | | | | | | |
Notified legal Justification | | string | notice_legal_justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST | | | | | | | |
Concentric Notice Label Type | | string | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL | 5.3.12 | | | | | | |
Not-Consent | | | | Refers to laws and democratic consensus (Legitimate Interest, Legal Obligation, Public Interest and Vital Interest) | | | | | | | | |
Private Anchored Notice Record Field Category | Label | Type | Attribute name | Field Name | Required/Optional | | | | | | | |
Private Record | schema version # | V | | | Optional (unless shared or used further) | | | | | | | |
Anchor Notice Record id # | | Int | Ancr_id | | MUST | | | | | | | |
Date/Time | | DATETIME | | | Required | | | | | | | |
Notice Collection method | | | | | Optional | | | | | | | |
Notice Collection Location | | VarChar(max) | | | Required | | | | | | | |
Notice Legal Justification | | VarChar(max) | | | | | | | | | | |
PII Principal Legal Location | | VarChar(max) | ploc | | | | | | | | | |
Device ID | | NVarChar(max) | | | | | | | | | | |
PII Principal Private Key | | VarChar(max) | | | | | | | | | | |
...
These are mapped here to provide a set of operational transparency defaults that set and support privacy as expected by the PII Principal: expectations that provide a privacy notice starting point, where the PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing in order to access privacy rights.
Legal Justification | Description | Concentric Notice Type | Privacy Rights/PII Controls | Reference |
---|---|---|---|---|
Vital Interest | Refers to processing 'which is essential for the life of the Data Subject or that of another natural person' | Implied/implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f) |
Explicit Consent Notice | Explicit consent to processing for one or more specified2 purposes | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object/Withdraw, Restrict, Portability | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a) |
Implicit consent notice | Where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e) |
Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | Conv.108+ 10.2(b) |
Contractual Necessity | | Implied consent | Restrict Processing, Object | ISO/IEC 29184, 5.4.2; Conv.108+ (43) |
Legitimate Interest | | Implied consent | Object and restrict processing | ISO/IEC 29184, 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d) |
Public Interest | Democratically framed | Implied Consent/Consensus | | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(i, g, j) |
Legal Obligation | Processing is necessary for the establishment, exercise or defense of legal claims | | | ISO/IEC 29184, 5.4.2; Conv.108+ (f) |
Note: Participatory Consensus, and Concentric data control are two outcome specific conditions that will be added to this specification to include an assessment for operational evidence of these two outcomes.
...
Access to privacy rights and information is made meaningful through a direct mapping to specific rights, obligations and customs of interaction for data processing, which are enforceable with the references given.
Concentric Notice Type | Description | Legal Justification | Privacy Rights | Legal Ref |
---|---|---|---|---|
Non-Operational Notice (N/O) | Insufficient notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or contact | Withdraw, Object, Restrict | Conv.108+ 79.1(a); GDPR Art 13/14 1a,b |
Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | | |
Implied Consent Notice | Implied through the PII Principal's participation in a specific context | Consent | | ISO/IEC; GDPR Art 50 1 c; Conv 108+ Supplement; IPC, Canada3 |
Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
Expressed Consent notice | Expressed through the implicit action of a notified individual | Informed Consent | Withdraw | |
Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable | Consent which is knowledgeable of risk | Withdraw | Conv 108+ .1(4)1b; GDPR Art 7.1 |
Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to the notified disclosures of risk | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
Altruistic Consent | Consent to a purpose and public-benefit governance framework without knowing who the Controller of the PII will be or who the beneficiary is | Consent | | DGA, Recital 1, 2, 4, 36, 39 |
...
Codes of practice can be approved and monitored, and can combine multiple purposes together under an expected code of practice. A "purpose bundle" operated under a code of practice can be approved in order to operationalize privacy.
Anchored Record Schema ‘Structure’
...
In addition to the consent receipt schema, the ANCR record schema provides a protocol for its operation.
...
Version | Date | Summary of Substantive Changes |
---|---|---|
0.1 DRAFT | 2021-02-28 | Initial v1.1 draft |
0.5 | 2022-02-02 | Draft; updating scope to Notice and eConsent |
0.8 | 2022-07-04 | Full outline, 70% drafted |
0.8.5 | 2022-08-04 | Outline 100% draft; posted to Kantara Wiki |
8.8.2 | | Annex updates |
8.8.3 | | Restructured sections and schema, cleaned the schema up a little; practice what is preached by making the spec structurally human centric |
8.8.4.0.1 | 2022-09-18 | Content edited for grammar, consistency, clarity |
1 Lizar, M., Pandit, H., Jesus, V., "Privacy as Expected Consent Gateway", Next Generation Internet (NGI) Grant [Accessed July 4] http://privacy-as-expected.org/
...
4 For example the "Age Appropriate Design Code of Practice", http://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/
5 Lizar, M., Ortalda, A., "Report on the Adequacy of Identity Governance Transparency – DIACC Special Group Insights", Digital Identity and Authentication Council of Canada [Online]