
Version: 0.8.9

Document Date: September 2019, 2022

Editor(s): Mark Lizar, Sharon Polsky

Contributors: Sal D’Agostino, Paul Knowles

Contributing Orgs: Open Consent Group/0PN C.I.C, Privacy & Access Council of Canada, Human Colossus Foundation,

Produced by: ANCR-WG

Status: WG Draft v0.8.9 - Open for ANCR WG - Comment: (WG Review)

NOTES TO READER

This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.

...

TPI 3 – Security Certificate (or key) of Notified Controller

IPR Option:

...

Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)

Suggested Citation: (upon WG approval)

ANCR Specification v0.9

NOTICE

...

Introduction

International laws and standards, including the ISO/IEC 29100 Security and Privacy Framework, form the international framework for creating records of trustworthy ‘consented data access’ and for adequate international data transfers. They also provide an opportunity to implement a low-cost digital records and receipt mechanism, dramatically improving the security of personal data control and thereby increasing the effectiveness of cyber-physical security and digital privacy.

...

  1. The PII Controller Identity and privacy contact point

  2. The Accessibility of PII Controller Identity and Contact information

  3. The Security and Integrity of the PII Controller’s Transparency

The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, it represents a shift in the architecture of digital identity semantics towards legal semantics specific to human-centric transparency, usability, and control.

For this purpose, the ANCR record is first specified as a single-use record that the Individual controls, with three transparency performance indicators. It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The KPIs provided here are specified to provide transparency over data control and its human/decentralized data governance (specified as Operational Transparency).

Notice Record

The Notice Record is first specified as a static, one-time use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context measured by access to, and performance of, rights.

Diagram 1: Notice Record

...

Table 1: Single Use Notice Record: PII Controller Identity AND Contact Transparency Report

Field Name | Field Description | Requirement (Must, Shall, May) | Field Data Example
Notice Location | Location the notice was read/observed | MUST | http://www.walmart.com
PII Controller Name | Name of presented business | MUST | Walmart
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone
PII Controller-Correspondence Contact | General contact point | SHALL | Privacy@org.com
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | email
Privacy Contact Point | Location/address of Contact Point | MUST | Org.com/privacy.html
Session Certificate | A certificate for monitored practice | Optional | SSL Certificate Security (TLS) and Transparency

Anchoring the Notice Record for Trust

The record identifier, when added to each record, provides an anchor for the notice record in the first instance. The Anchored Notice Record can be extended for use as a ‘trust anchor’ for the PII Principal by adding an ANCR Record ID that the PII Principal can use to track the PII Controller and the data processing and digital identity relationship over time. In this way an Anchored Notice Record is a gateway to scale consent online and internationally.1

Notice Record Transparency Performance Indicators

Diagram 2: Transparency Performance Indicators

...

The first two performance indicators measure the transparency of the ‘provided’ PII Controller Identity information. They are required to measure how accessible the provided PII Controller Identity information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital identifier-based processing activities used to develop data profiles. An ANCR Record of the data processing activity demonstrates compliance, and in this way provides evidence of security and privacy compliance.

Once the capacity for digital privacy is ascertained, the third performance indicator can be used to measure the security certificate (or key) for its contextual integrity in the specific session and/or processing context.

TPI 1: PII Controller Identity and Contact Transparency

...

This transparency accessibility rating score of [+1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within a mobile application or webpage providing the client user interface.

Transparency Accessibility Rating Description (Table 2)

Rating | Description | Instruction
+1 | <<WORDS ARE.MISSING>> Controller identity is embedded and linked for auto-discovery as a credential linked to authoritative registries. | PII Controller credential is displayed, using a standard format with machine-readable language, and linked, for example, in an HTTP header in a browser
0 | PII Controller Identity prominently displayed on first view, prior to processing; on the first page of viewing, the assessment question would be: | PII Controller Identity or credential is provided in first notice
-1 | Privacy signal is not first presented, but is linked and one click and screen away | The Controller Identity, or the screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage
-3 | Identity or credential is two or more screens of view away | PII Controller Identity is not accessible enough to be considered ‘provided’

TPI 3: Certificate (and/or Key) Security Transparency

This security performance indicator requires that the notice record session certificate is collected and used to check whether the PII Controller Identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer) certificate identify the Controller, and is it secured for the jurisdictional domain, DNS and localization expectation and corresponding jurisdictional information (a digital security for privacy measure of adequacy required in a ZPN, to implement international governance interoperability with legal adequacy for eConsent)?

Certificate status, and transparency performance, are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.

Table 2: Notice Record TPI Report

Field Name | Field Description | Requirement (Must, Shall, May) | TPI 1 (Available / Not Available) | TPI 2 (Rate: +1, 0, -1, -3) | TPI 3 Certificate or Key (CN Match, OU Match, Jurisdiction Match (optional))
Notice Location | Location the notice was read/observed | MUST | Present | +1 | found
PII Controller Name | Name of presented organization | MUST | Present | 0 | Match
PII Controller Address | Physical organization address | MUST | Present | 0 | Not match
Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match
Session Key or Certificate | A certificate for monitored practice | MUST | Present (or Not found) | 1 (or -3) | Present (or No Security Detected)
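As an added illustration (not code from the ANCR specification or the working group), the following Python scores a single-use Notice Record against the three TPIs: TPI 1 checks the MUST fields of Table 1 for availability, TPI 2 applies the accessibility rating table (+1, 0, -1, -3), and TPI 3 fills the CN / OU / Jurisdiction columns of Table 2 by comparing the notified controller identity with a captured certificate subject. The record and certificate subject are constructed sample data; the `screens_away`, `machine_readable_credential` and `controller_country` inputs are assumptions added to make the rating computable, and the organisation-name normalisation is this example's own heuristic.

```python
"""Score a single-use ANCR Notice Record against TPI 1, 2 and 3 (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Table 1 fields marked MUST; TPI 1 reports each as "Present" or "Not Available".
MUST_FIELDS = ("notice_location", "pii_controller_name", "controller_address",
               "pii_controller_contact_type", "privacy_contact_type", "privacy_contact_point")


@dataclass
class NoticeRecord:
    """Single-use Notice Record (Table 1) plus the observations needed to score it."""
    notice_location: str
    pii_controller_name: str
    controller_address: str
    pii_controller_contact_type: str
    privacy_contact_type: str
    privacy_contact_point: str
    # Assumed observation inputs (not Table 1 fields): distance from first view and whether
    # the identity was exposed as a machine-readable linked credential.
    screens_away: int = 0
    machine_readable_credential: bool = False
    # Captured session certificate subject, e.g. {"CN": ..., "SAN": [...], "O": ..., "C": ...}
    session_certificate: Optional[dict] = None
    controller_country: Optional[str] = None       # assumed: country code of the jurisdiction


def tpi1_availability(rec: NoticeRecord) -> dict:
    """TPI 1: is each MUST identity/contact field available in the notice?"""
    return {f: "Present" if (getattr(rec, f) or "").strip() else "Not Available"
            for f in MUST_FIELDS}


def tpi2_accessibility(rec: NoticeRecord) -> int:
    """TPI 2: accessibility rating per the rating description table (+1, 0, -1, -3)."""
    if rec.machine_readable_credential:
        return 1      # embedded and linked for auto-discovery (e.g. in an HTTP header)
    if rec.screens_away <= 0:
        return 0      # prominently displayed on first view
    if rec.screens_away == 1:
        return -1     # one click and screen away (e.g. footer privacy-policy link)
    return -3         # two or more screens away: not accessible enough to be 'provided'


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def _normalize_org(name: str) -> str:
    """Loose organisation-name comparison: ignore case, punctuation and legal suffixes."""
    words = [w.strip(".,") for w in name.lower().split()]
    return " ".join(w for w in words if w not in {"inc", "ltd", "llc", "corp", "plc"})


def tpi3_certificate(rec: NoticeRecord) -> dict:
    """TPI 3: does the session certificate corroborate the notified controller identity?
    Score is 1 when a certificate is present and -3 when none is detected (Table 2, last row)."""
    cert = rec.session_certificate
    if not cert:
        return {"status": "No Security Detected", "cn_match": False, "ou_match": False,
                "jurisdiction_match": None, "score": -3}
    host = urlparse(rec.notice_location).hostname or ""
    names = [cert.get("CN", "")] + list(cert.get("SAN", []))
    cn_match = any(_host_matches(n, host) for n in names if n)
    ou_match = any(_normalize_org(o) == _normalize_org(rec.pii_controller_name)
                   for o in (cert.get("O", ""), cert.get("OU", "")) if o)
    jurisdiction_match = None                     # optional column
    if rec.controller_country and cert.get("C"):
        jurisdiction_match = cert["C"].upper() == rec.controller_country.upper()
    return {"status": "Present", "cn_match": cn_match, "ou_match": ou_match,
            "jurisdiction_match": jurisdiction_match, "score": 1}


def tpi_report(rec: NoticeRecord) -> dict:
    """Assemble the Notice Record TPI Report (Table 2) for one record."""
    return {"TPI1": tpi1_availability(rec), "TPI2": tpi2_accessibility(rec),
            "TPI3": tpi3_certificate(rec)}


def sample_record(with_certificate: bool = True, screens_away: int = 1) -> NoticeRecord:
    """Constructed sample data: the names, address and certificate subject are invented."""
    cert = {"CN": "*.example.com", "SAN": ["example.com"], "O": "Example Retail Inc.", "C": "CA"}
    return NoticeRecord(
        notice_location="https://www.example.com/checkout",
        pii_controller_name="Example Retail",
        controller_address="1 Sample Street, Mississauga, Ontario",
        pii_controller_contact_type="email",
        privacy_contact_type="email",
        privacy_contact_point="https://www.example.com/privacy",
        screens_away=screens_away,
        session_certificate=cert if with_certificate else None,
        controller_country="CA",
    )


if __name__ == "__main__":
    import json
    print(json.dumps(tpi_report(sample_record()), indent=2))
```

A real deployment would take the certificate subject from the TLS session rather than a dictionary, and would treat a CN/OU mismatch as a finding to record, not as something to correct silently.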

Notice Record References

For the purposes of this specification, the following terms and definitions apply as normative; non-normative to be used per context; and additive, in that they aid human understanding and data control.

...

Terms and definitions

The following definitions and reference terms are used in this specification to indicate what is normative, non-normative, and additive.

If this specification is not compatible with a jurisdiction’s privacy laws, the internationally defined terms reflected in this specification can be mapped to that jurisdiction’s laws and context-specific terms. For example, PII Principal in this document maps to the term ‘Data Subject’ in European GDPR legislation and the term ‘individual’ in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

NOTATIONS

In this document the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119].

Abbreviations and Stakeholders

The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over what organization controls the processing of personal information, and who is accountable for enforcement.

  • ANCR Record — means the Anchored Notice Record and Consent Receipt Record

  • ANCR WG — means the Advanced Notice and Consent Receipt Work Group

  • Array — means an array of field objects

  • Conv. 108+ — means the Council of Europe Convention 108+

  • FIPP — means Fair Information Practice Principles

  • IRM — means Identifier Relationship Management

  • ISO/IEC — means International Organization for Standardization/International Electrotechnical Commission

  • Object — means a field object

  • PII — means Personally Identifiable Information

  • POMME — means Privacy Operationalization Model and Method for Engineering

  • ZPN — means Zero Public Network, a network in which each processor of personal information has a controller credential

Code of Conduct

A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

...

[Source: Conv. 108+ Art 29.5]

Concentric Notice Label

This is a new field, normative in this specification.

It is used to provide a label that indicates what privacy an individual can expect by default, determined by the legal justification per context, for consistent transparency that an Individual can trust.

The types of Concentric Notice Label are specified in Annex B, which spans the spectrum of legally defined consent types, defined for the individual’s context and perspective.

Consent Notice Label Types

Not Concentric: Legal obligation or legitimate interest independent of the PII Principal

Implied Consent: The PII Controller defines the purpose

Express Consent: The Individual’s actions indicate the purpose

Explicit & Informed Consent:

Meaningful and/or Directed Consent, wherein a PII Principal specifies the purpose for the collection, use, and/or disclosure of PII. Requires and ensures a higher degree of understanding.

...

That principle concerns, in particular, information to the Data Subjects on the identity of the Controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation, and communication of personal data concerning them, which are being processed.

Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such [rules of] processing.

[Source: Conv 108+ Rec.20]

Notice

Adhering to the openness, transparency and notice principles means providing PII Principals with clear and easily accessible information about the PII Controller’s policies, procedures and practices with respect to the processing of PII;

  • including in notices the fact that PII is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the PII might be disclosed, and the identity of the PII Controller including information on how to contact the PII Controller;

  • disclosing the choices and means offered by the PII Controller to PII Principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information; and

  • giving notice to the PII Principals when major changes in the PII handling procedures occur.

[Source: ISO/IEC 29100]

To provide notice where it is required, in a language appropriate to PII Principals, at a time that permits PII Principals to meaningfully exercise consent, at places where it is easy for PII Principals to recognize.

...

[ANCR Notice Record Annex B]

Notice Modalities

The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices, or icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII Principal can parse it to optimize the user interface and help PII Principals make decisions.

[Source: ISO/IEC 29184 5.2.7]

...

That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

[Conv 108+ Rec 35]

Notice Record

Organizations should seek consent for changes such as those outlined here, and should consider whether the PII Principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII Principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.

...

[Source: ISO/IEC 29100 Table 3]

Proof of Notice

A Consent Notice Receipt, for a proof of notice, used as evidence of consent and to demonstrate compliant records of processing activities.

...

[Source: ANCR Notice Record v1 – Specification]

Personally Identifiable Information (PII)

Any information that (a) can be used to identify the PII Principal to whom Personally Identifiable Information relates, or (b) is or might be directly or indirectly linked to a PII Principal.

...

[Source: Conv. 108+ Rec 16]

PII that is in a Sensitive (or Special) Category

What constitutes Sensitive PII is defined explicitly in legislation; however, the definition might vary across jurisdictions. Sensitive PII might include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII Principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant emotional, psychological, or financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII Principal’s real time location.

...

[Source: Conv. 108+ Rec, 29]

PII Principal, Data Subject or Individual

The natural person to whom the personally identifiable information (PII) relates.

...

Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

[Additive: PIPEDA 4.9]

PII Controller

A privacy stakeholder (or privacy stakeholders) who determines the purposes and means for processing Personally Identifiable Information (PII) other than natural persons who use data for personal purposes.

NOTE: A PII Controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII Controller.

[Source: ISO 29100]

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Note: Also known as a Data Controller.

[Source: GDPR Art. 4(7)]

‘Controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law;

[Source: Conv 108+ Art 3(8)]

PII Joint Controller

Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.

...

[Source: Conv 108+ Art 86.1]

PII Processor

A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII Controller.

...

[Source: Conv. 108+ Art 3(12)]

PII Sub-Processor

Refers to the PII Controller type in the ANCR record specification.

...

[Additive: W3C DPV 2.3.1.6 http://w3c.github.io/dpv/dpv/ ]

Processing of PII

An operation or set of operations performed on personally identifiable information (PII).

...

[Source: Convention 108+]

Privacy Stakeholder

A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.

...

[Source: Conv.108+ Art 51(c)]

ISO/IEC 29100 to 27000: Security Framework Mapping

Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts

ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts
Privacy stakeholder | Stakeholder
PII | Information asset
Privacy breach | Information security incident
Privacy control | Control
Privacy risk | Risk
Privacy risk management | Risk management
Privacy safeguarding requirements | Control objectives

[Source: ISO/IEC 29100: Annex A]

Third Party (or 3rd Party)

A privacy stakeholder other than the personally identifiable information (PII) principal, the PII Controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII Controller or the PII processor.

...

[Source: Convention 108 Art 3.14]

Notice Record Schema Specification

The ANCR notice record is fundamentally a layered record schema. The first record layer is the minimum viable notice record (MVNR) that a PII Principal can make to capture the organisation/institution that controls their personal data, as well as the person accountable and liable for that legal entity. This record collects no additional data beyond what the PII Principal is required to see and understand in order to be legally informed of the risks of generating a digital identifier.

...

This schema is cumulative, where each schema layer can be added upon the previous layer.

  1. Layer 1 - Notice Record Schema.

    1. The PII Principal's private record of a notice without digital identifiers, also called a ‘minimum viable notice record’. This record is un-anchored and used for contextual purposes when it does not contain an ANCR Record ID in the ancr record id field.

  2. Layer 2 – Private Notice Record Micro-Data

    1. The metadata that can, and must, be collected with the notice record to make a digital record of the notice.

    2. It is kept private and not directly accessible, exposed or made public.

    3. The PII Principal's private record collects personal data specific to the use of the notice.

  3. Layer 3 - A Proof of Notice (PoN) record is generated

    1. A secured Anchored Notice Record generated upon engagement with a notice to demonstrate that the PII Principal is informed. This is not an opt-in or opt-out check box linked to a notice, but a check box to confirm that a notice clause has been read, with a button on the notice dialogue that generates a record and receipt when used by the PII Principal.

    2. A proof of notice record can then be used by processing stakeholders to generate subsequent (serialized) linked notice, notification and disclosure records pertinent to the context of notice.

    3. Personal identifiers and attributes are encrypted, secured, verified and validated by linking to the private notice record.

Notice Record Schema: PII Controller Identity & Privacy Contact Point Schema

These are the schema elements that are used to generate an un-Anchored Notice Record; they do not contain any PII or digital identifiers.

Field Cat Name | Name | Object Description | Presence Requirement
PII Controller Identity | Object | _ | Required
Presented Name of Service Provider | | Name of service, e.g. Microsoft | May
PII Controller Name | | Company/organization name | MUST
PII Controller Address | | _ | MUST
PII Controller Contact Email | | Correspondence email | MUST
PII Controller Jurisdiction Legal Reference | | PII Controller operating privacy law | MUST
PII Controller Phone | | The general correspondence phone number | SHOULD
PII Controller Website | | URL of website (or link to controller application) | MUST
PII Controller Certificate | | A capture of the website SSL certificate | OPTIONAL
Privacy Contact Point Location | pcpL | Direct link to security and/or privacy contact point | MUST
Privacy Contact Point Types | pcpT (Object) | Must have at least one field for the PCP object | MUST
PCP | _Profile | Privacy Access Point Profile | **
PCP | _InPerson | In-person access to privacy contact | **
PCP | _Email | PAP email | **
PCP | _Phone | Privacy access phone | **
PCP | _PIP_URI | Privacy info access point, URI | **
PCP | _Form | Privacy access form URI | **
PCP | _Bot | Privacy bot, URI | **
PCP | _CoP | Code of practice certificate, URI of public directory with pub-key | **
PCP | _Other | Other | **
PCP Policy | pcpp | Privacy policy, URI with standard consent label clauses | MUST

Private Notice Record Profile

These fields can be asserted by the PII Principal to extend the functionality beyond the transparency TPIs specified.

These private record fields are separated from the Proof of Notice schema, as these are kept and controlled by the PII Principal and are used to provide defaults.

Private Notice Record Schema

This is the data source for consented records of processing that is directed and securely verified by the PII Principal, with a secure, localized data source and device.

Record Field Name | Field Description | Verifier/Validator
Schema version | A number used by the PII Principal to track the PII Controller Record | Verifier
Anchor Notice Record id # | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | Verifier
Date/Time | The date and time a notice was read by the PII Principal | Validator
Notice Delivery Presentation Method | Notice presentation delivery method, also known as a user-interface presentation_Type | Validator
Notice Location | URL or digital address and location, physical address, or regional location where the notice was presented to the PII Principal | Verifier
Notice Legal Justification | One of the six legal justifications (PII Controller, ISO/IEC, GDPR, C108+) | Validator
PII Principal Legal Location | Refers to the privacy rules in the local context | Validator
Device Type Identifier | Device identifier or fingerprint used to verify the physical method of delivery, e.g. sign, mobile phone number, desktop computer | Verifier
PII Principal Private/Public Key Pair | The cryptographic key pair used to sign and encrypt fields in a consent record | Verifier

Proof of Notice Record

For consented digital identity management, a Proof of Notice Record is used as an alternative to terms and conditions, which refer to the contract-based policy used to mitigate the high privacy risks associated with digital identifier surveillance and profiling. Terms of use refer to contract-based policies for the governance of identifiers and credentials.

...

  1. Legal justification,

  2. Purpose of profiling

  3. Localization/Scope of disclosures & identification of 3rd Party Controllers

  4. Privacy/Security and Surveillance Risks

The 2FN provides standardized options to engage with the notice, notification, or disclosure. A 2FN is typically implemented with a software interface in which, at a minimum, these three options are available by default (and can easily be extended with a code of practice):

  1. By default, the notice can be ignored.

  2. The PII Principal provides an informed consent.

  3. Privacy rights and control options are presented and, depending on the Individual’s age and accessibility context, can be further simplified to the right to be heard and to make a complaint, in the specific context of the processing of personal data that was notified.

Note: Option 3 refers to the GDPR and Convention 108+ legal instruments, neither of which requires a digital identifier, a user account, or any other personally identifying information to access.

An ANCR Notice Record and a Consent Receipt, referred to as a mirrored (or twinned) record of a processing activity, are generated when the PII Principal engages with a notice dialogue and completes a notification sequence by selecting one of the 2FN options, and, by default, when a notice or notification is ignored. When an ‘I consent’ option is selected, an electronic notice record and an evidence-of-consent record and receipt are generated for the corresponding eConsent.

Note: The ANCR Notice Record ID is used to create and link new receipts, thereby ensuring the provenance of the PII Principal’s control of the ANCR Record.

Proof of Notice Record Schema

The Proof of Notice Record builds upon the PII Controller Identity fields and contact fields, with PII Controller Identifiers used to digitally track the state of privacy.

The 2FN produces a network event, presenting the information needed to produce an evidential record, which a PII Principal can then use independently as a credential. Such a micro-credential is used to aggregate operational transparency information, to access privacy state and rights information, or to implement personal data controls (which are required for more advanced, record-based grants of consent that permit a system to implement controls and permissions for the collection, capture, portability of, and access to private data profiles).

Field Cat | Field Name | Description | Presence
--- | --- | --- | ---
 | ANCR Record ID | Blinded identifier secret to the PII Principal | Required
 | Schema version | The notice record schema version | Required
 | Timestamp | The time and date when the ANCR record was created | Required
 | Legal Justification | One of six legal justifications used for processing personal data | Required
Notice Record | Object labels | | 
 | Notice Type | Notice, notification, disclosure | Required
 | Notice legal location | The physical location or region in which the PII Principal read the information | MUST
 | Notice presentation method | Website | MUST
 | Online notice location | Notice location, e.g., IP address | MUST
 | Location certificate | An SSL certificate or key | MAY
 | Notice language | The language the notice was provided in | MUST
 | Notice text file | URL and/or hashlink to the notice text | MUST
 | Notice text | The capture of a copy of the notification text | MUST
 | Notified legal justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST
 | Concentric Notice Label (cnl) | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose | SHALL

  • A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Receipts generated with the same schema can be compared to automate notice for operational transparency over changes to privacy state.

  • A 2FN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administrator-level privacy rights from the notice, prior to processing with consent.

  • The consent receipts produced from a 2FN can be compared independently to measure the difference in the active state and status of privacy, and to automatically produce a notification based on the difference in state.

  • Differential Transparency is produced with a tactile signal, or layer 1 notice indicator, standardized with a machine-readable data privacy vocabulary (i.e., concentric and synchronic transparency).
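As an added worked example (not code from the ANCR specification or the Kantara project), the following Python builds a Proof of Notice record as a plain dict using the ANNEX A attribute names, enforces the Presence column (Required, MUST and SHALL fields must be present and non-empty), and checks the captured notice text against a hashlink stored in notice_text_file, so that a record whose copy of the notice was altered after capture is rejected as evidence. The hashlink format (hl:sha256: followed by unpadded base64url SHA-256) and all sample values are assumptions of the example.

```python
import base64
import hashlib

# Presence column of the Proof of Notice Record schema above, keyed by the
# ANNEX A attribute names. Required, MUST and SHALL fields must be present.
PRESENCE = {
    "ancr_id": "Required",
    "schema_version": "Required",
    "time_stamp": "Required",
    "legal_justification": "Required",
    "notice_type": "Required",
    "notice_legal_location": "MUST",
    "notice_method": "MUST",
    "digital_notice_location": "MUST",
    "location_certificate": "MAY",
    "notice_language": "MUST",
    "notice_text_file": "MUST",
    "notice_text": "MUST",
    "notice_legal_justification": "MUST",
    "cnl": "SHALL",
}
MANDATORY = {"Required", "MUST", "SHALL"}


def hashlink(text: str) -> str:
    """Content hash of the notice text stored in notice_text_file. Assumed format
    (not defined by the spec): 'hl:sha256:' + unpadded base64url SHA-256 of UTF-8."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "hl:sha256:" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def missing_fields(record: dict) -> list:
    """Mandatory fields that are absent or empty, sorted by name."""
    return sorted(name for name, presence in PRESENCE.items()
                  if presence in MANDATORY and not record.get(name))


def notice_text_matches(record: dict) -> bool:
    """True when the captured notice_text still hashes to the stored hashlink,
    i.e. the copy kept in the record was not altered after capture."""
    return hashlink(record.get("notice_text", "")) == record.get("notice_text_file")


def validate_proof_of_notice(record: dict) -> list:
    """All problems found; an empty list means the record is acceptable as evidence."""
    problems = ["missing mandatory field: " + f for f in missing_fields(record)]
    if record.get("notice_text") and record.get("notice_text_file") and not notice_text_matches(record):
        problems.append("notice_text does not match notice_text_file hashlink")
    return problems


# Constructed sample: a notice read on a website and captured by the PII Principal.
NOTICE_TEXT = "We process your e-mail address to send order confirmations."
SAMPLE_RECORD = {
    "ancr_id": "blinded-ancr-id-placeholder",   # blinded by the PII Principal (see BiT)
    "schema_version": "0.8.9",
    "time_stamp": "2022-09-01T10:15:00Z",
    "legal_justification": "consent",
    "notice_type": "notice",
    "notice_legal_location": "CA-ON",
    "notice_method": "https://shop.example/",
    "digital_notice_location": "203.0.113.10",
    "notice_language": "en",
    "notice_text_file": hashlink(NOTICE_TEXT),   # hashlink computed at capture time
    "notice_text": NOTICE_TEXT,
    "notice_legal_justification": "consent",
    "cnl": "Consent",
}

if __name__ == "__main__":
    print(validate_proof_of_notice(SAMPLE_RECORD))
    tampered = dict(SAMPLE_RECORD, notice_text=NOTICE_TEXT + " And marketing.")
    print(validate_proof_of_notice(tampered))
```

The MAY field (location_certificate) is deliberately absent from the sample and does not count as a problem; a Principal-side verifier would run validate_proof_of_notice before the record is signed into a micro-credential.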

...

Notice Record Security Architecture

Overview

The ANCR Record represents the online privacy notice control record that is used to assess conformance with privacy expectations using controls and structure for consent from ISO/IEC 29184 Online Privacy Notice and Consent, which sets out the rules used to secure, protect and safeguard personal data:

  • The only identifier is the identifier the PII Principal chooses to provide to extend the functionality of the anchored record for receipts.

  • Only the PII Principal owns, controls, and delegates technical access to this identifier

  • Whenever an identifier is exchanged, it must use the Blinding Identity Taxonomy, cryptographically hashed with the PII Principal’s public/private key pair, in which the private key is held in the notice record and the public key is applied according to its purpose.

  • Only attributes from the corresponding records can be verified for a credential

  • The record MUST not be generated or managed by any other stakeholder or delegate, apart from the PII Principal in order to be a trustworthy id.

...

Security practice: requirements for the privately anchored record

The ANCR record identifier has specific security requirements and considerations, since it can be used by the PII Principal as an identifier for, and by, a PII Controller. The ANCR Notice Record can be extended to additional stakeholders with a public key. Consent records and receipts created by the PII Principal are sensitive, confidential, and secured for PII Principal ownership and control. Evidence of consent is required to access these attributes for producing or using verifiable (micro) credentials the PII Principal can validate.

The protocol requires that the ANCR Record be referenced each time a directed or altruistic consent is generated, or when decentralized data governance is required. This is done in order to verify the PII Controller identity and ensure sufficient (or any) security for the privacy state that is, and can then be, expected by the PII Principal.

Trustworthy Compliance

...

Metrics

The transparency performance indicators (TPIs) provide transparency and security assurance to the PII Controller before the Controller processes personal information.

...

  1. Differential Privacy (additive as editorial)

In this table, suggestions for which method can be applied at a per-attribute level are provided as an example.

Record Field Name | Field Description | Security | Trust Consideration
--- | --- | --- | ---
Schema version | The version of this layered notice record schema | Open Public; Required; Differential Transparency | Can be required for technical assurance by the system that the record is correctly interpreted according to the standards and best practice it is written for, and used to compare record versions
Anchor Notice Record id # | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | Blinded and pseudonymized; BiT and Differential Transparency (Required) | Only the PII Principal can decrypt and use this identifier to aggregate records and receipts specific to that PII Controller relationship. Must be used for Differential Transparency, to compare one record against another so that people can see whether privacy is what they expect
Date/Time | The date and time a notice was read by the PII Principal | Differential Privacy | Noise is put in this data field so that it is not usable as evidence without legal justification
Notice presentation method | Notice presentation medium/context in a user interface | Notice presentation vehicle | 
Notice Location | URL or digital address and location the notice was presented to the PII Principal from | Verified | Verifiable Controller Credential, used to validate and monitor the controller
PII Principal Legal Location | Refers to the privacy rules in the local context of where the PII Principal read the notice | BiT | BiT, regionally localized: codes of practice, by-laws and the like
Notice of Legal Justification | One of the six legal justifications (PII ConISO, GDPR, C108) | BiT | 
Device Identifier | The device identifier refers to the type of device (e.g., sign, mobile phone, desktop computer) and its unique identifier(s) | BiT | Notice medium
Software Identifier | An identifier, often a version number, which can be supplemented with a software configuration fingerprint | BiT; Differential Privacy | Adds noise to this fingerprint
PII Principal Pub Key | The cryptographic key used to sign consent receipts | Open Not-Public; Differential Transparency | Used to help determine if the record is secure and not fake

  1. Blinded Identity Taxonomy (BiT)

    1. A PII field security measure that is used to blind attributes that are identifiable, for example, the attributes presented in ISO/IEC 29100 section 4.4.2.

    2. A BiT attribute is encrypted with the PII Principal’s private key, so as not to be usable in any data set without the corresponding authorization authority required to decrypt the field for a specified purpose and data treatment.

    3. In this specification BiT is used by the PII Principal to encrypt and blind the ANCR record ID field, which is held in the private notice record: the pseudonymized identifier generated/provided by the PII Principal’s client security protocol.

  2. Pseudonymized Identifier

    1. The ANCR record id refers to the PII Controller legal identity captured with a notice record. Once a notice record is collected and added to a digital wallet (or pod), it can be signed to become a micro-credential, and used to present the PII Controller Identity information and to manage rights and control the processing of digital identifiers and associated information.

    2. Conceptually, the ANCR Id works as a reverse-use cookie, in that it is used by the PII Principal to remember the privacy state and track the PII Controller through different service environments, domains and jurisdictions.

  3. Verifiable Private Notice Record used in a micro-credential

    1. The PII Principal, as the holder of the notice record, can use it to verify the presentation of a PII Controller Identity.

    2. Holders of a signed notice record (proof of notice) can generate a verifiable presentation of this proof by:

      1. signing a copy of the notice record (which transforms the record into a micro-credential);

      2. exchanging this with the other stakeholder (PII Principal or Controller) as a signed consent receipt, in order to tokenize the exchange of attribute-level private record data on a per-processing-session basis (W3C Verifiable Credentials Data Model, www.w3.org/TR/vc-data-model/#what-is-a-verifiable-credential).

  4. Differential Transparency – operational transparency signaling

    1. An operational transparency ‘trust’ protocol for comparing the expected privacy state (purpose and credential) in each technical session to authorize an instance of processing, whereby a signal is generated only if there has been a change in the expected, and known active, state of privacy.

    2. Differential Transparency (DT) is a contextual transparency-enhancing protocol that uses record serialization in order to sequence data control points. It is used to maintain a shared understanding of privacy and, conversely, security expectations.

    3. It is implemented by comparing the Anchored Notice Record with a newly minted eConsent receipt, to detect whether there has been a change in this expected state. This is achieved through self-asserted changes, or through monitoring authoritative public data sources.

    4. DT is used by the PII Principal to automate the verification of trust, monitoring the active state of the PII Controller legal identity and technical security performance, prior to authorizing data processing activities by signing a consent notice receipt.

      1. Utilizing the Transparency Performance Indicators in the introduction of this specification to transform a consent receipt into a consent token (individual authority and provenance default controls to implement rights).

    5. Automating Operational Transparency

      1. A human-centric notice protocol to keep a record of controllers and the context of processing, for each session/interaction, so that these contextual records, controlled, owned and secured by the PII Principal, can remember the active state of privacy and verify the PII Controller and privacy state without interrupting the service-user flow.

      2. Notice Signal Layer: for operational transparency at a glance, using digital signaling to indicate with concentric labeling what is expected, and what is not.
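The following Python is an added example (not the project’s code) for items 1, 2 and 4 above: blinding the ANCR record id under a secret that only the PII Principal holds, so that the same controller always maps to the same pseudonymous id for that Principal while nobody without the secret can link it back, and the Differential Transparency comparison of the anchored record with a newly minted eConsent receipt, which signals only when a field of the expected privacy state has changed. HMAC-SHA256 keyed blinding stands in for the specification’s key-pair encryption, and STATE_FIELDS, the controller identity, the secret and the receipts are constructed assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


def new_principal_secret() -> bytes:
    """Secret held only by the PII Principal (assumption: a 256-bit random key
    stands in for the spec's private key)."""
    return secrets.token_bytes(32)


def _canonical(obj: dict) -> bytes:
    # Sorted keys and compact separators so the same identity always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def blind_ancr_id(controller_identity: dict, principal_secret: bytes) -> str:
    """BiT-style blinding of the ANCR record id: a keyed hash (HMAC-SHA256) of the
    PII Controller's legal identity under the Principal's secret. The same controller
    under the same secret always yields the same id, so the Principal can aggregate
    all records for that relationship; without the secret the id cannot be linked
    back to the controller nor correlated with another Principal's id."""
    return hmac.new(principal_secret, _canonical(controller_identity), hashlib.sha256).hexdigest()


# Fields whose values define the privacy state the Principal anchored (assumed set).
STATE_FIELDS = (
    "piiController_name", "piiController_legal_loc", "legal_justification",
    "notice_legal_justification", "cnl", "notice_text_file",
)


def differential_transparency(anchored: dict, receipt: dict, fields=STATE_FIELDS) -> dict:
    """Compare the anchored notice record with a newly minted eConsent receipt.
    Returns {field: (expected, observed)} for changed fields only; an empty dict
    means the active privacy state still matches what was anchored (no signal).
    A receipt with a different ancr_id is not linked to this record at all."""
    if receipt.get("ancr_id") != anchored.get("ancr_id"):
        return {"ancr_id": (anchored.get("ancr_id"), receipt.get("ancr_id"))}
    return {f: (anchored.get(f), receipt.get(f))
            for f in fields if anchored.get(f) != receipt.get(f)}


def should_signal(anchored: dict, receipt: dict) -> bool:
    """Layer-1 signal: raise a notification only when something changed."""
    return bool(differential_transparency(anchored, receipt))


# Constructed sample data (not from the specification).
CONTROLLER = {
    "piiController_name": "Example Shop Ltd",
    "piiController_legal_loc": "GB",
    "piiController_www": "https://shop.example/",
}
PRINCIPAL_SECRET = b"constructed-demo-secret-do-not-reuse"  # use new_principal_secret() in practice
ANCHORED = {
    "ancr_id": blind_ancr_id(CONTROLLER, PRINCIPAL_SECRET),
    "piiController_name": CONTROLLER["piiController_name"],
    "piiController_legal_loc": CONTROLLER["piiController_legal_loc"],
    "legal_justification": "consent",
    "notice_legal_justification": "consent",
    "cnl": "Consent",
    "notice_text_file": "hl:sha256:constructed-hashlink-v1",
}


def make_receipt(**changes) -> dict:
    """A new receipt for the same relationship, with any fields overridden."""
    return dict(ANCHORED, **changes)


if __name__ == "__main__":
    print(differential_transparency(ANCHORED, make_receipt()))
    print(differential_transparency(ANCHORED, make_receipt(legal_justification="legitimate interest")))
```

Because the comparison is field-wise, the change report can drive a concentric label (for instance cnl moving from Consent to Not-Consent) without revealing the controller identity, which stays blinded inside ancr_id.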

[Editorial Example: Differential Privacy as Data Control Use Case]

For discussion with the security and privacy community. As with digital identity management, sovereign data control can be measured by identifying which PII Stakeholder is in control of the personal data and the personal data process; who benefits from processing personal data; and how dynamic the personal data controls are. The analysis results indicate which stakeholder can authorise the use of the tool, and for which purpose(s).

  1. Differential Privacy [not to be confused with Differential Transparency]

    1. A method to produce noise in a personal data profile and data sets so that the output cannot be used as conclusive evidence, or used to attack systems. A safeguard that is described as a way to provide a ‘buffer’ to protect the PII Principal from harms.

      1. A relevant topic defined in the ANCR Record used in a different context: not as a tool used by a PII Controller, but as a control for the PII Principal to use when engaging with PII Controller services.

    2. Synthetic personal data can be generated from the Anchored Private Notice record and linked eConsent receipts with the use of verified micro-credentialing.

    3. These records and receipts can be used to provide safe environments to model future personal data, anonymize the PII Principal’s own data before use, provide statistical data to services and trusts, and safeguard Altruistic Consent (see concentric data types), which can be employed to open certain data types for a specific purpose to help people and society.

    4. Differential privacy can be used to evaluate structural deficiencies in existing data models (online profiles), and to invalidate data sets through access rights which are near universal.

    5. Differential privacy tools can generate synthetic personal data to increase the size of a personal data set, and to employ machine learning systems on behalf of the PII Principal to address and secure the use of PII in machine learning systems, ultimately to enable the individual to address contextual and even adversarial scenarios, and to diffuse data in order to address the privacy harms that exist with the use of big data without transparency or consent. Like any other tool it can be used in good and bad ways.

Security Code of Conduct

Non-national standards are used in this specification to mediate transborder data controls and policies, and to provide extra-territorial governance. National standards are limited in terms of governance policy.

  • This specification advocates using international standards for measuring adequacy, mapping the rules, vocabulary and semantics presented in this specification to national standards and regional privacy regulation.

  • eConsent is a security access control that is required to make a record that a PII Principal signs by engaging with a Two Factor Notice (2FN).

A code of conduct in this specification refers to a regulation and/or a Regulator-approved set of rules, which are enforceable, as opposed to a transparency code of practice, which refers to a certifiable best practice used to implement a code of conduct, for example, requiring the use of two factor notice.

ISO/IEC Security and Privacy Techniques Framework

  • ISO/IEC 29100 - Security and Privacy schema, information structure

    • Mature, mutually exclusive, and collectively exhaustive framework used to identify security and privacy stakeholder roles in data governance

    • The ANCR record is specified to propose a standard method, to secure records that can be self-asserted by people to control, use, and trust online.

    • It is envisioned that the only data ever seen by the PII Principal and accessible only via verification are those specifically delegated as such by the PII Principal.

  • PII Controller uses privacy stakeholders as a mutually inclusive and collectively exhaustive technology governance framework for cross-border identifier exchanges

  • All data processing is required to be transparent by default and provide notice, notifications, and disclosures, all of which can be automated with this specification.

    • Transparency defaults are provided in relation to adequacy with international best practice in order to be interoperable with EU-GDPR and Convention 108 to operationalize transparency with enforcement.

  • Every non-person entity, or delegate, processing personal data is a PII Controller. An unidentified PII Controller is a 3rd Party, and requires a PII Controller Category with a scope of authority for the context of processing personal data.

    • The PII Controller can have many roles, according to the context of processing (e.g., Joint Controller, PII Processor, PII Sub-processor, 3rd Party).

  • 3rd Party Recipients

    • All 3rd parties MUST be identified as a PII Controller to

    • A stakeholder without a Controller ID, or a role in the direct purpose of processing, is required to provide the legitimate legal justification and specified purpose.

    • Monitoring of non-identified controllers should include using a different legal justification, like legal obligation. For automated discovery of security events, processing without authority could further be analyzed for mis-information and fraud detection.

    • Assurances that 3rd parties can also be identified as a PII Controller.

    • Assurances that all PII Joint Controllers, Processors or Sub-Processors are accountable and identifiable as a PII Controller.

    • A PII Controller Identity credential is required to produce a consent notice receipt for verification, validation and authorisation by the PII Principal.

    • The Holder, Verifier, and Issuer roles in Self-Sovereign Identity (SSI) and Decentralized Identifiers (DIDs) are interoperable with IAM system roles and can be directly mapped to PII Controller roles.

  • ANCR notice records can be generated by the PII Principal and notarized by a 3rd Party authority, on behalf of the PII Principal, for use independently of a PII Controller.

  • Differential Privacy

    • An editorial use case, in which the question is asked: who controls the choice to use differential privacy? Is it the PII Principal or the PII Controller, or both? It is presented in the context that the PII Principal is in control of the record and of the choice to use the method, as opposed to the PII Controller being in control and deciding when to use it without proof in the form of electronic notice and consent.

    • To address a security gap (dis-empowering 3rd Party data processing without consent): the creation of an identifier for system access and management, or any type of tracking, is referred to as profiling, which constitutes a high-risk privacy activity.

    • To mitigate the substantial risks of digital identifier management technologies, any secondary use of the data, including ‘Differential Privacy’, must a) be transparent (specified with the consent information structure) and b) be consented to, with a proof of notice receipt as evidence of consent.

    • This means processing is specific to the purpose of the consent (Note: unless derogated in law, which is also provided in notice and represented in a code of practice for the service).

    • Best Practice: consent for the service to re-use a PII Principal profile for a secondary purpose is a specific, explicit consent, not an opt-in or opt-out governance control.

Trustworthy ID

...

  • Trustworthy identity requires notice and transparency defaults, or else it is very difficult for people to trust the use of digital identity technology, as opposed to every jurisdiction and organisation deciding the standard, while services just change their terms and conditions.

  • eConsent is a critical and missing component in the generation of identifiers; the use of PII for big data and machine learning, including differential privacy, is arguably a breach of PII and clearly unethical, as it violates the privacy expectations of the Individual. This goes to the over-arching point of provenance of authority through consent: the use of digital identity technology requires electronic notice and, when required, electronic consent; otherwise it creates records people don’t control, and can’t see when they are used.

  • In this regard, ethical use of differential privacy would require a record of consent to identify and profile a personal identity, and then an explicit consent for the purpose of use.

    • In this way PII Principals can be secure, safeguarded, and empowered in their choices through control of who benefits from their personal data and why.

  • Bottom Line: for an anchored notice record, it is recommended that PII Principal identifying information MUST never be included in a record without being secured at the attribute level in the record. When an eConsent receipt is provided, all PII Principal identifiers MUST be blinded and, in this way, pseudonymized, in a format in which identifiers can be made portable (data portability), e.g., with a verifiable credential using zero-knowledge proof, except for the legitimately required stakeholders.

  • Any PII Controller consent records that combine raw personal identifiers with a consent record may be more secure for a PII Controller but are insecure and high risk for the PII Principal; those systems are considered in this specification to have non-operational transparency.

Notice Record Extensions (for a Consent Record information structure)

The Anchored Notice record can be extended with the standardized consent record information structure by using three (3) extensions.

Extension 1

The concentric notice label is used to identify the default legal justification for processing which is used for the default data processing practices.

...

The extension is written for the PII Controller, to enable the anchored record to be used as a verifiable data source for operationalizing a channel (exchange) where PII Principals can advertise a consent grant to the controller. (see Appendix 1 )

Extension 2

Extension 2 is focused on the data treatment and rights of the purpose specified in Extension 1. This extension uses some of the ISO/IEC 27560 schema, as well as the W3C Data Privacy Vocabulary, and some additional elements regarding delegation, cross-border adequacy, and the definition of data privacy rights and data controls.

Extension 3

Extending the security code of conduct, purpose specification (Extension 1) and data treatment sections (Extension 2) with a transparency code of practice.

...

This can be further extended (internationally) where the field data, categories, vocabulary, ontology and record formats are specified (to be hosted by a non-national regulatory body) to enable decentralized data exchange governance at a global scale.

[Note: The appendices introduce the new elements found in this specification, as well as a schema map for interoperability with ISO/IEC 27560 for contribution.]

Acknowledgements

  • Kantara Community, DIACC, ToiP, W3C DPV and Consent

  • The ISO/IEC 27560 committee

  • Standards Council of Canada

  • PasE; Consent Gateway Team and the NGI – Next Generation Internet Grant contribution

References

[Conv 108+] Council of Europe, Convention 108 +

...

[ISO 639] ISO 639-1:2002, Codes for the representation of names of languages — Part 1: Alpha-2 code http://www.iso.org/standard/22109.html

[Kantara Initiative] Blinding Identity Taxonomy [BiT]

...

Click through to no-cost licence: standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip

Annex (WiP to v8.9.9)

ANNEX A : ANCR OPERATIONAL SCHEMA

ANCR Record Schema

This ANCR Record uses MySQL record data types as the example data types for records, unlike consent notice receipt tokens, which use JSON-LD web token data types (ISO/IEC 29184 Annex B: Consent [Notice] Receipt).

The Notice Record uses the data types of a record in a database, which map to MySQL, unlike the consent receipt, which uses JSON token data types.

Terms and Definitions

Attribute Name: data types for attribute … machine readable element

  • Array [attribute type]: a data type that defines a structure that holds several data items or elements of the same data type. When you want to store many pieces of data that are related and have the same data type, it is often better to use an array instead of many separate variables (e.g. array[text], array[numeric], etc.).

  • Binary: a data type that defines a binary code signal, a series of electrical pulses representing numbers, characters, and performed operations. Based on a binary number system, each digit position represents a power of two (e.g., 4, 8, 16, etc.). In binary code, a set of four binary digits or bits represents each decimal number (0 to 9). Each digit only has two possible states: off and on (usually symbolised by 0 and 1). Combining basic Boolean algebraic operations on binary numbers makes it possible to represent each of the four fundamental arithmetic operations of addition, subtraction, multiplication, and division.

  • Boolean: a data type where the data only has two possible variables: true or false. In computer science, Boolean is an identification classifier for working out logical truth values and algebraic variables.

  • DateTime: a data type that defines the number of seconds or clock ticks that have elapsed since the defined epoch for that computer or platform. Common formats (see 'Format Overlay') include dates (e.g., YYYY-MM-DD), times (e.g., hh:mm:ss), dates and times concatenated (e.g., YYYY-MM-DDThh:mm:ss.sss+zz:zz), and durations (e.g., PnYnMnD).

  • Document Reference

  • Element Reference

  • Field Category

  • Field Description

  • Field Label

  • Numeric: a data type that defines anything of, relating to, or containing numbers. The numbering system consists of ten different digits: 0, 1, 2, 3, 4, 5, 6, 7, 8,and 9.

  • Reference: a data type that defines a self-addressing identifier (SAID) that references a set of attributes through its associated parent. SAID is an identifier that is deterministically generated from and embedded in the content it identifies, making it and its data mutually tamper-evident.

  • Text: a data type that defines a human-readable sequence of characters and the words they form, subsequently encoded into computer-readable formats such as ASCII.

ANCR Specification Schema Table

Notice Record Example: Field Category PII Controller Identity

Label | Data Type | Attribute name | Field Description | Presence Requirement | TPI / Standards Ref (TPI 1 Cntrl Id Present; TPI 2 Accessibility Example; Security TPI 3: Digital Context Integrity; ISO/IEC 29100 Ref; ISO/IEC 29184 Ref; GDPR Ref; Conv 108 Ref)
--- | --- | --- | --- | --- | ---
Controller ID Object | String | controller_id_object | _ | Required | Security key or Cert; 4.2.2; 5.3.4
Presented Name of Service Provider | String | presented_name_of_service_provider | Name of service, e.g. Microsoft | May | 
PII Controller Name | String | piiController_name | Company/organization name | MUST | 
PII Controller Address | String | piiController_address | _ | MUST | 
PII Controller Contact Email | Varchar(n) | piiController_contact_email | Correspondence email | MUST | 
PII Controller Legal Location | String | piiController_legal_loc | PII Controller operating privacy law | MUST | 
PII Controller Phone | Char | piiController_phone | The general correspondence phone number | SHOULD | Issuer Statement
PII Controller Website | Varchar | piiController_www | URL of website (or link to controller application) | MUST | 
PII Controller Certificate | BLOB | piiController_certificate | A capture of the website SSL certificate | OPTIONAL | 
Privacy Contact Point Location | VarChar(max) | pcpL | Public key, base64 (human readable, kind of...) | | 
Privacy Contact Point Types (pcpT) | Object | pcpType | Must have at least one field for the PCP object | MUST | 
PCP-Profile | String | pcpProfile | Privacy Access Point profile | ** | 
PCP-InPerson | String | pcpInperson | In-person access to privacy contact | ** | CRL and OCSP endpoints
PCP-Email | Varchar | pcpEmail | PAP email | ** | 
PCP-Phone | char | pcpPhone | Privacy access phone | ** | 
PCP-PIP-URI | Varchar | pcpPip_uri | Privacy info access point, URI | ** | 
PCP-Form | Varchar | pcpForm | Privacy access form URI | ** | 
PCP-Bot | String | pcpBot | Privacy bot, URI | ** | 
PCP-CoP | String | pcpCop-loc | Code of practice certificate, URI of public directory with pub-key | ** | 
PCP-Other | string | pcp_other | Other | ** | 
PCP Policy (pcpp) | string | pcpp | Privacy policy, URI with standard consent label clauses | MUST | 

Anchored Notice Record Field Categories

Name | Type | Attribute Name | Description | Presence
--- | --- | --- | --- | ---
ANCR Record ID | string | ancr_id | Blinded identifier secret to the PII Principal | Required
Schema version | string | schema_version | V x.xx.x | 
Timestamp | DATETIME | time_stamp | The time and date when the ANCR record was created | Required
Legal Justification | string | legal_justification | One of six legal justifications used for processing personal data | 
Notice Record | VarChar(max) | notice_record | Object labels | 
Notice Type | string | notice_type | Notice, notification, disclosure | Required
Notice method | string | notice_method | Link/URL to the UI that was used to present the notice, e.g. website home page | MUST
Digital notice location | string | digital_notice_location | Notice location, e.g. IP address | MUST
Location certificate | BLOB | location_certificate | | MAY
Notice language | string | notice_language | The language the notice was provided in | MUST
Notice text file | string | notice_text_file | URL and/or hashlink for the notice text | MUST
Notice text | string | notice_text | The capture of a copy of the notification text | MUST
Notified legal justification | string | notice_legal_justification | Implied or explicit notified legal justification based on the text of a notice and its context | MUST
Concentric Notice Label Type | string | cnl | A label that is mapped to legal justifications, rights and controls that can be provided by default, for a specified purpose (ref 5.3.12) | SHALL

Not-Consent: refers to laws and democratic consensus (Legitimate Interest, Legal Obligation, Public Interest and Vital Interest).

Private Anchored Notice Record Field Category

| Label | Type | Attribute name | Field Name | Required/Optional |
|---|---|---|---|---|
| Private Record schema version # | | V | | Optional (unless shared or used further) |
| Anchor Notice Record id # | Int | ancr_id | | MUST |
| Date/Time | DATETIME | | | Required |
| Notice Collection method | | | | Optional |
| Notice Collection Location | VarChar(max) | | | Required |
| Notice Legal Justification | VarChar(max) | | | |
| PII Principal Legal Location | VarChar(max) | ploc | | |
| Device ID | NVarChar(max) | | | |
| PII Principal Private Key | VarChar(max) | | | |

The ancr_id is typed Int here but string in the Anchored Notice Record table above; one type should be used consistently across both records. This private record carries the PII Principal's device identifier and private key: it is the Principal-side counterpart of the anchored record, and those two fields are not part of what is disclosed to the PII Controller.
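A presence and integrity check over the three record blocks defined above, written as an added example; it is not code from the ANCR specification or from any implementation of it. The attribute names are taken from the tables. The hashlink format (a "sha256:" prefix plus the hex SHA-256 of the notice text), the HMAC-SHA256 construction used to blind the ancr_id under a secret held only by the PII Principal, and every sample value are assumptions of this example.

```python
"""Presence and integrity checks over an Anchored Notice Record.

Added example, not code from the ANCR specification. Attribute names follow the
schema tables; the hashlink format, the HMAC blinding of ancr_id and all sample
values are assumptions of this example.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# MUST fields of the PII Controller block (presence column of the first table).
CONTROLLER_MUST = (
    "piiController_name", "piiController_address", "piiController_contact_email",
    "piiController_legal_loc", "piiController_www", "pcpType", "pcpp",
)
# The "**" rows: at least one of these must be present inside the pcpType object.
PCP_FIELDS = (
    "pcpProfile", "pcpInperson", "pcpEmail", "pcpPhone", "pcpPip_uri",
    "pcpForm", "pcpBot", "pcpCop-loc", "pcp_other",
)
# MUST / Required fields of the anchored notice record block.
RECORD_MUST = (
    "ancr_id", "time_stamp", "notice_type", "notice_method",
    "digital_notice_location", "notice_language", "notice_text_file",
    "notice_text", "notice_legal_justification", "cnl",
)


def hashlink(notice_text: str) -> str:
    """Content hash of the captured notice text.

    Assumption: 'sha256:' followed by the hex SHA-256 of the UTF-8 text; the
    tables only say notice_text_file carries a URL and/or hashlink.
    """
    return "sha256:" + hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def blinded_ancr_id(principal_secret: bytes, controller_www: str) -> str:
    """Derive ancr_id as a blinded identifier under a secret only the PII
    Principal holds (assumption: HMAC-SHA256 keyed by that secret, over the
    controller's website URL as the controller identifier). The Controller
    cannot recompute or link it without the secret."""
    return hmac.new(principal_secret, controller_www.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def validate(record: dict) -> list:
    """Return the list of rule violations; an empty list means the record passes."""
    problems = []
    for field in CONTROLLER_MUST + RECORD_MUST:
        if not record.get(field):
            problems.append("missing MUST field: " + field)
    pcp = record.get("pcpType")
    if not isinstance(pcp, dict) or not any(pcp.get(f) for f in PCP_FIELDS):
        problems.append("pcpType must carry at least one PCP field")
    # If notice_text_file carries a hashlink it must match the captured text,
    # otherwise the record's copy of the notice is not verifiable.
    link = record.get("notice_text_file", "")
    if "sha256:" in link and hashlink(record.get("notice_text", "")) not in link:
        problems.append("notice_text_file hashlink does not match notice_text")
    return problems


def sample_record(principal_secret: bytes = b"constructed-principal-secret") -> dict:
    """A constructed record that satisfies the rules (all values are made up)."""
    www = "https://controller.example"
    text = "We process your email address to deliver the newsletter you signed up for."
    return {
        "piiController_name": "Example Controller Ltd",
        "piiController_address": "1 Example Street, Exampletown",
        "piiController_contact_email": "privacy@controller.example",
        "piiController_legal_loc": "GDPR (EU)",
        "piiController_www": www,
        "pcpType": {"pcpEmail": "dpo@controller.example"},
        "pcpp": www + "/privacy-policy",
        "ancr_id": blinded_ancr_id(principal_secret, www),
        "time_stamp": datetime(2022, 9, 18, tzinfo=timezone.utc).isoformat(),
        "notice_type": "notice",
        "notice_method": www + "/",
        "digital_notice_location": "192.0.2.10",
        "notice_language": "en",
        "notice_text_file": www + "/notice.txt#" + hashlink(text),
        "notice_text": text,
        "notice_legal_justification": "consent",
        "cnl": "Explicit Consent Notice",
    }


if __name__ == "__main__":
    rec = sample_record()
    print("valid record:", validate(rec))
    rec["notice_text"] += " We also use it for marketing."
    print("tampered notice text:", validate(rec))
```

The hashlink check is the part worth keeping even if the rest of the schema changes: a record that stores both a copy of the notice text and a content hash of it lets either party show later that the notice presented is the one on file, and a mismatch is evidence that one of the two was altered.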

ANNEX B: Concentric Notice Label Types

The object of the ANCR record is to enable operational transparency. A concentric notice type is used to provide a human-centric label for a record or a receipt.

The ANCR record is intended to extend operational transparency to a Privacy Operationalization Model and to provide a scalable method for engineering operational privacy, specifying here the right of transparency to include

...

This references the corresponding ISO/IEC 29184 control to enhance the interoperability of operational transparency: interoperability that is realized by extending transparency with records of processing, so as to establish and maintain a shared understanding of security and privacy risks, and to afford people choices which mitigate risks and transfer liability.

Mapping Legal Justifications to Concentric Notice Types

These are mapped here to provide a set of operational transparency defaults that set and support privacy as expected by the PII Principal: expectations that provide a privacy notice starting point, where PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing in order to access privacy rights.

| Legal Justification | Description | Concentric Notice Type | Privacy Rights/PII Controls | Reference |
|---|---|---|---|---|
| Vital Interest | Refers to processing 'which is essential for the life of the Data Subject or that of another natural person'. Processing of personal data ... | Implied/implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f) |
| Explicit Consent Notice | Explicit consent to processing for one or more specified² purposes | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object/Withdraw, Restrict, Portability | 29184, 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a) |
| Implicit consent notice | And where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e) |
| Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | CoE 108+ 10.2(b) |
| Contractual Necessity | | Implied consent | Restrict Processing, Object to | 29184, 5.4.2; Conv.108+ (43) |
| Legitimate Interest | | Implied consent | Object and restrict processing | 29184, 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d) |
| Public Interest | Democratically framed | Implied Consent/Consensus | | 29184, 5.4.2; Conv.108+ 10.2(i, g, j) |
| Legal Obligation | Processing is necessary for the establishment, exercise or defense of legal claims | | | ISO/IEC 29184, 5.4.2; Conv.108+ (f) |

Note: Participatory Consensus and Concentric Data Control are two outcome-specific conditions that will be added to this specification, including an assessment for operational evidence of these two outcomes.

Concentric digital transparency is a design principle for electronic notice and evidence of consent. The outcomes are a shared (concentric) understanding of a relationship and of the purpose of a digital interaction, its data control impact, and the associated risks, centred on the PII Principal.

Concentric Notice Labels to Privacy Rights

Concentric Notice Types are used to create a digital notice label that can be applied to a digital processing context and understood from a human-centric perspective.

...

Access to privacy rights and information is made meaningful through a direct mapping to the specific rights, obligations and customs of interaction for data processing, which are enforceable through the references given.

| Concentric Notice Type | Description | Legal Justification | Privacy Rights (GDPR) | Legal Ref |
|---|---|---|---|---|
| Non-Operational Notice (N/O) | Insufficient notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or its contact | Withdraw, Object, Restrict, Access/Edit, Forget | Conv.108+ 79.1(a); GDPR Art 13/14 1(a), (b) |
| Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | | |
| Implied Consent Notice | Implied through the PII Principal's participation in a specific context, or through a notice from the PII Controller for a specific purpose context. Can also refer to an existing state of privacy and its established status, aka 'applied consent' to data processing. | Consent | | ISO/IEC; GDPR Art 50 1 c; Conv.108+; Supplement: IPC, Canada³ |
| Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal. | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
| Expressed Consent notice | Expressed through the implicit action of a notified individual. | Informed Consent | Withdraw | |
| Explicit Consent Notice | Provided in such a way that the consent is informed, freely given and knowledgeable. | Consent which is knowledgeable of the risk | Withdraw | Con 108+.1(4)1b; GDPR Art 7.1 |
| Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to the disclosures of risk that are notified. | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
| Altruistic Consent | Consent to a purpose and a public-benefit governance framework without knowing who the Controller of the PII will be, or who the beneficiary is | Consent | | DGA, Recitals 1, 2, 4, 36, 39 |

Appendix — EXTENSIONS

Extension 1: Purpose Specification

(For the latest draft of this Extension, or to get involved in working on it, visit ANCR WG‑Kantara Wiki ANCR - Extension 1 – ISO/IEC 27560 - Consent record information structure)

...

SUMMARY

An Anchored Notice Record is specified to capture the data control relationship between the PII Principal and the PII Controller, using the international ISO/IEC 29100 standard.

...

  • This purpose schema is specified for the PII Controller, and can also be used by a Privacy Stakeholder as a record to assess a purpose

  • The ANCR protocol generates a Record of Notice containing the Controller ID and contact. This is always the event, and in this regard the ancr_id maps to the event id; to this extent, an event schema section is not required.

  • The ANCR record is specified to ISO/IEC 29100, in which the 'privacy and security stakeholders' are defined. In the context of the ANCR record this means that any role other than the PII Principal has a Controller ID relative to the PII Principal, in addition to its role for the specific context of processing (e.g. processor, recipient, third party, which represent the processing role and activity relative to the ANCR record). This enables liability and risks to be delegated and transferred amongst the stakeholders specified for a per-process instance. As a result, the party_ID schema is incorporated in the ANCR Record ID, which is specific to a PII Controller, not to a service or purpose.

...

Introduction

The consent receipt, and the associated record information structure, were conceived as a record that captures the notice of a PII Controller, or the notice context of the PII Principal.

...

In this regard, ISO/IEC 27560 is specified with the utility of the consent receipt in mind, which is to specify the purpose of personal data use and the risks, so that people can make informed choices and control personal data.

...

...

Schema Interoperability

The ANCR protocol generates a Record of Notice containing the Controller ID and contact. This is always the schema 'event' indicator; in this regard the ancr_id field maps to, and replaces, the event id field in the ISO/IEC 27560 WD 5 consent record information structure.

...

The ANCR record can itself be extended into a Controller Credential (see the ToIP Controller Credential page: wiki.trustoverip.org/pages/viewpage.action?pageId=27722576). When the ANCR record is used in a consent receipt flow it can also be used to ...

...

...

Schema Mapping

The following mapping of the ANCR record schema conforms to the instructions provided in ISO/IEC 27560. To this extent, and in accordance with ISO/IEC 27560 clause 6.2.3, this annex publishes the ANCR Record Schemas at Kantara, hosted at the Human Colossus Foundation for the Global Privacy Rights public benefit initiative.

...

The Anchored Record Schema 'Structure' sections refer to ISO/IEC 27560 WD4, line 362, which calls out the need to reference the schema(s) and information structure used, in addition to demonstrating the capacity to maintain documentation for their correct technical implementation and for conformance to the requirements specified in the ISO/IEC 27560 documents.

Extension 2: Data Treatment

In summary, the elements from ISO/IEC 27560 that frame data treatment are found in Extension 3, in addition to [ ]

Extension 3: Code of Practice

The ANCR record is specified in this information structure according to a legally defined code of conduct: each required element is referenced to the standards and legislation which constitute the code of conduct for an operational transparency, trustworthy identity protocol.

The legal code of conduct is extended by codes of practice, which are often recognized as certifications and represented by digital certificates, public keys and certification marks.

Extension Library

Terms, definitions, field data, record examples and the machine-readable privacy vocabulary used to generate notices, notifications and disclosures are provided here.

Revision history

| Version | Date | Summary of Substantive Changes |
|---|---|---|
| 0.1 DRAFT | 2021-02-28 | Initial v1.1 draft |
| 0.5 | 2022-02-02 | Draft: updating scope to Notice and eConsent |
| 0.8 | 2022-07-04 | Full outline / 70% drafted |
| 0.8.5 | 2022-08-04 | Outline 100% draft; posted to Kantara Wiki |
| 8.8.2 | | Annex updates |
| 8.8.3 | | Restructured sections and schema; cleaned the schema up a little (practising what is preached by making the specification structurally human-centric) |
| 8.8.4.0.1 | 2022-09-18 | Content edited for grammar, consistency and clarity |

1. Lizar, M., Pandit, H., Jesus, V., "Privacy as Expected: Consent Gateway", Next Generation Internet (NGI) grant [accessed July 4], http://privacy-as-expected.org/

...