Anchored Notice and Consent Receipt (ANCR) Record for Operational Transparency

Version: 0.8.9.23

Document Date: October 8, 2022

Editor(s): Mark Lizar, Sharon Polsky

...

Contributing Orgs: Open Consent Group/0PN C.I.C, Privacy & Access Council of Canada, Human Colossus Foundation

Produced by: ANCR-WG

Status: WG Draft v0.8.9 (WG Review)

...

In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.

Abstract:

At present, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before that collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites as ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ or ‘data sharing agreements’, which do not implement the privacy people expect.

No mechanism is currently available for Individuals to assert authority in advance of disclosing their personal information, and there is no way for them to determine, control, or negotiate the conditions or sources under which data about them may be processed, used, managed, or associated with other data.

Lack of transparency and consent defaults prevent Individuals from knowing or seeing (and therefore from trusting or controlling) when digital identifiers and related metadata about themselves are created, used, or disclosed for additional purposes. This systemically prohibits the interaction, access and participation required for individuals to see how information about themselves is used, when, by whom, and for what purposes.

Enabling individuals to see how information about themselves is used, when, by whom, and for what purposes requires a standardized transparency mechanism: a way to provide data governance that scales when decentralized.

The Anchored Notice and Consent Record implements a standard of transparency that enables Individuals to see whether PII about them is being used in ways that are private, and whether, when, where, and to whom it is disclosed, locally, domestically, or internationally.

The ability to direct and control the collection, use and disclosure of information about themselves is essential for Individuals to have the technical capacity to trust the management of surveillance, personal identity, and advanced digital data analysis technologies.

This specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’, specifying an active technical object for managing the rules of data and its consented exchange.

The ANCR process creates a record of operational transparency over data control and processing that works to regulate surveillance from offline and online activities, in much the same way as financial transactions are now regulated and tracked.

The Anchored Notice and Consent Receipt (ANCR) Record specification enables individuals (i.e., a PII Principal) to employ a 3-layer notice record schema to indicate their consent for a specific data exchange. PII Principals can extend the single-use (layer 1) record schema with a layer 2 schema that incorporates a digital identifier to serve as a ‘proof of notice’ record for repeated use in concentric data exchanges.

The third notice record schema, the anchored notice record, is a private information (identity relationship) record that treats security requirements as a pre-condition for generating records and receipts in identifier management systems.

Finally, an active technical record of processing activities gives the PII Principal in-context transparency over who is accountable for processing Personally Identifiable Information (PII), which is a pre-condition of processing PII for human-interoperable governance and security.

In this first rendition of the ANCR framework specification it is the PII Principal who manages consented surveillance, and the processors who each manage and comply with the permissions granted for a specified purpose and scope. To this point, this specification focuses on transparency performance for the assessment of data control and its impact, including three ANCR Framework Extensions, summarized in the Appendix, for extending transparency over data control with:

  • Extension 1: consented purpose specification

  • Extension 2: data treatment and rights-based controls

  • Extension 3: bundling codes of conduct and practice in implementation

Subsequent iterations and extensions of this specification focus on a Controller Credential agnostic to identifier technology: the use of notice records as micro-credentials, and of consent receipts as tokens for proof of notice for any of the six legal justifications for processing, as well as evidence of electronic consent.

Specification Components

This introduction demonstrates the use of an ISO/IEC 29100 record of processing to illustrate the use of ISO/IEC 29184 controls to assess the performance of this record.

The ANCR Record specification introduces three (3) transparency performance indicators (TPIs) that an Individual can use to assess an organization’s transparency — how it collects, uses, and discloses Personally Identifiable Information — before electing to provide their personally identifiable information or authorize its collection, use, processing, or disclosure.

TPI 1 – Notice of Identity of Controller

TPI 2 – Accessibility of Notice

TPI 3 – Security Certificate (or key) of Notified Controller

IPR Option:

This ANCR Record Specification is available for use for public benefit licensing @0PN C.I.C and the open schema available @Human Colossus, and is specified under a Reasonable and Non‑Discriminatory (RAND) agreement at the Kantara Initiative for submission to ISO/IEC SC 27 WG 5

Published for use as public infrastructure through code of conduct and practice in industry and trade certification bodies.

Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)

Suggested Citation: (upon WG approval)

ANCR Specification v0.9

NOTICE

This document has been prepared by Participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.

Kantara is known around the world for incubating innovative concepts, operating Trust Frameworks to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. 'Nurture, Develop, Operate' captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.

Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.

...

Contents

Table of Contents

...

International laws and standards, including the ISO/IEC 29100 Privacy framework, are the international framework for creating records for trustworthy ‘consented data access’ and for adequate international data transfers. They provide an opportunity to implement a low-cost digital (twin) record and receipt mechanism, and thus to dramatically improve the security of personal data control, thereby increasing the effectiveness of cyber-physical security and digital privacy.

This specification is a contribution to ongoing work at ISO/IEC SC27 WG5, using ISO/IEC 29100 to create a standardized Record of Processing format for notice records and consent receipts.

The Notice Record is specified for generating operational transparency with the use of the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notice and consent receipts. [ISO/IEC 29184, Appendix B]

Why was this specification written?

An internationally standardized notice and consent record information structure provides the standard for a PII Principal to generate records independently of the PII Controller, and to hold, control and manage them separately from the PII Controller in order to withdraw consent. This specification is proposed to capture, measure, and standardize the transparency of PII Controllers’ security and privacy practice through the entire lifecycle of personal information collected from a PII Principal.

Why Operational Transparency?

Standardized digital notice is a stepping stone to operational privacy and is required to scale human-to-system (electronic) consent online: a record that is provided by default using standard digital identifier governance defaults, designed for self-sovereign/human-centric transparency and interoperability between people and systems.

The notice record information structure is specified in this document using the ISO/IEC 29100 Privacy framework, which is a free and publicly available standard. ISO/IEC 29100 is used in this specification to measure the performance of transparency using the controls, and the consent notice receipt, specified in ISO/IEC 29184.

What should you expect to find in this document?

This ANCR WG specification introduces a method to capture a Notice and verify its credential. It specifies with what, and how, a PII Principal can capture a Record of Notice and assess digital transparency and the state of security. The specification also describes the three (3) transparency performance indicators (TPIs) used to demonstrate how a minimum notice record information structure can be used to create a record that the PII Principal holds, controls, and manages in order to control their personal information, namely:

  1. The PII Controller Identity and privacy contact point

  2. The accessibility of the PII Controller identity and contact information

  3. The Security and Integrity of the PII Controller’s Transparency

The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, it represents a shift in the architecture of digital identity semantics to legal semantics specific to human-centric transparency, usability, and control.

For this purpose, the ANCR record is first specified as a single-use record that the Individual controls with three transparency performance indicators. It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The TPIs provided here are specified to provide transparency over data control and its human/decentralized data governance (specified as Operational Transparency).

...

The Notice Record is first specified as a static, one-time-use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context, measured by access to, and performance of, rights.

Diagram 1: Notice Record (TBD)

...

Field Name | Field Description | Requirement (MUST, SHALL, MAY) | Field Data Example
--- | --- | --- | ---
Notice Location | Location where the notice was read/observed | MUST | http://www.walmart.com
PII Controller Name | Name of the presented business | MUST | Walmart
Controller Address | The physical address of the controller and/or accountable person | MUST | 1940 Argentia Road, Mississauga, Ontario L5N 1P9
PII Controller Contact Type | Contact method for correspondence with the PII Controller | MUST | Email, phone
PII Controller Correspondence Contact | General contact point | SHALL | privacy@org.com
Privacy Contact Type | The contact method provided for access to the privacy contact | MUST | email
Privacy Contact Point | Location/address of the contact point | MUST | org.com/privacy.html
Session Certificate | A certificate for monitored practice | OPTIONAL | TLS (SSL) certificate security and transparency

...

The record identifier, when added to each record, provides an anchor for the notice record in the first instance. The Anchored Notice Record can be extended for use as a ‘trust anchor’ for the PII Principal by adding an ANCR Record ID that the PII Principal can use to track the PII Controller, the data processing, and the digital identity relationship over time. In this way an Anchored Notice Record is a gateway to scaling consent online and internationally.

...

Diagram 2: Transparency Performance Indicators

...

The first two (2) performance indicators measure the transparency of the ‘provided’ PII Controller identity information. They are required to measure how accessible the provided PII Controller identity information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital-identifier-based processing activities used to develop data profiles. An ANCR Record of data processing activity in this way provides evidence to demonstrate security and privacy compliance.

Once the capacity for digital privacy is ascertained, the third performance indicator can be used to measure the security certificate (or key) for its contextual integrity in the specific session and processing context.

TPI 1: PII Controller Identity and Contact Transparency

Assess whether the information required for transparency over who is in control of the notice is ‘provided’.

The MUST fields identify elements that are required by legislation and that MUST be present.

TPI 2: Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile application, how difficult was it to access the ‘provided’ information? How many clicks, or screens, away is the required information?

TPI 2 Example: Accessibility Measurement Rating

This transparency accessibility rating score of +1, 0, -1 or -3 reflects the number of steps, screens, or clicks required to find the ‘provided’ information within the mobile application or webpage providing the client user interface.

...

Rating | Description | Instruction
--- | --- | ---
+1 | Controller identity is embedded as a credential linked to authoritative registries. | The PII Controller credential is displayed using a standard, machine-readable format and is linked, for example, in an HTTP header in a browser.
0 | PII Controller identity is prominently displayed on first view, prior to processing, on the first page viewed. | The PII Controller identity or credential is provided in the first notice.
-1 | The privacy signal is not presented first, but is linked, one click and one screen away. | The Controller identity, or the screen with the Controller identity, is one screen and one click away; for example, the privacy policy link in the footer of a webpage.
-3 | The identity or credential is two or more screens of view away. | The PII Controller identity is not accessible enough to be considered ‘provided’.
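As an added example (not code from the ANCR specification or the Kantara working group), the following Go program builds a Layer 1 Notice Record from the MUST/SHALL/OPTIONAL fields of the Notice Record table, reports which MUST fields are missing (TPI 1), and maps an observed click/screen distance onto the TPI 2 rating table above. The struct, the JSON property names, the `ParseNoticeRecord`/`TPI1`/`TPI2` function names and the decision to reject unknown JSON properties are assumptions made for this example; the specification fixes the fields, not a wire format. The sample record is constructed from the Walmart example values in the table.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// NoticeRecord is a Layer 1 (static, single-use) Notice Record. Field and JSON names
// are assumptions for this example. The record carries no PII and no digital
// identifier of the PII Principal.
type NoticeRecord struct {
	NoticeLocation        string `json:"noticeLocation"`                               // MUST
	ControllerName        string `json:"piiControllerName"`                            // MUST
	ControllerAddress     string `json:"piiControllerAddress"`                         // MUST
	ControllerContactType string `json:"piiControllerContactType"`                     // MUST
	ControllerContact     string `json:"piiControllerCorrespondenceContact,omitempty"` // SHALL
	PrivacyContactType    string `json:"privacyContactType"`                           // MUST
	PrivacyContactPoint   string `json:"privacyContactPoint"`                          // MUST
	SessionCertificate    string `json:"sessionCertificate,omitempty"`                 // OPTIONAL: captured TLS certificate (PEM)
}

// MissingMust returns the names of MUST fields that are absent or blank. SHALL and
// OPTIONAL fields are not counted.
func (r NoticeRecord) MissingMust() []string {
	must := []struct{ name, value string }{
		{"noticeLocation", r.NoticeLocation},
		{"piiControllerName", r.ControllerName},
		{"piiControllerAddress", r.ControllerAddress},
		{"piiControllerContactType", r.ControllerContactType},
		{"privacyContactType", r.PrivacyContactType},
		{"privacyContactPoint", r.PrivacyContactPoint},
	}
	missing := []string{}
	for _, f := range must {
		if strings.TrimSpace(f.value) == "" {
			missing = append(missing, f.name)
		}
	}
	return missing
}

// TPI1 reports the Notice of Identity of Controller indicator with the labels the
// assessment table uses: "Available" only when every MUST field is present.
func TPI1(r NoticeRecord) string {
	if len(r.MissingMust()) == 0 {
		return "Available"
	}
	return "Not Available"
}

// TPI2 maps an observation to the accessibility rating table: +1 when the controller
// identity is a machine-readable credential (e.g. carried in an HTTP header), 0 when it
// is on the first screen, -1 when one click/screen away, -3 when two or more away.
func TPI2(machineReadableCredential bool, screensAway int) int {
	switch {
	case machineReadableCredential:
		return 1
	case screensAway <= 0:
		return 0
	case screensAway == 1:
		return -1
	default:
		return -3
	}
}

// ParseNoticeRecord decodes a JSON record. Unknown properties are rejected (an
// assumption of this example) so a Layer 1 record cannot carry fields the schema does
// not allow, such as a tracking identifier.
func ParseNoticeRecord(data []byte) (NoticeRecord, error) {
	var r NoticeRecord
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	err := dec.Decode(&r)
	return r, err
}

// SampleRecord is constructed from the example values in the Notice Record table.
func SampleRecord() NoticeRecord {
	return NoticeRecord{
		NoticeLocation:        "http://www.walmart.com",
		ControllerName:        "Walmart",
		ControllerAddress:     "1940 Argentia Road, Mississauga, Ontario L5N 1P9",
		ControllerContactType: "email, phone",
		ControllerContact:     "privacy@org.com",
		PrivacyContactType:    "email",
		PrivacyContactPoint:   "org.com/privacy.html",
	}
}

func main() {
	r := SampleRecord()
	fmt.Println("TPI 1:", TPI1(r), "missing:", r.MissingMust())
	// Privacy policy link in the page footer: one click and one screen away.
	fmt.Println("TPI 2:", TPI2(false, 1))
	r.ControllerAddress = ""
	fmt.Println("TPI 1 without address:", TPI1(r), "missing:", r.MissingMust())
}
```

The MUST check is deliberately structural: a Layer 1 record holds no PII, so the only thing an assessor can verify offline is that every legally required element was captured. Whether the captured values are true is what TPI 3 tests against the session certificate.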

TPI 3: Certificate (and/or Key) Security Transparency

This security performance indicator requires that the notice record session certificate is collected and used to check whether the PII Controller identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the TLS (SSL) certificate identify the Controller, and is it secured for the DNS name, the localization expectation and the corresponding jurisdictional information (a ZPN-required digital security-for-privacy measure to implement international governance interoperability with legal adequacy for eConsent)?

Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit, to corroborate and validate the PII Controller’s digital integrity.
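The TPI 3 check described above, as an added example that is not part of the specification: the Go program below parses a certificate captured from the session that presented the notice, checks its validity period, checks that it is issued for the host of the notice location, and compares its subject (CN, O, OU, C) with the PII Controller name and jurisdiction recorded in the notice. The `ControllerIdentity` and `TPI3Result` types, the `MatchCertificate` function and the scoring rule (+1 when present and matching the host, -3 otherwise) are assumptions for this example, and `SelfSignedPEM` only exists so the example runs offline; in use, the certificate is the one captured from the TLS session.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ControllerIdentity holds the notice-record fields TPI 3 compares against the
// session certificate. Names are assumptions for this example.
type ControllerIdentity struct {
	NoticeLocation string // URL where the notice was observed
	Name           string // PII Controller name as presented in the notice
	Country        string // ISO 3166-1 alpha-2 code of the stated jurisdiction
}

// TPI3Result mirrors the assessment table (CN, OU, jurisdiction) plus certificate
// status, which the text requires before PII is collected.
type TPI3Result struct {
	Valid             bool // inside the validity period at assessment time
	CNMatches         bool // certificate is issued for the host of the notice location
	OUMatch           bool // controller name appears in the subject's O, OU or CN
	JurisdictionMatch bool // subject country equals the stated jurisdiction
}

// Score: +1 when the certificate is present, valid and covers the notice host;
// -3 when it is not found, expired or issued for some other host.
func (r TPI3Result) Score() int {
	if r.Valid && r.CNMatches {
		return 1
	}
	return -3
}

// MatchCertificate compares a PEM certificate captured from the session with the
// controller identity in the notice record. Chain validation against trusted roots
// (x509.Certificate.Verify) is deliberately left out of this offline example.
func MatchCertificate(certPEM []byte, id ControllerIdentity, now time.Time) (TPI3Result, error) {
	var res TPI3Result
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return res, errors.New("no CERTIFICATE block in session capture")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return res, err
	}
	u, err := url.Parse(id.NoticeLocation)
	if err != nil || u.Hostname() == "" {
		return res, fmt.Errorf("notice location %q has no host", id.NoticeLocation)
	}
	res.Valid = !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
	// VerifyHostname checks the Subject Alternative Names; modern TLS clients ignore
	// the CN for host matching, so this is what the browser session actually accepted.
	res.CNMatches = cert.VerifyHostname(u.Hostname()) == nil
	names := append([]string{cert.Subject.CommonName}, cert.Subject.Organization...)
	for _, n := range append(names, cert.Subject.OrganizationalUnit...) {
		if n != "" && strings.EqualFold(strings.TrimSpace(n), strings.TrimSpace(id.Name)) {
			res.OUMatch = true
		}
	}
	for _, c := range cert.Subject.Country {
		if strings.EqualFold(c, id.Country) {
			res.JurisdictionMatch = true
		}
	}
	return res, nil
}

// SelfSignedPEM creates a throwaway certificate so the check can run offline.
func SelfSignedPEM(subject pkix.Name, dnsNames []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: dnsNames,
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Constructed OV-style subject: an organisation-validated certificate carries O and C.
	certPEM, err := SelfSignedPEM(pkix.Name{CommonName: "www.walmart.com",
		Organization: []string{"Walmart Canada Corp."}, Country: []string{"CA"}},
		[]string{"www.walmart.com"}, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	id := ControllerIdentity{NoticeLocation: "https://www.walmart.com/", Name: "Walmart Canada Corp.", Country: "CA"}
	res, err := MatchCertificate(certPEM, id, now)
	fmt.Printf("%+v score=%d err=%v\n", res, res.Score(), err)
}
```

Two caveats for anyone running this against a live session. A domain-validated certificate carries no O, OU or C, so the OU and jurisdiction checks can only succeed where the controller has obtained an organization- or extended-validation certificate; a DV certificate proves control of the DNS name, not the identity of the legal entity named in the notice. And a host match plus a subject match still says nothing about the chain of trust, which the session's TLS client has to validate separately.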

...

Field Name | Field Description | Requirement (MUST, SHALL, MAY) | TPI 1 (Available / Not Available) | TPI 2 (Rate: +1, 0, -1, -3) | TPI 3 (Certificate or Key: CN match, OU match, Jurisdiction match (optional))
--- | --- | --- | --- | --- | ---
Notice Location | Location where the notice was read/observed | MUST | Present | +1 | Found
PII Controller Name | Name of the presented organization | MUST | Present | 0 | Match
PII Controller Address | Physical organization address | MUST | Present | 0 | Not match
Privacy Contact Point | Location/address of the contact point | MUST | Present | +1 | Not match
Privacy Contact Method | Contact method for correspondence with the PII Controller | MUST | Present | -1 | No match
Session Key or Certificate | A certificate for monitored practice | MUST | Present (or Not found) | +1 (or -3) |

...


...

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.



Introduction

Notice Record References

...

  • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980, revised 2013) [OECD]

  • Kantara Initiative: Consent Receipt Specification v1.1

  • Kantara Initiative: Blinding Identity Taxonomy (BIT)

  • Input to ISO/IEC 27561 POMME (Privacy operationalisation model and method for engineering)

...

PII Principals provide their PII for processing to PII Controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII Principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII Principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII Principal for that PII set.

[Source: ISO 29100 4.2.1]

Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

[Source: GDPR: Article 4.1]

Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

[Additive: PIPEDA 4.9]

...

PII Controller: a privacy stakeholder (or privacy stakeholders) who determines the purposes and means for processing Personally Identifiable Information (PII), other than natural persons who use data for personal purposes.

[Source: ISO/IEC 29100]

PII Controller

A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.

NOTE: A PII Controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII Controller.

[Source: ISO 29100 4.2.2]

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

...

Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts

ISO/IEC 29100 concept | Corresponding ISO/IEC 27000 concept
--- | ---
Privacy stakeholder | Stakeholder
PII | Information asset
Privacy breach | Information security incident
Privacy control | Control
Privacy risk | Risk
Privacy risk management | Risk management
Privacy safeguarding requirements | Control objectives

[Source: ISO/IEC 29100: Annex A]

...

This schema is cumulative: each schema layer is added on top of the previous layer.

3 Layer ANCR Notice Record Schema

Layer 1 - Notice Record Schema.

...

These are the schema elements used to generate a static Notice Record; the record does not contain any PII or digital identifiers.

Field Category / Name | Short Name | Object Description | Presence Requirement
--- | --- | --- | ---
PII Controller Identity | | (object) | Required
Presented Name of Service Provider | | Name of service, e.g. Microsoft | MAY
PII Controller Name | | Company/organization name | MUST
PII Controller Address | | | MUST
PII Controller Contact Email | | Correspondence email | MUST
PII Controller Jurisdiction Legal Reference | | PII Controller operating privacy law | MUST
PII Controller Phone | | The general correspondence phone number | SHOULD
PII Controller Website | | URL of website (or link to controller application) | MUST
PII Controller Certificate | | A capture of the website TLS (SSL) certificate | OPTIONAL
Privacy Contact Point Location | pcpL | Direct link to security and/or privacy contact point | MUST
Privacy Contact Point Types | pcpT | (object) Must have at least one field for the PCP object | MUST
PCP_Profile | | Privacy access point profile | **
PCP_InPerson | | In-person access to privacy contact | **
PCP_Email | | Privacy access point email | **
PCP_Phone | | Privacy access phone | **
PCP_PIP_URI | | Privacy information access point, URI | **
PCP_Form | | Privacy access form, URI | **
PCP_Bot | | Privacy bot, URI | **
PCP_CoP | | Code of practice certificate, URI of public directory with public key | **
PCP_Other | | Other | **
PCP Policy | pcpp | Privacy policy, URI with standard consent label clauses | MUST

** At least one of the pcpT fields MUST be present.

Private Notice Record Profile

...

This is the data source for consented records of processing, directed and securely verified by the PII Principal, and held in a secured local data store on the PII Principal's device.

| Record field name | Field description | Verifier/Validator |
|---|---|---|
| Schema version | A number used by the PII Principal to track the PII Controller record | Verifier |
| Anchor Notice Record id # | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | Verifier |
| Date/Time | The date and time the notice was read by the PII Principal | Validator |
| Notice Presentation method | Notice presentation delivery method, also known as a user-interface presentation_Type | Validator |
| Notice Location | URL, physical address, or regional location at which the notice was presented to the PII Principal | Verifier |
| Notice Legal Justification | One of the six legal justifications (PII Controller, ISO/IEC, GDPR, C108+) | Validator |
| PII Principal Legal Location | Refers to the privacy rules in the local context | Validator |
| Device Type Identifier | Device identifier or fingerprint used to verify the physical method of delivery, e.g. sign, mobile phone number, desktop computer | Verifier |
| PII Principal Private/Public Key Pair | The cryptographic key pair used to sign and encrypt fields in a consent record | Verifier |

Proof of Notice Record

...

The 2FN provides standardized options for engaging with the notice, notification, or disclosure. A 2FN is typically implemented as a software interface in which, at a minimum, these three options are available by default (and can easily be extended with a code of practice):43

  1. By default, the notice can be ignored.

  2. The PII Principal provides an informed consent.

  3. Privacy rights and control options are presented; depending on the Individual's age, the accessibility context can be further simplified to the right to be heard and to make a complaint, in the specific context of the notified processing of personal data.

...

The 2FN produces a network event that presents the information needed to produce an evidential record, which the PII Principal can then use independently: a micro-credential used to aggregate operational transparency information, to access privacy state and rights information, or to implement personal data controls (the controls and permissions a system must implement for a grant of consent, covering collection, capture, portability and access to private data profiles).

| Field category | Field name | Description | Presence |
|---|---|---|---|
| | ANCR Record ID | Blinded identifier secret to the PII Principal | Required |
| | Schema version | Version of the notice record schema | Required |
| | Timestamp | The time and date when the ANCR record was created | Required |
| | Legal Justification | One of the six legal justifications used for processing personal data | Required |
| Notice Record | (object labels) | | |
| Notice Record | Notice Type | Notice, notification, disclosure | Required |
| Notice Record | Notice legal location | The physical location or region in which the PII Principal read the information | MUST |
| Notice Record | Notice presentation method | Website | SHALL |
| Notice Record | Online notice location | Notice location, e.g. IP address | MUST |
| Notice Record | Location certificate | A TLS/SSL certificate or key | MAY |
| Notice Record | Notice Language | The language the notice was provided in | MUST |
| Notice Record | Notice Text File | URL and/or link to the notice text | SHALL |
| Notice Record | Notice text | Captured copy of the notification text | MUST |
| Notice Record | Notified legal justification | Implied or explicit notified legal justification, based on the text of a notice and its context | MUST |
| Notice Record | Concentric Notice Label (cnl) | A label mapped to the legal justifications, rights and controls that can be provided by default for a specified purpose | SHALL |

  • A notice that is used to generate granular consent receipts, using standards that specify purpose in the same way. Receipts generated from the same schema can be compared to automate notification, giving operational transparency over changes to the privacy state.

  • A 2FN is used to produce a dual record and receipt upon engaging with a standardized notice, with access to administrator-level privacy rights from the notice, prior to processing with consent.

  • The consent receipts produced from a 2FN can be compared independently to measure the difference in the active state and status of privacy, and to automatically produce a notification based on the difference in state.

  • Differential Transparency is produced with a tactile signal or a layer 1 notice indicator, standardized with a machine-readable data privacy vocabulary (i.e. concentric and synchronic transparency).

...

In this table, the security method that can be applied to each attribute is suggested as an example.

| Record field name | Field description | Security method | Trust consideration |
|---|---|---|---|
| Schema version | The version of this layered notice record schema | Differential Transparency | Can be required for technical assurance by the system that the record is correctly interpreted; used to compare record versions |
| Anchor Notice Record id # | An identifier unique to the controller, used to identify the legal entity accountable for relying parties and affiliated services | BiT and Differential Transparency (Required) | Only the PII Principal can decrypt and use this identifier to aggregate the records and receipts specific to that PII Controller relationship. Must be used for Differential Transparency, comparing one record against another so people can see whether privacy is as they expect. |
| Date/Time | The date and time a notice was read by the PII Principal | Differential Privacy | Noise is added to this field so that it is not usable as evidence without legal justification |
| Notice presentation method | Notice presentation medium/context in a user interface | Notice presentation vehicle | |
| Notice Location | URL or address from which the notice was presented to the PII Principal | Verifiable Controller Credential | Used to validate and monitor the controller |
| PII Principal Legal Location | Refers to the privacy rules in the local context where the PII Principal read the notice | BiT | BiT, regionally localized: codes of practice, by-laws and the like |
| Device Identifier | The type of device (e.g. sign, mobile phone, desktop computer) and its unique identifier(s) | BiT | Notice medium |
| Software Identifier | An identifier can be a software configuration fingerprint | Differential Privacy | Adds noise to this fingerprint |
| PII Principal Pub Key | The cryptographic key used to sign consent receipts | Differential Transparency | Used to help determine that the record is authentic and not fake |

  1. Blinded Identity Taxonomy (BiT)

    1. A PII field security measure used to blind attributes that are identifiable, for example the attributes listed in ISO/IEC 29100 section 4.4.2.

    2. A BiT attribute is encrypted under the PII Principal's key pair, so that it is not usable in any data set without the authority required to decrypt the field for a specified purpose and treatment.

    3. In this specification BiT is used by the PII Principal to encrypt and blind the ANCR record ID field of the private notice record: the pseudonymized identifier generated or provided by the PII Principal's client security protocol.

  2. Pseudonymized Identifier

    1. The ANCR record id refers to the PII Controller legal identity captured in a notice record. Once a notice record is collected it can be signed and added to a digital wallet (or pod); the signed record becomes a micro-credential, used to communicate with the PII Controller in order to manage rights and control the processing of digital identifiers and associated information.

    2. Conceptually, the ANCR id is a reverse-use cookie: it is used by the PII Principal to remember the privacy state and track the PII Controller across different service environments, domains and jurisdictions.

  3. Verifiable Private Notice Record, signed to become a micro-credential

    1. The PII Principal, as holder of the notice record, can use it to verify the presented PII Controller identity.

    2. Holders of a signed notice record (proof of notice) can generate a verifiable presentation of this proof by:

      1. signing a copy of the notice record (which transforms the record into a micro-credential);

      2. exchanging it with the other stakeholder (PII Principal or Controller) as a signed consent receipt, in order to tokenize the exchange of attribute-level private record data on a per-processing-session basis (W3C Verifiable Credentials Data Model, www.w3.org/TR/vc-data-model/#what-is-a-verifiable-credential).

  4. Differential Transparency – operational transparency signaling

    1. Operational transparency: a notice record 'trust' protocol for the active state of a technical object. It is achieved by comparing the expected privacy state (purpose and credential) in each technical session before authorizing an instance of processing; a notification signal is generated only if there has been a change in the expected, known active state of privacy.

    2. Differential Transparency (DT) is a contextual transparency-enhancing notification protocol that uses record serialization to sequence data control points. It is used to maintain a shared understanding of privacy and, conversely, of security expectations.

    3. It is implemented by comparing the Anchored Notice Record with a newly minted eConsent (anchored consent notice) receipt, to detect whether the expected state has changed. Changes are detected through self-asserted changes or by monitoring authoritative public data sources.

    4. DT is used by the PII Principal to automate the verification of trust, monitoring the active state of the PII Controller legal identity and its technical security performance, before authorizing data processing activities by signing a consent notice receipt.

      1. The Transparency Performance Indicators in the introduction of this specification are used to transform a consent receipt into a consent token (individual authority and provenance default controls to implement rights).

    5. Automating Operational Transparency

      1. A human-centric notice protocol keeps a record of controllers and the context of processing for each session/interaction, so that these contextual records, controlled, owned and secured by the PII Principal, can remember the active state of privacy and verify the PII Controller and privacy state without interrupting the service-user flow.

      2. Notice Signal Layer: operational transparency at a glance, using digital signaling with concentric labeling to indicate what is expected and what is not.
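The following is an added example, not code from the ANCR specification or the Kantara ANCR WG, covering the BiT blinding of the ANCR record id (item 1), the pseudonymized "reverse cookie" identifier (item 2) and the Differential Transparency comparison (item 4) above. It assumes HMAC-SHA256 as the blinding construction (the specification does not fix one), uses a keyed integrity tag as a stand-in for the asymmetric signature the specification expects on a micro-credential, and uses a constructed controller identity, notice text and principal secret.

```python
"""Blinded ANCR record id and Differential Transparency comparison.

Added example, not code from the ANCR specification. It demonstrates, with a
constructed controller and notice:
  1. a BiT-style blinded ANCR record id derived from the PII Controller's
     legal identity under a secret held only by the PII Principal (HMAC-SHA256
     is the assumed blinding construction);
  2. differential-privacy style noise on the Date/Time field;
  3. a keyed integrity tag over the stored record (a stand-in for the
     asymmetric signature the specification expects on a micro-credential);
  4. the Differential Transparency check: compare a newly minted receipt with
     the anchored record and signal only when the expected privacy state changed.
"""
import hashlib
import hmac
import json
import random

# Fields treated here as the "expected privacy state" compared each session.
STATE_FIELDS = ("piiController_name", "piiController_legal_loc", "pcpp",
                "notice_type", "notice_legal_justification", "cnl",
                "notice_text_file")
IDENTITY_FIELDS = ("piiController_name", "piiController_address",
                   "piiController_legal_loc")


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal records produce equal digests."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def blinded_ancr_id(principal_secret: bytes, controller: dict) -> str:
    """Keyed hash of the controller legal identity: the 'reverse cookie'.

    Only the holder of principal_secret can recompute it, so it links all of
    the Principal's records for one controller relationship while being
    unlinkable to anyone else.
    """
    identity = canonical({k: controller[k] for k in IDENTITY_FIELDS})
    return hmac.new(principal_secret, identity, hashlib.sha256).hexdigest()


def noisy_timestamp(ts: int, rng: random.Random, spread_seconds: int = 3600) -> int:
    """Add uniform noise of +/- spread_seconds so the read time still orders
    records but is not precise enough to serve as evidence on its own."""
    return ts + rng.randint(-spread_seconds, spread_seconds)


def sign(principal_secret: bytes, record: dict) -> str:
    """Integrity tag over the canonical record (keyed MAC stand-in for a signature)."""
    return hmac.new(principal_secret, canonical(record), hashlib.sha256).hexdigest()


def verify(principal_secret: bytes, record: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(principal_secret, record), tag)


def differential_transparency(anchored: dict, receipt: dict) -> dict:
    """Compare expected privacy state; returns {'changed': bool, 'diff': {field: (old, new)}}.

    A notification is generated only when 'changed' is True; identical state
    stays silent so the service-user flow is not interrupted.
    """
    diff = {f: (anchored.get(f), receipt.get(f)) for f in STATE_FIELDS
            if anchored.get(f) != receipt.get(f)}
    return {"changed": bool(diff), "diff": diff}


# Constructed data: fictitious controller, secret and notice text.
CONTROLLER = {
    "piiController_name": "Example Retail Ltd",
    "piiController_address": "1 Example Street, Example City",
    "piiController_legal_loc": "GDPR (EU)",
    "pcpp": "https://www.example.com/privacy-policy",
}
PRINCIPAL_SECRET = b"principal-held-secret-for-this-example-only"


def mint_record(controller: dict, notice: dict, ts: int, seed: int = 1) -> dict:
    """Build an anchored notice record / receipt for a notice read at time ts."""
    rng = random.Random(seed)
    record = {"schema_version": "0.8.9",
              "ancr_id": blinded_ancr_id(PRINCIPAL_SECRET, controller),
              "time_stamp": noisy_timestamp(ts, rng)}
    record.update({k: controller[k] for k in ("piiController_name",
                                             "piiController_legal_loc", "pcpp")})
    record.update(notice)
    return record


def notice_hashlink(text: bytes) -> str:
    """Assumed hashlink form: notice URL plus a sha256 fragment over the text."""
    return "https://www.example.com/privacy#sha256-" + hashlib.sha256(text).hexdigest()


NOTICE_V1 = {"notice_type": "notice", "notice_legal_justification": "consent",
             "cnl": "explicit-consent", "notice_text_file": notice_hashlink(b"v1 text")}
# Next session: same controller, but the legal basis and notice text changed.
NOTICE_V2 = dict(NOTICE_V1, notice_legal_justification="legitimate-interest",
                 notice_text_file=notice_hashlink(b"v2 text"))

ANCHORED = mint_record(CONTROLLER, NOTICE_V1, ts=1_664_000_000)
ANCHORED_TAG = sign(PRINCIPAL_SECRET, ANCHORED)
RECEIPT = mint_record(CONTROLLER, NOTICE_V2, ts=1_665_000_000, seed=2)
RESULT = differential_transparency(ANCHORED, RECEIPT)

if __name__ == "__main__":
    print("stored record intact:", verify(PRINCIPAL_SECRET, ANCHORED, ANCHORED_TAG))
    print("notify:", RESULT["changed"], RESULT["diff"])
```

Two design points matter in practice. The blinded id is computed over the controller's legal identity fields only, so a controller that changes its privacy policy or legal basis still maps to the same id and the change is surfaced by the comparison rather than hidden by a new identifier. The noisy timestamp and the blinded id are deliberately excluded from the compared state, so a record minted in a later session for an unchanged notice produces no notification.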

Case Study:

...

Differential Privacy as a mechanism for Data Control

For discussion with the security and privacy community. As with digital identity management, sovereign data control can be measured by identifying which PII stakeholder is in control of the personal data and of the personal data process; who benefits from processing the personal data; and how dynamic the personal data controls are. The results of that analysis indicate which stakeholder can authorise the use of the tool, and for which purpose(s).

...

  • Trustworthy identity requires notice and transparency defaults; otherwise it is very difficult for people to trust the use of digital identity technology, as opposed to every jurisdiction and organisation deciding for itself what is transparent, with T&C services that simply change without notice.

    • The defaults for operational transparency are presented in the industry publication "Adequacy of Identity Governance Transparency", with 23 transparency defaults for notice, notification and disclosure, which are required for a ZPN code of conduct.54

  • eConsent is a critical and missing component in the generation of identifiers. The use of PII for big data and machine learning, including differential privacy, is arguably a breach of PII and clearly unethical, as it violates the privacy expectations of the Individual, creating records that people do not control and cannot see when they are used.

  • In this regard, ethical use of differential privacy would require a record of consent to identify and profile a personal identity, and then an explicit consent for the purpose of use.

    • In this way PII Principals can be secure and safeguarded, and their choices empowered through control over who benefits from their personal data and why.

  • For an anchored notice record, it is recommended that PII Principal identifying information never be included in a record without being secured at the attribute level. When an eConsent receipt is provided, all PII Principal identifiers MUST be blinded from everyone except the legitimately required stakeholders.

  • Any PII Controller consent record that combines raw personal identifiers is not secure enough to be a consent record, which in this specification is a self-sovereign anchor record. Trust is understood to be relative to each stakeholder, but it is represented in this specification with a PII Controller consent.

...

[GDPR] General Data Protection Regulation, http://www.eugdpr.org/article-summaries.html

[ISO 29100:2011] Information technology -- Security techniques -- Privacy framework, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123

...

ANCR Specification Schema Table

Notice Record Example Field Category. The draft table also carries TPI 1 (Controller Id Present), TPI 2 (Accessibility Example), GDPR Ref and Conv 108 Ref columns, which hold no values yet and are omitted below; the Security column is TPI 3 (Digital Context Integrity).

| Field | Data type | Attribute name | Field description | Presence requirement | Security (TPI 3) | ISO/IEC 29100 ref | ISO/IEC 29184 ref |
|---|---|---|---|---|---|---|---|
| PII Controller Identity: Controller ID Object | String | controller_id_object | | Required | Security key or certificate | 4.2.2 | 5.3.4 |
| Presented Name of Service Provider | String | presented_name_of_service_provider | Name of the service, e.g. Microsoft | MAY | | | |
| PII Controller Name | String | piiController_name | Company/organization name | MUST | | | |
| PII Controller address | String | piiController_address | | MUST | | | |
| PII Controller contact email | Varchar(n) | piiController_contact_email | Correspondence email | MUST | | | |
| PII Controller legal location | String | piiController_legal_loc | PII Controller operating privacy law | MUST | | | |
| PII Controller Phone | Char | piiController_phone | General correspondence phone number | SHOULD | Issuer statement | | |
| PII Controller Website | Varchar | piiController_www | URL of website (or link to controller application) | MUST | | | |
| PII Controller Certificate | BLOB | piiController_certificate | Captured website TLS/SSL certificate | OPTIONAL | | | |
| Privacy Contact Point Location | VarChar(max) | pcpL | | MUST | Public key, base64 (human readable, kind of...) | | |
| Privacy Contact Point Types (pcpT) | Object | pcpType | Must contain at least one PCP type field | MUST | | | |
| PCP-Profile | String | pcpProfile | Privacy Access Point profile | ** | | | |
| PCP-InPerson | String | pcpInperson | In-person access to privacy contact | ** | CRL and OCSP endpoints | | |
| PCP-Email | Varchar | pcpEmail | Privacy access point email | ** | | | |
| PCP-Phone | char | pcpPhone | Privacy access phone | ** | | | |
| PCP-PIP-URI | Varchar | pcpPip_uri | Privacy information access point URI | ** | | | |
| PCP-Form | Varchar | pcpForm | Privacy access form URI | ** | | | |
| PCP-Bot | String | pcpBot | Privacy bot URI | ** | | | |
| PCP-CoP | String | pcpCop-loc | Code of practice certificate: URI of a public directory holding the public key | ** | | | |
| PCP-Other | string | pcp_other | Other | ** | | | |
| PCP Policy (pcpp) | string | pcpp | Privacy policy URI with standard consent label clauses | MUST | | | |

** At least one of the PCP type fields MUST be present in the pcpType object.

Anchored Notice Record Field Categories

| Name | Type | Attribute name | Description | Presence |
|---|---|---|---|---|
| ANCR Record ID | string | ancr_id | Blinded identifier secret to the PII Principal | Required |
| Schema version | string | schema_version | V x.xx.x | |
| Timestamp | DATETIME | time_stamp | The time and date when the ANCR record was created | Required |
| Legal Justification | string | legal_justification | One of the six legal justifications used for processing personal data | |
| Notice Record (object labels) | VarChar(max) | notice_record | | |
| Notice Type | string | notice_type | Notice, notification, disclosure | Required |
| Notice method | string | notice_method | Link/URL to the UI that was used to present the notice, e.g. website home page | MUST |
| Digital notice location | string | digital_notice_location | Notice location, e.g. IP address | MUST |
| Location certificate | BLOB | location_certificate | | MAY |
| Notice Language | string | notice_language | The language the notice was provided in | MUST |
| Notice Text File | string | notice_text_file | URL and/or hashlink for the notice text | MUST |
| Notice text | string | notice_text | Captured copy of the notification text | MUST |
| Notified legal justification | string | notice_legal_justification | Implied or explicit notified legal justification, based on the text of a notice and its context | MUST |
| Concentric Notice Label Type | string | cnl | A label mapped to the legal justifications, rights and controls that can be provided by default for a specified purpose (ISO/IEC 29184, 5.3.12) | SHALL |
| Not-Consent | | | Refers to laws and democratic consensus (Legitimate Interest, Legal Obligation, Public Interest and Vital Interest) | |

Private Anchored Notice Record Field Category

| Label | Type | Attribute name | Required/Optional |
|---|---|---|---|
| Private Record (category) | | | |
| Schema version # | V | | Optional (unless shared or used further) |
| Anchor Notice Record id # | Int | Ancr_id | MUST |
| Date/Time | DATETIME | | Required |
| Notice Collection method | | | optional |
| Notice Collection Location | VarChar(max) | | required |
| Notice Legal Justification | VarChar(max) | | |
| PII Principal Legal Location | VarChar(max) | ploc | |
| Device ID | NVarChar(max) | | |
| PII Principal Private Key | VarChar(max) | | |

Note: the private key in the last row is the PII Principal's signing key and belongs only in the PII Principal's local, device-bound store; only the corresponding public key (PII Principal Pub Key in the security table above) is placed in any record or receipt that is shared.
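The following is an added example, not code from the ANCR specification or the Kantara ANCR WG. It applies the attribute names and MUST/SHOULD/MAY presence requirements of the schema tables above (the Layer 1 notice record and the anchored notice record fields) to a constructed JSON record, enforces the "at least one PCP type" rule, and verifies the notice_text_file hashlink against the captured notice_text. The hashlink fragment format ('#sha256-<hex>'), the https-only rule for URI fields, and the sample organisation are assumptions of this example, not requirements stated by the specification.

```python
"""Presence and integrity checks for an ANCR notice record.

Added example, not code from the ANCR specification. The hashlink format and
the https-only rule for URI fields are assumptions of this example.
"""
import hashlib
import re
from urllib.parse import urlparse

# PII Controller identity object (Layer 1 notice record): attribute -> presence.
CONTROLLER_FIELDS = {
    "presented_name_of_service_provider": "MAY",
    "piiController_name": "MUST",
    "piiController_address": "MUST",
    "piiController_contact_email": "MUST",
    "piiController_legal_loc": "MUST",
    "piiController_phone": "SHOULD",
    "piiController_www": "MUST",
    "piiController_certificate": "OPTIONAL",
    "pcpL": "MUST",
    "pcpType": "MUST",
    "pcpp": "MUST",
}
# Privacy contact point types: the pcpType object must hold at least one.
PCP_TYPES = {"pcpProfile", "pcpInperson", "pcpEmail", "pcpPhone", "pcpPip_uri",
             "pcpForm", "pcpBot", "pcpCop-loc", "pcp_other"}
# Anchored notice record fields marked MUST/Required in the tables above.
NOTICE_FIELDS = ("notice_type", "notice_method", "digital_notice_location",
                 "notice_language", "notice_text_file", "notice_text",
                 "notice_legal_justification")
# Fields required here to carry an absolute https URI (assumption of this example).
URI_FIELDS = ("piiController_www", "pcpL", "pcpp", "notice_method",
              "notice_text_file")


def hashlink(text: str) -> str:
    """'sha256-<hex>' digest of the UTF-8 notice text (assumed fragment format)."""
    return "sha256-" + hashlib.sha256(text.encode("utf-8")).hexdigest()


def validate_notice_record(record: dict) -> list:
    """Return the list of problems found; an empty list means the record conforms."""
    problems = []
    ctrl = record.get("controller_id_object", {})
    for field, presence in CONTROLLER_FIELDS.items():
        if field in ctrl:
            continue
        if presence == "MUST":
            problems.append(f"missing MUST field {field}")
        elif presence == "SHOULD":
            problems.append(f"warning: missing SHOULD field {field}")
    if not (set(ctrl.get("pcpType", {})) & PCP_TYPES):
        problems.append("pcpType must contain at least one PCP type field")
    email = ctrl.get("piiController_contact_email", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("piiController_contact_email is not an email address")
    merged = {**ctrl, **record}
    for field in URI_FIELDS:
        if field in merged:
            parsed = urlparse(merged[field])
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{field} must be an absolute https URI")
    for field in NOTICE_FIELDS:
        if field not in record:
            problems.append(f"missing MUST field {field}")
    # The hashlink lets anyone later prove that the captured notice_text is the
    # text actually presented at the recorded location.
    link = record.get("notice_text_file", "")
    if "#" in link and "notice_text" in record:
        if link.rsplit("#", 1)[1] != hashlink(record["notice_text"]):
            problems.append("notice_text does not match notice_text_file hashlink")
    return problems


NOTICE_TEXT = "We process your email address to send order confirmations."  # constructed

# Constructed sample record; the organisation and addresses are fictitious.
SAMPLE_RECORD = {
    "controller_id_object": {
        "piiController_name": "Example Retail Ltd",
        "piiController_address": "1 Example Street, Example City",
        "piiController_contact_email": "privacy@example.com",
        "piiController_legal_loc": "GDPR (EU)",
        "piiController_www": "https://www.example.com",
        "pcpL": "https://www.example.com/privacy",
        "pcpType": {"pcpEmail": "privacy@example.com"},
        "pcpp": "https://www.example.com/privacy-policy",
    },
    "notice_type": "notice",
    "notice_method": "https://www.example.com/checkout",
    "digital_notice_location": "203.0.113.10",
    "notice_language": "en",
    "notice_text_file": "https://www.example.com/privacy#" + hashlink(NOTICE_TEXT),
    "notice_text": NOTICE_TEXT,
    "notice_legal_justification": "consent",
}

if __name__ == "__main__":
    for problem in validate_notice_record(SAMPLE_RECORD) or ["record conforms"]:
        print(problem)
```

The sample record omits the SHOULD-level phone number, so the validator reports a warning rather than a failure; a missing MUST field, an empty pcpType object, a plain-http URI or a notice_text that no longer matches its hashlink each produce a hard problem.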

ANNEX B: Concentric Notice Label Types

...

These are mapped here to provide a set of operational transparency defaults that set and support privacy as expected by the PII Principal: expectations that provide a privacy notice starting point, where PII Principal and PII Controller can gain a shared understanding, or where a PII Principal can assert a legal justification for processing in order to access privacy rights.

| Legal justification | Description | Concentric notice type | Privacy rights / PII controls | Reference |
|---|---|---|---|---|
| Vital Interest | Processing 'which is essential for the life of the Data Subject or that of another natural person'. Processing of personal data | Implied / implicit | Transparency, Access, Rectify, Forget/Erase, Withdraw, Restrict | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(c); GDPR art 6.1(d), art 49(f) |
| Explicit Consent Notice | Explicit consent to processing for one or more specified purposes2 | Explicit, Directed, Altruistic Consent | Access, Rectify, Forget/Erase, Object/Withdraw, Restrict, Portability | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(a); GDPR art 6.1(a) |
| Implicit consent notice | Where manifestly published by the PII Principal | Implicit Consent | | Conv.108+ 10.2(e) |
| Implied consent notice | By Controller or Principal in the field of employment and social security and social protection law | Implied Consent | | Conv.108+ 10.2(b) |
| Contractual Necessity | | Implied consent | Restrict processing, Object | ISO/IEC 29184, 5.4.2; Conv.108+ (43) |
| Legitimate Interest | | Implied consent | Object and restrict processing | ISO/IEC 29184, 5.4.2; GDPR Recital 47; Conv.108+ 10.2(d) |
| Public Interest | Democratically framed | Implied Consent / Consensus | | ISO/IEC 29184, 5.4.2; Conv.108+ 10.2(i, g, j) |
| Legal Obligation | Processing is necessary for the establishment, exercise or defence of legal claims | | | ISO/IEC 29184, 5.4.2; Conv.108+ (f) |

Note: Participatory Consensus, and Concentric data control are two outcome specific conditions that will be added to this specification to include an assessment for operational evidence of these two outcomes.

...

Access to privacy rights and information is made meaningful through a direct mapping to specific rights, obligations and customs of interaction for data processing, which are enforceable via the references given.

| Concentric notice type | Description | Legal justification | Privacy rights (GDPR) | Legal ref |
|---|---|---|---|---|
| Non-Operational Notice (N/O) | Insufficient notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or a contact | Withdraw, Object, Restrict, Access/Edit, Forget | Conv.108+ 79.1(a); GDPR Art 13/14 1(a), (b) |
| Consensus Notice | Notice of legitimate processing; surveillance notification | Legitimate interest | | |
| Implied Consent Notice | Implied through the PII Principal's participation in a specific context, or through a notice from the PII Controller for a specific purpose context. Can also refer to an existing state of privacy and its established status, aka 'applied consent' to data processing. | Consent | | ISO/IEC; GDPR Art 50 1 c; Conv.108+; Supplement: IPC, Canada3 |
| Implicit consent notice | Refers to governance that is implicit to the action of the PII Principal | Legitimate interest, Contract, Legal obligation | Object, Restrict | |
| Expressed Consent notice | Expressed through the implicit action of a notified individual | Informed Consent | Withdraw | |
| Explicit Consent Notice | Provided in such a way that consent is informed, freely given and knowledgeable | Consent which is knowledgeable of risk | Withdraw | Conv.108+ .1(4)1b; GDPR Art 7.1 |
| Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to the disclosures of risk that are notified | Meaningful consent, in which the individual has specified the consented purpose | | GDPR 9.1(h) |
| Altruistic Consent | Not knowing who the Controller of PII will be: consent to a purpose and public-benefit governance framework, without knowing who the beneficiary is | Consent | | DGA Recital 1, 2, 4, 36, 39 |

Appendix — EXTENSIONS

Extension 1: Purpose Specification (with ISO/IEC 27560 – Consent record information structure)

...

(For the latest draft of this Extension, or to get involved in working on it, visit the ANCR WG Kantara Wiki: "ANCR - Extension 1 – ISO/IEC 27560 - Consent record information structure".)

SUMMARY

An Anchored Notice Record is specified to capture the data control relationship between the PII Principal and the PII Controller, using the international ISO/IEC 29100 standard and the ISO/IEC 29184 controls.

In this schema, the record is extended by a service that presents the purpose specification to the ANCR record in order to generate a notice, notification or disclosure as required:

...

The PII Controller details can then always be used to identify the Controller and to link subsequent notifications. By linking the record to a notice, the record header is embedded in the notice in a standard format. Wrapping

[Source: ISO/IEC 29184 5.3.4][GDPR Art 13&14.1 (a)(b)][Convention 108+,

...

Section 2 Purpose Specification – generating a notice record and consent receipt

Section 3: Data Treatment and Rights

...

Codes of practice can be approved and monitored, and can combine multiple purposes into an expected code of practice. "Purpose bundles" operated under a code of practice can be approved in order to operationalize privacy.

Anchored Record Schema 'Structure' Sections

In addition to the consent receipt schema, the ANCR record schema provides a protocol for its operation.

...

Revision history

| Version | Date | Summary of substantive changes |
|---|---|---|
| 0.1 DRAFT | 2021-02-28 | Initial v1.1 draft |
| 0.5 | 2022-02-02 | Draft – updating scope to Notice and eConsent |
| 0.8 | 2022-07-04 | Full outline / 70% drafted |
| 0.8.5 | 2022-08-04 | Outline 100% draft – posted to Kantara Wiki |
| 8.8.2 | | Annex updates |
| 8.8.3 | | Restructured sections and schema, cleaned the schema up a little – practice what we preach by making the spec structurally human centric |
| 8.8.4.0.1 | 2022-09-18 | Content edited for grammar, consistency, clarity |

1 Lizar, M., Pandit, H., Jesus, V., "Privacy as Expected: Consent Gateway", Next Generation Internet (NGI) Grant [Accessed July 4] http://privacy-as-expected.org/

2 Kantara Initiative, "Consent Receipt v1.1" [Internet] http://kantarainitiative.org/download/7902/

3 Kantara Initiative, "Blinding Identity Taxonomy" [Internet] docs.kantarainitiative.org/Blinding-Identity-Taxonomy-Report-Version-1.0.pdf

4 For example the "Age Appropriate Design Code of Practice", http://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/

5 Lizar, M., Ortalda, A., "Report on the Adequacy of Identity Governance Transparency – DIACC Special Group Insights", Digital Identity and Authentication Council of Canada [Online]