
Transparency Trust Metrics

Editors: Sharon Polsky, Mark Lizar

Contributors: Sal D’Agostino

Introduction

This section describes the use of an ISO/IEC 29100 record of processing to illustrate how the ISO/IEC 29184 controls can be used to assess the performance of that record. The associated notice controller credential and its record are regulated by international privacy laws, principles and standards. Because the record is based on the ISO/IEC 29100 Security and Privacy Framework, the record and its data fields provide a globally binding and standardized governance framework for creating records. Importantly, it provides the transparency legally required for trustworthy ‘consented data access’ and for adequate international data transfers, and it can also provide an opportunity to implement a low-cost digital (twin) record and receipt mechanism. The use of the associated notices, receipts and records dramatically improves the security of personal data control, significantly increasing transparency and, as a result, the scale and effectiveness of cyber-physical security and digital privacy.

This specification is a contribution to extending the work and interoperability of the ISO/IEC SC27 WG5 29100 privacy and security framework, resulting in a standardized record processing format for generating notice records and consent receipts.

The Notice Record specified here provides, importantly, operational transparency through the controls in ISO/IEC 29184 Online Privacy Notices and Consent, evidenced with anchored notice and consent receipts. [ISO/IEC 29184, Appendix B]

Why was this specification written?

An internationally standardized notice controller credential provides people with digital transparency over who controls personal data in context. It provides a public format for a PII Principal to generate records independently of the PII Controller, and to hold, control and manage those records separately from the PII Controller, so that consent can be withdrawn by context across multiple services. It is standardized to capture and measure the performance of PII Controllers’ transparency, digital security and active state of digital privacy throughout the service use life-cycle.

Why Digital Transparency?

Standardized digital notice is a stepping stone to digital privacy and is required to scale human-to-system (electronic) consent online. It is a record that is provided by default using standard digital identifier governance defaults, designed for self-sovereign/human-centric transparency and interoperability between people and systems.

The notice record information structure is specified in this document using the ISO/IEC 29100 security and privacy techniques framework, which is a free and public standard. ISO/IEC 29100 is used in this specification to measure the performance of transparency using the controls, and the consent notice receipt, specified in ISO/IEC 29184.

What should you expect to find in this document?

This ANCR WG specification introduces a method to capture a Notice and verify its credential. It specifies with what, and how, a PII Principal can capture a Record of Notice and assess digital transparency and the state of security. The specification also describes the three (3) transparency performance indicators (TPIs) used to demonstrate how a minimum notice record information structure can be used to create a record that the PII Principal holds, controls and manages in order to control their personal information, namely:

  1. The PII Controller Identity and privacy contact point

  2. The Accessibility of PII Controller Identity and Contact information

  3. The Security and Integrity of the PII Controller’s Transparency

The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, it represents a shift in the architecture of digital identity semantics toward legal semantics specific to human-centric transparency, usability, and control.

For this purpose, the ANCR record is first specified as a single-use record that the Individual controls with three transparency performance indicators. It is first defined as a single-use record so as to generate a record the Individual can own, control and trust. The KPIs provided here are specified to provide transparency over data control and its human/decentralized data governance (specified as Operational Transparency).

Notice Record

The Notice Record is first specified as a static, one-time-use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context, measured by access to, and performance of, rights.

Diagram 1: Notice Record

Table 1: Single Use Notice Record: PII Controller Identity AND Contact Transparency Report

| Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
|---|---|---|---|
| Notice Location | Location the notice was read/observed | MUST | www.walmart.com |
| PII Controller Name | Name of presented business | MUST | Walmart |
| Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
| PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
| PII Controller-Correspondence Contact | General contact point | SHALL | Privacy@org.com |
| Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | email |
| Privacy Contact Point | Location/address of Contact Point | MUST | Org.com/privacy.html |
| Session Certificate | A certificate for monitored practice | Optional | SSL Certificate Security (TLS) and Transparency |

Anchoring the Notice Record for Trust

The record identifier, when added to each record, provides an anchor for the notice record in the first instance. The Anchored Notice Record can be extended for use as a ‘trust anchor’ for the PII Principal by adding an ANCR Record ID that the PII Principal can use to track the PII Controller and the data processing and digital identity relationship over time. In this way an Anchored Notice Record is a gateway to scale consent online and internationally. [1]

Notice Record Transparency Performance Indicators

Diagram 2: Transparency Performance Indicators

The first two (2) performance indicators measure the transparency of the ‘provided’ PII Controller Identity information. They are required to measure how accessible the provided PII Controller Identity information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital identifier-based processing activities used to develop data profiles. An ANCR Record of data processing activity in this way provides evidence to demonstrate security and privacy compliance.

Once the capacity for digital privacy is ascertained, the third performance indicator can be used to assess the security certificate (or key) for its contextual integrity in the specific session and processing context.

TPI 1: PII Controller Identity and Contact Transparency

Assess whether the required information for transparency over who is in control of the notice is ‘provided’.

The MUST fields identify elements that are required by legislation and that MUST be present.

TPI 2: Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult was it to access the ‘provided’ information? How many clicks, or screens, away is the required information?

TPI 2 Example: Accessibility Measurement Rating

This transparency accessibility rating score of [+1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within the mobile application or webpage providing the client user interface.

Table 2: Transparency Accessibility Rating description

| Rating | Description | Instruction |
|---|---|---|
| +1 | Controller identity is embedded as a credential linked to authoritative registries. | PII Controller credential is displayed, using a standard format with machine-readable language and linked, for example, in an HTTP header in a browser |
| 0 | PII Controller Identity is prominently displayed on first view, prior to processing, on the first page of viewing. | Assessment question: is the PII Controller Identity or credential provided in the first notice? |
| -1 | Privacy signal is not presented first, but is linked and one click and screen away. | The Controller Identity, or the screen with the Controller Identity, is one screen and click away; for example, the privacy policy link in the footer of a webpage |
| -3 | Identity or credential is two or more screens of view away. | PII Controller Identity is not accessible enough to be considered ‘provided’ |

TPI 3: Certificate (and/or Key) Security Transparency

This security performance indicator requires that the notice record session certificate is collected and used to check whether the PII Controller Identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer)/TLS certificate identify the Controller, and is it secured for the DNS and localization expectation and the corresponding jurisdictional information (a ZPN-required digital security for privacy measure to implement international governance interoperability with legal adequacy for eConsent)?

Certificate status, and transparency performance, are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.
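As an added example (not part of the ANCR WG specification), the following Python scores a Notice Record against the three TPIs above: TPI 1 checks the MUST fields of Table 1, TPI 2 applies the accessibility rating, and TPI 3 compares the session certificate subject with the provided controller identity. The snake_case field keys, the optional `controller_unit` and `jurisdiction` fields, and the certificate subject are my own assumptions and constructed sample data.

```python
from dataclasses import dataclass, field
# Table 1 fields the specification marks MUST (snake_case keys are my own naming).
MUST_FIELDS = ("notice_location", "controller_name", "controller_address",
               "controller_contact_type", "privacy_contact_type", "privacy_contact_point")

@dataclass
class NoticeRecord:
    fields: dict                          # Table 1 field -> value captured by the PII Principal
    clicks_to_identity: int               # screens/clicks from first view to the controller identity
    identity_is_credential: bool = False  # machine-readable credential, e.g. linked in an HTTP header
    cert_subject: dict = field(default_factory=dict)  # subject DN of the session certificate, if any

def tpi1_identity(rec):
    """TPI 1: 'Available' only when every MUST field is present; also returns what is missing."""
    missing = [f for f in MUST_FIELDS if not rec.fields.get(f, "").strip()]
    return ("Available" if not missing else "Not Available"), missing

def tpi2_accessibility(rec):
    """TPI 2 rating: +1 credential, 0 on first view, -1 one click/screen away, -3 further away."""
    return 1 if rec.identity_is_credential else {0: 0, 1: -1}.get(rec.clicks_to_identity, -3)

def tpi3_certificate(rec):
    """TPI 3: does the session certificate identify the same controller as the notice?"""
    if not rec.cert_subject:
        return dict.fromkeys(("CN", "OU", "Jurisdiction"), "No Security Detected")
    match = lambda ok: "Match" if ok else "No Match"
    name = rec.fields.get("controller_name", "").lower()
    cn_and_o = " ".join(rec.cert_subject.get(k, "") for k in ("CN", "O")).lower()
    ou = rec.cert_subject.get("OU", "").lower()
    return {"CN": match(bool(name) and name in cn_and_o),
            # OU is compared with an assumed optional record field naming the accountable unit
            "OU": match(bool(ou) and ou == rec.fields.get("controller_unit", "").lower()),
            # Jurisdiction (optional in the spec): certificate country vs. jurisdiction of the address
            "Jurisdiction": match(rec.cert_subject.get("C", "").upper()
                                  == rec.fields.get("jurisdiction", "").upper())}

def tpi_report(rec):
    """The three indicators for one Notice Record, as reported in the TPI report table."""
    available, missing = tpi1_identity(rec)
    return {"TPI1": available, "TPI1_missing": missing,
            "TPI2": tpi2_accessibility(rec), "TPI3": tpi3_certificate(rec)}

# Constructed sample: the Table 1 example, privacy link one click away, made-up certificate subject.
SAMPLE = NoticeRecord(
    fields={"notice_location": "www.walmart.com", "controller_name": "Walmart",
            "controller_address": "1940 Argentina Road Mississauga, Ontario L5N 1P9",
            "controller_contact_type": "Email, phone", "privacy_contact_type": "email",
            "privacy_contact_point": "Org.com/privacy.html", "jurisdiction": "CA"},
    clicks_to_identity=1,
    cert_subject={"CN": "www.walmart.com", "O": "Walmart Inc.", "OU": "", "C": "US"})
```

Calling `tpi_report(SAMPLE)` yields TPI 1 Available, TPI 2 rating -1 and, for TPI 3, a CN match but no OU or jurisdiction match, which is the kind of mixed result the report table below records field by field.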

Table 3: Notice Record TPI Report

| Field Name | Field Description | Requirement: Must, Shall, May | TPI 1 (Available / Not Available) | TPI 2 (Rate: +1, 0, -1, -3) | TPI 3 Certificate or Key (CN Match / OU Match / Jurisdiction Match, optional) |
|---|---|---|---|---|---|
| Notice Location | Location the notice was read/observed | MUST | Present | +1 | found |
| PII Controller Name | Name of presented organization | MUST | Present | 0 | Match |
| PII Controller Address | Physical organization Address | MUST | Present | 0 | Not match |
| Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match |
| Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match |
| Session key or Certificate | A certificate for monitored practice | MUST | Present (or Not-found) | 1 (or -3) | Present (or No Security Detected) |

[1] Lizar, M., Pandit, H., Jesus, V., “Privacy as expected Consent Gateway”, Next Generation Internet (NGI) Grant [Access July 4], privacy-as-expected.org/
