CR v1.2 Framework
the receipt is further defined and fields and broken down into
v1.1 - represented by submission to ISO 27560
- delegation
- jurisdictions
- personal data categories
- consent record structions
- purpose finger print
- purpose -
V1.2.1 : Anchor Receipt
- Required Notice of Controller Identity Fields - the capture of the identity of the controller, and the physical context of the notice for processing provided by the controller
V1.2.2 : Consent Notice Receipt
- Extend with Legal justification to specify purpose for a service
- Specifying the Legal Justification for data processing in a notification
- Specifying Data Categories
- Specifying Data Treatment
- Specifying Security
V 1.2.3 : Rights Access & Automation
V 1.2.4 : Consent Validation - The Life cycle of a consent
- Active State of Consent Validation
- identity governance controls and scope
- Consent Grant for Identity Protocol Governance
- Scope of a Consent Grant Represented in the User Managed Access Protocol
- use of consent gateway for consent grant validation
- Scope of a Consent Grant Represented in the User Managed Access Protocol
Protocol Scope Use Cases
UMA
SAML / eIDAS
- FAPI
- GNAP
V 1..2.5 :
- Privacy as Expected - Part 3: Consent by Design - operational conformance - standardizing signalling - UI interaction point conformance - proof of notice and transparency/accountability assurance
- 29184 notice controls and consent structure
V 1.2.6 Data Governance Interoperability
- Privacy Framework for Gov interop for Security/Surveillance, Evidence and Policing
- Re-Issuing Identity Credentials with a native and local identity service - rather than exporting a federation into foreign governance models (e.g. Contracts / T&C's)
- Transparency Assurance
V 1.2.6 Topics Raised to be Reviewed / Refined and Addressed in Roadmap to V2
- Delegation
- Jurisdiction (physical location proof)
- Consent Types Defined in v1.2
- explicit
- implied
- directed
- altruistic
WKD ISSUES
The CR v1,1 as published known challenges have been addressed and are specified here in the v1.2 update.
- See V1.1 Update https://kantarainitiative.org/confluence/x/VYSVC
- V1.1 (2017) addressed with GDPR and then adopted to ISO
- V1.1 completed with comments to ISO
- delegation
- Jurisdiction
- PII categories
CR v1.2 Format Structure and fields
- Notice field object
- Location & Time
- Location – twin -
- Physical Device -
- PII Controller object
- Jurisdictions,
- Link to physical notice
- Extend it (Legal Justification)
- Privacy Stakeholders
- Categories of controllers
- Consent Purpose Specification (v.1.1)
- Purpose Category
- Purpose Descriptions
- Purpose Sensitive Categories of Data
- Sensitive data category
- Personal Data Category
- Personal Data Types/attributes etc
- Personal Data Processing Treatment
- Storage
- Security (cert/sighed key)
- Extensions –Requirements (according to Context)
Notice & Notifications
A Notice can itself be extended with a Notification for the maintenance of a consent record, and consent based relationship. Notice Receipts facilitate a Semantic Governance Framework
A notice of controller is the first section of the receipt 1, can be extended with these receipt profiles
- Contract Notice Receipt
- Vital Notice Receipt
- Notice of (legal) Obligation Receipt
- Legitimate Interest Notice Receipt
- Public Interest Notice Receipt
Notification `
The spectrum of consent has multiple vectors
- Is the relationship vector:
- Starting at the first notice for consent, then lasting for the lifecycle of Consent and permission
- This first Notice for Consent receipt is the Anchor receipt and is maintained with linked notices
- Consent Notice Receipts
- Anchor receipt
Type of Consent Receipt | Description | Lifecycle Use |
|
Explicit Consent | Anchor Receipt (starts a receipt) |
|
|
Implied Consent | Action of the PII Principal |
|
|
expressed | Notification by the PII Principal |
|
|
Directed | (Health Care ) |
|
|
Altruistic | No Notice Required - |
|
|