Legal Compliance Scale Task List
- Define each compliance level item in the MVCR
- Add requirements for above compliant
- Add requirements and audit for trusted services
- Add User Mangaed Compliance audit and spec
MVCR Compliance
Audit
Each field on the MVCR contains legal notice requirements, each of these components are listed in and the presence of these are counted and a flag is added to record if any of these self asserted claims have been disputed and not resolved.
The MVCR has a maximum rating of compliant. (Note: Additional Ratings are possible with extensions)
This rating can be self asserted with the provision of this consent receipt. A scale of compliance is used for each of these notice information elements. If one or more elements do not work, or are not verifiable then a status of partialy compliant is provided.
If all elements are not verifiable then the consent is no longer compliant or verifiable for basic compliance level rating.
Notice Compliance Checklist | Non Compliant | Partially Compliant | Compliant | Above Compliant | Trusted | User Managed |
|---|---|---|---|---|---|---|
Contact of DC |
|
| X |
| ||
Address of DC |
|
| X |
| ||
Purpose(s) |
|
| X |
| ||
Sensitive Data (If NO) |
|
| X |
| ||
Share with 3rd Party (If No) |
|
| X |
| ||
| Agree to implement context checklist? (Y/N) | Yes | |||||
| Any of the above self asserted is Disputed or un verifiable (Y/N Flag) (If No) ( if Yes and unresolved = Non-Compliant) | X |
(additional architecture is needed to mediate compliance level ratings)
MVCR Compliance Assurance Scale
Each item in the MVCR will be rated with this scale presented below
The compliance scale is based on the ICO table of compliance http://ico.org.uk/for_organisations/data_protection/working_with_the_ico/~/media/documents/library/Data_Protection/Detailed_specialist_guides/auditing_data_protection.pdf
Trusted Services Appendix
Trusted services/networks and frameworks, can be used to meet or exceed notice(and therefore consent) legal requirements. Or to address the need for assurance and trust for people so that consent and its management can be automated and more usable. It is for seen that a notice registry is the natural place for trust services to register their services.
A process for auditing and verifying all trust services needs to be in place for trust services to be trusted. Then when an organisation enrols into the registry they can also add (or manage) trust services that has been added to the receipt.
This is a table to map the list and categories of assurance framework with examples and notes on interoperability with this category of service.
Type of Trust Framework
Consent Policy Format
Personal Policy Preference
Consent Extension Location
Trusted Service Provider Examples
Tracker: Analytics etc:
Cookie
Do Not Track
browser header
cookiepedia, privacy clearing warehouse, Ghostery
Terms of Use Policy
Agree to terms
TOS;DR, Citizen Me
Policy Tracking Services
Policy Comparison
Has terms materially changed ( is consent still compliant? )
TOSBack
Consent Type
What kind of consent has been received
To record the type of consent or whether there is an exception to the requirement for consent.
Reputation
Trust Framework
(all trust services provide reputation)
Privacy Icons
Pictorial Short Notices
Disconnect Me
Capture of Personal Preference at Time of Consent
Does the issuing entity acknowledge DNT
If not available, should provide a notice that it is missing
Data Control Protocol
User Managed Access
Trusted Network Service
Respect Network
Standards
Certificates
TrustE
Levels of Assurance
KI: Identity Assurance Framework