Commonly referred to as the ANCR TPA Scheme : Parts 1 and 2 for measuring conformance, compliance, performance and security of Transparency and Consent
Conformity & Compliance Scheme Framework v0.08
ANCR refers to an Anchored Notice & Consent Receipt, it is a record that is generated using the Transparency Performance Indicator that assess the operational conformance of the record of processing and its compliance with legislation.
Note: In ANCR Consent Notice Receipt specification, the record and receipt is generated with a PII Controller Identity
Editor(s):
Mark Lizar, WG Co-Chair, WG Editor
Contributor(s):
Sal D’Agostino, WG Co-Chair
Gigi Agassini, WG Secretary
IPR Option:
This ANCR TPA Scheme is a specification is required to be open, as specified under a Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Non-discriminatory (RAND) license agreement at the Kantara Initiative for contribution to ISO/IEC SC 27 WG 5.
Any derivative use of this specification must not create any dependency that limits or restricts the use, accessibility, and availability of the scheme and/or its use to evaluate the performance of transparency and/or the ability for the PII Principal to provide and manage consent records.
Suggested Citation: (upon WG approval)
ANCR Digital Identity Trust: Transparency Performance Assessment Scheme, Part 1 & 2 v0.8
NOTICE
This specification relies on (open access to) ISO/IEC 29100 Security techniques, Privacy framework and ISO/IEC 29184 online privacy notices and consent, and the Consent Notice Receipt, which is a digitally twinned record information structure, Consent Receipt v1.1.4
Conditions for use
License Condition:
This document has been prepared by participants of Kantara Initiative Inc. ANCR-WG. No rights are granted to prepare derivative works of this ANCR Scheme outside of the ANCR WG. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.
Implementation or use of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The participants and any other contributors to the specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Digital Trust Transparency Scheme specification are advised to review the Kantara Initiative’s website (Kantara Initiative: Trust through ID Assurance ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.
Dear reader,
Thank you for reviewing this specification in its preparation for publication and contribution. The Kantara Initiative is a global non-profit dedicated to improving secure, private and trustworthy use of digital identifier surveillance through innovation, standardisation, and good practice.
The Kantara Initiative, known internationally for incubating innovative concepts, operating an Identity Trust Assurance Framework to assure digital identity and privacy service providers and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. “Nurture, Develop, Operate” captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.
Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.
Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2024 Kantara Initiative, Inc.
Abstract
Since the first signatory in 1980, the international standardisation of security and privacy law has been underway to become formalised into regulation that is now enforceable upon its implemented as legislation in Commonwealth countries, like the EU through the General Data Protection Regulation and Canada through Quebec Law 25. This has paved the way for the ratification of the updated to the 108 Convention from the Council of Europe to Convention 108+. The international commonwealth privacy framework, which is interoperable with the ISO/iEC 29100 security and privacy framework, also widely adopted and open access.
This identity management trust assessment scheme creates a PII Controller Record, using the Kantara Consent Receipt Schema, now also found in the ISO/IEC 27560 (2023) - Consent Record information structure.
Part 1 of the scheme introduces 4 Transparency Performance Indicators; these are used to measure and rate the conformance of transparency. Called a Transparency & Consent Index Rating, which is added to the record.
In Part 2 of the scheme (in the Appendix A) a transparency information request is sent to the controller using the PII Controller Record that is generated in Part 1 of the assessment scheme to; a) test the operational performance of transparency and consent information by making a rights request or complaint and, b) assess compliance in accordance to the international adequacy baseline.
Application
4 Transparency Performance Indicators asses transparency signalling in Part 1,
when PII Controller Identity information is provided in accordance to when data is captured, to assess the security and privacy risk and compliance, to determine the legal validity of consent.
If required PII Controller Identity information is provided. to assess operational complinace for any legal justification or authority.
Accessibility & Authenticity the presentation accessibility of the PII Controller Identity Information, taking into account device accessibility, the language and number of screens to access privacy information. in order to then assess the terms and their definition against the legal (and expected) terms and definitions.
Security integrity, of a SSL Certificate (or token) - digital security certificate integrity, asses its OU, Jurisdiction, and Name, to match the PII Controller Information, registration and risks presented in notice.
In Part 2, the record is used to send a digital privacy rights request, which is then made to operational performance and integrity of the notice, notification and disclosures.
Terms & Definitions
Normative
CoE Convention 108+
ISO/IEC 29100 security and privacy framework standard maps terms in the standard itself, for example PII Principal is mapped to the Data Subject.
Term Mapping
The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs)
Stakeholder | ISO/IEC 29100 | Conv 108+ | GDPR | PIPEDA | |
Data Protection Authority | |||||
PII Principal | Data Subject | Individual | |||
PII Controller | Controller | Data Controller | |||
Processor | Data Processor | ||||
Joint-Controller | |||||
Sub-Processor |
(compliance roles, mapped to be interoperable within any data privacy framework)
Roles in this document refer to a record of relationship between the Individual and any digital service, as documented by identifiers. Primary digital trust is technically identified
Introduction
Transparency Performance Indicator’s (TPI’s) are introduced here as an object of conformity used to capture the presentation of PII Controller (Credential) information, to measure this information to determine its completeness,, accessibility and security. Its operational data governance capacity per context can then be assessed against international adequacy baseline for compliance.
In this way TPI’s can quickly be used to determine the validity, quality, and governance of data process for digital and physical assessment contexts.
The TPI’s are employed to assess digital privawcy transparency for human context.
About the Scheme
The TPI Scheme presented here is scoped to international/internet scale digital commonwealth transparency adequacy baseline for trans-border digital consent capable records of transparency. The TPS includes:
A conformity and compliance assessment scheme, implemented in 2 parts to generate a full operational transparency report.
TPI Scheme 1 Part 1 - Conformance
Initial test to diagnose the operational capacity of privacy services in any specific context.
TPI Scheme 1 Part 2 – Compliance (found in Appendix A)
Specifies an example operational transparency compliance performance test, in which the transparency is tested by generating a privacy rights-based request, to access privacy services.
Part 1 refers to conformance with digital identifier elements of the PII Controller required to be presented to initiate a session and is the body of this document.
Part 2 is Appendix A and uses the ANCR record to audit the Adequacy of the captured controller elements as specified in the Council of Europe, Conv. 108+. Article 14, Transparency Modalities.
How Does the scheme Operate?
an ANCR (Anchored Notice and Consent Receipt) Notice Receipt Record, which is assessed as a ‘proof of notice’ (or knowledge record ) claim, conformant as a Consent Notice Receipt as a record format to perform an ISO/IEC conformant digital privacy transparency compliance assessment, against international technical and legal baselines.
The Scheme employs TPI’s to measure the operational performance of transparency and accountability This is used to determine the capacity for dynamic control of personal data, in an online service context. .
The ANCR record is produced from a TPI Assessment which captures the identity of the controller and accountable person, contact and physical address. In this way the presented digital governance and surveillance context can be assessed for compliance for transborder flows of data,
What Do TPI’s Measure
There are 4 Indicators specified in this scheme used to measure the existence and performance of the publicly required digital service information. The TPIs check digital components, and identify the governance model, authority, and security framework to assure the validity of the privacy state in an online service context. This provides privacy risk assurance for people.
Indicators are captured at the point of notice presentation to capture the required PII Controller privacy rights access point(s), and the governance framework personal data processing is being governed.
How Does the Scheme Work
The TPI’s for conformance in the capture of privacy information or services are mapped to analogue legal requirements which measure response times in days, out of technical context. TPIs all measure how dynamic privacy service information is in context, and provide a rating, from -3 to +1, in which +1 is for a Dynamic, in context transparency performance indicator. This introduces the concept of a shared active privacy state transparency, comprised of the signal that indicates if the privacy as expected in context.
TPIs assess when the notice is presented, if the notice information provided is contextually relevant, if the contact information is fake or not, is it usable reciprocally, and proportionally, and if a digital service can represent policy and security required for digital privacy. The information and understanding gained from applying these indicators are a necessary precondition for processing of personal data as well as meaningful consent.
Digital transparency requires a record to provide a standardised purpose specification so as to include who the beneficiary of data is, how they benefit, and where the benefit and value originates. This information once collected in a standard credential, record, and receipt format can be assessed in the Scheme.
The security and privacy risks can then be assessed relevant to the data processing context to provide for an informed choice about whether to provide additional permissions, withdraw consent, or even pause consent to a service, and stop tracking for a particular digital context.
4 TPI’s
The 4 Transparency Performance Indicators capture transparency and data capture practices in context and are used to test the self-asserted information for its operational usability.
These 4 TPIs Part 1, and the associated receipt and record Part 2 can be used together with the other Appendices for public interest application, such as a listing of the Controller credential encompassing the TPIs and associated assessment. The scheme is directed at providing a basis for required public security and privacy transparency assurance.
TPIs specified focus is on the initial point of contact. This includes the publicly required information that MUST be provided and refers to the PII Controller Identity and Contact information, which is required in all legal privacy instruments. Transparency, in this regard, is a universal requirement, and required for the free, prior, and informed consent necessary to scale digital privacy online and as a means of governing and providing trust in authority.
The TPIs here are used to assess session-based data capture and self-asserted information by organizations to specify a public level of trust assurance that is provided in an online context. 5
TPI 1 - Measuring the Timing of PII Controller Identity Notification:
This TPI captures when the Controller's legal entity and accountable Privacy Officer (digital identifiers) provide notice of their identity. This is measured to see if the notice is delivered
Before,
At the time of,
During, or
After
Personally identifiable information is captured.3
By assessing dynamic and operational transparency, as opposed to static, infrequent information, it provides a way for an individual to assess if they can trust a service or not. This is also assessing compliance with Article 14.1, and specifically defined in Article, 15 1, a) and b)
Information to be provided where personal data are collected from the data subject
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller;
(b) the contact details of the data protection officer;
TPI 2 - Measures Required Data Elements
This TPI captures whether the required security and privacy attributes are provided,6 These are required to provide the PII Controller information for all accountable parties. Namely who and what information about them is legally required. In “all” cases, there is a requirement for a Notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information and rights and as required. [Art 14.1]
A first-time notice must exhibit two (2) factors (2FN), 1) is the notice adequate as notice of risk, and 2) are the practices relating to permissions permitted by the purpose, accepted, which can then be used as proof of notice by the data subject.
The required Digital Privacy Transparency (notice) elements are:
Legal Entity Identity Name,
Address, Contact information
Name or role of Data Privacy Officer (or the authoritative owner and Accountable Person (AP) in charge of that legal entity.
Privacy services access and contact point information.
Privacy or other policy governing the processing of personal information.
Transparency information before use
Digital governance framework
Legal Basis for Purpose of initial Processing of PII
Recipients or categories of recipients if any
Transfer of data on networks out of Country, to a 3rd Country,
The existence of adequacy,
Existence of safeguards, where to get a copy of them, or where they have been made available.7
TPI 3 - Measure of Transparency Accessibility
This TPI measures the performance of transparency in terms of accessibility to the information in TPI 2. For example, is the information readily available, ideally prior to the digital session and capture of PII. For example, is TPI-2 information presented in a pop-up notice at the initiation of a digital service session, or is it required to click a link, e.g., to a privacy policy, and then access additional link. , Is the operational transparency information on the first screen, or is it at the bottom reached only after scrolling multi-pages, with links not highlighted, and not accessible to children or parents.
In this way TPI 3a measures Informational accessibility. This is a key transparency metric that indicates if the context of digital privacy is capable of being inclusive and accessible and trustworthy. This measure is extended to include the exercise of rights on the part of the PII Principal to determine how adequately Controllers respond.
TPI 3b - Measure the semantic accuracy of the terms in the controller notice -
Cookie = Digital receipt - nmis-information - cause mass damage - liable -
TPI 4: A Measures security information integrity
This TPI captures the relevant digital certificates, (e.g. x.509), or security token (e.g. JOSE) and keys to compare the security meta-data, and policy objects against the required information in TPI 2. It checks for consistency and continuity in the security provided and is it adequate for the task. E.g., does an SSL certificate Organization Unit and Jurisdiction fields match the captured legal entity information? How do the policy and jurisdiction there relate to other beneficial entities? Importantly does this align with the policy expectations of the person?
TPI Metrics
Transparency Performance Rating
The TPI Rating system is designed to measure dynamically the operational transparency and performance of the required security and privacy information and its usability. The scale applied penalise bad behaviour more than it rewards conformance and compliance from +1 “good” to -3 “bad”. These are presented one by one and then in a table for comparison followed by an example in the next section.
For TPI 1:
+1 refers to the existence of a technical framework and PII Controller transparency prior to the initiation of a session. This provides security-based trust assurances for the data subject.
0 refers providing dynamic transparency in context at the start (which is at the time of collection), including purpose and other required disclosures,
-1 refers to where the legally required information is presented at some point in the session.
-2 refers to the provision of low quality legally required information.
-3 refers to the provision of non-operable, non-compliant, unusable transparency and digital privacy related information.
For TPI 2
+1 is given for each of the Controller information of the elements
-3 if the information is missing.
For TPI 3
+1 for meeting legal requirements for responsiveness for each of the required PII Controller information categories.
-2 for response but not within legal requirements
-3 if information unavailable
For TPI 4
+1 There exists a security notice before processing with the contextual integrity of each the security features.
0 There exits contextual integrity of each the security features
-1 if security information matches controller but policy not contextual (specific to the use case and purpose)
-2 if security key information does not match controller information, e.g. in the Organizational Unit (OU) and Common Name (CN) in the session certificate.
-3 for each integrity mismatch
Table 1: Transparency Performance Indicator Record Ratings
The following shows how TPIs work together as timing is relevant to all the TPIs.
Rating | TPI 1 Timing of Notice | TPI 2 Content of Notice | TPI 3 Access to Content | TPI 4 Security Integrity |
+1 (assured) | Before Transparency of control - governance required information | Controller Information - Credential is registered and present | Controller identity is presented prior to data collection | Security demonstrated prior to data collection |
0 (contemporaneous assurance) | Just in time, At the time of | Notice/credential is presented just in time (automated check and first-time notice) | Embedded as a credential linked to authoritative registries. | Is assured -e.g., certificate is specific to and matches controller and context with icon. |
-1 (analogue assurance - online) | During | Controller information is accessible during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | Requires analysis of security information. |
-2 - (not mandatory in flow) | Available | Controller information is linked | Link not presented | Requires linked information such as certificate policy statement. |
| After | Controller information not present | Identity or credential is not accessible in context - e.g., two or more screens away, or privacy contact is mailing address and non-operative in context of data collection. | Valid issuer, cryptography, expiration, or policy NOT provided. |
Table 2: Transparency Performance Indicator Record Rating Example
Field Name | Field Description | Requirement: | TPI 1 | TPI 2 | TPI 3 | TPI 4 |
Notice Location | Location of where was read / observed | MUST | At time of 0 | Present +1 | Match +1 | |
PII Controller Name | Name of presented organization | MUST | At time of 0 | Present +1 | Responsible entity verified +1 | Match (CN, OU) +1 |
PII Controller Address | Physical organization Address | MUST | At time of 0 | Present +1 | Location accessible +1 | Not match -3 |
Privacy Contact Point | Location / address of Contact Point | MUST | Not present -3 | Not Present -3 | Point of contact verified +1 | Not match -3 |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Information linked -1 | Present +1 | Response in required time +1 | Match +1 |
Session key or Certificate | A certificate for monitored practice | MUST | At time of 0 | Present +1 | Not Expired +1 | Not contextually valid -3 |
Summary
In summary, Transparency Performance Scheme and Indicatorsare specified here for people to use in context in combination with out of session elements, independently of service providers to gain an understanding of digital identifier relationships. TPIs are digital transparency tools used to self-determine how much a service in context can be trusted.
These TPIs are designed to work with open standards, and licenses, e.g. ANCR WG royalty free license, and open-source software to provide adequate, and scalable Transparency conformance. Transparency tools are required to be open in multiple ways so that people can use and create records they can own and keep across and independently of service providers. It is a cornerstone of agency that the scheme puts in place.
TPI 1 is a measure of trust, so that when asked, “Do you trust (accept) a service”, you necessarily know who is processing your data before, during or after.” Overwhelmingly people indicate trust would be higher. if notified prior to data capture, which only makes sense.
TPI 2 is the legally required attributes, present and available. Are they machine readable
TPI 3 is an indicator of how accessible, and inclusive, digital transparency is. Are the transparency attributes machine readable.
TPI 4 validates for the individual if security “matching the controller jurisdiction” to addresses a critical cross-border security challenge widely overlooked today.
This is a 1.0 document; we look forward to its evolution.
TPI Compliance Assessment Scheme Part 2
Operational Transparency Assessment
The following describes an assessment using the TPIs to measure Operational Transparency and assurance.
Most often for the PII Principal there are missing identifying attributes, controlled, and held by PII Controllers with commercial interests., that are required for operational digital governance, This scheme looks to systemically capture and maintain these attributes as digital commons assets turned into public infrastructure to support Operational Transparency.
Transparency is required to be available in context, i.e., during the time when PII is obtained (found in Transparency Statement or Privacy Policy).8
Time period data stored.
Existence of rights/controls to access and rectify.
Existence of right to manage consent.
Existence of right to lodge a complaint with a Data Protection Authority (DPA).
Whether processing is based under a statutory, or contractual context, or whether necessary for entering a contract, if the PII is obliged, and the consequences of failure to provide this data.9
Existence of
AI, or any automated decision-making technology
Digital identity management surveillance technologies
Any profiles, or graphs generated
Meaningful information about the logic involved
Significance in overall policy or processing and decision making
Expected consequences for and to PII Principal - Data Subject
TPI Assessment Guidance
The TPI Rating system is designed to measure the operational performance of the information, for example if only a mailing address is provided for a privacy contact on a website, this is considered non-operable according to the context. This means that privacy access and specific information is not retrievable in the context of data collection. The TPIs measure adequacy and demonstrate non-performance by PII Controllers as a form of data co-governance.
The associated Conformity Assessment: uses the open ISO/IEC 29100 security framework for generating interoperable records and receipts of data processing activity, according to transparency in context.
TPIs are captured in sequence
a. TPI 1 measuring the point when the individual is notified versus when personal information/digital identifiers are collected and processed. The scheme starts by capturing the timing of notice presentation in relation to first data capture, and first contact.10
b. TPI 2 measuring the contents of the notification for required PII Controller digital attributes that correspond to the physical brick and mortar attributes specified in privacy, security, safety, and surveillance legislation. This is the PII Controller identity and entity information and access point.
c. TPI 3 measures how usable are the contents (information record) of the PII Controller entity, and its identity information and access point.
d. TPI 4 validates the coherence of cybersecurity information versus the digital transparency information capturing and comparing the SSL certificate and/or tokens/keys and associated meta-data (e.g. object identifiers, and certificate policies).
Combined, these TPIs provide an overall Indication of the operational state of digital privacy.
TPI – Scheme 1, Part 1(S1-P1) metric logic
Rating - Instruction | TPI 1 Timing (with regards to processing) | TPI 2 Required Information | TPI 3 Accessibility | TPI 4 - Digital Security |
+1 (assured) | PII Controller credential is displayed, using a standard format with machine readable language, and linked, for example, in an http header in a browser | The Controller is discoverable prior to session (out of band) in a machine-readable format: 1.Controller Registry 2.A client-side record of processing (via a wallet or browser) | Controller identity is presented prior to data collection | Security is required prior to collection (digital wallet based)
|
0 (dynamic assurance) | PII Controller Identity or credential is provided in first notice | Credential is presented just in time (automated check and first-time notice) | Embedded as a credential and dynamically available upon access (almost just in time) | Assurance provided– e.g., certificate is specific to and matches controller and context. |
-1 (analogue assurance - online) | The Controller Identity, or screen with the Controller Identity is one screen and click away. For example, the privacy policy link in the footer of a webpage | Controller information is accessible (not presented) during collection | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing | Not-specific to controller - does not match jurisdiction. |
-2 - (not mandatory in flow) |
| Controller Credential information is linked during collection | is linked not presented | Does not match OU |
-3 (non-operative) | PII Controller Identity is not accessible enough to be considered ‘provided’ | Controller information not present | Identity or credential is not accessible in context - e.g., two or more screens of view away, or privacy contact is mailing g address and non-operative in context of data collection. | It is not a valid, secure, or recognized provider. |
1.2. Table 2: ANCR Mirrored Record Schema Example
This appendix is an example of a notice record and the schema and can be used as a template for the information record, rating, and analysis.
FIELD NAME | FIELD DESCRIPTION | REQUIREMENT: MUST, SHALL, MAY | FIELD DATA EXAMPLE |
Notice Location | Location the notice was read/observed | MUST | http://Walmart.com (actual link) |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | Email, or other |
Privacy Contact Point | Location/address of Contact Point | MUST | |
Session Certificate | A certificate for monitored practice | Optional | TLS, Transparency, Policy (OID) Context |
Digital Transparency Code of Conduct
These digital transparency code of conduct rules coincide with the TPIs presented and reference the international adequacy requirements for transparency required for digital identifier management. In Report on the Adequacy of Digital Identity Governance for cross border transparency and consent:
PII Controller must:
Provide their PII Controller Notice Credentials, before or at the time of processing personal information (TPI 1), Article 14.1
PII Controller credential information must be accessible
PII Controller credential information must be operationally capable for access to rights with evidence of notice & consent
The security context must match the controller’s jurisdiction where it is assumed PII is processed
Appendix D. References
Appendix F. ISO scheme Profile
1
2
3 Mirrored Record Information Structure, 2024, ANCR WG Kantara Initiative { ANCR: Consent Receipt V2: Consent Notice Receipt }
4 Consent receipt v1, CISWG Kantara Initiative https://kantarainitiative.org/download/7902/
5Note to reader: The ANCR Record Framework presents 4 levels of transparency assurance for PII Controller (Notice) Credentials, which can be use in 3 vectors of digital governance; 1. Personal data control 2. Data Protection 3. Co-regulation, i as assessed in this document at assurance level 0.
6 This is the most common legislated privacy element in the world, required and mappable to all privacy legislation and instruments. (ISTPA 2007)p.64
7 An international repository would be an ideal for framework when accessing thes first-time sign or notice.
8 A second factor notice must be linked to the first notice receipt/record to provide proof of notice and state.
9 This is missing from CoE 108+ - but required element to include in the Code of Conduct.
10 Flows for return visits can make use of receipts that capture the state of the relationship on first contact, and record and maintain any change of state thereafter for any use by any controller, including joint controllers, sub-controllers, processors, and sub-processors.
I