ANCR WG 20210609

Date and Time

Agenda

  • Roll
  • IPR
  • Minutes Approval
  • Agenda Approval
  • Intros
  • Agenda Items Discussion
    • Actions pending
    • Actions new
  • Updates from the consent community
  • AOB


Roll call

Salvatore D'Agostino

Mark Lizar

Vitor Jesus

Jan Lundquist


Quorate: Yes

Participant List


IPR Policy Announcement

Approve Minutes 

None presented

Minutes

Review of spreadsheets to determine working sheet for fields

ISO 27560 next draft published 15 June

Human-readable receipts, human-centric legal standard for privacy online, in compliance with GDPR for example

The person creates an ANCR receipt and record.

Not an identity management system receipt

Need to reference missing field in particular for the anchor notice and consent receipt

29184 is used to implement privacy law, use these to "filter" receipts.

Establishes the baseline for further interactions, independently of others and action.

ANCR captures interoperable legal requirement

Specify fields for the legal justification of the use of rights

Under Framework put legal components that are being referenced that then enable outcomes 

What defines a notice, what defines a notification, and a field for the risk or else it's not compliant (in Canada).

Notice of risk is not in spec; the ANCR receipt is the first notice, and then go to Gateway to make a rights request or exercise rights.

How do we define a notice of risk?

How do we see the flows in time?

Framework has to go through BOLTS...


Layer        | I Agree                                          | Privacy as Expected
Business     | Data Protection                                  | Decentralized Governance
Operational  | Compliance, Breach Resolution, Data Sharing Risk | Person Driven, Lower Operational Burden
Legal        | Cyber Insurance                                  | Interoperable Global Governance, Shared Liability and Risk
Technical    | Lacking                                          | Standards based receipts and records
Surveillance | Lack of transparency                             | Provides a trust anchor for security and identity services that include privacy



ANCR receipt


  • Place of notice digital and physical location (of the person)
  • Method in 1.2 
    • how do I do this 
  • Method of collection of consent vs. collection of notice
  • Method of delivery of notice
    • Related to quality of consent and better definition of risk
  • Location is where the subject is exposed to the policy.
    • Tell me that you agree
      • (Consent Methods....)
      • And whether the notice is legally compliant
  • Can you consent if you don't know who you are dealing with...
    • In the US implicit consent is the norm...
  • Make it something that Bob could figure out...
    • 1.1 was "call your lawyer" to fill out the field...
  • You want to be able to create your own receipt, that captures the level of transparency at that interaction
    • Quality of Notice
    • Use of Rights

Actions 

  • Create Flow to Match Protocol Contribution
  • Define Initial Notice Receipt Fields
  • Review framework 

(Previous)

  • Review receipt fields (uploaded) -> test against:
    • transborder requirements
    • delegation
    • outsourced receipts ("store")
    • legally covering GDPR and other potential laws/acts/regulations
    • can we pair receipts for active state
  • Updating language on our part is an important next step