ANCR Record Framework for PII Credentials
Kantara Initiative : ANCR WG
V. Status Draft v0.5 (WiP)
Author: Mark Lizar
Editor: Sharon Polsky
Contributors: Sal D’Agostino
Abstract:
At the present time, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before the collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites that are called ‘terms and conditions’ or ‘user licenses’, with corresponding ‘privacy policies’ or ‘data sharing agreements’, that do not implement or provide the privacy rights or data control people expect, and those expectations do not scale online.
ANCR (Anchored Notice and Consent Receipt) is a record and receipt protocol used to twin the state of security and digital privacy in a format designed to be human-understandable by default. A receipt is a simple solution to trust: it advances assurances of personal data control and transparency while being inclusive of everyone.
It extends an exigent public trust mechanism to high-risk contexts, to confidentiality, and to the assertion of authority by Individuals in advance of disclosing their personal information. Without a receipt (a record of our own) there is no way to determine, control, or negotiate the conditions or sources under which data about them may be processed, used, managed, or associated with other data or consents.
The lack of our own digital transparency prevents tracking the states of our own consent, and so prevents Individuals from knowing or seeing (and therefore trusting or controlling) when digital identifiers and related micro-metadata about themselves are created, used, or disclosed for additional purposes.
Services today systemically control the records of interaction, choosing when to make records, and often making no records at all. This restricts the user-side interaction, access and participation that individuals require to see how information about themselves is used, when, by whom, and for what purposes. Addressing this requires a systematic approach to digital transparency that enables people online.
The consent receipt is used to twin the security and privacy state relative to the individual, enabling individuals to see how information about themselves is used, when, by whom, and for what purposes.
The Anchored Notice and Consent Receipt (ANCR) is normalized here as a notice and consent receipt flow, where a notice receipt is received by the Individual and a consent receipt is a grant provided by the Individual. The credential is used to enable transparency, so that Individuals can see the data governance of online contexts: to visualize whether PII about them is being processed in ways that are private, and whether, when, where, and to whom it is disclosed, locally, domestically, or internationally.
A recorded ability to direct and control the collection, use and disclosure of information about themselves is essential for Individuals to have the technical capacity to trust the management of surveillance, personal identity, and advanced digital data analysis technologies.
The ANCR specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’. It specifies an active technical object for managing the rules of data and its consented exchange in accordance with international data governance conventions.
NOTES TO READER
This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.
In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.
Introduction
This document specifies the core credential schema, using the ANCR Notice record schema to generate a digital record which acts as a digital envelope for the digital privacy information, attributes, identifiers and notice text it is used with.
The term Notice is defined here broadly to refer to any content or dialogue presented to the individual to which an Open Notice Controller Credential can be linked to or embedded.
The Open Notice Controller Credential (or Notice Credential for short) is specified here as a privacy-regulated Notice Credential, accretive to the international body of Privacy by Design standards and specification work. It is regulated in that it is technically defined in this document using international standards and referenced to CoE Convention 108+ and the GDPR, which provide an international legal adequacy baseline for assessing the legal conformance of the digital privacy transparency and governance behind a notice.
The Open Notice Controller Credential’s authority is limited to the notice, sign or signal that represents the context of technological surveillance, without additional assurance. Assurance levels are not specified in this document (see ANCR AuthC Protocol - May23).
The requirement to provide a Controller identity and privacy contact is universal to all privacy frameworks, and regulatory guidelines indicate that notice MUST be provided before, or at the time of, processing for transparency in context. When this is not possible, notice after capture and processing MUST be provided, and the processing must be disclosed.
The Notice Credential includes legal information that is required to be presented, open and public in all legal privacy instruments. This makes a notice credential the single legal, technical and social point from which to scale interoperability of data governance.
PII Controller identity identifiers, the privacy rights access point and legally accountable contact information are specified to be open. Most importantly, the credential is used under, and is bound by, the authority of the notice and of the most authoritative person in an Organization, or a delegated DPO, indicated at the contact point.
The Notice Credential’s scope of authority is restricted to the notice it is embedded in and the context it is provided in.
Credential Purpose of Use
Operationally, the embedded Notice Credential is used to dynamically generate micro-notice credentials and to receive consent receipt tokens, as well as to render an active-state digital privacy signal.
Notice Credential Binding
To generate a credential, these core notice fields are bound to the accountable authority, which can be delegated (and by default is referred to in this document as the PII Privacy Officer).
An identifier is provided for the credential, as well as a cryptographic key for signing with the credential, as part of the format.
The credential type is also required. Fields added to the notice record to become a credential must be cryptographically signed with a public/private key pair.
Notice Record Schema
Notice Record Credential fields are added to the notice record schema and used to bind and generate an Open Notice PII Controller Credential.
Notice Record Credential Fields added to Schema
These fields add the following technical attributes:
Notice Record ID
Key Pair
Controller Type
Delegated Authority Attributes for Controller & Principal - DPO
Serialization - the controller id is used to generate a record id, which is used to generate a consent receipt id - 1.
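The binding and serialization steps above, as an added example in Go that is not code from the ANCR WG or this specification. The JSON field names, the SHA-256 derivation of each identifier from its parent, and the use of Ed25519 for the controller key pair are assumptions made for illustration; the specification lists the fields but does not fix an encoding or algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// NoticeRecord carries the core notice fields plus the credential fields this
// specification adds to the notice record schema: Notice Record ID, the public
// half of the key pair, controller type and delegated authority. The JSON
// field names are assumptions for this example; the specification lists the
// fields but does not fix an encoding.
type NoticeRecord struct {
	NoticeRecordID     string `json:"notice_record_id"`
	ControllerID       string `json:"controller_id"`
	ControllerName     string `json:"controller_name"`
	ControllerType     string `json:"controller_type"` // e.g. PII Controller, PII Joint Controller
	PrivacyContact     string `json:"privacy_contact"` // accountable contact point (DPO / Privacy Officer)
	DelegatedAuthority string `json:"delegated_authority,omitempty"`
	ConcentricLabel    string `json:"concentric_notice_label"`
	NoticeText         string `json:"notice_text"`
	PublicKey          string `json:"public_key"`
	Signature          string `json:"signature,omitempty"`
}

// deriveID is the serialization step (assumed SHA-256 construction): each
// identifier hashes its parent plus context, so a receipt id chains back to
// the controller id.
func deriveID(parent, context string) string {
	sum := sha256.Sum256([]byte(parent + "|" + context))
	return hex.EncodeToString(sum[:16])
}

// signingInput is the canonical encoding that gets signed: the record with the
// signature cleared, marshalled in Go's fixed struct field order.
func signingInput(rec NoticeRecord) ([]byte, error) {
	rec.Signature = ""
	return json.Marshal(rec)
}

// GenerateControllerKeys creates the key pair bound to the accountable authority.
func GenerateControllerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueNoticeCredential binds the notice fields to the controller key pair: it
// derives the Notice Record ID from the controller id and the notice text,
// embeds the public key, and signs the canonical encoding.
func IssueNoticeCredential(rec NoticeRecord, priv ed25519.PrivateKey) (NoticeRecord, error) {
	// Controller identity and a privacy contact are required by every framework the
	// specification references, so a credential without them is refused.
	if rec.ControllerID == "" || rec.PrivacyContact == "" {
		return rec, errors.New("controller identity and privacy contact are required")
	}
	textHash := sha256.Sum256([]byte(rec.NoticeText))
	rec.NoticeRecordID = deriveID(rec.ControllerID, hex.EncodeToString(textHash[:]))
	rec.PublicKey = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	msg, err := signingInput(rec)
	if err != nil {
		return rec, err
	}
	rec.Signature = hex.EncodeToString(ed25519.Sign(priv, msg))
	return rec, nil
}

// VerifyNoticeCredential checks the signature against the embedded public key
// and re-derives the record id, so a notice whose text, controller or contact
// point was altered after issuance is rejected.
func VerifyNoticeCredential(rec NoticeRecord) bool {
	pub, err := hex.DecodeString(rec.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(rec.Signature)
	if err != nil {
		return false
	}
	textHash := sha256.Sum256([]byte(rec.NoticeText))
	if rec.NoticeRecordID != deriveID(rec.ControllerID, hex.EncodeToString(textHash[:])) {
		return false
	}
	msg, err := signingInput(rec)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// ConsentReceiptID derives the receipt identifier from the notice record id and
// a nonce held by the PII Principal, completing the chain
// controller id -> record id -> consent receipt id.
func ConsentReceiptID(rec NoticeRecord, principalNonce string) string {
	return deriveID(rec.NoticeRecordID, principalNonce)
}
```

Binding fails closed: a record missing the controller identity or privacy contact is refused, and any change to the notice text after issuance invalidates both the derived record id and the signature.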
Normative References
For the international and cross-domain use of the records and receipts reflected in this specification, this document refers to the following:
ISO/IEC 29100:2011 Security and privacy techniques
ISO/IEC 29184: Online privacy notices and consent
ISO 31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements
Fair Information Practice Principles (FTC) foundational principles
Non-Normative References
1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]
Kantara Initiative Consent Receipt v1.11
Kantara Initiative: Blinding Identity Taxonomy (Bit)2
For input to ISO/IEC 27561:2022 POMME (Privacy operationalization model and method for engineering)
Additive Reference
General Data Protection Regulation (GDPR)
Council of Europe Convention 108+ (Conv. 108+)
PIPEDA – Individual, Meaningful Consent
Terms and definitions
This section lists the definitions and reference terms used in this specification and indicates which are normative, non-normative, and additive.
If this specification is not compatible with a jurisdiction’s privacy laws, the internationally defined terms reflected in this specification can be mapped to that jurisdiction’s laws and context-specific terms. For example, PII Principal in this document maps to the term ‘Data Subject’ in European GDPR legislation and the term ‘individual’ in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
NOTATIONS
In this document the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119].
ABBREVIATIONS
The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over what organization controls the processing of personal information, and who is accountable for enforcement.
ANCR Record — means the Anchored Notice Record and Consent Receipt Record
ANCR WG — means the Advanced Notice and Consent Receipt Work Group
Array — means an array of field objects
Conv. 108+ — means the Council of Europe Convention 108+
FIPP — means Fair Information Practice Principles
IRM — means Identifier Relationship Management
ISO/IEC — means International Organization for Standardization/International Electrotechnical Commission
Object — means a field object
PII — means Personally Identifiable Information
PbD — means Privacy by Design
TPI — means Transparency Performance Indicators
ZPN – Zero Public Network – a network in which each processor of personal information has a controller credential and the PII Principal has a private record of the credential
Terms & Definitions
Code of Conduct
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
[Source: GDPR Art 40.4]
When a Processor is not a European Union institution or body, its adherence to an approved code of conduct referred to in Article 40(5) of Regulation (EU) 2016/679 or an approved certification mechanism referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
[Source: Conv. 108+ Art 29.5]
Concentric Notice Label
This is a new field – normative in this specification.
Used to provide a label that indicates what privacy an individual can expect by default, determined by legal justification per context, for consistent transparency that an Individual can trust.
The types of Concentric Notice Label are specified in Annex B, which spans the spectrum of legally defined consent types, defined from the individual’s context and perspective.
Concentric Notice Label Types
Not Concentric: Legal obligation or legitimate interest independent of PII Principal
Implied Consent: The PII Controller defines the purpose
Express Consent: The Individual actions indicate purpose
Explicit & Informed Consent:
Meaningful and/or Directed Consent, where in a PII Principal specifies the purpose for the collection, use, and/or disclosure of PII. Requires and ensures a higher degree of understanding.
Altruistic Consent, which requires a certified code of practice (in this framework, for a directed consent in which the legal obligation to identify the controller before processing is derogated).
[Source: ANCR Notice Record Annex B]
The organization shall provide information about the PII Principal's rights (e.g., access, rectification, deletion, objection, restriction, data portability, withdrawal of consent).
[Source: 29184: 5.3.1.2 — PII Principal Participation]
Modalities should be provided for facilitating the exercise of the Data Subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.
[GDPR Rec 59]
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the Data Subjects on the identity of the Controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation, and communication of personal data concerning them, which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such [rules of] processing.
[Source: Conv 108+ Rec.20]
Digital Privacy [Proposed]
The reference to digital privacy specifies not only the data category for a specific element, but also the field format, the record structure, the attributes that populate the field elements, and the ontology and vocabulary used to specify those attributes.
These are the digital privacy legal elements that are co-regulated. They are focused on here to represent physical privacy expectations and the digital surveillance context in open-access interactions online.
Co-regulated digital privacy ‘technical’ context refers to:
representation of individual physical privacy online
proportional and reciprocal access to privacy rights information, controls, mitigations and remedies
access to privacy services and controls without identification
use of privacy services and controls for security and commerce
transparency over the active state of digital privacy in context
dynamic transparency and data control capacity
Digital Privacy Transparency (DPT) [Proposed]
The transparency over the digital representation of the active state of privacy in a specific context:
digital identity of Organization
digital Identity of Privacy Officer
digital privacy access point for information and control
Digital Privacy Transparency: Laws & Standards
References enforceable and standardized regulations:
GDPR [General Data Protection Regulation]
Convention 108+/GDPR - Transparency Adequacy Legal Code of Conduct
Digital Privacy Transparency (DPT) Standards reference:
ISO/IEC 29100 security + privacy techniques for ISO 27k Framework
ISO/IEC 29184 Online privacy notice and consent, Consent Notice Receipt (record) in Appendix B
W3C - Data Privacy Vocabulary V1
Kantara Consent Receipt v1.1
Accretive to the ISO/IEC 31700 Privacy by Design standard, contributing high-performance data privacy transparency metrics, referenced as K-DPIs (Key Digital Privacy Indicators), which indicate the active state of digital transparency.
Transparency Performance Indicators:
Transparency data capture and assessment criteria for assessing the performance of digital privacy elements.
Notice
Adhering to the openness, transparency and notice principles means providing PII Principals with clear and easily accessible information about the PII Controller’s policies, procedures and practices with respect to the processing of PII;
including in notices the fact that PII is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the PII might be disclosed, and the identity of the PII Controller including information on how to contact the PII Controller;
disclosing the choices and means offered by the PII Controller to PII Principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information; and
giving notice to the PII Principals when major changes in the PII handling procedures occur.
[Source: ISO/IEC 29100]
To provide notice where it is required, in a language appropriate to PII Principals, at a time that permits PII Principals to meaningfully exercise consent, at places where it is easy for PII Principals to recognize.
[Source: ISO/IEC 29184: Art 5.2.1]
Notice may be required, among other situations, when the organization plans to collect new PII (from the PII Principal or from another source) or when it plans to use PII already collected for a new purpose.
[Source: ISO/IEC 29184]
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
[GDPR Rec.58]
Notice Modalities
The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices, or icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII Principal can parse it to optimize the user interface and help PII Principals make decisions
[Source: ISO/IEC 29184 5.2.7]
Transparency, including general information on the logic underlying the PII processing, can be required, particularly, if the processing involves a decision impacting the PII Principal. Privacy stakeholders that process PII should make specific information about their policies and practices relating to the management of PII readily available to the public. All contractual obligations that impact PII processing should be documented and communicated internally as appropriate. They should also be communicated externally to the extent those obligations are not confidential.
[Source: ISO/IEC 29100 5.8]
That information may be provided in combination with standardised icons in order to better provide an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
[Conv 108+ Rec 35]
Notice Record
Organizations should seek consent for changes such as those outlined here, and should consider whether the PII Principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII Principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.
Where re-consent is requested, and no response is received, it should be assumed that the request for consent for the new/additional purpose is not granted; and the purposes for which the original consent has been provided remains unchanged.
[Source: 29184: 5.3]
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
[Source: GDPR Art 30]
Records of processing activities: 1. Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: the name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
[Source: Conv 108+ Art 31]
Principles relating to processing of personal data
Personally identifiable information must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’);
[Conv 108+: Art.4(a)]
Broadly refers to any surveillance or privacy notice, notification, disclosure, statement, policy, sign, or signal used to indicate personal data processing.
[ANCR Notice Record Annex B]
Privacy by Design [Proposed]
In reference to privacy design methodologies in which privacy is considered and integrated into the initial design stage and throughout the complete lifecycle of products, processes or services (3.3) that involve processing of personally identifiable information (3.2), including product retirement (3.15) and the eventual deletion (3.26) of any associated personally identifiable information (3.2)
Note 1 to entry: The lifecycle also includes changes or updates.
[31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements]
Privacy Principles
The privacy principles articulated in ISO/IEC 29100 are now embodied in international standards and laws.
Consent and choice
Purpose legitimacy and specification
Collection limitation
Data minimization
Use, retention, and disclosure limitation
Accuracy and quality
Openness, transparency, and notice
Individual participation, and access
Accountability
Information security
Privacy compliance
[Source: ISO/IEC 29100 Table 3]
Proof of Notice
A Consent Notice Receipt, for a proof of notice, used as evidence of consent and to ...demonstrate compliant records of processing activities.
[Source: ISO/IEC 29184 Appendix B]
A Record of Notice that is generated to provide proof of an informed individual supersedes terms and conditions (contract), to implement overarching privacy rights‑based control.
[Source: ANCR Notice Record v1 – Specification]
Personally Identifiable Information (PII)
Any information that (a) can be used to identify the PII Principal to whom Personally Identifiable Information relates, or (b) is or might be directly or indirectly linked to a PII Principal.
NOTE: To determine whether or not an individual should be considered identifiable, several factors need to be taken into account. (Equivalent with personal data)
[Source: ISO/IEC 29100]
Descriptor for a type of Personally Identifiable Information, or a set of types of Personally Identifiable Information.
[Source: ISO/IEC 29184 3.3]
Personal Data means any information relating to an identified or identifiable natural person.
Data Subject means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[Source: Conv. 108+ Rec 16]
PII that is in a Sensitive (or Special) Category
What constitutes Sensitive PII is defined explicitly in legislation; however, the definition might vary across jurisdictions. Sensitive PII might include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII Principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant emotional, psychological, or financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII Principal’s real time location.
[Source: ISO/IEC 29100 4.4.7]
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
[Source: GDPR Art 9.1]
Sensitive PII should not be processed unless the specific conditions set out in this Regulation are met. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the Data Subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
[Source: Conv. 108+ Rec. 29]
PII Principal (also Data Subject or Individual)
The natural person to whom the personally identifiable information (PII) relates.
NOTE: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “Data Subject” can also be used instead of the term “PII Principal.”
[Source: ISO 29100 2.11]
PII Principals provide their PII for processing to PII Controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII Principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII Principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII Principal for that PII set.
[Source: ISO 29100 4.2.1]
Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[Source: GDPR: Article 4.1]
Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
[Additive: PIPEDA 4.9]
PII Controller
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.
NOTE: A PII Controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII Controller.
[Source: ISO 29100 4.2.2]
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Note: Also known as a Data Controller.
[Source: GDPR Art. 4(7)]
‘Controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law;
[Source: Conv 108+ Art 3(8)]
PII Sub-Controller [Proposed]
In an IoT use case of a smart building, in which the building controller leases a space to a bank, the building Controller delegates a PII Controller Credential to the bank for that space and its defined geo-location, for data governance of security and privacy.
PII Joint Controller
Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for Data Subjects.
[Source: GDPR Art 26.1]
Where two or more controllers or one or more controllers together with one or more controllers other than Union institutions and bodies jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercise of the rights of the Data Subject and their respective duties to provide the information referred to in Article 79, by means of an arrangement between them, unless and in so far as the respective responsibilities of the joint controllers are determined by Union or Member State law to which the joint controllers are subject. The arrangement may designate a contact point for Data Subjects.
[Source: Conv 108+ Art 86.1]
PII Processor
A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII Controller.
[Source: ISO 29100]
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
[Source: GDPR Art 4(8)]
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
[Source: Conv. 108+ Art 3(12)]
PII Sub-Processor [Additive]
Refers to the PII Controller type in the ANCR record specification.
[ANCR Notice Record Specification v0.9]
An additional field to indicate a delegated PII Processor (rather than a 3rd Party). It is used to distinguish a delegated processor from a legally authorized 3rd Party, such as a public health authority, which would itself be a PII Controller under that legal justification. The concept is also found in the W3C Data Privacy Vocabulary.
[Additive: W3C DPV 2.3.1.6 http://w3c.github.io/dpv/dpv/ ]
Processing of PII
An operation or set of operations performed on personally identifiable information (PII).
NOTE: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.
[Source: ISO 29100]
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[Source: GDPR Art 4.2]
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[Source: Convention 108+]
PII Regulator
Refers to a government authority responsible for the enforcement of privacy and data protection regulation. Referred to also as a Data Governance Authority, a Data Protection Authority (DPA) or simply Privacy Regulator.
Privacy Stakeholder
A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.
[Source: ISO 29100]
Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
[Source: GDPR Art. 50(c)]
Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
[Source: Conv.108+ Art 51(c)]
ISO/IEC 29100 to 27000: Security Framework Mapping
Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts
ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
Privacy stakeholder | Stakeholder |
PII | Information asset |
Privacy breach | Information security incident |
Privacy control | Control |
Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
[Source: ISO/IEC 29100: Annex A]
Standard Concentric Clauses
Standard Concentric Clauses implement 29184 compliance controls and Privacy Service Agreements [ISO/IEC TS 27570: 3.22]
These clauses are used to implement the PII Principal's expectations of privacy, data control, localization and security according to context and notified purpose. These clauses are introduced in contracts, terms and conditions, and refer to the concentric notice label controls and requirements as specified in Annex X of this document.
These clauses MUST be employed in a manner to scale the expectations of the PII Principal online, to facilitate data governance interoperability and transborder adequacy of electronic consent.
Third Party (or 3rd Party)
A privacy stakeholder other than the personally identifiable information (PII) principal, the PII Controller and the PII Processor, and the natural persons who are authorized to process the data under the direct authority of the PII Principal, PII Controller or PII Processor. This refers to, for example, government, police, telecoms and relying parties. In all roles, the stakeholder is also considered to have a controller identity.
[Source: ISO 29100 2.27]
Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
[Source: GDPR Art 4.10]
Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
[Source: Convention 108 Art 3.14]
Open Notice PII Controller Credential Schema
TABLE1: NOTICE RECORD SCHEMA
Adds the technical attributes:
Notice Record ID
Key Pair
Controller Type
Delegated Authority Attributes for Controller & Principal - DPO
Serialization - the Controller ID is used to generate a Notice Record ID, which in turn is used to generate a Consent Receipt ID - 1.
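As an added example, not part of the ANCR specification or any Kantara reference code, the following Python checks a notice record against the MUST/SHALL/Optional requirement levels of the schema table that follows, checks the Controller Type against the controller types defined earlier in this section, and walks the serialization chain described above (Controller ID to Notice Record ID to Consent Receipt ID). The snake_case field keys, the use of SHA-256 over a canonical JSON encoding, the MUST level assigned to Controller Type, and the sample values marked as constructed are assumptions of this example, not part of the specification.

```python
# Added example (not the ANCR specification's own code): a minimal notice record
# validator plus an illustrative serialization chain
# controller id -> notice record id -> consent receipt id.
import hashlib
import json
from typing import Dict, List, Tuple

# Requirement level per field, taken from the Notice Record Schema table.
# The snake_case keys are an assumption; the table does not define key names.
NOTICE_RECORD_SCHEMA: Dict[str, str] = {
    "notice_location": "MUST",
    "pii_controller_name": "MUST",
    "controller_address": "MUST",
    "pii_controller_contact_type": "MUST",
    "pii_controller_correspondence_contact": "SHALL",
    "privacy_contact_type": "MUST",
    "privacy_contact_point": "MUST",
    "session_certificate": "Optional",
    # "Controller Type" is listed among the added technical attributes;
    # giving it the MUST level is an assumption of this example.
    "controller_type": "MUST",
}

# Controller types defined earlier in this section of the document.
CONTROLLER_TYPES = {
    "PII Controller",
    "PII Sub-Controller",
    "PII Joint Controller",
    "PII Processor",
    "PII Sub-Processor",
    "Third Party",
}

# MUST and SHALL are treated as mandatory; Optional fields may be absent.
MANDATORY_LEVELS = {"MUST", "SHALL"}


def validate_notice_record(record: Dict[str, str]) -> List[str]:
    """Return the list of schema violations; an empty list means the record is acceptable."""
    problems: List[str] = []
    for field, level in NOTICE_RECORD_SCHEMA.items():
        if level in MANDATORY_LEVELS and not record.get(field):
            problems.append(f"missing {level} field: {field}")
    ctype = record.get("controller_type")
    if ctype and ctype not in CONTROLLER_TYPES:
        problems.append(f"unknown controller_type: {ctype}")
    return problems


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def derive_ids(controller_id: str, record: Dict[str, str], receipt_seq: int = 1) -> Tuple[str, str]:
    """Illustrative serialization chain (SHA-256 is an assumption of this example,
    not the specification's algorithm):
    controller id + record -> notice record id -> consent receipt id."""
    record_id = hashlib.sha256(controller_id.encode("utf-8") + canonical_bytes(record)).hexdigest()
    receipt_id = hashlib.sha256(f"{record_id}:{receipt_seq}".encode("utf-8")).hexdigest()
    return record_id, receipt_id


# Constructed sample record; name and address are the example values from the
# schema table, the other values are constructed placeholders.
SAMPLE_RECORD: Dict[str, str] = {
    "notice_location": "https://example.com/privacy-notice",  # constructed
    "pii_controller_name": "Walmart",
    "controller_address": "1940 Argentina Road Mississauga, Ontario L5N 1P9",
    "pii_controller_contact_type": "Email, phone",
    "pii_controller_correspondence_contact": "contact@example.com",  # constructed
    "privacy_contact_type": "Email",  # constructed
    "privacy_contact_point": "privacy@example.com",  # constructed
    "controller_type": "PII Controller",
}

if __name__ == "__main__":
    print(validate_notice_record(SAMPLE_RECORD))
    print(derive_ids("controller-0001", SAMPLE_RECORD))
```

Because the record ID is bound to both the controller identifier and the canonical record content, any change to a mandatory field (for example a different Controller Address) yields a different Notice Record ID and therefore different Consent Receipt IDs, which is what lets a PII Principal tell two notices apart from their receipts alone.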
FIELD NAME | FIELD DESCRIPTION | REQUIREMENT: MUST, SHALL, MAY | FIELD DATA EXAMPLE |
Notice Location | Location the notice was read/observed | MUST | |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | |
Privacy Contact Point | Location/address of Contact Point | MUST | |
Session Certificate | A certificate for monitored practice | Optional | SSL Certificate Security (TLS) and Transparency |