| field Name | Section | Comment | Changed Text | Added to ANCR V? Y/N |
|
|---|
| 5.2 | out of scope remove section | Link to list of iterations on the ANCR WG Wiki Remove |
|
|
| 5.3.4 | Remove - Assessment | - Assessment is not in right context, remove and revisit as a sub-component of a code of practice
|
|
|
| 5.3.6 | Remove | - (see ANCR receipt Consent Grant)
|
|
|
| 5.3.4 | termination, | remove replaced by consent grant. |
|
|
| 5.3.4 | method of use, this is specified by the purpose and is not needed or required | Remove |
|
|
| 5.3.4 | Services and Service | Remove Or make Optional - Services, or service as this is not a Legally required term,
- 5.3.4. Codified Practice Provider (optional)
-
|
|
|
| 5.2.4 | Relationship between records and receipts | Change - a record of the notice is used to generate a consent receipt – by capturing the required notice elements for a consent to be secure, private and assured
|
|
|
| 5.3.3 | Record Meta-Data section contents | - Remove"
Guidance " in the ANCR v1.2, WD 2 - the Consent Receipt prefix is the “meta-data” record of the notice, and is what is used to generate a 'data Soverign' consent receipt, specified by privacy law, meta-data = receipt pre-fix
|
|
|
| 5.3.5. | - Remove ALL / Rplace party_id with ANCR_ID
|
This can be removed – each party is identified by the PII Principal or Controller with an ancr_id linking to the any stakeholder or party in scope of consent.
- ANCR_ID’s for all other stakeholders can be created by a PII Principal by harvesting a consent receipt id. it then can be used to generate a ANCR record by generating an Ancr record id with a receipt id, which MUST includes the same schema version for the privacy controller information for the 3rd party prefix.
|
|
|
| 3.3.2 |
| Recommend change - .consent_record_id
- to anchoured_record_ID
|
|
|
| 5.3,4.14 | withdrawl There are 5 or 6 different rights applicable for consent in GDPR, that are standardized in 29184. - e.g the ability to object, not be subject to automated decision making, access and correction, etc, depending on the legal justification being provided, the context and any specified codes.
- Recommend changing to privacy rights information,
is not technically the right when translated in privacy rights
| change to 'privacy rights |
|
|
| 5.3.4 | third_party_name all 3rd parties are un-defined PII Controllers, which is Privacy Stakeholder as defined in 29100
| Change to third_party_disclosure_log a log of PII Controllers which data has been disclosed to, which includes the purpose of the disclosure, each disclosure should generate a notice or notification and a receipt generated by the PII Stakeholder |
|
|
| 5.3.3.3 | consent_record_id Change to consent_receipt_id,
(not a consent record id is a n identity access and preference log)
| Change to Consent_receipt_id, there is no consent record id in this specification,
consent receipt id is generated with each purpose, notification and disclosure , in context of that purpose, e.g. when a receipt is generated the consent receipt id field is appended to the ancr record (aka the consent receipt appendix) |
|
|
| 5.3.4 | Purpose Category | Update to purpose context Purpose context, (also known as purpose category), can also be the name of a service name, or brand name, or context generically |
|
|
| 5.3.4.4 | Purpose
** Critical comment MUST be singular in context to be legally viable/ demonstrate a compliant consent,. - Recommend changing to Purpose (singular) as each consent receipt is for a single purpose, or a bundled set of permissions for the same or similar purpose, called a codified practice,
| should be purpose description
|
|
|
| 5.3.4 | sensitive pii categories recommend - change to sensitive PII Category, making one for each category, - to add primary context of use, as this provides the legal notice, notification, and disclosure requirements applicable to the consent.
This MUST be a mandatory field , defined by or for the context of purpose, and is key field for purpose specification.
This field is used to indicate what specific privacy conformance profile is legally required in a purpose assessment for a consent receipt to be legally valid and usable as evidence. As well as required to be able to ascertain and present risks to the PII Principal in a notice, for the consent to be legally informed.
| Sensitive PII Category - should not be plural, and MUST be required
|
|
|
| 5.3.4 | collection method from a website and in the future via: - access PII Principal Data Store
- a stored copy of data
| remove - along with information about any risks associated with PII collection methods, add - should include, initial location and future collection or use location |
|
|