ANCR WG 20210609
Date and Time
- Wednesday 10:30 EST
- Screenshare and dial-in:Â
United States: +1 (224) 501-3316, Access Code: 485-071-053 (confirm or change)
- See ANCR calendar for additional details:Â https://kantara.atlassian.net/wiki/display/WA/Calendar
Agenda
- Roll
- IPR
- Minutes ApprovalÂ
- Agenda Approval
- Intros
- Agenda Items Discussion
- Actions pending
- Actions new
- Updates from the consent community
- AOB
Roll call
Salvatore D'Agostino (Unlicensed)Â
Jan Lundquist
Quorate: Yes
--
IRP Policy Announcement
Approve MinutesÂ
None presented
Minutes
Review of spreadsheets to determine working sheet for fields
ISO 27560 next draft published 15 June
Human readable receipts, human centric legal standard for privacy on line, in compliance with GDPR for example
The person creates an ANCR receipt and record.
Not an identity management system receipt
Need to reference missing field in particular for the anchor notice and consent receipt
29184 is used to implement privacy law, use these to "filter" receipts.
Establishes the baseline for further interactions, independently of others and action.
ANCR captures interoperable legal requirement
Specify fields for the legal justification of the use of rights
Under Framework put legal components that are being referenced that then enable outcomesÂ
What defineds a notice, what defines a notification, and a field for the risk or else its not compliant (in Canada).
Notice of risk is not in spec, the ANCR receipt is the first notice and then go to Gateway to make a rights request or exercise rights.
How do we define a notice of risk?
How do we see the flows in time?
Framework has to go through BOLTS...
Layer | I Agree | Privacy as Expected |
---|---|---|
Business | Data Protection | Decentralized Governance |
Operational | Compliance, Breach Resolution, Data Sharing Risk | Person Driven, Lower Operational Burden |
Legal | Cyber Insurance | Interoperable Global Governance, Shared Liability and Risk |
Technical | Lacking | Standards based receipts and records |
Surveillance | Lack of transparency, | Provides a trust anchor for security and identity services that include privacy |
ANCR receipt
- Place of notice digital and physical location (of the person)
- Method in 1.2Â
- how do I do thisÂ
- Method of collection of consent vs. collection of notice
- Method of deliver of notice
- Related to quality of consent and better definition of risk
- Location is where the subject is exposed to the policy.
- Tell me that you agree
- (Consent Methods....)
- And whether the notice is legally compliant
- Tell me that you agree
- Can you consent if you don't know who you are dealing with...
- In the US implicit consent is the norm...
- Make it something that Bob could figure out...
- 1.1. was call your lawyer to fill out the field..
- You want to be able to create your own receipt, that captures the level of transparency at that interaction
- Quality of Notice
- Use of Rights
ActionsÂ
- Create Flow to Match Protocol Contribution
- Define Initial Notice Receipt Fields
- Review frameworkÂ
(Previous)
- Review receipt fields (uploaded) -> test against:
- transborder requirements
- delegation
- outsourced receipts ("store")
- legally covering GDPR and other potential laws/acts/regulations
- can we pair receipts for active state
- Updating language on our part is an important next step