ANCR: Transparency Performance Report
Editor(s)
Mark Lizar, WG Editor
Contributors
Salvatore D’Agostino, WG Chair
Gigliolla Agassini, WG Secretary
Tim Lloyd
Tim Reiniger
Daniel Schleifer
v. 0.8.9
Table of Contents
- 1 ANCR: Transparency Performance Report
- 2 Abstract
- 3 IPR Option:
- 4 Conditions for use
- 5 Scope
- 6 Normative References
- 7 Terms & Definitions
- 7.1.1 Accessibility
- 7.1.2 Completeness
- 7.1.3 Choice
- 7.1.4 First Notice
- 7.1.5 Identity
- 7.1.6 Identification
- 7.1.7 Notice Type
- 7.1.8 Permission
- 7.1.9 Secure Transparency
- 7.1.10 Timing: Controller Identification Timing
- 7.1.11 Transparency Performance
- 7.2 Abbreviated terms
- 9 Methodology
- 10 Transparency Performance Indicator Metrics, Analysis, and References
- 11 TPI 1 - Measuring the time of Controller Identification:
- 11.1 Analysis
- 11.2 Legal or Standard Reference for timing of controller identification
- 11.2.1 ISO/IEC 29100 Reference
- 11.3 TPI 2 - Controller Identification Record Elements
- 11.4 Compliance Analysis of compulsory identification attributes
- 11.5 Legal & Standard references for compulsory identification elements
- 11.6 PII Controller Record Conformance
- 12 TPI 3 - Security and Privacy Access
- 13 TPI 4: A measure of security information integrity
- 13.1 Analysis
- 13.3 Legal Reference
- 14 Reporting Summary
- 15 ISO/IEC 29100 Terminology Bibliography
- 16 Appendix A: PII Controller identification record
- 17 Appendix B Role Mapping Across Privacy and Security Instruments
Abstract
The capacity to consent is underpinned by the privacy principle of openness, and knowledge of to whom one consents is critical. Openness is a fundamental democratic requirement, entrenched in legislation across countries, cultures and governing contexts. When any type of identification or recorded surveillance of individuals occurs, the identity of the PII Controller, that is, who is doing the surveillance, must be presented. Trust in the protection and control of personal information, in both physical and online spaces, requires the presentation and identification of who is accountable.
For safety, security and privacy in digital identification technologies, transparency is required for inclusive identification, and required prior to collecting and processing personal data. This is a foundational requirement for consent to be legally, technically, or ethically possible. This transparency is the focus and goal of this document.
This document specifies four (4) Transparency Performance Indicators (TPIs) that indicate whether consent is valid for any surveillance context. They are used here to create a Transparency Performance Report (TPR), in which a record of transparency is generated and its performance is measured to determine whether consent is valid and operable.
The resulting PII Controller identification record is evidential: it is defined here with the ISO/IEC 29100:2024 Privacy framework, using the Kantara Consent Receipt v1.1, which has since evolved into the ISO/IEC 27560:2024 Consent record information structure. It is applied here to enable the measurement of international (Internet) legal adequacy of transparency for consent. This represents, and is required as, the underlying legal justification for digital identification management technologies.
Without a presentation of Controller identification, there is no legal or technical way for people to be informed about who is in control of, and accountable for, the security, privacy and sovereignty of surveillance (in short, how trustworthy “digital trust” is). Without it there is no traceability or accountability for misinformation independent of service providers, much like running a business without auditing or accounting to generally accepted principles. This requirement is not only essential for human security; it is also compulsory for consent, or for any type of legitimate processing, regardless of justification or Controller.
Transparency modalities take the form of the timing and type of notice required to authorize organizations to collect, process or otherwise surveil an individual. Transparency is required not only to meet legal obligations but also for the capacity to trust and enforce accountability for all security and privacy stakeholders.
The audience for this transparency report is individuals, organizations, developers, and regulators. The objective of this report is to support these stakeholders in observing the active state of transparency and its performance. This is particularly relevant for the governance of surveillance in information and communication technology (ICT) environments. By providing a structured framework for recording and evaluating transparency, the TPR aims to assist stakeholders in navigating complex security and privacy considerations while fostering innovation in digital trust transparency and its legal compliance.
The TPR provides a minimum consent and sovereign security validation tool for digital surveillance, identification and artificial intelligence (AI) technologies. It assesses whether transparency is operational and secure as a necessary prerequisite for consent. It has an extensive scope of application and can be extended into an international and inclusive benchmark. The TPR reports on Controller identification transparency rather than the technical details, or implementation mechanisms of technology. The specifics depend on various contextual factors beyond the scope of this report framework. Instead, the TPR provides a foundational approach to measuring transparency in PII processing, which can be extended in context by regulatory requirements.
IPR Option:
This Anchored Notice and Consent Receipt (ANCR) WG Recommendation is open and can be used royalty-free under the ANCR WG IP license, patent and copyright (see: Reciprocal Royalty Free with Opt-out to Reasonable and Non-discriminatory (RAND) license agreement at the Kantara Initiative for its use and contribution to ISO/IEC SC 27 WG 5).
Any derivative use of this specification must not create any dependency that limits or restricts the open use, transparency, accessibility, or availability of the specification and/or its use to measure the performance of transparency and/or the ability for the PII Principal to receive a notice receipt, or to manage or present a notice receipt as a record of and for the authoritative use of PII Principal consent.
Suggested Citation: (upon WG and Kantara Approval)
Kantara Initiative, 2024: ANCR Transparency Performance Report v 1.0
Conditions for use
License Condition:
This document has been prepared by participants of Kantara Initiative Inc. ANCR-WG. No rights are granted to prepare derivative works of this ANCR Scheme outside of the ANCR WG. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.
Implementation or use of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The participants and any other contributors to the specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, express or implied, including any warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Transparency Performance Indicators specification are advised to review the Kantara Initiative’s website (Kantara Initiative: Trust through ID Assurance) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.
Dear reader,
Thank you for reviewing this specification in its preparation for publication and contribution. The Kantara Initiative is a global non-profit dedicated to improving secure, private and trustworthy use of digital identifier surveillance through innovation, standardisation, and good practice.
The Kantara Initiative, known internationally for incubating innovative governance technologies, operates Identification Trust Assurance Frameworks to assure digital identification practices are developed with community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, and other consortia and governments around the world. “Nurture, Develop, Operate” captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.
Every publication, in every domain, is capable of improvement. Kantara Initiative ANCR WG welcomes and values your contribution through membership, sponsorship and active participation in community driven working groups that drive all endeavors so that Kantara can reflect its value back to you and your organization.
Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2024 Kantara Initiative, Inc.
Scope
This document specifies a methodology for observing, interpreting, and measuring the performance of PII controller identification transparency, providing a standardized structure for reporting and capturing evidence of (digital trust) compliance. It records and indicates how transparent digital identification surveillance is for humans.
The use of this report provides evidence of the validity and legitimacy of consent for PII processing, utilizing Transparency Performance Indicators (TPIs). TPIs capture the PII Controller’s required security and privacy information, focusing on the first notification online, captured independently of the PII Controller in order to generate a Controller record (for example, for data processing on a website). Specifically, the four (4) TPIs measure: 1. timing; 2. content; 3. accuracy, accessibility and usability of content; and 4. sovereignty and contextuality of security. Together, they capture the state of operational capacity for transparency with respect to conformance and compliance.
Legal transparency can be measured against the international Convention 108+ privacy treaty, utilizing ISO/IEC 29100:2024 (Information technology — Security techniques — Privacy framework, produced by ISO/IEC JTC 1/SC 27/WG 5) and associated standards to record the transparency modality by creating a PII Controller record. The record can measure the performance of legislated law and/or practice against the international treaty, also referred to as the global privacy policy framework, Convention 108+. The Controller record, along with ISO/IEC 29100:2024, is also interoperable with the ISO/IEC 27001:2022 standard and framework (Information security, cybersecurity and privacy protection — Information security management systems — Requirements).
The PII Controller identification and access record generated with this methodology has many applications, and can be used for both security and privacy benchmarking, and for evidence, conformance, auditing compliance and transparency signalling.
Normative References
Convention 108+ International Treaty
Council of Europe Convention 108+, an international treaty expected to be fully ratified in 2025, provides a formal global security and privacy framework.
It provides the standard instructions and requirements for the signatory countries to implement interoperable privacy law, and/or privacy law that is deemed adequate.
The treaty, in particular its transparency of processing and notification requirements, guides and provides the logic of the performance report and its measures, as referenced in the appendix.
It provides an international measure of common legal best practice.
ISO/IEC 29100:2024 Security and privacy techniques, along with source bibliography
This standard is open and free to access and “relates to PII in all ICT environments, specifying a common privacy terminology; defining the actors and their roles in processing PII; describing privacy safeguarding requirements; and referencing known privacy principles.” It addresses:
Actors and roles;
Interactions;
Recognizing PII;
Privacy safeguarding requirements;
Privacy policies;
Privacy controls.
Kantara Initiative, Minimum Viable Consent Receipt, & Consent Receipt v1
(published in ISO/IEC 29184:2020 Online privacy notice and consent, Annex B), providing a common transparency schema used to make the report.
Note: presented in support of Canadian meaningful consent regulation in 2017. Submission: Kantara CISWG, Consent Receipt Specification, August 2016.
Terms & Definitions
Accessibility
Completeness
Choice
First Notice
Identity
Identification
Notice Type
Identification Notice
Just in Time Notice
Privacy Statement
Privacy Policy (regulated or unregulated)
Permission
Secure Transparency
Timing: Controller Identification Timing
operational transparency
Transparency Performance
Abbreviated terms
ANCR WG Anchored Notice and Consent Receipt
ISO/IEC
PII personally identifiable information
Methodology
The transparency modality is captured, recorded and measured using the PII Controller identification record (Appendix A). This records transparency performance, using the TPIs, to assess whether transparency is valid, operable and secure (i.e., sufficient) for consent, or justified in the case of non-consent-based surveillance.
Transparency Performance Indicators(TPIs)
These four (4) Transparency Performance Indicators are specifically articulated to measure a transparency modality for valid consent: how meaningful and operationally capable it is, and its conformance with the international (Internet-suitable) Convention 108+ global privacy framework.
Consent is valid if PII Controller identification is provided before data collection; partially valid if it is provided before processing (for example, with low-risk pseudonymous identifiers); and not valid if identification is provided after processing. Consent is measured as capable of being meaningful if access to security and privacy is proportionate to data collection, sovereign, and access-capable.
Transparency Performance Indicators are;
Timing of PII Controller identification:
Captures the timing of the Controller identification presentation. It assesses whether identification was provided before collection, before processing, or after processing of PII.
Presence of compulsory identification:
Records the extent to which the compulsory Controller identification attributes are provided (Present/Not Present)
Security and Privacy Rights Access:
Measures how accessible the above compulsory Controller identification information is in the service session context. In addition, it measures how accessible the Controller’s security and privacy access point is, and assesses how accurate, complete and operational (i.e., usable) this information is in practice.
Security and Sovereignty:
This indicator records the digital certificate(s), keys and other tokens that may be employed to secure the technical interaction and/or encrypt a session. It compares the identification, location, jurisdiction and governance sovereignty (source of authority) information from the first three TPIs with the technical security information recorded in this fourth TPI (the associated certificates, object identifiers, policy and associated endpoint, if accessible), for a measure of sovereign security integrity. While this is further facilitated by network connectivity, it is possible to provide some or all of this information in the form of an offline document.
Considerations
Only identification and access are measured, as these indicators assess the conformance and compliance that is globally required for surveillance, authentic (i.e., from a legitimate authority) security, and privacy. They do not assess service-specific information, for example purpose, legitimacy of processing, authority to process PII (i.e., the grant of permission for processing), or a more granular scope of processing beyond what is sovereign. The TPIs provide often-missing requirements for digital identification, referred to here as, and also known as, surveillance trust requirements.
In physical spaces, Controller identification, security and rights access should, and in many cases MUST, be attached to surveillance signs posted at the entry to spaces that are surveilled and secured, whether by a person or through the use of digital technologies. In the case of online services, or on a device, every screen and user interface can be considered a notice in which Controller identification is required to be, and can be, presented.
Note: this v1 is simplified from previous versions in a number of ways, providing room for iteration. Measurement and analysis have been reduced to the most basic elements needed to measure transparency performance. This v1 intentionally reduces measurement to a 3-point metric, but the original design is to include dynamic (operational in context) and analogue (functional) measures, as there is currently no measure of active state, or of how operational personal data is in data silos, even though operational personal data is a legal requirement for security services in article 72 of the EEMA version of the GDPR and the Cyber Resilience Act.
After some testing and implementation feedback, the metrics are expected to evolve in this direction for performance measurement.
Note: beyond comments, we invite additional analysis and reporting questions, which can be answered with the data collected and evidenced in a PII Controller Identification Record, including extra data collected from external sources.
Transparency Performance Indicator Metrics, Analysis, and References
The primary authoritative reference is Convention 108+, as this treaty specifies the requirements for adequacy which countries implement as enforceable legislation in order to ratify the Convention. The Convention itself is based on principles widely implemented even in non-Commonwealth countries. As a result, Convention 108+ is the authoritative privacy policy for adequacy with regard to global Internet and digital privacy. It is used here to extend the use of ISO/IEC 29100, which is used to specify and record the Controller information.
While the TPIs can be used to quickly self-assess transparency, its performance, capacity and security, the methodology requires that the technical environment be captured for evidential quality. In addition to the TPIs, this includes the notice type, device type, operating system, discovery software (e.g., a web browser and version), and any search tool. See Appendix A, Supplementary capture record.
TPI 1 - Measuring the time of Controller Identification:
This TPI captures the point in time the notice was presented versus when PII is collected, and when PII is processed.
| TPI 1 - Timing Measure | Description | Measure |
|---|---|---|
| Before collecting PII | Controller identification is presented before data is collected | +1 |
| Before processing PII | Controller identification was provided before collected data was processed | 0 |
| After collection and processing of PII | Controller identification was provided after processing | -1 |
Analysis
| Result | Analysis |
|---|---|
| +1 | For valid consent, the Controller identification MUST be presented prior to collection (and therefore prior to processing). |
| 0 | If the Controller’s, or Joint Controllers’, identification is presented after data is collected but before it is processed, then consent is valid only if the PII is not sensitive and not collected in a sensitive context, the PII Principal is not a minor or vulnerable person, the processing is fair and not deceptive, or the PII is pseudonymous, and it is not disclosed to or shared with an unknown third-party PII Controller or processor. |
| -1 | If the Controller’s, or Joint Controllers’, identification is provided after collection and processing of PII, then consent is not valid. |
Note: the measurement scale value 0 (low-risk consent) is for low-risk partial compliance and conforms to a decision by the European Data Protection Board (EDPB) of 16 January 2025. Pseudonymous data is a type of personal data according to the EDPB, “if the additional information needed to attribute it to an individual is held by someone else.” As a result, pseudonymised identifiers or credentials do not automatically become anonymous in the hands of a third party who does not have access to the additional information.
For valid and meaningful consent, the individual must be informed of what pseudonymous information was collected before it is processed, similar to showing live video surveillance on a screen at the point of surveillance.
Legal or Standard Reference for timing of controller identification
TPI 2 - Controller Identification Record Elements
This TPI captures the compulsory Controller identification and access attributes into a PII Controller identification record (Appendix A).
| TPI 2 - Compulsory Information Measure | Description | Measure |
|---|---|---|
| All PII CI Requirements | Is the compulsory identification information and access point information provided? | +1 |
| Partial PII CI Requirements | Is the compulsory information provided, but the information to access it not provided? | 0 |
| Missing or non-operable PII CI | Is the identification information provided non-existent or non-operable? | -1 |
Compliance Analysis of compulsory identification attributes
These PII Controller identification elements MUST be provided by the PII Controller and are compulsory, although advanced and dynamic access, using existing records or receipts, might also meet the requirements of functional compliance.
| Result | Analysis | Notes |
|---|---|---|
| +1 | 100% of the required attributes are presented. | |
| 0 | 90% (“most”) of the Controller information is provided, and/or the security and privacy rights access point is not provided. | Partial digital transparency; can be compliant in physically secure and in-person contexts, or out of a digitally recorded context, for explicit consent. |
| -1 | Any listed Controller identification information is missing. | |
Legal & Standard references for compulsory identification elements
| Reference Controller identification | Reference | Quote |
|---|---|---|
| CoE 108 + (Code of Conduct) | Recital 68 p.23 | Information on the name and address of the controller (or co-controllers), the legal basis and the purposes of the data processing, the categories of data processed and recipients, as well as the means of exercising the rights can be provided in any appropriate format. – the right of everyone not to be subject to a purely automated decision significantly affecting them without having their views taken into consideration (littera a.); – the right of everyone to request confirmation of a processing of data relating to them and to access the data at reasonable intervals and without excessive delay or expense (littera b.); – the right of everyone to be provided, on |
| GDPR | Article 13.1, 14.1 | (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; |
| Quebec Law 25/CAI Guidance | B.3 Consent and Collection | Comply with its obligation of transparency by providing accurate and complete information to the persons concerned when the collection is made from them. |
| ISO/IEC 29100 | 5.6 pg.13 | An external privacy policy provides outsiders to the organization with a notice of the organization’s privacy practices, as well as other relevant information such as the identity and official address of the PII controller, contact points from which PII principals can obtain additional information, etc. In the context of this framework, the term “privacy policy” is used to refer to the internal privacy policy of an organization. External privacy policies are referred to as notices. |
PII Controller Record Conformance
PII Controller ‘identity’ requirements captured in a Controller identification presentation, an explicit security presentation, or a privacy notice statement can use ISO/IEC 29184:2020, ISO/IEC 27560:2024 or the Kantara Consent Receipt v1.1 for the Controller identity and consent record format.
Note: this record, its attributes and format have been widely implemented in industry, and include:
Legal Entity (or natural person) Name and/or trading name
Legal Entity Address
Legal jurisdiction(s)
Controller Privacy Access point and Contact, when applicable
The means for accessing privacy and transparency
Privacy policy or access point
TPI 3 - Security and Privacy Access
This TPI measures the accessibility of the Controller identification presentation and means for accessing rights.
| TPI 3 - Access Measure | Description | Measure |
|---|---|---|
| Access point presented with Controller identification presentation | The security and privacy access point is dynamically accessible and provided with the Controller identification, including data privacy officer contact | +1 |
| Access point (scrolling page) | The security and privacy access point is operational and easily accessed (out of context) | 0 |
| Access point analogue or buried (two links) | The data privacy access point is not easily accessed, or is not operational | -1 |
Analysis of Access
This indicator also takes into account the additional Controller information and data collected for the TPI, including device and user interaction, accessibility, language of presentation, and the number of “screens” that must be traversed to access and use privacy information to exercise the PII Principal’s rights.
| Accessibility of Access | Description | Metric |
|---|---|---|
| Dynamically accessible and meaningful, within the context | Dynamic access to security and privacy can occur when, for example, the PII Principal can control and has access to their PII, the Controller identification is presented prior to data processing, and access to privacy rights has a meaningful result. | +1 |
| Operationally accessible, but not accessible in context (analogue) | Operational privacy access information can come in the form of contact information that can be used in the context of the digital service but requires additional actions outside of the current user workflow. | 0 |
| Inoperable, or accessible and not meaningful | Non-operable refers to privacy access that is analogue and out of context, for example a mailing address, or privacy access that is not immediately accessible at the time of processing PII. | -1 |
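The three indicator tables above (TPI 1 timing, TPI 2 compulsory elements, TPI 3 access) together with the consent conclusion stated in the Methodology section can be implemented as a small scoring function. The Go program below is an added example, not code from the ANCR WG or the Appendix A record: its field names, the constructed observation, and its conservative reading of the TPI 1 low-risk conditions (all of them must hold for a 0 timing score to yield partially valid consent) are this example's assumptions. Each indicator's measure is carried directly by the observation type, so the report is the table rather than a translation of it.

```go
package main

import "fmt"

// Timing is the TPI 1 observation; its value is the TPI 1 measure.
type Timing int

const (
	BeforeCollection Timing = 1  // identification presented before any PII is collected
	BeforeProcessing Timing = 0  // presented after collection but before processing
	AfterProcessing  Timing = -1 // presented only after collection and processing
)

// Access is the TPI 3 observation; its value is the TPI 3 measure.
type Access int

const (
	InContext    Access = 1  // dynamic, presented with the identification, in session
	OutOfContext Access = 0  // operational, but reached outside the user workflow (analogue)
	Inoperable   Access = -1 // missing, unresponsive or not usable
)

// Observation is one captured first notice. Field names are this example's
// own assumption, not the Appendix A record layout.
type Observation struct {
	Timing Timing
	// Compulsory identification attributes (TPI 2).
	LegalEntityName    string
	LegalEntityAddress string
	LegalJurisdiction  string
	// Access attributes: the information to access rights (TPI 2) and its usability (TPI 3).
	PrivacyAccessPoint string // URL, DPO contact or similar
	PrivacyPolicy      string
	Access             Access
	// Low-risk conditions of the TPI 1 analysis, relevant when Timing is BeforeProcessing.
	SensitiveContext            bool // sensitive PII or context, minor or vulnerable person, unfair or deceptive
	Pseudonymous                bool
	SharedWithUnknownThirdParty bool
}

// Report carries the three scores and the consent conclusion they imply.
type Report struct {
	TPI1, TPI2, TPI3 int
	Consent          string // "valid", "partially valid" or "not valid"
	MeaningfulAccess bool   // TPI 3 = +1: rights access is dynamic and in context
}

// ScoreCompulsory implements the TPI 2 measure table: +1 when identification and
// access information are both present, 0 when the identification is present but
// the information to access it is not, -1 when any identification attribute is missing.
func ScoreCompulsory(o Observation) int {
	identity := o.LegalEntityName != "" && o.LegalEntityAddress != "" && o.LegalJurisdiction != ""
	access := o.PrivacyAccessPoint != "" && o.PrivacyPolicy != ""
	switch {
	case identity && access:
		return 1
	case identity:
		return 0
	default:
		return -1
	}
}

// Score combines the indicators into the consent conclusion of the Methodology
// section: valid before collection, partially valid before processing under the
// low-risk conditions (read conservatively here: all must hold), not valid after
// processing or when Controller identification is missing.
func Score(o Observation) Report {
	r := Report{TPI1: int(o.Timing), TPI2: ScoreCompulsory(o), TPI3: int(o.Access)}
	r.MeaningfulAccess = r.TPI3 == 1
	lowRisk := !o.SensitiveContext && o.Pseudonymous && !o.SharedWithUnknownThirdParty
	switch {
	case r.TPI1 == -1 || r.TPI2 == -1:
		r.Consent = "not valid"
	case r.TPI1 == 1 && r.TPI2 == 1:
		r.Consent = "valid"
	case r.TPI1 == 1 || lowRisk: // access information missing, or identified before processing at low risk
		r.Consent = "partially valid"
	default:
		r.Consent = "not valid"
	}
	return r
}

func main() {
	// Constructed observation of a first notice on a website, not real data.
	o := Observation{
		Timing: BeforeProcessing, Access: OutOfContext, Pseudonymous: true,
		LegalEntityName: "Example Controller Ltd", LegalEntityAddress: "1 Example Street, Montreal",
		LegalJurisdiction: "CA-QC", PrivacyAccessPoint: "https://privacy.example/access",
		PrivacyPolicy: "https://privacy.example/policy",
	}
	fmt.Printf("%+v\n", Score(o))
}
```

The constructed observation scores TPI 1 = 0, TPI 2 = +1, TPI 3 = 0 and concludes "partially valid": identification was complete but arrived only before processing, and the access point works but only outside the session. Setting SharedWithUnknownThirdParty flips the same observation to "not valid", which is the condition the TPI 1 analysis attaches to the 0 score.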
Legal References for Accessibility of security and privacy rights access
| Instrument | Reference | Text |
|---|---|---|
| CoE Convention 108 + | Article 8 - Transparency of processing, 68 | “can be provided in any appropriate format (either through a website, technological tools on personal devices, etc.) as long as the information is fairly and effectively presented to the data subject. The information presented should be easily accessible, legible, understandable and adapted to the relevant data subjects (for example, in a child friendly language where necessary). Any additional information that is necessary to ensure fair data processing.” |
| GDPR | 13.1 (b), 14.1 (b) | rights access |
| Quebec Law 25/CAI Guidance | B.2 Methods of Control a) | Through rights (access, rectification, etc.) or remedies (complaint to an organization or the CAI, etc.). To ensure that individuals can exercise these rights in full knowledge of the facts, the laws provide for transparency obligations for organizations; |
| ISO/IEC 29100 | 6.9 Individual participation and access (pg.17) | Adhering to the individual participation and access principle means: … authenticated with an appropriate level of assurance and such access is not prohibited by applicable law; |
TPI 4: A measure of security information integrity
This TPI captures the relevant digital certificate(s) (e.g., X.509) or security token(s) (e.g., JavaScript Object Signing and Encryption (JOSE) or Concise Binary Object Representation (CBOR)), and/or verifiable credential or mobile driving licence documents (i.e., Decentralized Identifiers (DIDs) v1.0 or mdoc), together with their keys, in order to compare the public security metadata and policy objects against the required information in TPI 2. It checks that the security provided is consistent, continuous and adequate.
| TPI 4 - Security and Sovereignty | Description | Measure |
|---|---|---|
| Transparent Security and Sovereignty | Transparency over extra-territorial data transf sovereignty, and the security certificate or token identification matches the Controller identification | +1 |
| Transparent Security | | 0 |
| Non-Transparent, non-matching, or unknown Controller Security information | | -1 |
Analysis
| Result | Analysis | Measure |
|---|---|---|
| Dynamic | The TLS/SSL certificate Organizational Unit and jurisdiction fields match the captured legal entity information, extra-territorial data transfers are presented, and the policy is appropriate for the protection of PII. | +1 |
| Operational | The TLS/SSL certificate OU matches and is in the same jurisdiction, or in a different jurisdiction with some other security notification for extra-territorial data transfer. | 0 |
| Not Operable | The TLS/SSL certificate OU does not match, or the legal jurisdiction is not sovereign to the PII Principal, or there is no security information for data transfers. Object identifiers are not relevant in context. | -1 |
Note: the CA/Browser Forum Baseline Requirements have prohibited the Organizational Unit (OU) field in publicly trusted TLS server certificates since 1 September 2022, and domain-validated certificates carry no organization identity at all. In practice the match is therefore made on the Organization (O) and Country (C) subject fields of an organization-validated (OV) or extended-validation (EV) certificate; a certificate with no organization cannot match the Controller identification and is treated as unknown Controller security information (-1).
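The certificate comparison in TPI 4 can be worked through concretely. The Go program below is an added example, not ANCR WG code: it mints a self-signed X.509 certificate standing in for the one the privacy access point would present over TLS, then scores it against the captured Controller record using only the standard library. It matches on the subject Organization (O) and Country (C) rather than OU, treats a certificate with no organization (a domain-validated certificate) as unknown Controller security information, requires the certificate to cover the access point host, and reads the CA/Browser Forum policy OIDs to report whether the subject was domain-, organization- or extended-validated. The record field names, the entity Example Controller Ltd, the host privacy.example, the ISO 3166-1 alpha-2 jurisdiction encoding, and the reading of the 0 row as identity matching with a transfer notice for extra-territorial processing are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ControllerRecord holds the TPI 2 attributes that TPI 4 compares with the
// certificate. Field names are this example's assumption, not the Appendix A layout.
type ControllerRecord struct {
	LegalEntityName       string // legal entity name from the Controller identification
	Jurisdiction          string // legal jurisdiction as ISO 3166-1 alpha-2 (assumed encoding)
	AccessPointHost       string // host of the security and privacy access point
	TransferNoticePresent bool   // extra-territorial data transfer information was presented
}

// cabfPolicies maps the CA/Browser Forum reserved certificate policy OIDs to the subject validation level.
var cabfPolicies = map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}

// ValidationLevel reads the policy object identifiers captured with the certificate.
func ValidationLevel(cert *x509.Certificate) string {
	for _, oid := range cert.PolicyIdentifiers {
		if level, ok := cabfPolicies[oid.String()]; ok {
			return level
		}
	}
	return "unknown"
}

// ScoreTPI4 applies the TPI 4 analysis table (+1 dynamic, 0 operational, -1 not operable),
// comparing subject O and C (not OU, which public TLS certificates no longer carry).
func ScoreTPI4(rec ControllerRecord, cert *x509.Certificate, principalJurisdiction string) (int, string) {
	switch {
	case cert == nil:
		return -1, "no certificate captured: unknown Controller security information"
	case len(cert.Subject.Organization) == 0:
		return -1, "no subject organization (" + ValidationLevel(cert) + "): Controller identity not attested"
	case !strings.EqualFold(cert.Subject.Organization[0], rec.LegalEntityName):
		return -1, "subject organization does not match the Controller legal entity"
	case cert.VerifyHostname(rec.AccessPointHost) != nil:
		return -1, "certificate does not cover the privacy access point host"
	case len(cert.Subject.Country) == 0 || !strings.EqualFold(cert.Subject.Country[0], rec.Jurisdiction):
		return -1, "subject country does not match the stated legal jurisdiction"
	case !rec.TransferNoticePresent:
		return -1, "no security information for extra-territorial data transfers"
	case strings.EqualFold(rec.Jurisdiction, principalJurisdiction):
		return 1, "dynamic: identity, jurisdiction and transfer transparency match (" + ValidationLevel(cert) + ")"
	default:
		return 0, "operational: identity matches, processing outside the PII Principal's jurisdiction with a transfer notice"
	}
}

// ConstructedControllerCert mints a self-signed certificate standing in for the one a
// TLS session to the access point would present (constructed test data). An empty org
// yields a DV-style certificate that carries no organization identity.
func ConstructedControllerCert(org, country, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: host}
	policy := asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // DV
	if org != "" {
		subject.Organization, subject.Country = []string{org}, []string{country}
		policy = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // OV
	}
	// certificatePolicies (2.5.29.32) is encoded by hand as SEQUENCE OF PolicyInformation
	// so the result does not depend on which template policy field this Go version marshals.
	policies, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{Policy: policy}})
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{host},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := ConstructedControllerCert("Example Controller Ltd", "CA", "privacy.example")
	if err != nil {
		panic(err)
	}
	rec := ControllerRecord{LegalEntityName: "Example Controller Ltd", Jurisdiction: "CA", AccessPointHost: "privacy.example", TransferNoticePresent: true}
	score, why := ScoreTPI4(rec, cert, "FR") // PII Principal in France, Controller in Canada
	fmt.Printf("TPI 4 = %+d (%s)\n", score, why)
}
```

Against a live access point the certificate would be the leaf of the TLS session (for example tls.Conn.ConnectionState().PeerCertificates[0]) rather than the constructed one; the scoring is unchanged. The constructed run scores 0 for a French PII Principal (identity and jurisdiction consistent, processing extra-territorial with a transfer notice) and +1 for a Canadian one.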
Legal Reference
| Instrument | Reference | Text |
|---|---|---|
| CoE 108 + (Code of Conduct) | Article 7 - Data Security, 63 p.22 & 110 p.28 | 63. Security measures should take into account the current state of the art of data-security methods and techniques in the field of data processing. Their cost should be commensurate with the seriousness and probability of the potential risks. Security measures should be kept under review and updated where necessary. 110. The level of protection should be assessed for each transfer or category of transfers. Various elements of the transfer should be examined such as: the type of data; the purposes and duration of processing for which the data are transferred; the respect of the rule of law by the country of final destination; the general and sectoral legal rules applicable in the State or organisation in question; and the professional and security rules which apply there. |
| GDPR | Recital 39 | … Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing. |
| Quebec Law 25/CAI Guidance | | |
| ISO/IEC 29100 | 6.11 Information security | Adhering to the information security principle means: … implementing controls in proportion to the likelihood and severity of the potential consequences, the sensitivity of the PII, the number of PII principals that might be affected, and the context in which it is held; - limiting |
Reporting Summary
This ANCR WG Recommendation provides a method to assess the governance of digital identification systems for valid consent in four ways, with key metric indicators to signify compliance. It introduces a Transparency Performance Indicators (TPIs) methodology to generate a report on the state of transparency. It can be further used, independently, to control identification data through the application of privacy rights. The report that is generated can be reused by the PII Principal as a PII Controller transparency record and sent back to the Controller, to establish a common state of understanding of data governance and access to digital identity privacy rights. The objective of the recommendation is to establish with this report, in particular the use of TPIs, a standard method of recording digital transparency, which is critical to governance and its enforcement.
This version 1.0 report is the first step; we look forward to its continuing evolution.
TPI # | Metric | Key Performance Metric | 1-3 Rating |
1 | Timing +1 | before | pass |
1 | Timing 0 | during (at the time of) | |
1 | Timing -1 | after | Fail |
2 | Required +1 | complete, not completeness | 100% |
2 | Required 0 | | 90% |
2 | Required -1 | | < 90% |
3 | Access +1 - In Context | how performative the transparency is for access to security information or privacy rights | pass (Dynamic): can access security |
3 | Access 0 - functions (analogue) | | usable (Operational), or out of context (n/a) |
3 | Access -1 - inoperable | | not accessible (non-operable or unresponsive) |
4 | Sovereignty +1 (Valid) | transnational? | |
4 | Sovereignty 0 (Partially Validated) | | match or jurisdiction (partial) |
4 | Sovereignty -1 (not Valid) | | no match or jurisdiction (no security info) |
ISO/IEC 29100 Terminology Bibliography
[1] ISO Guide 73, Risk management — Vocabulary
[2] ISO 31000, Risk management — Guidelines
[3] SC 27 committee document 502 — Privacy References List, available at: https://committee.iso.org/home/jtc1sc27
[4] ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary
[5] ISO/IEC 27001, Information security, cybersecurity and privacy protection — Information security management systems — Requirements
[6] ISO/IEC 27002, Information security, cybersecurity and privacy protection — Information security controls
[7] ISO/IEC 27003, Information technology — Security techniques — Information security management systems — Guidance
[8] ISO/IEC 27004, Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
[9] ISO/IEC 27005, Information security, cybersecurity and privacy protection — Guidance on managing information security risks
[10] ISO/IEC 27006, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
[11] ISO/IEC 27007, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
[12] ISO/IEC TS 27008, Information technology — Security techniques — Guidelines for the assessment of information security controls
[13] ISO/IEC 27009, Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
[14] ISO/IEC 27010, Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
[15] ISO/IEC 27011, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
[16] ISO/IEC 27013, Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
[17] ISO/IEC 27014, Information security, cybersecurity and privacy protection — Governance of information security
[18] ISO/IEC TR 27016, Information technology — Security techniques — Information security management — Organizational economics
[19] ISO/IEC 27017, Information technology — Security techniques
[20] ISO/IEC 29100:2024, Information technology — Security techniques — Privacy framework
Appendix A: PII Controller identification record
Field # | Controller ID Object | String | controller_id_object | _ | Required |
1 | Capture presentation of PII Controller Identity | text | presented_name_of_service_provider | name of service, e.g. Microsoft | May |
2 | PII Controller Identity & Contact | object | [piiController_identity] | | |
3 | PII Controller Name | String | piiController_name | Company / organization name | MUST |
 | PII Controller address | String | piiController_address | _ | MUST |
4 | PII Controller contact email | Varchar(n) | piiController_contact_email | correspondence email | MUST |
6 | PII Controller Phone | Char | piiController_phone | The general correspondence phone number | SHOULD |
7 | PII Controller Website | Varchar | piiController_www | URL of website (or link to controller application) | MUST |
8 | PII Controller Certificate | Blob | piiController_sslcertificate | A capture of the website SSL certificate | MUST |
 | Means of accessing privacy rights and controls | VarChar(max) | pcpL | The endpoint address for privacy information and service access | MUST |
9 | Service Privacy Access Point (SPAP)-Other | string | pcp_other | Other | ** |
10 | Privacy Contact Point Types (pcpT) | Object | pcpType | | |
 | SPAP-MailAddress | object | | Mailing address | MUST |
 | SPAP-Profile | String | pcpProfile | Privacy Access Point Profile | ** |
 | SPAP-InPerson | String | pcpInperson | In-person access to privacy contact | ** |
 | SPAP-Email | Varchar | pcpEmail | PAP email | ** |
 | SPAP-Phone | char | pcpPhone | Privacy access phone | ** |
 | SPAP-PIP-URI | Varchar | pcpPip_uri | privacy info access point, URI | ** |
 | SPAP-Form | Varchar | pcpForm | Privacy access form URI | ** |
 | SPAP-Bot | String | pcpBot | privacy bot, URI | ** |
 | SPAP-CoP | String | pcpCop-loc | Code of practice certificate, URI of public directory with pub-key | ** |
10 | SPAP-Other | string | pcp_other | Other | ** |
 | SPAP Policy link, notice, statement, label | text | pcpn/ | the means of privacy | MUST |
Supplementary, dependent on transparency modality:
Environment Technical Context and Attribute |
- Security or Privacy Access
- Physical or Digital Identification
- Device
- Operating system
- Discovery Software, Browser
- Discovery Service, AI, web Search
Appendix B Role Mapping Across Privacy and Security Instruments
The ISO/IEC 29100 security and privacy framework standard maps terms within the standard itself; for example, PII Principal is mapped to Data Subject.
The ANCR Record Framework is used to specify Transparency Performance Indicators (TPIs).
Stakeholder | ISO/IEC 29100 | Conv 108+ | GDPR | PIPEDA | Quebec Law 25[1] |
Regulator | Privacy Supervising Authority | Supervisory Authority | Data Protection Authority | Privacy Commissioner | Commission d’accès à l’information du Québec |
Principal | PII Principal | Data Subject | Data Subject | Individual | Concerned Person (or person concerned) |
Controller | PII Controller | Data Controller | Data Controller | Organisation | Person in Charge of the Protection of Personal Information |
Joint (or Co-) Controller | Joint PII Controller | Joint Data Controller | Joint-Controller | Organisations | Person in Charge of the Protection of Personal Information |
Processor | PII Processor | Processor | Data Processor | 3rd Party | Service Provider (prestataire de services) |
Sub-Processor | Sub-Processor | Sub-Contractor | Sub-Processor | 3rd Party / Service Provider | Service Provider (prestataire de services) |
3rd Party | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | Any entity or individual other than the Data Subject, Controller or Processor | 3rd Party | Any individual or organisation other than the person concerned or the organisation in charge of data protection |
Table 1. Role Mapping
[1] Quebec, Bill 64: An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 (compliance roles, mapped to be interoperable within the data privacy framework).
Roles in this document refer to a record of relationship between the Individual and any digital service, as documented by the Controller identity schema for TPI assessment.
1 Kantara Initiative: Trust through ID Assurance.
2 Kantara Initiative hosts a number of work groups which work at the apex of digital identification, trust, and assurance.
3 The term controller is used with multiple adjectives in this document. One source of this is different terminology for a category of actor (see Appendix A, Table 1). Further, it is possible for the person to be subject, controller, and object granted. Another is the specific type of controller action taken. In the case of the PII Controller, here, the action measured is notice, and so with it the specific role of the PII Controller as Notice Controller.
4 ISO/IEC 29100:2024, “1 Scope: This document provides a privacy framework which:” p. 1.
5 ISO/IEC 29100:2024, “5.1 Overview of the privacy framework: The following components relate to privacy and the processing of PII in ICT systems and make up the privacy framework described in this document:” p. 4.