ANCR: PII Controller Notice Credential

PII Controller Notice Credential

Version 5.0.1 (new-outline)

 

NOTES TO READER

This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, in the Consent and Information Sharing Working Group in 2015. That Working Group’s activities carried on through the ANCR Working Group.

In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.

Summary

Introduction

This document specifies the core Controller Credential schema, derived from the consent record information structure in the Consent Receipt and ISO/IEC 27560. The schema is split into a Controller Credential, a purpose specification and a notice context, which are then used to sign notices and to generate notice records and receipts. The credential acts as the header and is linked to an 0PN-API that generates three types of records of processing, used for exchange and processing with an exchange service:

  • Transparency-Notice Receipt

  • ANCR Controller Notice Record

  • Consent Notice Receipt & Token

The PII Controller Credential Schema

The ANCR Notice record schema is used to generate a digital record which acts as a digital envelope for the digital identifiers, their linked information and attributes, and the notice text the individual is presented with.

The term Notice is defined broadly in reference to any notice, notification or disclosure which impacts the consent of the individual, inclusive of text and graphical content or dialogue presented to the individual, to which an Open Notice Controller Credential can be linked or embedded.

This Notice Controller record can be used as a verifiable credential (or Notice Credential for short) and is specified here to be regulated by legislation as a Controller Notice Credential, accretive to the international body of Privacy by Design standards and specification work. It is regulated in that it is technically defined in this document using international standards and referenced to CoE Convention 108+ and the GDPR, which provide an international legal adequacy baseline for assessing the legal conformance of the digital privacy transparency and governance behind a notice.

The Notice Controller Credential’s authority is defined by the scope and context of the notice; a sign or signal in the context of the notice contextually represents a context of technological surveillance without additional assurance.

The requirement to provide a Controller identity and privacy contact is universal to all privacy frameworks, and the regulatory guidelines indicate that notice MUST be provided before, or at the time of, processing for transparency in context. When this is not possible, notice after capture and processing MUST be provided and the processing must be disclosed.

The Notice Credential includes the legal information that is required to be presented, open and public in all legal privacy instruments. This makes a notice credential the single legal, technical and social point from which to scale interoperability of data governance.

PII Controller identity identifiers, the privacy rights access point and the legally accountable contact information are specified to be open. Most importantly, the credential is bound by the authority of the notice and to the most authoritative person in an organization, or a delegated DPO, indicated at the contact point.

The Notice Credential’s scope of authority is restricted to the notice it is embedded in and the context it is provided in.

Controller Credential Purpose of Use

Operationally, the embedded Notice Credential is used to dynamically generate micro-notice credentials and to receive consent receipt tokens, as well as to render an active state digital privacy signal.

Controller Notice Credential Binding

To generate a credential, these core notice fields are bound to the accountable authority, which can be delegated (and by default is referred to in this document as the PII Privacy Officer).

An identifier is provided for the credential, as well as a cryptographic key for signing with the credential as part of the format.

The credential type is also required. Fields added to the notice record to become a credential must be cryptographically signed with a public/private key pair.

Controller Notice Credential Record Schema

Notice Record Credential fields are added to the notice record schema and used to bind and generate an Open Notice PII Controller Credential.

Editor’s Note: the Controller Notice Record Credential fields (added to the consent record schema) add the following technical attributes:

  • Controller ID.

  • Consent Record ID.

  • Key Pair.

  • Controller Assurance Level.

  • Delegated Authority for Controller & Principal - DPO.

  • Serialization - the controller ID is used to generate a record ID, which is used to generate a consent receipt ID - 1.

References

For the international and cross-domain use of the records and receipts reflected in this specification, this document refers to the following consent-by-default and privacy-by-design twin record governance model references:

Compliance Adequacy

  • Authoritative Compliance.

    • Council of Europe 108+

  • Best Practice Compliance EU.

    • Digital Services Act.

    • Digital Markets Act.

    • Digital Governance Act.

Conformance Normative

  • ANCR WG - Record information structure for conformance.

  • ANCR AuthC.

  • Normative Conformance.

    • ISO/IEC 29100:2011 Security and privacy techniques.

    • 1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD].

Non-Normative References

  • ISO/IEC 29184: Online privacy notices and consent.

  • ISO/IEC 27560: Privacy technologies - Consent record information structure.

Referential

  • 31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements.

  • Fair Information Practice Principles (FTC) foundational principles.

The PII Controller Notice Credential is the base Digital Privacy Transparency (DPT) record schema, which is extensible and is used for digital privacy transparency. It is used to standardize directed consent and altruistic modes of consent. The PII Controller Notice Credential is linked to a notice, notification or disclosure, and is used by the PII Principal’s agent to generate an ANCR Notice Record.

In this way, a Controller Credential can be used to govern digital privacy expectations with Consent by Default.

The credential is then used to generate a receipt in context for any notice, notification and/or disclosure presented by the PII Controller. There are 23 digital privacy transparency requirements for the PII Controller Notice Credential that are defined in this governance report: [1] Lizar, M., Ortaldo, A., Adequacy of Identity Governance Transparency, https://diacc.ca/2022/03/31/adequacy-of-identity-governance-transparency/

Authoritative Delegation of Data Governance with Legitimate Authority

Delegation of authority, sovereign data regulation and its governance can be assessed by reviewing the strength and independence of the National Data Protection Authority, the delegation of this data governance authority to Data Privacy Officers or Data Surveillance Officers, and the subsequent data processors and sub-processors. This authority is what provides legitimacy to privacy rights. Likewise, data sovereignty in free and democratic societies is delegated to the individual, and to their capacity to meaningfully consent to services using personal data only for the purpose expected. Delegation of authority in this context comes by citizenship, by location, and by co-regulation, through international adequacy with Convention 108+ and the use of international record and receipt standards for digital privacy transparency. In this way digital privacy expectations can be assured between parties (peer to peer) without data intermediaries.

Assessment Acronyms

  • DPA - Data Privacy Authority (DPA), refers to privacy regulator(s).

    • Data Privacy Authority, e.g.

  • DPO – Data Privacy Officer.

  • DSO – Data Surveillance Operator.

PII Controller Notice Credential Governance Model

  1. Four (4) levels of assurance.

  2. Three (3) vectors of governance (including data protection).

    1. Three (3) layers of trust.

  3. Governed and secured by scopes of Disclosure.

Provides the PII Principal with their own autonomous digital privacy transparency records, which mirror the Controller’s records of notice processing.

3 Systems of Authority in a co-regulatory model (for autonomous principals)

However, this level of individual autonomy does not mean an absence of regulations or oversight. In fact, the model operates within a co-regulatory framework where authority is divided into three systems:

  1. Regulation to the Regulator. (Government and State Regulated)

    1. DPA (regulator) to Digital Privacy Officer (DPO) or Digital Surveillance Operator. (DSO)

  2. Individually Regulated and Sovereign authority to control data with consent.

    1. Individual to the proxy, 3 delegation types.

  3. Publicly Regulated data.

Data Layer Identity management Roles

  1. Private Data Guardian

  2. Commons Guardian.

  3. Public (enterprise or institution) Guardian

At its core, the model is based on scopes of Disclosure regulated under the authority of the Controller or the Individual, who is also referenced as the Master Controller. These authorities govern how organizations handle sensitive data. This recognises the authority of an individual to control their own data source and presentation, enabling self-controlled privacy by ensuring standardised digital privacy transparency. In effect, controller receipts are those required and generated by, held by, or provided for controllers.

 

Digital Privacy Expectations

The PII Controller Credential trust framework for digital privacy expectations is predicated upon a Consent (notice) Receipt being generated for every notice, notification and disclosure, in addition to a log of each time that data is processed, which includes who specifically processed the data and the technical purpose of use.

Anchored refers to being anchored with the control and assurance of the individual. In this regard, an Anchored Receipt is a self-sovereign record of authority.

The initial, or first, digital record is anchored by the digital relationship; in most contexts described in this framework, a notice receipt is controlled (owned), witnessed, and even certifiable, by the PII Principal / individual.

This anchored record can then be fully trusted by the individual as a record of context.

Digital Privacy Security: Break the Glass vs Backdoor Data Security 

Break the Glass on Scope of Disclosure - International Security, Fraud, Policing, Politics

The 3rd party is able to access specific data dynamically, with an automatic registration of notice to the regulating authorities, and to the PII Principal if not required to be secret.

  • The common disclosure notice publishing process is used.

The exact data requested is made accessible at source, then aggregated into a pseudonymised data set as a meta-data trust fiduciary, governed by the same framework all stakeholders are governed by.

Backdoor Disclosure – National Security, Industry Specific, Fraud, Policing – and not politics

The DPO is informed, a RoPA is created, and data is copied and taken by the third party.

  • No chain of evidence.

Liability is transferred with the record, but data is not secure post disclosure.

Governance Assurance Model

The PII Controller Notice Credential is specified to accommodate 3 governance vectors corresponding to 3 types of trust, for four levels of digital privacy transparency (DPT) assurance, Level 1-4, aka digital trust risk assurance.

Contextual Trust Levels

Digital privacy transparency for an individual’s trust is constrained by the quality of digital transparency across all surveillance contexts. If the notice, notification and disclosure requirements for consent vary by jurisdiction, service and context, then it is very difficult for all stakeholders to know what privacy to expect in any context.

In all, there are 23 notice, notification and disclosure requirements [1] specified by Conv 108+ and mirrored in the GDPR, which cover all the contexts for a consistent digital privacy transparency experience that can be expected.

In this way, internationally, individuals can be assured that digital transparency, and digital transparency controls, are consistent.

Primary Trust

In the Primary Trust context, an individual’s digital identity privacy expectation refers to the individual’s assessment of the outcome of engaging with a service in any given context.

Primary Trust is the context in which an individual controls their own personal data and does not require data protection or co-regulation, as PII is not generated, shared or disclosed to any other party.

Secondary Trust

Trusted digital security is referenced from the PII Controller perspective, which includes their capacity to delegate the processing role to a PII Processor with a contract. In this regard, a 3rd party is any other party which would not be expected by the individual, in accordance with the purpose and context of consent.

If people can’t see who is tracking, under what authority, and why, then an individual is not able to trust.

Secondary Trust is the context in which personal data is shared, or required to be disclosed, to a company or government service, where digital transparency and encryption are required to secure personal information. This context is defined from the second party perspective as trusting the individual and meeting obligations.

Extra-Territorial Trust

When there are extenuating circumstances.

Extra-territorial Trust is the trust an individual has in the governance of PII when PII is collected from a 3rd party, or secretly without the individual knowing. It is effectively assured by the governance of personal data and identifiers through co-regulated instruments and mechanisms.

3 vectors of Governance

3 vectors of governance correspond to 3 modes of data control governance in a receipt store/wallet.

  1. Personal Data Control.

    1. In which data protection / digital privacy is not required.

  2. Data Protection.

    1. In which Controllers are responsible.

  3. Co-Regulated Data (adequacy is defined by Conv 108+) – using ISO/IEC 29100, 29184, 27560 to standardise digital privacy transparency, for all data processing, for all stakeholders.

Mapping to Holder, Verifier, Issuer

Part of the Data Control Impact Assessment is the mapping of identifier and credential terms.

Step 1. Identify the stakeholders.

Who is the Controller, who is the PII Principal, and who is the Processor?

  • Map these to holder, issuer and verifier for a specific technical session and processing context.

4 Levels (0 to 3) of Transparency Risk DPT Assurance

Level 0 – Self-Asserted

The Digitally Public Commons - people self-assert attributes.

Level 1 – Legally Verifiable

Authority and status credential – aka DPO / DSO  (service level credential).

Level 2 – Certified Controller Notice Credential

  • DPO – Data Privacy Officer, Controller Credential.

  • DSO - (active state monitored) Legal Authority (Multi-Service Operator).

Level 3 – Adopted Credential Registrar

Regulator- or Digital Commons-approved Code of Practice for a 3rd Party Governance Authority Administrator.

Scope of Disclosure

The scope of disclosure refers to the

Localized digital credential security, embedding geo-fencing requirements in the core of the profile, is defined by the governance authority used by the Data Controller to process the personal data.

Hyperlocal

Personal and intimate consent –

  a. Scope of surveillance.

  b. Code of Practice for this profile.

  c. Regulatory Compliance.

    Put regulatory requirements -

    ii. Standard conformance requirement.

    iii.

  Child

  Youth

  d. UN Co

  Adult

Community

  e. Sovereign –

  f.

Regional

These are location-based jurisdictions with their own administrative authority.

National

International

A transfer of PII that is transborder, providing PII access or control.

PII Controller Notice Credential Schema

Field Cat Name                               | Name                                     | Object Description                                                                                                  | Presence Requirement
---------------------------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------|---------------------
PII Controller Identity                      | Object                                   | _                                                                                                                   | Required
                                             | Service/Trading Name of Service Provider | name of service, e.g. Microsoft                                                                                     | MAY
                                             | PII Controller Name                      | Company / organization name                                                                                         | MUST
                                             | PII Controller address                   | _                                                                                                                   | MUST
                                             | PII Controller contact email             | correspondence email                                                                                                | MUST
                                             | PII Controller jurisdiction legal reference | PII Controller operating privacy law                                                                             | MUST
                                             | PII Controller Phone                     | the general correspondence phone number                                                                             | SHOULD
                                             | PII Controller Website                   | URL of website (or link to controller application)                                                                  | MUST
                                             | PII Controller Certificate               | a capture of the website SSL certificate                                                                            | OPTIONAL
Data Privacy Officer Authority               | dpo_A                                    | the senior accountable person, or their delegate; this can be the owner, a senior exec, a delegated 3rd party delegate, or the DPO |
Data Privacy Delegate                        | dpo_fn                                   | first name                                                                                                          |
                                             | dpo_ln                                   | last name                                                                                                           |
                                             | dpo_role                                 |                                                                                                                     |
                                             | dpo_type                                 | DPO, DPA, Data Surveillance Operator (DSO)                                                                          |
Privacy Access Point Location                | PAPL                                     | physical location of the digital privacy access point (IP address)                                                  |
Privacy Access Point Types (pcpT)            | Object                                   | must have at least one field for the PCP object                                                                     | MUST
                                             | PAP-Profile                              | Privacy Access Point profile                                                                                        | **
                                             | PAP-InPerson                             | in-person access to privacy contact                                                                                 | **
                                             | PAP-Contact-Email                        | PAP email                                                                                                           | **
                                             | PAP-Contact-Phone                        | privacy access phone                                                                                                | **
                                             | PAP-PIP-URI                              | privacy info access point, URI                                                                                      | **
                                             | PAP-Form                                 | privacy access form URI                                                                                             | **
                                             | PCP-Bot                                  | privacy bot, URI                                                                                                    | **
                                             | PCP-CoP                                  | code of practice certificate, URI of public directory with pub-key                                                  | **
                                             | PCP-Other                                | other                                                                                                               | **
PaP Policy                                   | papp                                     | privacy policy, URI with standard consent label clauses                                                             | MUST

** At least one of the Privacy Access Point Type fields MUST be present in the pcpT object.
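The binding and serialization steps described earlier (notice fields bound to the accountable DPO and signed with a key pair; the controller ID used to derive a record ID and then a consent receipt ID) and the presence requirements of the schema table above can be checked mechanically. The following is an added example and is not part of this specification or of any ANCR implementation; the snake_case field keys, the SHA-256 hash chain for record and receipt IDs, and all sample values are assumptions, and the actual signature over the digest with the controller’s key pair is left to the signing library in use.

```python
import hashlib
import json

# Presence requirements from the schema table: MUST, SHOULD, and "**" (at least one PAP type).
# Field keys are assumed snake_case names for the table rows; the specification gives no key names.
MUST_FIELDS = ("pii_controller_name", "pii_controller_address",
               "pii_controller_contact_email", "pii_controller_jurisdiction",
               "pii_controller_website", "papp")
SHOULD_FIELDS = ("pii_controller_phone",)
PAP_TYPES = ("PAP-Profile", "PAP-InPerson", "PAP-Contact-Email", "PAP-Contact-Phone",
             "PAP-PIP-URI", "PAP-Form", "PCP-Bot", "PCP-CoP", "PCP-Other")

# Constructed sample credential; every value is a placeholder, not a real controller.
EXAMPLE = {
    "controller_id": "urn:example:controller:0001",
    "pii_controller_name": "Example Org Ltd",
    "pii_controller_address": "1 Example Street, Example City",
    "pii_controller_contact_email": "privacy@example.org",
    "pii_controller_jurisdiction": "GDPR (EU) 2016/679",
    "pii_controller_phone": "+00 000 0000",
    "pii_controller_website": "https://www.example.org",
    "dpo_A": {"dpo_fn": "Ada", "dpo_ln": "Example", "dpo_role": "DPO", "dpo_type": "DPO"},
    "pcpT": {"PAP-Contact-Email": "privacy@example.org",
             "PAP-Form": "https://www.example.org/privacy-request"},
    "papp": "https://www.example.org/privacy-policy",
}

def validate(cred):
    """Return a list of presence problems; an empty list means the credential is complete."""
    problems = [f"missing MUST field: {f}" for f in MUST_FIELDS if not cred.get(f)]
    problems += [f"missing SHOULD field: {f}" for f in SHOULD_FIELDS if not cred.get(f)]
    if not any(cred.get("pcpT", {}).get(t) for t in PAP_TYPES):
        problems.append("pcpT: at least one Privacy Access Point type MUST be present")
    return problems

def canonical_digest(cred):
    """SHA-256 over canonical JSON (sorted keys, no whitespace): the value the controller's
    key pair signs. Any edit to a bound field changes the digest, so the signature fails."""
    data = json.dumps(cred, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def serialize_ids(controller_id, credential_digest, receipt_seq=1):
    """Serialization chain: controller ID -> notice record ID -> consent receipt ID.
    Hashing the previous ID into the next one is an assumed construction, not the spec's."""
    record_id = hashlib.sha256(f"{controller_id}:{credential_digest}".encode()).hexdigest()
    receipt_id = hashlib.sha256(f"{record_id}:{receipt_seq}".encode()).hexdigest()
    return record_id, receipt_id

if __name__ == "__main__":
    digest = canonical_digest(EXAMPLE)
    print("presence problems:", validate(EXAMPLE) or "none")
    print("record id, receipt id:", serialize_ids(EXAMPLE["controller_id"], digest))
```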