Transparency Performance Reporting Terms and Definitions (wip)


3. Normative References

3.1 Council of Europe Convention 108+: Convention for the protection of individuals with regard to the processing of personal data

  1. Council of Europe, Convention 108+, an international treaty expected to be fully ratified in 2025, provides a formal global security and privacy framework.  

  2. It provides the standard instructions and requirements for the signatory countries to implement adequate and interoperable privacy law.

  3. The treaty, in particular its transparency of processing and notification requirements, guides and provides the logic of the performance report and its measures, as referenced in the appendix.

  4. It provides an international measure of adequacy in common legal practice.

3.2 ISO/IEC 29100:2024 Security and privacy technique

This standard is open and free to access. It “relates to PII in all ICT environments, specifying a common privacy terminology; defining the actors and their roles in processing PII; describing privacy safeguarding requirements; and referencing known privacy principles”, covering:

·   Actors and roles (see Annex);

·   Interactions;

·   Recognising PII;

·   Privacy safeguarding requirements;

·   Privacy policies;

·   Privacy controls;

·   Source bibliography.

 

3.3 Non-Normative References

 

3.4 EUDPR 2018

·       GDPR (General Data Protection Regulation) covers private sector entities and Member State public authorities.

·       EUDPR (European Data Protection Regulation) focuses on EU institutions' internal operations, ensuring their compliance with data protection standards. While largely mirroring the GDPR, the EUDPR includes specific rules for the governance of "operational personal data", which pertains to law enforcement tasks carried out by EU bodies such as Europol or Eurojust. These provisions (Articles 70-94) are distinct from the GDPR's general framework.

 

3.5 Kantara Initiative, Minimum Viable Consent Receipt, and Consent Receipt Specification [1]

Published in the appendix of ISO/IEC 29184:2020 Online privacy notices and consent, then utilized in ISO/IEC 27560, which provides a common transparency (notice and consent record) schema for controller identification used to make the report.

 

Previously presented in support of Canadian meaningful consent regulation in 2017. https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-on-online-reputation/submissions-received-for-the-consultation-on-online-reputation/or/sub_or_15/

 

4. Terms & Definitions

 

4.1 Acronyms

ANCR – Anchored Notice and Consent Receipt

CAI - Commissionaire

CCIA – Compulsory Controller Identification Attributes (recommend updating in 6.2.1)

EDPB - European Data Protection Board

  • The EDPB’s goal is to ensure a consistent application and enforcement of data protection law across the European Economic Area (EEA). [https://www.edpb.europa.eu/edpb_en]

GDPR – General Data Protection Regulation

ISO/IEC – International Organization for Standardization/International Electrotechnical Commission

PII – Personally Identifiable Information 

SPAP – Security and Privacy Access Point

TPI Risk Reporting Methodology – Transparency Performance Indicator Risk Reporting Methodology

  • Benchmark reporting methodology for valid consent that can be applied to all legal bases of processing, using international law and the open ISO/IEC standard for assessing valid consent in the use of digital identification technologies.

  • TPI – Transparency Performance Indicators

    • There are 4 Transparency Performance Indicators specified in this methodology.

  • TPI-RB Report

    • Transparency Performance Indicator Report Benchmark for Valid Consent

 

4.2 Terms and Definitions

Note: These terms and definitions clarify terminology in the context of transparency, as used to measure the validity of legal consent in the context of digital identification technologies.

As a result, the terms here refer more precisely to digital identification management, as required to articulate the process of generating a record of a digital notification as a record of a processing activity, in order to legally assess the compliance of the identification management record, the identifiers, and the scope of their use.

 

PII Controller identification record

  • PII controller identification requires a physical address, a contact, and a privacy access point, so as to be transparent about the policy jurisdiction and the authority used to process personal data.

    • Required to provide Scope of Jurisdictional Disclosure

    • Now available in the standard ISO/IEC 27560 consent record information structure (but requires an ANCR profile)

  • Generates a record of what was notified and when, and the location of the stakeholders involved at that moment.

  • ‘Notified’ Record of Processing Activity

    • or Proof of Notice, which provides evidence as to the validity of the authority to process or surveil people.

  • Notified Record of Processing Activity, Indicators

    • First Presented and recorded Notice of Controller Identification

    • Notified Authority

    • Notified Jurisdiction Transfer

    • Notified Scope of Disclosure (by which party)

  • PII Principal identification permission

    • can be turned on and off (not opt-in) by the PII Principal to control being identified

  • Transparency Performance Indicator

  • meaningful consent

  • Notice Presentation Record

  • Valid Consent

  • Permission

  • Preference

  • Identification

  • PII principal attribute

  • PII principal

  • online privacy and security transparency

  • sovereignty

  • Transparency Performance Reporting

  • transparency performance indicators

Transparency and Notice Types

·     Controller identification presentation notice

·     notification

·     disclosure

·     statement

·     governance – transparency policy

·     notice before identification (or upon first notice)
