MVCR Compliance Audit & Scale

Audit

Each field on the MVCR contains legal notice requirements, each of these components are listed in and the presence of these are counted and a flag is added to record if any of these self asserted claims have been disputed and not resolved.

The MVCR has a maximum rating of compliant. (Note: Additional Ratings are possible with extensions)

This rating can be self asserted with the provision of this consent receipt. A scale of compliance is used for each of these notice information elements. If one or more elements do not work, or are not verifiable then a status of partialy compliant is provided.

If all elements are not verifiable then the consent is no longer compliant or verifiable for basic compliance level rating.

Notice Compliance Checklist	Non Compliant	Partially Compliant	Compliant	Above Compliant	Trusted	User Managed
Contact of DC			X
Address of DC			X
Purpose(s)			X
Sensitive Data (If NO)			X
Share with 3rd Party (If No)			X
Agree to implement context checklist? (Y/N)			Yes
Any of the above self asserted is Disputed or un verifiable (Y/N Flag) (If No) ( if Yes and unresolved = Non-Compliant)			X

(additional architecture is needed to mediate compliance level ratings)

MVCR Compliance Assurance Scale

Each item in the MVCR will be rated with this scale presented below

The compliance scale is based on the ICO table of compliance http://ico.org.uk/for_organisations/data_protection/working_with_the_ico/~/media/documents/library/Data_Protection/Detailed_specialist_guides/auditing_data_protection.pdf

Trusted Services Appendix

Trusted services/networks and frameworks, can be used to meet or exceed notice(and therefore consent) legal requirements. Or to address the need for assurance and trust for people so that consent and its management can be automated and more usable. It is for seen that a notice registry is the natural place for trust services to register their services.

A process for auditing and verifying all trust services needs to be in place for trust services to be trusted. Then when an organisation enrols into the registry they can also add (or manage) trust services that has been added to the receipt.

This is a table to map the list and categories of assurance framework with examples and notes on interoperability with this category of service.

Type of Trust Framework	Consent Policy Format	Personal Policy Preference	Consent Extension Location	Trusted Service Provider Examples
Tracker: Analytics etc:	Cookie	Do Not Track	browser header	cookiepedia, privacy clearing warehouse, Ghostery
Terms of Use Policy	Agree to terms			TOS;DR, Citizen Me
Policy Tracking Services	Policy Comparison	Has terms materially changed ( is consent still compliant? )		TOSBack
	Consent Type	What kind of consent has been received	To record the type of consent or whether there is an exception to the requirement for consent.
Reputation	Trust Framework			(all trust services provide reputation)
Privacy Icons	Pictorial Short Notices			Disconnect Me
Capture of Personal Preference at Time of Consent	Does the issuing entity acknowledge DNT	If not available, should provide a notice that it is missing		[#receipt]!:uuid:1234<#dnt>&/&/true
Data Control Protocol				User Managed Access
Trusted Network Service				Respect Network
Standards
Certificates				TrustE
Levels of Assurance				KI: Identity Assurance Framework

Browser not supported