ISO 27560 ANCR WG Comments Aug 2022

 

Template for comments and secretariat observations

Date: Aug 8, 2022

Document: ISO/IEC 27560 WD5

 

 

 

 

 

 

 

MB/ NC1

Line number

Clause/ Subclause

Paragraph/ Figure/ Table/ (e.g. Table 1)

Type of comment

Comments

Proposed change

 

(e.g. 17)

(e.g. 3.1)

 

 

 

 

KI/ANCR WG

 

 

 

ge

Every receipt has a dual role as a record of notice and a receipt for  electronic  consent (eConsent). Its role is relative, if kept by the controller it can be called a consent record, in transit or exchange its a receipt, but in the possession of the Principal it is a credential, with a role relative to the credential holder, and the holder's context of use  governed by proceeding notices.  

 

KI/ANCR WG

1269

Annex E

 

te

In this WD5 the consent notice record and receipt contains the meta-data of notice, date, time location, as well as the PII Principal Identifier, which contravenes 29100 Sec. 5.11 in addition to international conventions 108+ Art 33 1(a)(b),  GDPR Art 32.1 (a)(b),  to ensure PII is secure and treated properly.   27560 makes an assumption in that the PII Controller -already controls PII and the right to make the consent record is   assumed.   E.g. The JSON record in annex A presents includes the PII Principal identifier, in cleartext along with additional information about the subject (correlatable). For example, the entity to which the identifiers are presented now knows that both identifiers relate to the same subject, as do others with access to the records and receipts.

Remove PII Principal ID from a consent record (e.g. only a receipt or record ID) and / or - provide a section for privacy considerations for this specification, and remove that identifier JSON especially. - add security/privacy consideration - Such a record would itself first require a notice with transparency of over legal justification and must allow the PII Principal to control/access the identifier(s) in the record relating to their PII Principal or other identifiers.

KI/ANCR WG

425 &827 

6.3.3.4

 

te

The consent receipt v1.1 specification captures a notice event to assess conformance with ISO/IEC 29184 controls.  In 27560 the  event schema is added to the standard to included additional event types out of the scope of notice.    This effects the integrity of the record from the PII Principal's perspective, to include non-notified events, and defeats the purpose of the receipt. 

Reconsider event schema 

KI/ANCR WG

758

6.3.6

 

te

The term 3rd Party in 27560 references 29100 - and points to the PII Controller Identity.  27560 WD5 contains a party_id schema for digital identification, and in doing so creates a new (additional) stakeholder name and identifier for the PII Controller ID. This extends beyond the 29100 defined privacy stakeholders, and effects the security of the record. It  also appears to create an additional stakeholder type. The PII Controller ID (is the party id) has in addition to Controller role, which should also be provided in a record., the are additional roles, e.g., Processor or Sub-Processor, which can then further defined by function in processing (recipient, holder, issuer, verifier).

Reconsider party schema - Suggest : "All  roles have a PII Controller identity" e.g. processor, principal or 3rd party - which can also be indicated as a recipient"

KI/ANCR WG

451

6.3.4.1

 

ed

Privacy notice is not the same as  'terms of use' as established in 29184.  Terms of use refer to contract which is  out of scope of consent record, and conflicts with 29184 5.4.5 "clearly differentiated from terms of use"

remove -terms of use 

KI/ANCR WG

1276

Annex E.

1

ed

ISO/TR 23244 points to  ISO/IEC 29100,. If referencing privacy framework for DLT best to use common reference across technologies and use 29100 directly

change to .... considerations can be found in ISO/IEC 29100.

Â