PII Controller Registrar Assessment WG & ANCR Scheme Development Proposal
Proposed Name: WorkGroup for Community and Industry Digital Consent Codes for Dynamic Practice
The ANCR workgroup proposes a new DG/WG, working on a registrar of registries and notaries assessment scheme, with a group of experts to provide a Kantara report, on its findings with regards to the scheme requirements, feasibility, and value to Kantara community and market,
Upon approval the ANCR Transparency Performance Conformance and Compliance Scheme and PII Controller Specifications would be contributed to this program and workgroup. The scheme can support the new WG in the development of the assessment and further iterations of the PII Controller credential.
Deliverables and Timeline
ANCR Roadmap and Kantara Controller Trust Framework Assessment (CTFRA DG/WG “working name”), work plan for May to September - Explore controller registry requirements and deliver Kantara Report and budget requirements for program, inclusive of its presentation to Kantara LC, other WGs and membership.
Present report and program to international stakeholders, and raise interest, liaisons, partnerships, and participants to support and fund the program to move forward.
Background: Presentation to the Leadership Council monthly meeting.
The ANCR WG prepared a response in a single PowerPoint, below, which highlighted the opportunity to take work on transparency performance and the consent receipt v2/redux (vs. consent deceit) and craft it in the form of an assessment scheme.
The next step was to put together on outline and answer basic questions about a conformance scheme. @Salvatore D'Agostino offers the following initial draft for further comment by theWG, LC, Kantara as a whole.
PII Controller Conformance Assessment Scheme
Set of rules and procedures that describes:
The objects of conformity assessment.
Identifies the specified requirements for the object of conformity assessment
Provides the methodology for performing conformity assessment.
The object of the assessment is the PII Controller.
The requirements are defined by the legal requirements for the processing and protection of personal information, and cybersecurity and privacy standards specifications including notice and consent receipts and the consent information record.
The methodology is defined by the ANCR Framework, and the Transparency Performance Scheme and put forward in the context of a PII Controller Credential and a WHiSSPRr (White Hat Identity, Security, Privacy, Risk Record) assessment.
The initial PII Controller Credential is specified for notice requirements. Starting with notice is critical in that notice is part of all legal justifications for processing, and a normative factor of consent. The PII Control Credential is also specified and assessed for the required transparency and its performance. This has benefits across any data ecosystem and to identity and access management scalability, accuracy, security, and privacy. It also addresses, in an interoperable format, international governance, regulations, and compliance. Notice and transparency are necessary for the PII Principal to be an active participant in managing their risk. It also provides the other actors, be they enterprises, and/or regulators, and/or their AI’s, with the policy and decision making (PIP, PDP, PEP in access control terms), based on mutual analog to digital understanding, for access and risk management.
This scheme would define the assessment requirements for a registrar for a registry of PII Controllers, and a PII Controller Credential for a common purpose. The further development of this scheme is proposed as a new Kantara Work Group. It would build on, improve, and expand the existing work, and forthcoming Kantara publications in the ANCR WG. There are already efforts underway for PII Controller registries for Age Assurance, Privacy Officers, and Physical Security, as desired business opportunities. The scheme would leverage the ongoing Kantara investment in ISO Certification and complement the existing IAWG and NIST 800-63, and UK assurance schemes, and ISO liaison. If successful it would go forward with the backing of the individuals, organizations, and government, likely, ideally as participants of the WG.