...

In all of the jurisdictions, in all the laws, providing a notice to people is required, as this is how people gain contextual knowledge and can participate in consensus. Every privacy law requires that the identity of the privacy controller and the contact point for rights administration be provided.

A privacy controller credential is

  1. the combination of the legal entity +
  2. the accountable / contact person into a verifiable credential
    1. so that it can be used to provide privacy assurances

...

    1. (access to privacy rights

...

    1. information and to be heard) 

Legally, this information is required to be as open as possible and is codified in law in many different ways. Standardizing the credential using ISO 29100 (open and free) allows the privacy controller credential to be used by people internationally to assert privacy controls and negotiate individual digital rights with service providers and communities.

This specification focuses on a best practice schema for identifying the privacy controller. 


What is this

Decentralized Governance and  Data Control - through the use of the credential, which can be asserted. 


Privacy/Surveillance Engineering Principle - "Transparency Proportionality and Control Reciprocity - Dynamic Data Controls"

  • Use Case
    • Use a standard to assert privacy rights by identifying the privacy controller credential 
    • Level of Privacy Controller Credential Assurance according to privacy and surveillance 
      • self asserted - 
      • legal asserted  - 
      • certified  - 
    • Org - Identity - use semantics to indicate what surveillance people are under - beyond what they expect.
    • Notice - 
  • Beneficial Owner 0 
  • Accountable Person is a part of another company 
  • Schema for the Controller Credential 
  • the ANCR Record is a record of the privacy controller credential created from a privacy notice. 

 Controller/Operator Implementation

  • Principles of use 
  • Interoperability
    • Standards - ISO 29100 + 27560 + 29184 

how the controller can .. .

  1. Notice of  surveillance Risk 
  2. Proof Of Notice  
  3. Assert - State - Valid state of consent - Privacy Rights - data controls - right to be heard - (Children's Privacy Right) - 
    1. use my ANCR record - Use my Cookie for you - 
      1. Choice 

how the controller can use this 

  • for proof of compliance 
  • evidence of consent 
  • access tokens

The Governance of Controllers Credential (out of scope) 



Process in progress:

  1. Re-Alignment
  2. Outline of Specification 
  3. Discussion Points in Progress
    1. Provided Data Record 
    2. Linking Records 
    3. Provenance Fields
      1. Beneficial Owner
        1. Owner Agreement

Notice & Consent Task Force 

Project owner:

Mark Lizar, Salvatore D'Agostino

Team members:

Ken Adler

Jan Lindquist


Status

ACTIVE 


Spec Dev Link

Notice & Consent for people relies on clear communication. 

Decentralized identity relies on contextual legal semantics and notices in order to be compliant with sovereign data rights or operational in context.


Specification proposal: to extend Decentralized Semantic Governance for a dynamic data control (DDC) architecture for transparency and controls that are human centric.

  • Privacy Controller Credential 

...

This credential is comprised of the legal entity name and the accountable person as defined by their role in the data organization and documented in the ISO 27560 standard. This record is further specified here for 3 levels of Privacy Assurances for transparency and control of personal data when processing in an ecosystem or supply chain.

Challenges

...

focused on with this specification:

  1. The accountable person may or may not be an employee of the organization. 
  2. Different jurisdictions name/define and reference this role differently 
  3. Some jurisdictions, like the UK, have a data controller registry (DCR), where this binding is public and legally required (benefit in this case, challenge where absent) and the name of the accountable person is publicly available in the ICO DCR. (using blinding identity taxonomy)
  4. Some jurisdictions, like the EU, require an accountable data controller representative in the jurisdiction where a service is operating, in order to address legal data privacy and security issues that may arise. 
  5. 2 or more Controllers might be accountable for processing of personal data.
  6. Identify in context of service for any user the controller and accountable person.
  7. The privacy law in some jurisdictions can itself break privacy law in other jurisdictions by requiring the accountable person information to be published publicly.
  8. Specifies how to by a VC (in this case the Privacy Controller Credential) for trust assurance for privacy assurance
  9. International Notice & Control protocol for  Unified Data Control & Portable semantics for governance interoperability between domain and jurisdictions.

...

  1. Develop an extensible controller credential format
  2. specifying 3 nested layers of controller identifier claims, to correspond with 3 levels standard tiers of Privacy assurance Risk Assurance.
  3. A set of rules for the use: verification, validation and notarization of the controller credential. 

...