...
This specification is designed to cater for 3 vectors of governance, which affect the privacy and security risks.
Between,
Transparency Governance Framework - For Transparency Trust
3 Vectors of Governance
- Personal Data Control (Gov) - (lower risk) uses micro-credentials
  - the individual controls the source of data and verification
  - attribute by attribute control
  - Logging the access to the attribute for processing
- Co-Regulation: multi-party governed
  - Data trusts, where the individual + regulator and service co-regulate
  - Logging the access to the processing
- Data Protection: Self-Regulated
  - the service provider regulates the processing of personal data
  - Signed, verified and open code, with shared logging
3 Tiers of Controller Assurance
0 - Self Asserted Identifier
- Public verifiable
- Digitally verifiable & Legal (service delegation)
- Operator Controller - Certified and legal
...
The ANCR Record provides Consent Types to anchor the record's relationship and an individual's understanding of the relationship. Specifically, it is a root of trust record for the individual, which the individual owns and controls in a personal data store and profile.
Two types of Trust: OECD ref
Type 1:
The individual trusting the system
Type 2:
The individual proving who they are. Digital (don't need to trust) technology like zero knowledge,
The Record and Receipt specification uses the terms and definitions of ISO/IEC 29100 Security and Privacy techniques ref (free ISO specification) to identify the legal stakeholders (ref) and their roles in the processing and control of personal information, using international standards for the creation of records and receipts publicly.
...
The field data for the records and receipts are specified from numerous sources, in particular the W3C Data Privacy Vocabulary, for
Fields Added to ANCR Record to Create Verifiable Credential
ANCR Record spec - is here (enter link)
This credential is for transparency and accountability for data (and identifier) governance,
The eNotice (PII) Controller Credential is used to generate an eNotice record, for micro-credential PII Principal
- PII Controller Identifier [DiD]
- Credential ID Fields specified here are added to the ANCR Notice Record,
- Accountable Person
- Accountable Person and role
- Controller Notice Record Identifier
- Controller Receipt Identifier
- : DiD: Verified Credential
...
The individual can use this controller credential to provide consent for a specific purpose, as well as specifying the source of data, by providing a consent receipt, signed to be a micro-credential.
A series of steps needs to take place to establish two types of trust:
Type 1: Transparency Trust Framework -
Human security discovers or generates a controller credential to create a human trust anchor record and credential (dial tone) independent of the Controller/Service provider.
Type 2: Technical Trust
This Controller Credential is
Micro-Credential Use Cases
...
Privacy Stakeholders | ISO Definition | |
---|---|---|
Regulator / | Privacy Regulator for individuals | |
PII Principal | | |
PII Controller | | |
Joint PII Controller | | |
PII Processor | | |
3rd Party | another person, or police, | |
Annex: Privacy Stakeholder Mapping to Functional ToIP Roles
...