Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Overview of (OPN) Data Governance Authority Architecture:
    1. Intro
      1. This data governance authority architecture provides the international legal roles for  
    2. Identity & Data Governance RolesLegally Specified Actors /Stakeholders
      1. Policy Controller, Privacy (Data) Controller, Registration Operator Governance Authority, DGA - Registrar 
    3. Privacy Risk Assurance Levels 1-4
      1. Policy Controller, Privacy Controller, Data/Identity Governance Authority Operator (DGAO)
        1. Controller: Tier  0 Risk Assurance - Not Registered 
        2. Policy Controller ( or just Controller) - Tier 1 Assurance - Self Asserted Binding  -No Privacy Risk Assurance Assurance - Discoverable
        3. Privacy Controller (or  Data Controller) - Tier 2 Assurance - Signed Binding for Legal Compliance - Mitigated Risk Assurance
        4. Data Governance Authority Operator - Tier 3 - Assurance - High Risk Assurance 
        5. Registrar - Tier 4 - Registrar Infrastructure - 
          1. Low Risk Personal Data Processing - 
            1. only personal information of Controller, and Company Operators
  2. Privacy Controller credential Credential Specification
    1. Overview:  a Privacy Controller Credential is comprised of a bound relationship relationship identifiers for accountability and transparency: This enables data supply chain transparency
      1. Accountable Person + Legal Entity Identifier
        1. Legal Status of Accountable person and Legal Entity 
        2. Wether the Accountable person is employed by Legal Entity, or 3rd Party 
          1. if 3rd Party - Privacy Controller Credential of 3rd party is required
      2. Conditions of access and use:
        1. the accountable person info should be masked unless required (not published as is required in some jurisdictions) 
  3. Use Case(s) 
    1. Digital Immunisation Passport
    2. Legal Justifications for processing
      1. Surveillance of identifiers  
      2. Holder, Verifier & IssuerIssuer 

Unified Notice Control Language for Semantic Harmonization 


Uses the definitions and terms specified in the ISO 29100 framework, Consent Receipt v1.2,  specifying for specifying key roles for data control, transparency and accountability as .  This international framework is the basis for a extending semantic data governance framework, in which to decentralized data economy.  In this economy, the Privacy Controller Credential extended the Privacy Controller Public Profile for verified claims, decentralized identifiers, and Self Soverign applications.  For this purpose, this specification is used to extend provide the best practices for the data controller role to generate a verifiable credential, usable the considerations in using this as a legal  legal credential for standardized data processing profile.  The  

The Privacy Controller, the key accountable, authorizing stakeholder for data processing , and to represent this in the.  standards and references for legal governance, and to currate a list of proposed (new terms/elements to explore) At this time, a privacy controller credential written out in long form, might have is the key audience for this specification and language. 

Key Problem> 

At this time, a high risk, high sensitivity data processing activity, has the responsibility to be transparent over the legal entities responsible for processing personal data, the beneficiaries of the data processing activity, in addition to any othe processors.  This includes partners and data processing service providers, like Google or identity management service provider.  

This privacy controller profile, printed out in long form would  have multiple legal entities and Privacy Controller Credentials required, this would include addressall of their mailing addresses (by law) and , public contact points and can be a very long document.  These elements which are found in a Public Privacy Profile point/addresses, and the details of any jurisdictional representative for privacy and data protection.

This specification, aims to tease out the language used for specifying  these elements, which are legally required to be Public so that they can be represented with a single distributed identifier from the registrar, available via api and to simplify each  DDE interaction. 

Privacy Risk Assurance ;

  • refers to trustworthy transparency 
    • e.g does this organization use of standardized legal semantics for notice and consent to ease understanding


Tier 0 - No-Risk Indicated :  Self Asserted Binding  with a privacy policy - providing minimum Privacy Risk Assurance (trustworthy Transparency)

  • A non registered Broadcast listing 

Tier 1 - Policy Controller - Low Risk - doesn't process personal data electronically, does not collect or process personal information, and for any personal identifier, this is minimized and secure, has internal security for data of employee's


Tier 4 - Controller Operator - Provides Registration services for Privacy Controller Credentials, Mitigates Privacy Risk with codes of conduct and certifications that accredit codes of practice.  Controller can then register to these codes of conduct and practice 

Use's of The PCC Credential  - for a credential  to provide a  a single identifier for a Privacy Controller, which links to all LEI's for beneficial ownership. 


Privacy Stakeholders

ISO Definition

Regulator / 

PII Principal

PII Controller

PII Processor

3rd Party

Privacy Controller Credential Roles 

Data Governance Authority Operator Role  Certification Providers on Regulator Approved Codes of Conduct  - very limited PII - data controller personal information and a linked reference to a data subjects identifier -

Data Governance Registrar`


StakeholderPrivacy Controller Credential : Creating Credentials for a use CaseDescription