...
- Provenance of control starts with the person who is accountable and bound to a legal entity (who is liable).
...
Abstract
Supporting Decentralized Data Controls with Identity Governance for Data subject’s (data) rights. This task force mission is to enhance identity and data governance interoperability with standardized notice of Control and accountability for processing personal data (with the ToiP layered governance model.)
...
- For privacy and security notifications of decentralized identifiers, VC's and the ISO 27710 series,Security Techniques - Information Security Management Systems - in particular,
- ISO/ IEC 29100 Security Techniques - Privacy Framework (for identifier governance)
- ISO/IEC 29184 Online Privacy Notice & Consent
- ISO/IEC 27560 Consent Record Structure
- Kantara Advanced Notice & Consent Receipt specifications for
- Decentralized Proof of Notice for orgs
- Decentralized Proof of Processing (aka consent) for people
- W3C Data Control Vocabulary ( maps legal semantics to ontology) to harmonize decentralized legal semantics with machine readable semantics for linking identifiers and personal data.
- OCA Specification for Operational Semantic Notice
- conformity assessment vectors for OCA schema's
- legal schema overlay from localized privacy law schema
- legal schema conformity assessment to ISO baseline
- legal schema overlay conformity assessment to a privacy law schema
- conformity assessment report on legal adequacy for privacy rigxzhts and associated infrormation controls
- conformity assessment vectors for OCA schema's
Overview
For advance privacy transparency and accountaibilty to ensure trustworthiness - Required from decentralized identity - without the use of frederated systems for access control
Key Security Challenge the PCC address
- Verifying people for service use has been the main security approach
- Altenrative approach is to verfify their privacy controller credential and use privacy law for defining purpose specific services -
- Using standards fromework (ISO) with ANCR Receipt and the W3C Vocabulary for Notice and Notifications text (which fills the receipt fields)
- Advanced Security for Human Centric Privacy/Policy Controls that scale
- Must have a receipt (with operational Privacy Controller Credential) to engage in the Dynamic Data Control Ecosystem from a privacy rights and self-soveign data control
- Privacy Controller Credential is used to automate purpose driven online services, to enhance or even replace federated identity systems with self-sovering identity governance
- Key aspect is (addressing the systemic weak online controller transparency) where privacy controller credential are not available for using privacy rights
The credential is use for - credential -
the credential is generated by
The credential has 0-3 levels of Privacy Controller Credential Assurance specified here
- Self Asserted Notice Controller
- Privacy Controller
- Operating Privacy Controller
Each level requires addition verification of th4e accountable person, their role and the providence of the LEI processing personal data.
This specification formalizes the format for these 3 tiers of Privacy Assurance
Format is using ISO etc,
Tier 1 Notice Controller Credential
Tier 2 Privacy Notice Controller Credential (AKA PII/Data Controller)
Tier 3 High Transparency Assurance over the providence of processing -
- Asserting benificial owner, codes of conduct and codes of practice
The credential record for this is as follows
PII Controller info
Standards controller meta-data
OCA Translation of Controller Credential for Rights Automation
-- Next Week - Reveiwq and fill out outline for this aspect
References for use for creating a Unified (generic) Data Control Vocabulary for OCA
...