...

  1. The accountable person may or may not be an employee of the organization.
  2. Different jurisdictions name, define and reference this role differently.
  3. Some jurisdictions, like the UK, have a data controller registry, where this binding is public and legally required (a benefit in this case, a challenge where absent).
  4. Some jurisdictions, like the EU, require an accountable data controller representative in the jurisdiction where a service is operating, in order to address legal data privacy and security issues that may arise.
  5. 2 or more Controllers might be accountable for processing of personal data.
  6. Identify, in the context of a service, the controller and accountable person for any user.
  7. The privacy law in some jurisdictions can itself break privacy law in other jurisdictions by requiring the accountable person information to be published publicly.
  8. Extend a privacy assurance profile by binding a VC (in this case the Privacy Controller Credential) for trust and privacy assurance.
  9. Developing a Unified Notice Control Language that is interoperable: an International Notice & Control protocol for Unified Data Control and portable semantics for governance interoperability between domains and jurisdictions.

The proposed solution: 

Develop this controller credential specification with a set of rules for the use, maintenance, and lifecycle of a privacy controller credential.

To illustrate: 

A record format to capture the bound controller information, which can be used to present a notice of control according to context, and a notice of who the accountable person is according to purpose of credential use, that is independent of the privacy controller.

The specification should provide: 

  • a record format that MUST blind the identity of the accountable person,
  • a record that is usable as linked data in a notice of control receipt, which provides only the controller information required for the purpose of credential use,
  • a record that provides a profile of the bound controller credentials in a manner that can show the controlling person before, during and after the use of a decentralized digital identifier.

Details for Risk and Liability Management 

  • Provenance of control begins with the person who is accountable and bound making the assertion to the accountable role, using laws and standards to bind a privacy rights request to a legal entity (who is liable).

...

Summary

Supporting Decentralized Data Controls with Identity Governance for data subjects' (data) rights. This task force's mission is to enhance identity and data governance interoperability with standardized notice of control and accountability for processing personal data (with the ToIP layered governance model).

...

This specification will provide a nested schema to record a privacy controller credential for transparency over the control of processing. This privacy controller credential is intended to use a stack of standards and specifications to provide a standard set of identity control semantics, which people can then use in notice and notification to control personal data directly, providing privacy assurance.

Decentralized Semantic Governance Stack

The Identity and Data Governance semantic baseline is the international ISO/IEC 29100 security and privacy techniques framework. This is mapped to the legal jurisdiction notice schema, and the differences and risks (in terms of rights and the performance of data controls) are provided as a component of the notice of control.

...

  1. For privacy and security notifications of decentralized identifiers, VCs and the ISO 27710 series, Security Techniques - Information Security Management Systems - in particular,
    1. ISO/IEC 29100 Security Techniques - Privacy Framework (for identifier governance)
    2. ISO/IEC 29184 Online Privacy Notice & Consent
    3. ISO/IEC 27560 Consent Record Structure
    4. Kantara Advanced Notice & Consent Receipt specifications for
      1. Decentralized Proof of Notice for orgs
      2. Decentralized Proof of Processing (aka consent) for people
  2. W3C Data Control Vocabulary (maps legal semantics to ontology) to harmonize decentralized legal semantics with machine-readable semantics for linking identifiers and personal data.
  3. OCA Specification for Operational Semantic Notice
    1. conformity assessment vectors for OCA schemas
      1. legal schema overlay from localized privacy law schema
      2. legal schema conformity assessment to ISO baseline
      3. legal schema overlay conformity assessment to a privacy law schema
      4. conformity assessment report on legal adequacy for privacy rights and associated information controls

Overview

For advanced privacy transparency and accountability to ensure trustworthiness - required from decentralized identity - without the use of federated systems for access control

Key Security Challenge the PCC Addresses

  • Verifying people for service use has been the main security approach
  • Alternative approach is to verify their privacy controller credential and use privacy law for defining purpose-specific services
  • Using a standards framework (ISO) with the ANCR Receipt and the W3C Vocabulary for Notice and Notifications text (which fills the receipt fields)
  • Advanced Security for Human Centric Privacy/Policy Controls that scale
    • Must have a receipt (with operational Privacy Controller Credential) to engage in the Dynamic Data Control Ecosystem from a privacy rights and self-sovereign data control
    • Privacy Controller Credential is used to automate purpose-driven online services, to enhance or even replace federated identity systems with self-sovereign identity governance
    • Key aspect is (addressing the systemic weak online controller transparency) where privacy controller credentials are not available for using privacy rights

The credential is used for - credential -

the credential is generated by

The credential has 0-3 levels of Privacy Controller Credential Assurance specified here

  1. Self Asserted Notice Controller
  2. Privacy Controller 
  3. Operating Privacy Controller 

Each level requires additional verification of the accountable person, their role and the provenance of the LEI processing personal data.

This specification formalizes the format for these 3 tiers of Privacy Assurance 

...

Business Story 

  • Friction Reduction - simplifying compliance for digital ecosystems 
    • simple services that are purpose driven will have a better user experience 

*****

...

Tier 1 Notice Controller Credential

Tier 2 Privacy Notice Controller Credential (AKA PII/Data Controller)

Tier 3 High Transparency Assurance over the provenance of processing

  • Asserting beneficial owner, codes of conduct and codes of practice

The credential record for this is as follows 

PII Controller info 

Standards controller meta-data 

OCA Translation of Controller Credential for Rights Automation 

-- Next Week - Review and fill out outline for this aspect

References for use for creating a Unified (generic) Data Control Vocabulary for OCA

...

OCA schema specification: https://docs.google.com/spreadsheets/d/1KOdq8Yy3OXmuELyh7tpHMlhyMZPSZ3Ib/edit#gid=68769926

Background of this Stack

...