Executive Summary
- The privacy controller credential is the digital version of an organizations privacy and surveillance notice and identification
- Rather than analogue - company identity, company address, company phone number, the controller credential contains the digital version of this information and privacy contract point for exercising data control for privacy rights.
- The point where a valid state of consent can be assured with a proof of notice and a record of consent.
- The aim of this specification is to implement related standards and specification for different measure of privacy assurance in accordance with the principles of operational privacy
- At its core, the privacy controller credential is a security and rights record and used for Non-Interdependent access to rights and controls in context of decentralized use of identifiers
Introduction
In privacy regulations globally the notice and notification requirements in legislation are the most consistent across jurisdictions. In all regulations the identity of the PII Controller is required to be provided to the person before, at the time, or as soon as possible, when processing personal information.
This specification uses ISO/IEC standard semantics to generate a notice of controller receipt for each digital identifier based relationship, in order to implement privacy rights to control the use of the personal information the digital identifier relates too.
Key Security Challenge - KYC addressed enhanced with a new authorization flow called - KYB - Know your business
- Verifying people for service use has been the main security approach
- Altenrative approach is to verfify their privacy controller credential and use privacy law for defining purpose specific services -
- Using standards fromework (ISO) with ANCR Receipt and the W3C Vocabulary for Notice and Notifications text (which fills the receipt fields)
- Operational PrivacyEngineering & Design Principles
- Principal of "Transparency Proportionality and Control Reciprocity - Dynamic Data Controls"
- Code of Conduct
- Must have a receipt (with operational Privacy Controller Credential) to engage in the Dynamic Data Control Ecosystem from a privacy rights and self-soveign data control
- Privacy Controller Credential is used to automate purpose driven online services, to enhance or even replace federated identity systems with self-sovering identity governance
ISO 29100 Privacy Stakeholders
Privacy Stakeholders | ISO Definition | |
|---|---|---|
| Regulator / | ||
| PII Principal | ||
| PII Controller | ||
| PII Processor | ||
| 3rd Party |
| Privacy Controller Credential Roles | |||
|---|---|---|---|
| Data Governance Authority Operator Role | Certification Providers on Regulator Approved Codes of Conduct - very limited PII - data controller personal information and a linked reference to a data subjects identifier - | ||
| Data Governance Registrar | ` |
Applying /mapping ToiP Governance Model to international framework:
| Stakeholder | Privacy Controller Credential : Creating Credentials for a use Case | Description | |
|---|---|---|---|
| Issuer | |||
| Holder | |||
| Verifier |
Gov ToiP Role | UseCase Example | Roles | Actors Privacy Stakeholders
| |
|---|---|---|---|---|
| Provides the schema - hospital | issuer | Privacy Controller | ||
| Person - Requesting Information from - patient/traveller | holder | Data Subject | ||
| 3rd Party - border control | Verifier | Data Processor / 3rd Party |
- looking to make a process for what Legal Privacy Stakeholder has the Credential Role
- Steps to assign Stakeholder Roles
- Test for checking if its a processors or a 3rd party?
- Steps to assign Stakeholder Roles
Legal Semantic Element | semantic description | functional usage | fields Required | |
|---|---|---|---|---|
| controller | ||||
| controller_identity | ||||
| controller address registered | ||||
| controller address (mailing) | ||||
| controller contact | extend consent termination for a control point |
Delegated Role :
Delegated | |||
|---|---|---|---|
| Regulator | Ombudsman | ||
| PII Principal | Guardian | ||
| PII Controller | Joint-Controller | ||
| PII Processor | Sub-Processor | ||
| 3rd Party | turtles |