This specification for a controller credential is required to operationalize the electronic notice and eConsent framework. This specification distinguishes between what is referred to as consent by services online, with eConsent, which is a digital version of consent for use by digital identity systems to enable self-sovereign identity governance to scale from the physical world to the digital world.
Today what is called consent online is a capture of a consent preference as permission with the use of a contract or licensee agreement (terms of use). And is regulated with a privacy policy for this contract.
In this electronic architecture data governance policy is implemented with privacy law and then made scalable with contracts and terms and conditions. This is made possible by updating standardizing the required privacy controller information and its presentation, to include the accountable person and how the credential is linked, presented, recorded, shared, logged and stored.
Mission: " a public utility register for human centric transparency, identifier control and trust"
The controller credential is for implementing decentralized identity control transparency. Public utility for data governance used for automating personal data control transparency.
Implementing true SSI with electronic notice and consent - using international governance frameworks for hyperlocal transparency and data control
Process in progress:
| Notice & Consent Task ForceProject owner: Editors Surveillance Controller EditorSalvatore DAgostino OCA Schema Editor: | StatusACTIVE |
Notice Controller Credential add's additional fields to an existing consent record formant for notice and consent |
Introduction
In privacy regulations transparency is a key requirement. transparency is most often represented by the requirements for notice and specifying a legal justification and purpose for processing. These represent the analogue legal requirements. Modern privacy law has additional requirements in which transparency over rights and identity based controls should be proportionate to the technology and risk. Current digital identity notice and consent mechanisms are governed by terms, conditions and contracts and are most often defined by system permissions rather than the purpose of use. As a result analogue / human consent and control does not scale online to govern and control digital identifiers.
This is a significant security challenge for decentralized identity as lack of transparency over who controls and benefits from the digital identifier is a) not standardized and b) not provided until after digital identifiers are created and used to permission access and controls to an eco-system.
To scale transparency and data controls online, digital data controller information (and identitifiers) are required to automate rights based controls are to autonomously provide a stateful privacy signal. Required so that people can understand, access and effectively operationalize privacy for interoperability. Without standardized digital transparency and privacy controls, decentralized identifier control is not possible.
This additional controller 'digital trust' information is used to generate an electronic two factor notice (2FN) for eConsent.
Governance & Risk
3 Vectors of Governance
- Personal Data Control (Gov) - (lower risk) uses micro-credentials
- the individual controls the source of data and verification
- attribute by attribute control
- Logging the access to the attribute for processing
- Co-Regulation : multi-party governed -
- Data trusts, where the individual + regulator and service co-regulate
- Logging the access to the processing
- Data Protection : Self-Regulated -
- the service provider regulates the processing of personal data
- Signed, verified and open code, with shared logging
3 Tiers of Controller Assurance
0 - Self Asserted Identifier
- Public verifiable
- Digitally verifiable & Legal (service delegation)
- Operator Controller - Certified and legal
International standards are used to address limitation to internet scale data governance in national standards frameworks.
This controller credential utilizes a reference architecture that began with 1980 OECD Guidelines, and has been worked on for international /internet scalable data governance. This work has driven regulatory reform and convergence internationally. GDPR refer framework for digital.
This controller credential specification extends this international governance standard to the Trust over IP Governance Framework and is used to generate purpose specific micro-credentials for the governance of digital information with SSI's. This enables the use of this reference architecture to scale analogue notice and consent to electronic eNotice and eConsent for digital exchanges and interoperability.
- ISO/IEC 29100
- ISO/IEC 29100:2011 provides a privacy framework which. specifies a common privacy terminology; defines the actors and their roles in processing personally identifiable information (PII); describes privacy safeguarding considerations; and. provides references to known privacy principles for information technology.
- ISO/IEC 29184 Online Privacy Notice & Consent
- ISO/IEC 29184 WD 5 Consent record information structure
- ISO 27002 Series : WG 5 SC27
- ISO 27001 sets forth the compliance requirements needed to become certified. In contrast, ISO 27002 is a set of guidelines that are designed to help you introduce and implement ISMS best practices.
- CoE 108+
- International GDPR -
- data governance framework which provides the international enforcement policy baseline suitable for internet scale data control, identity transparency governance and consent
- International GDPR -
- W3C Data Privacy Vocabulary
- V.5
- Kantara
- ANCR WG: eNotice and eConsent identity governance information structure
- ANCR Notice Record
Addressing The Challenge: Security Risk, Vulnerability and Governance Transparency Gap for SSI, as decentralized identifiers need a framework for transparency and control that can demonstrate international legal adequacy.
The controller credential can be generated by any stakeholder, and is use to generate eNotice and eConsent records and receipts, that are defined here as micro-credentials.
Terms & Definitions
The terms and definitions presented and defined here are in addition to the references, this cover the field names specified for the controller.
- specific to this spec, (in the annex - mapping semantics between frameworks )
Specification Overview
This specification builds upon the Kantara ANCR Record specification (and Consent Reciept)(ref) to build a notice controller credential for recording the controller and contract information in a notice.
The ANCR Record provides Consent Types to anchor the record trust record and an individual's understanding of the relationship. Specifically, root of trust record for the individual, which the individual owns and controls In a personal data store and profile.
The Record and Receipt specification uses ISO/IEC 29100 Security and Privacy techniques ref (free ISO specification) terms and definitions to identify the legal stakeholders(ref) and their roles in the processing and control of personal information. Using international standards for creation of record and receipts publicly.
ISO/IEC 29184 - Online Privacy Notice and Consent Controls -
The field data for the records and receipts are specified from numerous sources, in particular the W3C Data Privacy Vocabulary, for
Fields Added to ANCR Record to Create Verifiable Credential
ANCR Record spec - is here (enter link)
This credential is for transparency and accountability for data (and identifier) governance,
The eNotice (PII) Controller Cresdential, is used to generate eNotice record, for micro-credential PII Principal
- PII Controller Identifier [DiD]
- Credential ID
- Accountable Person
- Accountable Person role
- Controller Notice Record Identifier
- As a DiD: Verified Credential
- Controller Type[Ctype]:
- Notice Controller,
- PII notice controller,
- PII controller,
- PII surveillance controller , (info not provided by PII Principle)
- [Ctype] controller operator,
- Accountable Person Type
Security Considerations
how to specify the
To address the security gap, the controller credential is presented in a privacy or security notice, prior to surveillance.
The individual can use this controller credential to provide consent for a specific purpose, as well as specifying the source of data, by providing a consent receipt, signed to be a micro-credential.
There are a series of steps which need to take place to establish two types of trust
Type 1: Transparency Trustframework -
Human security, discovers or generates a controller credential to create human trust anchor record and credential (dial tone)independent of the Controller/Service provider.
Type 2: Technical Trust
Mitigation Risk
Using standard framework for transparency of control with data control defaults
Micro-Credential
defined as a credential specified to a specific purpose.
Use Case
Assessment of transparency and performance of a micro-credential to mitigate risks with SSI
Examples
- Security,
- evidence
- fraud, traceabilty
- permission and access control transparency.
- Security of Security
- schema struture and use of object identifiers
- NIST - Privacy and Security Control framework
- NIST Language -
- evidence
- Auditing a ToiP implementation
Glossary
Controller Credential
Micro Credential
Privacy Stakeholders - ISO 29100
Privacy Stakeholders | ISO Definition | |
|---|---|---|
| Regulator / | Privacy Regulator for individuals | |
| PII Principal | ||
| PII Controller | ||
| Joint PII Controller | ||
| PII Processor | ||
| 3rd Party | another person, or police, |
Annex: Privacy Stakeholder Mapping to Functional ToiP Roles
Continuing of the ANCR Record Assessment to identify the controller credential,
Map the ToiP functional role to the legal authority, justification and role of the stakeholder.
Questions:
Is the controller the holder, verifier, or issuer?
| ISO Term | TOIP Terms | |||
|---|---|---|---|---|
| Controller | Holder, verifier, issuer | |||
| Principal | ||||
| Processor | ||||
| controller contact | extend consent termination for a control point |
Delegated Authority Examples :
Delegated | |||
|---|---|---|---|
| Regulator | Ombudsman | ||
| PII Principal | Guardian/Parent/School | ||
| PII Controller | Joint-Controller | ||
| PII Processor | Sub-Processor | ||
| 3rd Party | turtles |
References for Controller Credential, Infrastructure and Legal Framework
Standard/Specifications | Title | Description | Resource Status |
|---|---|---|---|
| ISO 29100 | Information technology — Security techniques — Privacy framework | ISO/IEC 29100:2011 provides a privacy framework which
| Status - Is publicly available - https://www.freestandardsdownload.com/iso-iec-29100-2011.html |
| ISO/IEC 29184:2020 | Online privacy notice and consent | (just published - not available to public - we are working on publishing a report/appendix for use with this group ) | |
| W3C DPV 0.01 | Data Privacy Vocabulary |
|
|
Reference: OPN: Open Notice (+ Consent) Receipt Schema: Starters Guide to Unified Data Control Schema
Lizar, M. & Pandit, H.J., OPN: Open Notice Receipt Schema, 14th International Conference on Semantic Systems (SEMANTiCS 2019), Karlsruhe, Germany, 2019 [Published http://www.tara.tcd.ie/handle/2262/91576 [accessed July 1, 2020]
Field Name | Field Label | Format | Description | Required/Optional |
Schema Version | version | string | Required | |
Notice Profile URI | profile | string | Link to the controller's profile in the OPN registry. | Required |
Type of Notice Receipt | Notice Receipt | string | Label Notice Receipt | Required |
Receipt ID | id | string | A unique number for each Notice Receipt. SHOULD use UUID-4 [RFC 4122]. | Required |
Timestamp | timestamp | integer | Date and time of when the notice was generated and provided. The JSON value MUST be expressed as the number of seconds since 1970-01-01 00:00:00 GMT (Unix epoch). | Required |
Signing Key | key | string | The Controller’s profile public key. Used to sign notice icons, receipts and policies for higher assurance. | Optional |
Language | language | string | Language in which the consent was obtained. MUST use ISO 639-1:2002 [ISO 639] if this field is used. Default is 'EN'. | Optional |
Controller Identity | controllerID | string | The identity (legal name) of the controller. | Required |
Legal Jurisdiction | jurisdiction | string | The jurisdiction(s) applicable to this notice | Required |
Controller Contact | controllerContact | string | Contact name of the Controller. Contact could be a telephone number or an email address or a twitter handle. | Required |
Link to Notice | notice | string | Link to the notice the receipt is for | Optional |
Link to Policy | policy | string | Link to the policies relevant to this notice e.g. privacy policy active at the time notice was provided | Required |
Context | context | string | Method of notice presentation, sign, website pop-up etc | Optional |
| Receipt Type | The human understandable label for a record or receipt for data processing. This is used to extend the schema with profile for the type of legal processing - and is Used to identify data privacy rights and controls |
OCA schema specification: https://docs.google.com/spreadsheets/d/1KOdq8Yy3OXmuELyh7tpHMlhyMZPSZ3Ib/edit#gid=68769926