...

  • Consent Notice Receipt lifecycle 
    • Notice of risk for adv transparency to mitigate
    • Notice of acknowledgement of rights (for the acknowledged risks)

Use Case points 

  • Privacy Shield Replacement
  • decentralized risk management
  • enhancing or upgrading existing T&Cs with receipt framework

Items to cover

  • conformance framework 
    • code of conduct
      • Regulator approved (GDPR Adequacy - Industry & Sector)
    • code of practice
      •  certification

A consent by design protocol 

Types of consent processing Notice receipt type extensions https://openconsent.atlassian.net/l/c/82LahUFw 

...

  1. ANCR (Explicit Consent Receipt) - added designation to the notice receipt ID to indicate an explicit record of consent for a purpose
    1. All subsequent receipt - link to 
  2. Implied - processing receipt for when an ANCR receipt is implied - 
  3. Expressed by action (should link ANCR receipt)
  4. Directed - when a consent notice receipt is a privacy agreement for future consent to a Controller
  5. Altruistic - a consent notice receipt privacy agreement without a specifically identified controller for processing (usually a data trust) 

Lifecycle Framework: a walk-through outline

  • A notice receipt captures the record entity relationship and indicates an active relationship with a Controller notice, indicating the status of the controller and the risk assurance provided by the notice for processing (risk assurance must be independent / notarized to provide assurance)
  • This can then be extended (rather than combined) with a consent receipt CR v1.1 for consent purpose specification
    • Identifies purpose_cat - if any legally sensitive (special) categories exist (y/n)
      • The scheme must be framed from industry and sector best practice.
        • categories have different rule frameworks for processing personal data which are consistent internationally and specified in ISO 29100
      • e.g. explicit notice and consent are required when sensitive personal data category types are processed by this purpose (unless a legal exemption exists)
      • Purpose Cat = Defined by a Scheme - which is defined by industry code and sector code
    • Any required attribute names
    • Deletion, expiry rights, controls, actions, security 
    • The purpose specification provides a notice that,
    • The purpose name 
    • The purpose description
    • The personal data/info categories 
    • The treatment of the data
    • Link to - send the receipt with a notice to withdraw consent (or manage its lifecycle)

...