There has been some good forward movement on resolving long outstanding issues in advancing the work from the ANCR WG. Below I explain why I would like to propose that we take our v2 notice and
consent receipt work to Data Governance Standards Institute (DGSI), a Canadian national standards body, as soon as possible.
For those of you who don’t know, there are some known challenges to progress the notice and consent receipt work. In summary:
-
Originally called the MVCR [Minimum Viable Consent Receipt], it was taken too soon to ISO and named 27560 Consent record information structure, without the CISWG’s knowledge
-
At ISO, it was politicised and diluted by numerous national inputs until it was unable to address the core issues of notice and consent
-
Consent requires open and standard transparency; its strength, integrity and viability depend on it. This is why the MVCR is a notice receipt, that anyone can use to consent with, Consent is essentially
based on a notice record information structure, which is what ISO/IEC 29184 is focused on, as well as some very specific laws,. able to be used autonomously to demonstrate consent
-
It was specified to the ISO/IEC 29100 security and privacy framework which was open, but its latest update is not
-
It was specified for ISO/IEC 291284 Online Privacy notice and consent standard, (see Appendix D 29184). This standard is not open (exclusive), so not operational as a international transparency
and identity governance standard
-
Finally, 27560 the consent record information structure makes a fundamental error by confusing consent (managed by humans) with permission (managed by services)
-
Whats more, continuing this work via Kantara has a dis-advantage, As Kantara is not a national standard body, making a Special Interest Group, for Authc with members from national stakeholder
a non viable path.
For these reasons and more, the ANCR WG has always been viewed as a place to incubate standards for industry and regulatory use. This is why we have worked on a companion TP-Scheme that uses
this specification to demonstrate conformance and compliance. The idea being that we, the ANCR WG, work on the scheme, and support its use and extension for a Kantara programme, or one that Kantara collaborates with.
The ANCR WG demo, in collaboration with a specification at DGS is what is ultimately being proposed here as the immediate path forward
DGSI are now recognised, accredited to make national and international standards, and have a direct route to ISO/IEC. Even more importantly, DGSI have an arrangement with ISO because their standards
are open, the standards put forward to ISO will also be free and open to access. This provides us with a clear path for our v2 Notice and Consent specification to ISO, with national regulatory input, at no cost.
To this end, the next plenary for ISO is coming up at the end of this month and comment is needed next week (w/c 9 September).
I suggest we put forward to the 27560 that we have a proposed v2 to be developed in collaboration with DGSI, and that we have a TPS at Kantara, to assess validity of consent,
Suggesting We move the TP-Scheme forward in this context - and from this context work on the AuthC SiG.
Please comment and respond before next weeks meeting (Wed 12th of September)
- Mark