Hi Sal, (ANCR WG) 

Thanks for teeing this up. The challenges to completing work, which we have discussed at length through submissions of proposals for funding, are addressed if we collaborate with DGSI, move the CR V2 work there, and then update the TP-Scheme.

27560, which is now chaired by Jan and Harsh, has a new number, 27569, to add the other legal justifications to the 27560 standard. The aim is to submit a comment from ANCR to ISO, as well as via the Canadian SC27 Mirror Committee, that KI ANCR WG is collaborating with DGSI to submit a draft update to 27560, for 27569.

Perhaps we can add something towards addressing roles, distinguishing permission from consent, not identifying the individual by default, but making this the choice of the PII principal, with personal data control. Specified specifically to Conv 108+ (which is mirrored by GDPR) to address Articles 13-17, 31 and 88.

So that the spec can be used by other standards to demonstrate compliance with these Articles. I am talking with Jan and Harsh about this, this week, and intend to virtually attend the meeting for this at the end of the month.

Ideally, we can approve
a) the contribution and collaboration with DGSI,
b) the ANCR comment submitted to the Canadian Mirror Committee, and subsequently ISO for the next meeting (aka by the end of the next week).

Can you add these to the agenda?   I will aim to get drafts over to the work group, asap. 

Best, 

Mark 
 

On 6 Sep 2024, at 09:31, Salvatore D'Agostino <sal@idmachines.com> wrote:

Dear Mark,
 
The opportunity with DGSI, the upcoming ISO meeting, and the need to complete the publications on our roadmap require us to focus on these projects/publications to take advantage of this.
 
The direction below does not change the work or the direction of what we have underway. In all cases we need to finalize the scope and get out the TPI/TPS, and CRv2.
 
I suggest that we use the majority of the meeting to assess where we are at, and what we commit to accomplishing.
 
Sincerely,
Sal
 
 
From: Mark Lizar <mark@transparencylab.ca>
Sent: Thursday, September 5, 2024 11:45 PM
To: wg-ancr@kantarainitiative.org
Subject: [WG-ANCR] Re: Next Steps - Notice and Consent Receipt v2,
 
Dear WG, 


There has been some good forward movement on resolving long outstanding issues in advancing the work from the ANCR WG. Below I explain why I would like to propose that we take our v2 notice and consent receipt work to Data Governance Standards Institute (DGSI), a Canadian national standards body, as soon as possible. 

For those of you who don’t know, there are some known challenges to progress the notice and consent receipt work. In summary: 

  • Originally called the MVCR [Minimum Viable Consent Receipt], it was taken too soon to ISO and named 27560 Consent record information structure, without the CISWG’s knowledge
  • At ISO, it was politicised and diluted by numerous national inputs until it was unable to address the core issues of notice and consent
  • Consent requires open and standard transparency; its strength, integrity and viability depend on it. This is why the MVCR is a notice receipt that anyone can use to consent with. Consent is essentially based on a notice record information structure, which is what ISO/IEC 29184 is focused on, as well as some very specific laws, able to be used autonomously to demonstrate consent
    • It was specified to the ISO/IEC 29100 security and privacy framework, which was open, but its latest update is not
    • It was specified for the ISO/IEC 29184 Online Privacy notice and consent standard (see Appendix D 29184). This standard is not open (exclusive), so not operational as an international transparency and identity governance standard
  • Finally, 27560, the consent record information structure, makes a fundamental error by confusing consent (managed by humans) with permission (managed by services)
  • What's more, continuing this work via Kantara has a disadvantage, as Kantara is not a national standard body, making a Special Interest Group for Authc with members from national stakeholder a non-viable path.

 

For these reasons and more,  the ANCR WG has always been viewed as a place to incubate standards for industry and regulatory use. This is why we have worked on a companion TP-Scheme that uses this specification to demonstrate conformance and compliance. The idea being that we, the ANCR WG, work on the scheme, and support its use and extension for a Kantara programme, or one that Kantara collaborates with. 

The ANCR WG demo, in collaboration with a specification at DGS, is what is ultimately being proposed here as the immediate path forward.

DGSI are now recognised, accredited to make national and international standards, and have a direct route to ISO/IEC. Even more importantly, DGSI have an arrangement with ISO because their standards are open, the standards put forward to ISO will also be free and open to access.  This provides us with a clear path for our v2 Notice and Consent specification to ISO, with national regulatory input, at no cost. 

To this end, the next plenary for ISO is coming up at the end of this month and comment is needed next week (w/c 9 September).

I suggest we put forward to the 27560 that we have a proposed v2 to be developed in collaboration with DGSI, and that we have a TPS at Kantara, to assess validity of consent.

Suggesting we move the TP-Scheme forward in this context - and from this context work on the AuthC SiG.

Please comment and respond before next week's meeting (Wed 12th of September).

 

- Mark 

 
 