Control Catalogue: AdvCIS v1.2 - Online Privacy Notice and Consent Record
Operational Notice & Privacy Clause Controls Catalogue
This work is non-normative and (like the MVCR v.7 Appendices) should only be used as non-normative and subject to AdvCIS IPR. This catalogue is used for mapping the ISO 27560 WD 1, CR V1.2 Report, to the ISO 29184 controls, including content and structure control terms, content specification, consent specification and notification requirements, to specific terms of service and contract clauses.
Application
Notice
Content of Notice
Consent
Change of Conditions: Notifications
Applications | Determining whether the control applies | Use of controls | Expected results of the application for a successful use of the Notice and/or Consent Receipt |
---|---|---|---|
Notice Conformance | Able to identify the control in a notice and capture it | | |
Notice Creation | | | |
Record Conformance | Is a control required for a record? | When there are reasons that can justify that the control does not apply, the justification is linked, documented and validated | |
Use 3: Demonstrating Conformance | Demonstration of compliance with ISO 29184 is out of scope for this catalogue | | c) how the implementation of the control is verified and validated (use of the receipt for this purpose is out of scope of this document) |
CR v1.1: ISO 29184: Notice & Consent Control Catalogue
Notice | Notice Content & Structure Controls (Definitions) | Notice Obligation |
---|---|---|
Meaningfully Exercise Consent | Provide notice where it is required, in a language appropriate to PII principals, at a time that permits PII principals to meaningfully exercise consent, at places where it is easy for PII principals to recognize, and with references that provide PII principals with access to supplementary material, including prior notices and their responses | With references that provide PII principals with access to supplementary material, including prior notices and their responses |
5.2.2 Providing notices obligation | Identify situations where providing notice is necessary and shall provide notice that complies with the requirements and recommendations | Provide a notice to PII principals in accordance with relevant data protection/privacy legislation |
5.2.3 Appropriate expression | The organization shall provide the notice in a way that is clear and easy to understand for the targeted PII principals. The notice shall be easily legible and in a concise language that a reasonable person without any legal or technical training can comprehend. | The notice should be drafted taking into account particular categories or types of PII principals (e.g. disadvantaged societal sub-groups). |
5.2.4 Multi-lingual notice | The organization shall provide the notice in the language(s) according to the target principal's language expectations. | For example, the organization may present the PII principal with a list of supported languages displayed in the respective languages and allow the PII principal to choose the language. Displaying the name of each language in that language is important, as the PII principal may not be able to recognize it if it is shown in another language. A web browser has a preference setting for a preferred language, and it may be used for this purpose. However, solely depending on the browser's language preference may not be a good idea since the PII principal may be using a shared computer. |
5.2.5 Appropriate timing | The organization shall determine and document the appropriate timing (e.g., immediately prior to collecting the PII) for providing notice to the PII principals when the activity in question is relevant to the privacy interests of the PII principals. | Timestamp for consent capture; a timestamp is also needed for when data will be processed, and if processing is not just in time, for when processing occurs |
5.2.6 Appropriate locations | The organization shall provide notices in a manner appropriate to the product or service in question so that PII principals can find and access the notices electronically and easily, including at online locations. | |
5.2.7 Appropriate form | The organization shall determine how the notice is provided and made accessible with respect to the timing of processing. | |
5.2.8 Ongoing reference | The organization shall keep and make available the version of the notice presented when the PII principal gave consent, as well as the most recent relevant version for easy reference by that PII principal | |
5.2.9 Accessibility | The organization shall provide a notice in an accessible manner that is appropriate to the technologies underlying the online service. | Particularly in cases where individuals with accessibility issues are expected to access notices, the notices should enable them to understand the content of the notices. This may involve the need to ensure that the text of the notice can be converted to sound for those individuals with visual issues. Guidelines such as ISO/IEC 40500:2012 W3C Web Content Accessibility Guidelines (WCAG) 2.0 help in designing accessibility. |
Contents of notice | | |
---|---|---|
5.3.1 General | | |
5.3.2 Purpose description | The organization shall ensure that the notice includes information about the purpose(s) for which the PII will be processed. | It is important for PII principals to understand the purposes for the processing of the PII collected so that they can provide meaningful consent. For brevity of the notice, a name or short phrase for each purpose may be used, but it should be possible (e.g., via a hyperlink) to associate that name or phrase with an overview of the purpose sufficient for PII principals to provide meaningful consent. [..] |
5.3.3 Presentation of purpose description | The organization shall specify the purposes related to the collection of each element of PII and appropriate information about the plausible risk of the processing, in an order according to the general assessment of the risk. NOTE: The impact and risk may not necessarily be obvious. | |
5.3.4 Identification of the PII controller | The organization shall provide the PII principal with the relevant information (e.g., the identity and contact details) about the PII controller. | Identification of the PII controller is typically by company name, but could also involve the displaying of company number, head office / operational address and (if appropriate) departmental information. |
5.3.5 PII collection | The organization shall provide information that allows PII principals to understand what elements of PII are being collected, even where the collection of the particular elements of PII is obvious. | In addition to using generic language such as "Your personal information will be collected," where appropriate based on the impact determined in the assessment described in 5.3.3, the organization should provide the list of specific elements of PII that are collected (e.g., "Your name, address, and telephone number will be collected.") even if it is obvious what the collected information is. To identify what would count as the PII to be listed in the notice, the organization should consult 4.4 of ISO/IEC 29100:2011. The organization should present the actual value of an element of PII to be collected at the time of collection where it is relevant, feasible and practical. Where it is not feasible to do so, the organization may provide a clear example of the element values being collected with the associated name of an element of PII. By doing so, the PII principal can understand what is referred to by the name of an element of PII and what kind of values are going to be collected. [..] |
5.3.6 Collection method | The organization shall provide PII principals with clear explanations of the collection methods being used, along with information about any risks associated with particular collection methods. | |
5.3.7 Timing and location of the PII collection | The organization shall explain in the notice generally when and where the PII is collected, although such notice shall not be required in circumstances where PII collection occurs where and when a PII principal undertakes an action such as the explicit submission of information. | If PII is not directly collected, the timing and the location of the PII collection may not be obvious to the PII principal. Including this information in the notice will help the PII principal to understand the situation. Typically, notices should be provided prior to the PII being collected. For example, where PII is being collected on a web based form, the top of the form could include the privacy notice (or a summary of the notice with a link to the full notice). A second example: when collecting PII by CCTV in a public area, a notice that 'CCTV is in operation' along with details of the PII controller and contact details should be displayed at the entrance to the area covered by the CCTV. |
5.3.8 Method of use | | [..] ones to trick the PII principal to give consent. Used as is, used after some processing (e.g., derivation, inference, de-identification, or combining with other data), combined with other data (e.g., geo-localized, via the use of cookies, from third parties), used by automated decision-making techniques (e.g., profiling, classification). If some processing (e.g., de-identification, aggregation) is applied to the PII before use, it is desirable to state what kinds of transformations are being applied. |
5.3.9 Geo-location of, and legal jurisdiction over, stored PII | The organization shall specify the geo-location(s) where PII will be stored and processed and the legal jurisdiction(s) that govern the handling of the data. | The granularity of geographical location(s) (e.g., country, region) should be consistent with the applicable geographical extent(s) of the relevant applicable law(s). |
5.3.10 Third party transfer | The organization shall provide in the notice if the PII will be transferred to a third party in the ordinary course of business. NOTE: Transfer includes PII disclosure/communication. | If an organization will transfer PII to a third party, the notice shall include, directly or indirectly: to whom the PII will be transferred; the geo-location(s) to which the PII will be transferred, and any changes in legal jurisdiction(s) that may arise; for what purpose the PII will be transferred. Although the organization needs to identify and provide notice of individual third-party recipients, it may specify a group of recipients using clearly defined criteria where appropriate. Criteria as specified in 5.3.10 should be clearly defined as part of a purpose specification category or definition. |
5.3.11 Retention period | The organization shall provide information about the retention period and/or disposal schedule of PII that it is collecting. | The organization should give due consideration to the purposes for the PII processing and ensure that the retention periods are appropriate. The information concerning the retention period and/or disposal schedule may be in the form of a specified period (e.g., 5 years) from the date of collection or from the occurrence of a specific event, or a specified date (e.g., to be disposed of on 1 January 2025). It may also consist of the criteria used to determine that period or schedule. An organization may collect PII for multiple purposes. Depending on the purposes, the retention period may differ. As such, the data retention period may also be specified per purpose. |
5.3.12 Participation of PII principal | The organization shall provide information about the PII principal's rights (e.g., access, rectification, deletion, objection, restriction, data portability, withdrawal of consent, etc.). | |
5.3.13 Inquiry and complaint | The organization shall provide information about the contact details for inquiries regarding the processing of PII stated in the notice and about the right to lodge a complaint with a supervisory authority. | Contact information consists of, but is not limited to, telephone numbers, websites, email addresses, and physical locations where inquiries can be directed. |
5.3.14 Information about accessing the choices made for consent | The organization shall inform the PII principal of where and how to access preserved evidence of choice exercised initially and as subsequently revised by the PII principal (including revocation), along with the date such choices were made. | |
5.3.15 Basis for processing | The organization shall ensure that the notice includes information about the basis by which the PII will be processed. | Consent is one possible basis for processing. Other bases such as performance of a contract may be possible. |
5.3.16 Risks | The organization should provide specific information about plausible risks to PII principals, where the impact to privacy and likelihood of occurrence (after mitigations are taken into account) are high or those risks cannot be inferred from other information provided to the PII principal. | The information provided in notices should generally be sufficient that the PII principal can be reasonably expected to identify potential risks to their privacy. The risk should be explicitly communicated: for those risks that are specifically communicated to the PII principal, this can be done in a separate section or within the corresponding section (e.g. if the plausible highest risks relate to the purpose of processing and particular data types, it could be communicated within those sections OR it could be communicated in a separate section of the notice specific to risks). In some cases, it may be preferable to improve the other information provided so the risks can be better inferred from this information, e.g. by being more specific on purpose descriptions or elements of PII processed. NOTE: Residual risk to privacy of a PII principal can be determined from a risk assessment or privacy impact assessment. |
Consent | Consent Record Structure Controls | |
---|---|---|
5.4.1 General | Objective: To ensure the organization obtains consent from the PII principal when consent is the basis for collection of PII, in a manner that is fair, demonstrable, transparent, unambiguous and revocable (withdrawable). | |
5.4.2 Identification of whether consent is appropriate | The organization shall identify the situations where consent or explicit consent is appropriate and shall request consent from PII principals in these situations. | The organization may be required to obtain consent concerning its PII collection from PII principals by relevant data protection/privacy legislation. Consent may be required, among other things, when the organization plans to collect new PII or when it plans to use PII already collected for new purposes. Consent is not the only lawful basis for the processing of PII and thus not always required. In some jurisdictions, other lawful bases include a) contractual necessity, b) compliance with legal obligations, c) vital interest, d) public interest, and e) legitimate interests. |
5.4.3 Informed and freely given consent | Provide sufficient details concerning the processing of PII so that the PII principal can give consent to the processing freely, specifically and on a knowledgeable basis, and can easily access, modify and/or withdraw that consent. | Consent is only considered to be informed if there is evidence that the PII principal has been provided a clear and understandable notice. |
5.4.4 Providing the information about which account the PII principal is using | | A PII principal may have more than one online account at the PII controller. For example, the PII principal may have browser sessions to a service with both their work account and their private account. Another common example is a case where members of a family are sharing the same PC and the web browser is maintaining the sessions for all of them and the user can select the account from a pull-down menu. Organizations should display the user account or identity that is being used to give consent in the manner that the PII principal is accustomed to when using the system. [..] |
5.4.5 Independence from other consent | The organization shall obtain consent for matters related to privacy separately from consent for other matters not related to privacy. | Consent for use, collection, and processing of PII should be clearly differentiated from Terms of Use. Combining privacy related notice with other matters can obscure the notice and potentially have a negative impact on the comprehensibility of the notice. Organizations should obtain consent through an action independent from consent for any other terms not related to privacy (e.g., contractual terms and conditions). |
5.4.6 Separate consent to necessary and optional elements of PII | The organization shall make it possible for the PII principal to recognize the necessary (mandatory) and optional elements of PII for each identified purpose. | If the necessary elements of PII are not provided, then the processing cannot proceed, but this is not the case for the optional elements of PII. The organization should make it possible for the PII principal to provide consent separately on the necessary elements of PII and optional elements of PII. Where PII is provided for an optional element of PII, it should be taken that consent has been given. |
5.4.7 Frequency | The organization shall seek to confirm existing consent or gain the new consent of a PII principal at an appropriate interval. NOTE: Interval may be indefinite. | If the organization asks for the consent of the PII principal too often, the PII principal may overlook what the consent is about and start accepting it without really understanding the implication of it. This is sometimes referred to as click training or user de-sensitization. The organization should not seek consent too often to prevent this from happening. An indicator for the considerations made before should be the negative impacts on the PII principal or the risks of such an impact (i.e. the frequency of confirming existing consent or gaining new consent should enable the PII principal to effectively and efficiently react to or prepare for the corresponding impacts or risks). Typically, re-consent is only required where a change of conditions (see 5.5) exists. |
5.4.8 Timeliness | The organization shall obtain the consent of the PII principal in a timely manner. | Seeking the consent of the PII principal too early may have practical issues in the consideration being given to the consent. The organization should not seek the consent of the PII principal too early. |
5.5 Change of conditions | Objective: To ensure PII principals have an opportunity to re-consent when significant changes are made in respect to matters regarding initial consent (see 5.4). | |
5.5.2 Renewing notice | The organization shall inform the PII principal when its notice contents (see 5.3) are updated | a) the PII controller's contact details change; b) the contact point details change; c) recipients or categories of recipients change; d) PII retention period changes. |
5.5.3 Renewing consent | The organization shall inform the PII principal when its notice contents (see 5.3) are updated | Situations when the PII principal is required to re-consent are, for example, when: |
legal justifications privacy rights - 72 hour breach notification DPA
Notification Controls | Notification Requirements |
---|---|
a) the PII controller changes the purpose of use of collected PII to something outside the scope of what was notified to the PII principal at the time PII was collected; b) there is a substantial organizational change at the PII controller (e.g., change of owner, change of business); c) there is a substantial organizational change at the PII controller (e.g., change of owner, change of business); d) the PII controller changes the PII being collected (e.g., the PII being processed changes); the PII controller changes the processing of PII; e) the PII controller changes the collection method of PII (e.g., the methods used to collect the PII change); f) the PII controller changes matters related to the transfer of PII to a third party (unless the PII principal was previously notified that PII would be provided to a range of third parties and the change made does not expand the scope of transfer); g) the PII controller extends the retention period or changes the disposal date notified to the PII principal at the time PII was collected; h) the PII controller changes matters related to disclosure, use and retention period, correction, deletion, third party transfer, or revoking of consent; i) the PII controller changes the geo-location of data collection. | When organizations should seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes. |
| Where re-consent is requested, and no response is received, it should be assumed that the original consent has been withdrawn. If a PII principal was notified of a change and that change is going to be made within a notified context, the organization can change without obtaining consent from the PII principal. |
| In many cases, the consent for an individual PII principal would be obtained at the login time of the PII principal. |
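The following is an added worked example of how several of the controls above fit together in a consent record; it is not code from the AdvCIS catalogue, the MVCR, or ISO 29184/27560. The field names, the set of change categories it can detect from a notice, the one-year "significant elapsed time" threshold and the sample notices are all assumptions made for illustration. The record is tied to the notice version presented by a content hash (5.2.8), carries the capture timestamp (5.2.5), the account used (5.4.4) and the optional PII elements consented to per purpose (5.4.6). On a change of conditions (5.5) it applies the guidance in the Notification Requirements column: when the principal can access the record and consent is recent, notify the changes and seek consent for them; otherwise also seek reconfirmation of the original consent; and treat no response to a re-consent request as withdrawal.

```python
"""Added example (not code from the AdvCIS catalogue, the MVCR or ISO 29184/27560):
a minimal consent record and change-of-conditions check. Field names, the
detectable change categories and the elapsed-time threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json


def notice_fingerprint(notice: dict) -> str:
    """Hash of the notice content as presented, so the record is tied to exactly
    the version the principal saw (5.2.8 ongoing reference)."""
    canonical = json.dumps(notice, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    account_id: str                 # account used to give consent (5.4.4)
    language: str                   # language the notice was presented in (5.2.4)
    notice: dict                    # notice content at consent time
    notice_hash: str                # fingerprint of that content (5.2.8)
    captured_at: datetime           # timestamp of consent capture (5.2.5)
    mandatory_elements: dict        # purpose -> PII elements required for processing
    optional_consented: dict        # purpose -> optional elements consented to (5.4.6)
    record_accessible: bool = True  # can the principal retrieve this record?


def capture_consent(account_id, language, notice, optional_consented, now):
    """Build a record; mandatory elements are taken from the notice per purpose."""
    mandatory = {p: spec["mandatory"] for p, spec in notice["purposes"].items()}
    return ConsentRecord(account_id, language, notice, notice_fingerprint(notice),
                         now, mandatory, optional_consented)


# Re-consent triggers from 5.5.3 that can be detected from these (assumed) notice fields
CHANGE_CHECKS = {
    "purpose": lambda old, new: set(old["purposes"]) != set(new["purposes"]),
    "controller": lambda old, new: old["controller"] != new["controller"],
    "pii_elements": lambda old, new: any(
        old["purposes"].get(p, {}).get("mandatory") != spec["mandatory"]
        for p, spec in new["purposes"].items()),
    "third_party": lambda old, new: old["third_parties"] != new["third_parties"],
    "retention": lambda old, new: new["retention_days"] > old["retention_days"],
    "geo_location": lambda old, new: old["geo_location"] != new["geo_location"],
}

SIGNIFICANT_ELAPSED = timedelta(days=365)  # assumed threshold, not taken from the catalogue


def evaluate_change(record, new_notice, now):
    """Return (triggered change categories, action).
    'none'      - notice unchanged;
    'notify'    - record accessible and consent recent: notify the changes and
                  seek consent for them;
    'reconfirm' - otherwise also seek reconfirmation of the original consent."""
    if notice_fingerprint(new_notice) == record.notice_hash:
        return [], "none"
    changes = [name for name, check in CHANGE_CHECKS.items()
               if check(record.notice, new_notice)]
    recent = now - record.captured_at <= SIGNIFICANT_ELAPSED
    action = "notify" if (record.record_accessible and recent) else "reconfirm"
    return changes, action


def resolve_reconsent(responded: bool) -> str:
    """No response to a re-consent request: the original consent is treated as withdrawn."""
    return "active" if responded else "withdrawn"


# Constructed sample notices (no real organization or vendor)
NOTICE_V1 = {
    "controller": "Example Co. (constructed)",
    "purposes": {"account_management": {"mandatory": ["name", "email"],
                                        "optional": ["telephone"]}},
    "third_parties": [],
    "retention_days": 365,
    "geo_location": "EU",
}
# Version 2 adds a recipient and extends retention (triggers f and g above)
NOTICE_V2 = dict(NOTICE_V1, third_parties=["analytics vendor (constructed)"],
                 retention_days=730)
T0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
RECORD = capture_consent("alice-work", "en", NOTICE_V1,
                         {"account_management": ["telephone"]}, T0)


def days_after(n: int) -> datetime:
    """Helper for the scenarios below: a point in time n days after capture."""
    return T0 + timedelta(days=n)


if __name__ == "__main__":
    print(evaluate_change(RECORD, NOTICE_V1, days_after(1)))     # ([], 'none')
    print(evaluate_change(RECORD, NOTICE_V2, days_after(30)))    # notify
    print(evaluate_change(RECORD, NOTICE_V2, days_after(400)))   # reconfirm
    print(resolve_reconsent(responded=False))                    # withdrawn
```

The hash over the canonicalised notice is what lets the record satisfy 5.2.8 without storing a separate version label: any change to the presented content, including wording changes that none of the category checks catch, still yields a different fingerprint and so still prompts the organization to decide between notifying and reconfirming.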