Control Catalogue: AdvCIS v1.2 - Online Privacy Notice and Consent Record

Operational Notice & Privacy Clause Controls Catalogue

This work is non-normative and (like the MVCR v.7 Appendices) should only be used as non-normative and subject to AdvCIS IPR. This catalogue is used for mapping the ISO 27560 WD 1, CR V1.2 Report, to the ISO 29184 Controls, including content and structure control terms, content specification, consent specification and notification requirements, to specific terms of service and contract clauses.

  1. Application

  2. Notice

  3. Content of Notice

  4. Consent

  5. Change of Conditions: Notifications

Application

Determining whether the control applies

Use of controls

Expected results of the application for a successful use of the Notice and/or Consent Receipt

Notice Conformance

Able to identify the control in a notice and capture it

Notice Creation

Record Conformance

Is a control required for a record? When there are reasons that can justify that the control does not apply, the justification is linked, documented and validated.

Use 3: Demonstrating Conformance

ISO 29184 Scope: Organisations that wish to demonstrate compliance with this document shall document for each control of Clause 5.

Demonstration of compliance with ISO 29184 is out of scope for this catalogue (and out of scope of ISO 27560 WD 1 without this catalogue and mapping). Item c), how the implementation of the control is verified and validated (with the use of the receipt), is out of scope of this document.


CR v1.1: ISO 29184: Notice & Consent Control Catalogue

 

Notice

Notice Content & Structure Controls (Definitions)

Notice Obligation

 

Meaningfully Exercise Consent

provide notice where it is required, in a language appropriate to PII principals, at a time that permits PII principals to meaningfully exercise consent, at places where it is easy for PII principals to recognize, and with references that provide PII principals with access to supplementary material, including prior notices and their responses

 

5.2.2 Providing notices obligation

The organization shall identify situations where providing notice is necessary and shall provide notice that complies with the requirements and recommendations.

The organization shall provide a notice to PII principals in accordance with relevant data protection/privacy legislation.

 

5.2.3 Appropriate expression

The organization shall provide the notice in a way that is clear and easy to understand for the targeted PII principals. The notice shall be easily legible and in a concise language that a reasonable person without any legal or technical training can comprehend.

The notice should be drafted taking into account particular categories or types of PII principals (e.g. disadvantaged societal sub-groups).

 

5.2.4 Multi-lingual notice

The organization shall provide the notice in the language(s) according to the target principal's language expectations.

For example, the organization may present the PII principal with a list of supported languages displayed in the respective languages and allow the PII principal to choose the language. Displaying the name of each language in that language is important, as the PII principal may not be able to recognize it if it is shown in another language.

A web browser has a preference setting for a preferred language, and it may be used for this purpose.

However, solely depending on the browser's language preference may not be a good idea, since the PII principal may be using a shared computer.
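The following is an added example, not code from the catalogue or from ISO 29184, showing one way to apply 5.2.4: the browser's Accept-Language header is parsed into a ranked list and matched against the notice languages the organization supports, but an explicit choice made by the PII principal always overrides it, and the language picker names each language in that language. The supported-language set and the sample header are constructed values.

```python
"""Choosing the language of a privacy notice (ISO/IEC 29184 5.2.4).

Added illustration; not the catalogue's own code. Supported languages and
the Accept-Language header used below are constructed sample values.
"""
from __future__ import annotations

import re

# Supported notice languages, each named in that language itself (endonym),
# so that a PII principal can recognise their own language in the picker.
SUPPORTED = {
    "en": "English",
    "fr": "Français",
    "de": "Deutsch",
    "ja": "日本語",
}

_TAG = re.compile(r"[a-z0-9]{1,8}(-[a-z0-9]{1,8})*|\*")
_Q = re.compile(r"q\s*=\s*([0-9.]+)")


def parse_accept_language(header: str) -> list[tuple[str, float]]:
    """Return (language-tag, q) pairs from an Accept-Language header, best first.

    Comma-separated language ranges with an optional ';q=' weight (default 1.0);
    q=0 means "not acceptable". Malformed entries are skipped rather than trusted.
    """
    ranked: list[tuple[str, float]] = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        tag = tag.strip().lower()
        if not _TAG.fullmatch(tag):
            continue
        q = 1.0
        m = _Q.search(params)
        if m:
            try:
                q = float(m.group(1))
            except ValueError:
                continue
        if q > 0:
            ranked.append((tag, q))
    # stable sort: header order breaks ties between equal weights
    ranked.sort(key=lambda p: p[1], reverse=True)
    return ranked


def choose_notice_language(accept_language: str | None,
                           explicit_choice: str | None = None,
                           default: str = "en") -> str:
    """Pick the language in which to present the notice.

    An explicit choice by the PII principal wins; the browser preference is only
    a hint, because the browser may belong to a shared computer (5.2.4).
    """
    if explicit_choice and explicit_choice.lower() in SUPPORTED:
        return explicit_choice.lower()
    if accept_language:
        for tag, _ in parse_accept_language(accept_language):
            if tag in SUPPORTED:
                return tag
            primary = tag.split("-")[0]   # fall back from "fr-ch" to "fr"
            if primary in SUPPORTED:
                return primary
    return default


def language_picker() -> list[tuple[str, str]]:
    """Options for the language chooser: code and the name shown in that language."""
    return sorted(SUPPORTED.items())


if __name__ == "__main__":
    hdr = "fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"   # constructed sample header
    print(parse_accept_language(hdr))
    print(choose_notice_language(hdr))                        # fr
    print(choose_notice_language(hdr, explicit_choice="de"))  # de
    print(language_picker())
```

The explicit choice should be stored with the PII principal's account rather than only in the browser, for the same shared-computer reason the clause gives.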

 

5.2.5 Appropriate timing

The organization shall determine and document the appropriate timing (e.g., immediately prior to collecting the PII) for providing notice to the PII principals when the activity in question is relevant to the privacy interests of the PII principals.

  1. When an organization provides a PII principal with a notice and then collects the PII at a later point in time, including cases in which data are collected from another source, the timing of the notice and the collection of PII can differ significantly.

  2. The organization should provide notice where the use of PII can have unexpected or significant effects on PII principals. If an organization intends to collect additional PII, they should provide a further notice.

Timestamp for Consent Capture: a timestamp is also needed for when the data will be processed, and if processing is not just in time, for when processing occurs.

5.2.6 Appropriate locations

The organization shall provide notices in a manner appropriate to the product or service in question so that PII principals can find and access the notices electronically and easily, including at online locations.

  1. Appropriate online locations can include but are not limited to links on the organization's home pages on its websites, or on the landing page, the start-up page of mobile apps, online forms, or in captive portals.

  2. In some cases, PII may be processed without prior interaction with the PII principal. From the point of view of the PII principals, it would actually be quite hard to even find out who is processing their data and thus it does not help to post the privacy notice only on the organization's web site. It is useful to have a place where a PII principal can go and obtain the privacy notices of such organizations. Thus, where applicable and feasible, the organization should consider using a publicly accessible common repository where stakeholders can easily find and access the relevant notices.

 

5.2.7 Appropriate form

The organization shall determine how the notice is provided and made accessible with respect to the timing of processing.

  1. The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices and icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII principal can parse it to optimize the user interface and help PII principals make decisions.

  2. If the organization implements the control using a layered notice, the first layer should detail anything unexpected or things that could significantly impact a PII principal. The other layers should provide notice of all collection and/or processing activities in order to give the PII principal detailed information of these activities. [..]

 

5.2.8 Ongoing reference

The organization shall keep and make available the version of the notice presented when the PII principal gave consent, as well as the most recent relevant version for easy reference by that PII principal.

  1. Versions of notices should be retained for as long as they are associated with retained PII.

 

5.2.9 Accessibility

The organization shall provide a notice in an accessible manner that is appropriate to the technologies underlying the online service.

Particularly in cases where individuals with accessibility issues are expected to access notices, the notices should enable them to understand the content of the notices. This may involve the need to ensure that the text of the notice can be converted to sound for those individuals with visual issues. Guidelines such as ISO/IEC 40500:2012 W3C Web Content Accessibility Guidelines (WCAG) 2.0 help in designing accessibility.

 

Contents of notice

5.3.1 General

5.3.2 Purpose description

The organization shall ensure that the notice includes information about the purpose(s) for which the PII will be processed.

It is important for PII principals to understand the purposes for the processing of the PII collected so that they can provide meaningful consent. For brevity of the notice, a name or short phrase for each purpose may be used, but it should be possible (e.g., via a hyperlink) to associate that name or phrase with an overview of the purpose sufficient for PII principals to provide meaningful consent. [..]

5.3.3 Presentation of purpose description

The organization shall specify the purposes related to the collection of each element of PII and appropriate information about the plausible risk of the processing, in an order according to the general assessment of the risk.

NOTE The impact and risk may not necessarily be obvious.

5.3.4 Identification of the PII controller

The organization shall provide the PII principal with the relevant information (e.g., the identity and contact details) about the PII controller.

Identification of the PII controller is typically by company name, but could also involve the displaying of company number, head office / operational address and (if appropriate) departmental information.

5.3.5 PII collection

The organization shall provide information that allows PII principals to understand what elements of PII are being collected, even where the collection of the particular elements of PII is obvious.

In addition to using generic language such as "Your personal information will be collected," where appropriate based on the impact determined in the assessment described in 5.3.3, the organization should provide the list of specific elements of PII that are collected (e.g., "Your name, address, and telephone number will be collected.") even if it is obvious what the collected information is. To identify what would count as the PII to be listed in the notice, the organization should consult 4.4 of ISO/IEC 29100:2011. The organization should present the actual value of an element of PII to be collected at the time of collection where it is relevant, feasible and practical. Where it is not feasible to do so, the organization may provide a clear example of the element values being collected with the associated name of an element of PII. By doing so, the PII principal can understand what is referred to by the name of an element of PII and what kind of values are going to be collected. [..]

5.3.6 Collection method

The organization shall provide PII principals with clear explanations of the collection methods being used, along with information about any risks associated with particular collection methods.

  1. PII can be collected in different ways.

  2. For example, PII can be

    a) directly collected from the PII principal, e.g., through a web form;

    b) indirectly collected, e.g., from a third party, such as a credit agency;

    c) observed by the PII controller, e.g., observing browser fingerprint and accessed web pages;

    d) inferred by the PII controller, e.g., profiling the PII principal by analysing the data collected through methods a) to c).

5.3.7 Timing and location of the PII collection

The organization shall explain in the notice generally when and where the PII is collected, although such notice shall not be required in circumstances where PII collection occurs where and when a PII principal undertakes an action such as the explicit submission of information.

If PII is not directly collected, the timing and the location of the PII collection may not be obvious to the PII principal. Including this information in the notice will help the PII principal to understand the situation. Typically, notices should be provided prior to the PII being collected. For example, where PII is being collected on a web based form, the top of the form could include the privacy notice (or a summary of the notice with a link to the full notice). A second example: when collecting PII by CCTV in a public area, a notice that 'CCTV is in operation' along with details of the PII controller and contact details should be displayed at the entrance to the area covered by the CCTV.

5.3.8 Method of use

  1. The organization shall include in the notice how the PII will be used.

  2. Method of use can include:

    1. used as is;

    2. used after some processing (e.g., derivation, inference, de-identification, or combining with other data);

    3. combined with other data (e.g., geo-localized, via the use of cookies, from third parties);

    4. used by automated decision-making techniques (e.g., profiling, classification).

If some processing (e.g., de-identification, aggregation) is applied to the PII before use, it is desirable to state what kinds of transformations are being applied.

5.3.9 Geo-location of, and legal jurisdiction over, stored PII

The organization shall specify the geo-location(s) where PII will be stored and processed and the legal jurisdiction(s) that govern the handling of the data.

The granularity of geographical location(s) (e.g., country, region) should be consistent with the applicable geographical extent(s) of the relevant applicable law(s).

5.3.10 Third party transfer

The organization shall provide in the notice if the PII will be transferred to a third party in the ordinary course of business.

NOTE: Transfer includes PII disclosure/communication.

If an organization will transfer PII to a third party, the notice shall include, directly or indirectly:

  1. to whom the PII will be transferred;

  2. the geo-location(s) to which the PII will be transferred, and any changes in legal jurisdiction(s) that may arise;

  3. for what purpose the PII will be transferred;

  4. negative impacts on the PII principal, or risks of such impacts caused by the data transfer; and

  5. the related technical and organizational measures for the transfer (e.g., confidentiality and integrity safeguard).

Although the organization needs to identify and provide notice of individual third-party recipients, it may specify a group of recipients using clearly defined criteria where appropriate.

Criteria as specified in 5.3.10 should be clearly defined as part of a Purpose specification category or definition.

5.3.11 Retention period

The organization shall provide information about the retention period and/or disposal schedule of PII that it is collecting.

The organization should give due consideration to the purposes for the PII processing and ensure that the retention periods are appropriate. The information concerning the retention period and/or disposal schedule may be in the form of a specified period (e.g., 5 years) from the date of collection or from the occurrence of a specific event, or a specified date (e.g., to be disposed of on 1 January 2025).

It may also consist of the criteria used to determine that period or schedule.

An organization may collect PII for multiple purposes. Depending on the purposes, the retention period may differ.

As such, the data retention period may also be specified per purpose.

5.3.12 Participation of PII principal

The organization shall provide information about the PII principal's rights (e.g., access, rectification, deletion, objection, restriction, data portability, withdrawal of consent, etc.).

  1. The notice should include, directly or indirectly, the following aspects of the access:

    1. what elements of PII the PII principal can request access to and the means by which the PII principal can make such a request;

    2. what information the PII principal has to provide to authenticate themselves to an acceptable level before access to any PII is authorized (to avoid the risk of inappropriate disclosure);

    3. the timelines within which a request will be acted upon;

    4. any fees which may be charged for such access, where the charging of such fees is permitted;

    5. the means by which PII principals can challenge the accuracy and completeness of the PII and have it amended as appropriate;

    6. the circumstances where information will not be altered or deleted and detailing opportunities to indicate the PII principal’s objections regarding the correctness of the PII; and

    7. when consent is the legal basis, how it can be revoked if the revocation is feasible or required by relevant legislation.

5.3.13 Inquiry and complaint

The organization shall provide information about the contact details for inquiries regarding the processing of PII stated in the notice and about the right to lodge a complaint with a supervisory authority.

Contact information consists of, but is not limited to, telephone numbers, websites, email addresses, and physical locations where inquiries can be directed.

5.3.14 Information about accessing the choices made for consent

The organization shall inform the PII principal of where and how to access preserved evidence of choice exercised initially and as subsequently revised by the PII principal (including revocation), along with the date such choices were made.

  1. Choice and consent are distinct concepts. Choice is the action made by the PII principal. Unless the basis upon which the PII principal made the choice is informed and fair, the choice does not necessarily entail consent. This control is dealing with choice instead of consent to preserve the objective action of the PII principal. [..]

5.3.15 Basis for processing

The organization shall ensure that the notice includes information about the basis by which the PII will  be processed.

Consent is one possible basis for processing. Other bases such as performance of a contract may be possible.

5.3.16 Risks

The organization should provide specific information about plausible risks to PII principals, where the impact to privacy and likelihood of occurrence (after mitigations are taken into account) are high or those risks cannot be inferred from other information provided to the PII principal.

The information provided in notices should generally be sufficient enough that the PII principal can be reasonably expected to identify potential risks to their privacy. The risk should be explicitly communicated: for those risks that are specifically communicated to the PII principal, this can be done in a separate section or within the corresponding section (e.g. if the plausible highest risks relate to the purpose of processing and particular data types, it could be communicated within those sections, or it could be communicated in a separate section of the notice specific to risks). In some cases, it may be preferable to improve the other information provided so the risks can be better inferred from this information, e.g. by being more specific on purpose descriptions or elements of PII processed.

NOTE Residual risk to privacy of a PII principal can be determined from a risk assessment or privacy impact assessment.

Consent

Consent Record Structure Controls

5.4.1 General

Objective: To ensure the organization shall obtain consent from the PII principal when consent is the basis for collection of PII in a manner that is fair, demonstrable, transparent, unambiguous and revocable (withdrawable).

 

5.4.2 Identification of whether consent is appropriate

The organization shall identify the situations where consent or explicit consent is appropriate and shall request consent from PII principals in these situations.

  1. Explicit consent may be required, among other things, when the organization plans to collect sensitive PII or when it plans to use sensitive PII already collected for new purposes or if the collection or new purposes cause or indicate a particularly high negative impact on the PII principal or a particularly high risk of such an impact.

The organization may be required to obtain consent concerning its PII collection from PII principals by relevant data protection/privacy legislation. Consent may be required, among other things, when the organization plans to collect new PII or when it plans to use PII already collected for new purposes. Consent is not the only lawful basis for the processing of PII and thus not always required. In some jurisdictions, other lawful bases include a) contractual necessity, b) compliance with legal obligations, c) vital interest, d) public interest, and e) legitimate interests.

5.4.3 Informed and freely given consent

The organization shall provide sufficient details concerning their processing of PII so that the PII principal can give consent to the processing freely, specifically and on a knowledgeable basis, and can easily access, modify and/or withdraw that consent.

Consent is only considered to be informed if there is evidence that the PII principal has been provided a clear and understandable notice.

5.4.4 Providing the information about which account the PII principal is using

  1. When an organization is collecting consent associated with an account, the organization shall clearly indicate which account of the PII principal it is asking to grant consent.

A PII principal may have more than one online account at the PII controller. For example, the PII principal may have browser sessions to a service with both their work account and their private account. Another common example is a case where members of a family are sharing the same PC and the web browser is maintaining the sessions for all of them and the user can select the account from a pull-down menu. Organizations should display the user account or identity that is being used to give consent in the manner that the PII principal is accustomed to when using the system. [..]

5.4.5 Independence from other consent

The organization shall obtain consent for matters related to privacy separately from consent for other matters not related to privacy.

Consent for use, collection, and processing of PII should be clearly differentiated from Terms of Use.

Combining privacy related notice with other matters can obscure the notice and potentially have a negative impact on the comprehensibility of the notice. Organizations should obtain consent through an action independent from consent for any other terms not related to privacy (e.g., contractual terms and conditions).

5.4.6 Separate consent to necessary and optional elements of PII

The organization shall make it possible for the PII principal to recognize the necessary (mandatory) and optional elements of PII for each identified purpose.

If the necessary elements of PII are not provided, then the processing cannot proceed, but it is not the case for the optional elements of PII. The organization should make it possible for the PII principal to provide consent separately on the necessary elements of PII and optional elements of PII. Where PII is provided for an optional element of PII, it should be taken that consent has been given.

5.4.7 Frequency

The organization shall seek to confirm existing consent or gain the new consent of a PII principal at an appropriate interval.

 NOTE Interval may be indefinite.

If the organization asks for the consent of the PII principal too often, the PII principal may overlook what the consent is about and start accepting it without really understanding the implication of it. This is sometimes referred to as click training or user de-sensitization. The organization should not seek consent too often to prevent this from happening. An indicator for the considerations made before should be the negative impacts on the PII principal or the risks of such an impact (i.e. the frequency of confirming existing consent or gaining new consent should enable the PII principal to effectively and efficiently react to or prepare for the corresponding impacts or risks). Typically, re-consent is only required where a change of conditions (see 5.5) exists.

5.4.8 Timeliness

The organization shall obtain the consent of the PII principal in a timely manner.

Seeking the consent of the PII principal too early may have practical issues in the consideration being given to the consent. The organization should not seek the consent of the PII principal too early.
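The consent controls in 5.4 together with the notice-versioning requirement in 5.2.8, the choice-evidence requirement in 5.3.14 and the change-of-conditions clauses in 5.5 describe what a consent record has to carry. The following is an added example, not the ISO/IEC 27560 record schema and not code from the catalogue: a minimal record that stores which account granted consent (5.4.4), a content hash of the exact notice version presented (5.2.8), the timestamp of the choice and of any later withdrawal (5.3.14), and separate grants for necessary and optional PII elements per purpose (5.4.6), plus a classifier that decides whether a notice update needs notification only (5.5.2) or re-consent (5.5.3). All field names, the notice text and the account identifiers are assumptions constructed for the example.

```python
"""A minimal consent record with notice versioning and change-of-conditions checks.

Added illustration; not the ISO/IEC 27560 schema nor the catalogue's own code.
Field names and all sample values are constructed for this example.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def notice_version(notice_text: str) -> str:
    """Content hash of the exact notice text shown (5.2.8: keep the presented version)."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


@dataclass
class Purpose:
    """One purpose with its necessary and optional PII elements (5.4.6)."""
    name: str
    mandatory_pii: list[str]
    optional_pii: list[str] = field(default_factory=list)
    optional_granted: list[str] = field(default_factory=list)  # optional elements actually provided

    def valid(self) -> bool:
        # consent cannot be recorded for an optional element the purpose never listed
        return set(self.optional_granted) <= set(self.optional_pii)


@dataclass
class ConsentRecord:
    account_id: str              # which account is granting (5.4.4)
    controller: str              # identity of the PII controller (5.3.4)
    notice_hash: str             # version of the notice presented (5.2.8)
    consented_at: str            # when the choice was made (5.3.14)
    purposes: list[Purpose]
    withdrawn_at: str | None = None  # revocation is kept with its date, not deleted (5.3.14)

    def withdraw(self, when: datetime) -> None:
        self.withdrawn_at = when.astimezone(timezone.utc).isoformat()

    def is_active(self) -> bool:
        return self.withdrawn_at is None

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


def record_consent(account_id: str, controller: str, notice_text: str,
                   purposes: list[Purpose], when: datetime) -> ConsentRecord:
    """Build the record at the moment of consent; refuses malformed optional grants."""
    if not all(p.valid() for p in purposes):
        raise ValueError("optional_granted must be a subset of optional_pii")
    return ConsentRecord(account_id, controller, notice_version(notice_text),
                         when.astimezone(timezone.utc).isoformat(), purposes)


# Notice fields whose change calls for notification only (5.5.2) or for re-consent (5.5.3).
# The split mirrors the examples in those clauses; the field names are assumed.
NOTIFY_ONLY = {"controller_contact", "contact_point", "recipients", "retention_days"}
RECONSENT = {"purposes", "pii_collected", "processing", "collection_method",
             "third_party_transfer", "geo_location", "controller_identity"}


def change_of_conditions(old: dict, new: dict) -> str:
    """Return 'none', 'notify' or 'reconsent' for an update from notice `old` to `new`."""
    changed = {k for k in set(old) | set(new) if old.get(k) != new.get(k)}
    # 5.5.3 g): extending the retention period is a re-consent event; shortening it is not
    if "retention_days" in changed and new.get("retention_days", 0) > old.get("retention_days", 0):
        return "reconsent"
    if changed & RECONSENT:
        return "reconsent"
    if changed & NOTIFY_ONLY:
        return "notify"
    return "none"


if __name__ == "__main__":
    notice_v1 = "We collect your e-mail to deliver the newsletter. Retained 2 years."  # constructed
    rec = record_consent(
        account_id="alice@work",               # constructed account identifier
        controller="Example Org (constructed)",
        notice_text=notice_v1,
        purposes=[Purpose("newsletter", ["email"], ["name"], ["name"])],
        when=datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    )
    print(rec.to_json())
    old = {"controller_contact": "privacy@example.invalid", "recipients": ["mailer"], "retention_days": 730}
    print(change_of_conditions(old, {**old, "controller_contact": "dpo@example.invalid"}))  # notify
    print(change_of_conditions(old, {**old, "retention_days": 1095}))                     # reconsent
```

Storing a hash of the notice rather than a version label ties the record to the exact text the PII principal saw, which is what 5.2.8 asks the organization to keep; the full text of each hashed version still has to be retained alongside the records for as long as the associated PII is.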


5.5 Change of conditions

Objective: To ensure PII principals have an opportunity to re-consent when significant changes are made in respect to matters regarding initial consent (see 5.4).

 

5.5.2 Renewing notice

The organization shall inform the PII principal when its notice contents (see 5.3) are updated, for example when:

  1. a) the PII controller's contact details change;

  2. b) the contact point details change;

  3. c) recipients or categories of recipients change;

  4. d) PII retention period changes.

5.5.3 Renewing consent

The organization shall inform the PII principal when its notice contents (see 5.3) are updated

Situations when the PII principal is required to re-consent are, for example, when:

a) the PII controller changes the purpose of use of collected PII to something outside the scope of what was notified to the PII principal at the time PII was collected;

b) there is a substantial organizational change at the PII controller (e.g., change of owner, change of business);

c) the PII controller changes the PII being collected (e.g., the PII being processed changes);

d) the PII controller changes the processing of PII;

e) the PII controller changes the collection method of PII (e.g., the methods used to collect the PII change);

f) the PII controller changes matters related to the transfer of PII to a third party (unless the PII principal was previously notified that PII would be provided to a range of third parties and the change made does not expand the scope of transfer);

g) the PII controller extends the retention period or changes the disposal date notified to the PII principal at the time PII was collected;

h) the PII controller changes matters related to disclosure, use and retention period, correction, deletion, third party transfer, or revoking of consent;

i) the PII controller changes the geo-location of data collection.

When organizations should seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes. Where re-consent is requested, and no response is received, it should be assumed that the original consent has been withdrawn. If a PII principal was notified of a change and that change is going to be made within a notified context, the organization can change without obtaining consent from the PII principal.

In many cases, the consent for an individual PII principal would be obtained at the login time of the PII principal.

Legal justifications, privacy rights: 72 hour breach notification (DPA)

Notification Controls

Notification Requirements