From 2c6ad3ea309066246fba84bc35a504c6c36919cb Mon Sep 17 00:00:00 2001 From: Harshvardhan Pandit Date: Mon, 19 Aug 2024 19:36:36 +0100 Subject: [PATCH] fixes in guide consent 27560 - new changelog/errata section added - updated date to align with DPV 2.0 release - fixed incorrect concepts (InvolvementControl) for consent withdrawing - removed use of dct:type - fixed examples based on changes in DPV 2.0 - includes ReSpec outputs for consent guide and primer - cherry picked from dev b5dd89c50dc369d79549a6a46511cf47f3d47e25 --- .../template_guides_consent_27560.jinja2 | 196 +- guides/consent-27560.html | 4470 ++++++++++------- primer/index.html | 2092 +++++--- 3 files changed, 4303 insertions(+), 2455 deletions(-) diff --git a/code/jinja2_resources/template_guides_consent_27560.jinja2 b/code/jinja2_resources/template_guides_consent_27560.jinja2 index 9ad0e844e..e80ffc0fc 100644 --- a/code/jinja2_resources/template_guides_consent_27560.jinja2 +++ b/code/jinja2_resources/template_guides_consent_27560.jinja2 @@ -9,7 +9,7 @@ var respecConfig = { title: "Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV", shortName: "guide-27560", - specStatus: "{{DOCUMENT_STATUS}}", + specStatus: "CG-FINAL", group: "dpvcg", latestVersion: "https://w3id.org/dpv/guides/consent-27560", canonicalUri: "https://w3id.org/dpv/guides/consent-27560", @@ -80,7 +80,7 @@

The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. This document provides a guide for the implementation of machine-readable consent records and receipts as defined in ISO/IEC TS 27560:2023 by using the Data Privacy Vocabulary (DPV). Additionally, this document also provides guidance on using ISO/IEC TS 27560:2023 for meeting EU GDPR requirements regarding consent.

- {{ sotd('guide-consent-27560') }} + {{ sotd('guide-consent-27560', draft=False) }} {{ dpv_document_family(document='dpv-guides') }}
@@ -374,7 +374,7 @@ N/A N/A dpv:Purpose categories - dpv:hasPurpose or dct:type + dpv:hasPurpose lawful basis @@ -477,8 +477,8 @@ Mandatory 7-3, 13-2c, 14-2d withdrawing consent Mandatory - dpv:WithdrawingFromActivity - dpv:hasInvolvementControl + dpv:WithdrawConsent + dpv:hasConsentControl privacy rights @@ -544,7 +544,7 @@ N/A N/A dpv:SensitivePersonalData, dpv:SensitivityLevel - dpv:hasPersonalData or dct:type, dpv:hasSensitivityLevel + dpv:hasPersonalData, dpv:hasSensitivityLevel special pii category @@ -552,7 +552,7 @@ 9 special categories of data Mandatory dpv:SpecialCategoryPersonalData - dpv:hasPersonalData or dct:type + dpv:hasPersonalData party fields @@ -1054,7 +1054,7 @@

Additional Metadata

-

Information such as who maintains or published the record, when was it created or modified, and its provenance is not covered by [[ISO-27560]] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [[DC-TERMS]] are suggested for documenting this information in an optional and non-normative manner:

+

Information such as who maintains or published the record, when was it created or modified, and its provenance is not covered by [[ISO-27560]] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [[DCT]] are suggested for documenting this information in an optional and non-normative manner:

+
+

Changelog and Errata

+

15 August 2024

+
    +
  • Changed InvolvementControl (which doesn't exist) to ConsentControl (which is what was added in DPV 2.0). This change affects ISO 27560:2023, EU GDPR, and DPV comparison table, Processing Fields table, Consent Change & Withdrawal section, Example 19: Example specifying change and withdrawal of consent, Example 39: Example of a Consent Record with only the required fields, Example 40: Example of a Consent Record with both required and optional fields, Example 46: Example of a Consent Receipt with information from required fields in a consent record.
    • +
  • Removed `dct:type` in favour of `rdf:type` and directly using the DPV concepts following changes made in DPV 2.0.
    • +
  • Added note in Purpose field section describing use of `rdf:type` and `skos:broader` with a link to the Primer.
    • +
  • Updated examples to use `skos:broader` and concepts as per DPV 2.0
    • +
  • Added sentence to storage duration field regarding there being two examples - one showing the value used directly and another one with the type explicitly declared.
    • +
+

01 July 2024 First version published

+
+ {% block ACKNOWLEDGEMENTS %}

Funding Acknowledgements

diff --git a/guides/consent-27560.html b/guides/consent-27560.html index 71f707a19..d4bb8b319 100644 --- a/guides/consent-27560.html +++ b/guides/consent-27560.html @@ -1,348 +1,55 @@ - - - - Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV - - - - + + + +Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV + + + + + + + + + + + + + - - -
+ + +
+ +

Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV

+

+ Final Community Group Report + +

+
+
This version:
+ https://www.w3.org/community/reports/dpvcg/CG-FINAL-guide-27560-20240801/ +
+
Latest published version:
+ https://w3id.org/dpv/guides/consent-27560 +
+
Latest editor's draft:
https://dev.dpvcg.org/guides/consent-27560
+ + + + +
Editor:
+ Harshvardhan J. Pandit (Harshvardhan J. Pandit) +
+ +
Authors:
+ Harshvardhan J. Pandit (ADAPT Centre, Dublin City University, Ireland) +
+ Georg P Krog (Signatu, Oslo, Norway) +
+ Jan Lindquist (Linaltech, Stockholm, Sweden) +
+
Feedback:
+ GitHub w3c/dpv + (pull requests, + new issue, + open issues) +
+
Key Publications
+ Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA (2024) +
+ Data Privacy Vocabulary (DPV) -- Version 2 (2024) +
+ Creating a Vocabulary for Data Privacy (2019) +
+
+ +

+ Copyright + © + 2024 + + the Contributors to the Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV + Specification, published by the + Data Privacy Vocabularies and Controls Community Group under the + W3C Community Final Specification Agreement (FSA). A human-readable + summary + is available. + +

+
+
+

Abstract

The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. This document provides a guide for the implementation of machine-readable consent records and receipts as defined in ISO/IEC TS 27560:2023 by using the Data Privacy Vocabulary (DPV). Additionally, this document also provides guidance on using ISO/IEC TS 27560:2023 for meeting EU GDPR requirements regarding consent.

-
- +

Status of This Document

+ This specification was published by the + Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it + on the W3C Standards Track. + + Please note that under the + W3C Community Final Specification Agreement (FSA) + other conditions apply. + + Learn more about + W3C Community and Business Groups. +

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

-
+

+ GitHub Issues are preferred for + discussion of this specification. + + +

-
-

DPV and Related Resources

-

[[[DPV]]]: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]], and [[AI]]. Specific [[LEGAL]] extensions are also provided which model jurisdiction specific regulations and concepts . To support understanding and applications of [[DPV]], various guides and resources [[GUIDES]] are provided, including a [[PRIMER]]. A Search Index of all concepts from DPV and extensions is available.

-

[[DPV]] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [[DPVCG]], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

+
+ +

Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction specific regulations and concepts . To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.

+

[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.

-
+

2. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

+ The key words MAY and MUST in this document + are to be interpreted as described in + BCP 14 + [RFC2119] [RFC8174] + when, and only when, they appear in all capitals, as shown here. +

-
-

Profiles

-

The following profiles are provided by DPVCG for the implementation of [[ISO-27560]] in different use-cases. They are defined under the namespace: https://w3id.org/dpv/schema/dpv-27560#, prefixed hereafter as dpv-27560:

+

3. Profiles

+ +

The following profiles are provided by DPVCG for the implementation of [ISO-27560] in different use-cases. They are defined under the namespace: https://w3id.org/dpv/schema/dpv-27560#, prefixed hereafter as dpv-27560:

  1. dpv-27560:record: Consent Records conforming with 27560
  2. dpv-27560:record-eu-gdpr Consent Records conforming with 27560 and containing information as required by EU GDPR
    3. @@ -390,8 +948,8 @@

    Profiles

  3. dpv-27560:receipt-eu-gdpr Consent Receipts conforming with 27560 and providing information as required by EU GDPR
-
-

Namespaces

+

4. Namespaces

+

The following namespaces and prefixes are used throughout this document:

@@ -407,87 +965,87 @@

Namespaces

prefixURI
-
-
-

Introduction

-
-

Consent Records and Receipts

-

(Informed) Consent is an important legal basis as it provides control and empowerment to data subjects or users based on the ability to choose and make decisions. Privacy and data protection laws such as [[EU-GDPR]] regulate this process by defining conditions for when consent should be considered Valid Consent. The process of Informed Consent requires information be provided in the form of a Consent Notice to inform the data subject about the processing that will occur based on the consent and to enable them to make an informed choice or decision.

+ +

5. Introduction

+ + -