Approval control: ISO standards meet the vision of the European Union’s digital identity
Authors:
(1) Harshvardhan J[email protected]))
(2) Jan Lindquist, Privacy and Security Group, Standards Institute, Sweden ([email protected]);
(3) Georg P. KROG, Signatu AS, OSLO, Norway ([email protected]).
Links table
Abstract and 1 introduction
2 ISO/IEC TS 27560: 2023
3 comparison ISO-27560, ISO-29184 and GDPR
4 approval and receipts records using DPV
5 GDP support and DGA
6 considerations of implementation and future work
6.1 Confidence and Security
6.2 Use records and receipts with Eidas and EUDI
6.3 Standard for PII processing information and 6.4 technical considerations in record and receipts management
6.5 IEEE P7012 Automated Privacy Conditions
7 conclusion and references
An example of the approval record with both the required and optional fields
B example of receiving approval with the required fields from the approval record
6.1 Confidence and Security
Security considerations are very important in implementing approval and receipts records, while providing ISO-27560 applications. It aims to maintain approval records internally by an entity, and requires measures to ensure that it is consistent and healthy, and is not tampered with. This includes best practices for information management such as using encryption fragmentation to ensure that information is not changed, or to use access to access to ensure only allowing authorized amendments. Current international standards such as decentralized knowledge W3C[8] (DID) and W3C verified accreditation data[9] (VC) Allow the applications compatible with ISO-27560 using DPV because they are all based on operating semantic web standards.
In order to use approval receipts in a way that can be verified and confidently, the information in the receipt may require encryption measures to provide a guarantee to prove their ability to install and not pack. Moreover, receipts aim to be the information provided or exchange between different entities, which may require a mechanism to clearly verify the source (for example, a receipt from A to B) has been provided and capable of installation (for example, exactly X receipts). Curvement technologies such as digital signatures and certificates such applications can support their current use in applications and documents that support the Internet. Previous work [7] And projects[10] Such considerations have explored, but effective implementation requires consensus between stakeholders to create an inter -operating ecosystem.
Given the role of approval and receipts in showing approval decisions, they may end up with sensitive information. ISO-27560 recommends not to put this information directly in records and receipts, and if necessary, applications should use techniques such as hiding information or pseudonym to avoid exposing sensitive information directly. Although this should be balanced for the purpose of receipts in providing data topics with information about their approval.
6.2 Use records and receipts with Eidas and EUDI
After launching projects to use the European digital identity portfolio (EUDI)[11] For travel, health, banking services, education and other sectors, Cen Tc224 wg20[12]It is the Technical Committee for Tawhid Unification of the European Union to identify personal identity, which started a new project standards to provide guidance on when personal data (features) from the portfolio are shared according to EIDAS and its proposed review.
In this, ISO-27560 and ISO-29184 can be used to create an inter-operating mechanism and standards to regulate information and ensure the presence of mandatory fields needed to comply with GDP. Moreover, the use of these criteria also allows a fixed approach to creating common information panels that can work across the European Union. These privacy information boards will allow the wallet holder to have an overview of all their approval transactions, including any suspended requests in addition to providing a central mechanism to control their rights and withdraw approval using Eidas and EID mechanisms to prove the identity and prove the previous post.
ISO-27560 and ISO-29184 are very important as the only criteria related to approval, receipts, and privacy notifications, respectively. Using the analysis and applications described in this article, the ISO-27560 solution that also corresponds to the gross domestic product can be used to store approval records and receipts in the governor, which enables data topics to obtain a copy of their decision and their agreement to process personal data.
Its availability of the topic of data in coordination for machine can be used in innovative applications that enhance the re -use of data while ensuring adequate commitment to European Union values and regulations. For example, by looking at previous approval records or receipts, preferences can be determined how the individual makes decisions and can be used to create a template or pattern that makes future approval decisions more efficient and simpler for the individual. ISO-27560 Annex F provides instructions on how to represent preferences such as “privacy signals” in registrations and approval receipts.
Another strong model is also possible when combining ISO -27560 with EID, EIDAS and Eudi – where the topic of data begins in the approval process by providing specific approval to use or reuse its personal data, for example to access a specific service. In this scenario, the topic of the data decides the extent of what will be covered by their approval, and provides their consent to the service provider, and maintains a approval record within his portfolio with a signature receipt for the service provider as evidence of approval.
[8] https://www.w3.org/tr/vc-data-model/ [9] https://www.w3.org/tr/did-core/ [10] NGI Privacy Financing as expected: D2 D2 Technical Delivery Project Https://doi.org/10.5281/zenodo.5086238