ISO/IEC TS 27560:2023
(Main)Privacy technologies — Consent record information structure
Privacy technologies — Consent record information structure
This document specifies an interoperable, open and extensible information structure for recording PII principals' consent to PII processing. This document provides requirements and recommendations on the use of consent receipts and consent records associated with a PII principal's PII processing consent, aiming to support the: — provision of a record of the consent to the PII principal; — exchange of consent information between information systems; — management of the life cycle of the recorded consent.
Technologies pour la protection de la vie privée — Structure de l'information d'enregistrement du consentement
General Information
Buy Standard
Standards Content (Sample)
TECHNICAL ISO/IEC TS
SPECIFICATION 27560
First edition
2023-08
Privacy technologies — Consent
record information structure
Technologies pour la protection de la vie privée — Structure de
l'information d'enregistrement du consentement
Reference number
ISO/IEC TS 27560:2023(E)
© ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC TS 27560:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC TS 27560:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview of consent records and consent receipts . 2
5.1 General . 2
5.2 Consent record . . 2
5.3 Consent receipt . 3
6 Elements of a consent record and consent receipt . 3
6.1 Overall objectives . . 3
6.2 PII controller recordkeeping . 3
6.2.1 General . 3
6.2.2 Record keeping for consent records . 4
6.2.3 Recordkeeping for consent receipts . 5
6.2.4 Relationship between records and receipts — control . 6
6.3 Record information structure . 6
6.3.1 General . 6
6.3.2 Structure of the consent record . 6
6.3.3 Record header section contents. 7
6.3.4 PII processing section contents. 9
6.3.5 PII information . 17
6.3.6 Party identification section contents . 19
6.3.7 Event section contents . 21
6.4 Receipt information structure .23
6.4.1 General .23
6.4.2 Structure of the receipt — control . 23
6.4.3 Consent management — control . 23
6.4.4 PII principal participation — control . 23
6.4.5 Receipt metadata section contents . 24
6.4.6 Receipt content — control . 24
Annex A (informative) Examples of consent records and receipts .25
Annex B (informative) Example of consent record life cycle .29
Annex C (informative) Performance and efficiency considerations .33
Annex D (informative) Consent record encoding structure.38
Annex E (informative) Security of consent records and receipts .39
Annex F (informative) Signals as controls communicating PII principal's preferences and
decisions .41
Annex G (informative) Guidance on the application of consent receipts in the context of
privacy information management systems .43
Annex H (informative) Mapping to ISO/IEC 29184 .50
Bibliography .52
iii
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC TS 27560:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
iv
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC TS 27560:2023(E)
Introduction
This document specifies requirements and guidelines for organizations to record information about:
— consent obtained from individuals prior to collecting and processing personally identifiable
information (PII); and
— the means by which individuals keep track of such content.
ISO/IEC 29184 specifies controls which shape the content and the structure of online privacy notices,
and the process of asking for consent to collect and process PII from PII principals. ISO/IEC 29184 is
focused on the obligations of the PII controller, or entities processing PII on behalf of the PII controller,
to inform PII principals of how their PII is processed. ISO/IEC 29184 does not address the needs of PII
principals.
This document builds upon ISO/IEC 29184 by addressing the concept of giving the PII principal a record
for their own recordkeeping, which includes information about the PII processing agreement and
interaction. We call this record the “consent receipt”.
This document specifies a structure that is used by both principals in consent management: namely
a specification for data to be held by the organization to allow record-keeping with good integrity
(subject to the defined controls), and an artefact (the “consent receipt”) that is given to the individual
whose PII is being processed.
This document does not specify an exchange protocol for consent records or consent receipts, nor
structures for such exchanges.
v
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 5 ----------------------
TECHNICAL SPECIFICATION ISO/IEC TS 27560:2023(E)
Privacy technologies — Consent record information
structure
1 Scope
This document specifies an interoperable, open and extensible information structure for recording PII
principals' consent to PII processing. This document provides requirements and recommendations on
the use of consent receipts and consent records associated with a PII principal's PII processing consent,
aiming to support the:
— provision of a record of the consent to the PII principal;
— exchange of consent information between information systems;
— management of the life cycle of the recorded consent.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
ISO/IEC 29184:2020, Information technology — Online privacy notices and consent
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 29184
and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
consent
personally identifiable information (PII) principal’s freely given, specific, and informed agreement to
the processing of their PII
Note 1 to entry: Consent is a freely given and unambiguous decision or a clear affirmative action of a PII principal
by which the PII principal, after being informed about a set of terms for the processing of their PII, denotes an
agreement to this processing.
Note 2 to entry: Processing of PII refers to operations such as its collection, use, disclosure, storage, erasure, or
transfer.
[SOURCE: ISO/IEC 29100:2011, 2.4, modified – Notes 1 and 2 to entry have been added]
1
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC TS 27560:2023(E)
3.2
consent receipt
information issued or provided as an acknowledgement of consent record(s), which may contain a
reference to the records and information within it
Note 1 to entry: The consent receipt is intended to facilitate inquiries or complaints by the personally identifiable
information (PII) principal about the processing of PII, and for the PII principal to exercise rights related to their
PII.
3.3
consent record
information record describing a personally identifiable information (PII) principal’s consent for
processing of their PII, and the time and manner of a PII principal’s acceptance of their PII processing
notice
3.4
consent type
description of the way in which consent is expressed by the personally identifiable information (PII)
principal
Note 1 to entry: The criteria or conditions associated with consent type can be derived from laws, regulations,
standards, and domain-specific guidelines.
Note 2 to entry: Commonly used types for consent are: explicit, explicitly expressed and implied. See
ISO/IEC 29184:2020, 3.1 for further details.
4 Abbreviated terms
ASCII American Standard Code for Information Interchange
GDPR General Data Protection Regulation
HMAC hash-based message authentication code
JSON JavaScript object notation
PII personally identifiable information
UTF unicode transformation format
UUID universally unique identifier
5 Overview of consent records and consent receipts
5.1 General
PII principals are often asked to provide PII by organizations who want to process information about
them. A PII principal can consent to the collection and processing of PII. A standardized record of a
consent enhances the ability to maintain and manage permissions for personal data by both the PII
principal and the PII controller. This document describes an extensible information structure for
recording a PII principal's consent to data processing.
This document elaborates on the example presented in ISO/IEC 29184. See Annex H for the mapping
between the clauses of this document and those in ISO/IEC 29184.
5.2 Consent record
A consent record documents the PII principal’s decision regarding consent to process their PII. Prior to
collecting and processing PII, PII controllers typically present a privacy notice describing the proposed
2
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC TS 27560:2023(E)
processing of PII and relevant information such as relevant privacy rights. The PII principal can decide
to provide their PII for processing. The PII controller can then document that decision and its context in
the form of a consent record, to satisfy their regulatory obligations and recordkeeping requirements.
The PII controller defines the detailed structure.
See Annex A for an example of a consent record in JSON format.
5.3 Consent receipt
A consent receipt is an authoritative document providing a reference to a consent record, or information
contained therein. Receipts are intended for entities to share information regarding consent, such
as a PII controller giving the PII principal a receipt regarding their given consent and its associated
processing. Receipts enable stakeholders such as PII principals to keep their own records and to ensure
that the consent decisions are acknowledged by relevant entities such as the PII controller. Receipts
also facilitate inquiries or complaints, such as from a PII principal to a PII controller or an authority
regarding consent or rights associated with their PII.
See Annex A for an example of a consent receipt in JSON format.
6 Elements of a consent record and consent receipt
6.1 Overall objectives
The first overall objective of this document is to describe a consent record as an information structure
for recordkeeping activities related to:
— the PII requested by a PII controller to perform certain activities;
— the provision of notices that indicate which treatments or uses of the PII will be made by the PII
controller and possibly other third parties;
— the reception of PII by the PII controller because it is either provided directly by the PII principal, or
derived or inferred from existing PII, or obtained from a third party; and
— the dates when: the PII is requested by the PII controller, the PII principal gives consent, and the PII
is received by the PII controller.
A second overall objective of the document is to describe consent receipt as an information structure
for the optional transmission of PII controller to a PII principal. It either refers to a consent record
or contains information from a consent record. This information can be used by the PII principal
independent of the PII controller to form the basis for the PII principal’s personal recordkeeping
activities.
See Annex D for information on the consent record encoding structure.
See Annex G for guidance to implementors of ISO/IEC 27701.
6.2 PII controller recordkeeping
6.2.1 General
This clause describes requirements for recording details of online privacy notices and consent
exchanged by a PII controller and the PII principal prior to commencement of PII processing. This
clause also describes requirements for recording sufficient details to enable ongoing reference to the
notice provided in accordance with ISO/IEC 29184:2020, 6.2.8 and to enable management of changing
conditions with respect to the notice and consent in ISO/IEC 29184:2020, 6.5.
3
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC TS 27560:2023(E)
6.2.2 Record keeping for consent records
6.2.2.1 Presentation of notice — control
The organization shall keep records of the specific version or iterations of a notice as it was presented
to the PII principal. Such records shall be kept in a format and manner that provide assurances that the
records’ integrity is maintained over time and accurately reflects the notice, its contents, and context of
use at the time of presentation to the PII principal.
6.2.2.2 Timeliness of notice — control
The organization shall keep records of the time of and the manner in which the notice was presented,
and if available, the location.
NOTE The content of notices is described in ISO/IEC 29184:2020, 5.3.
6.2.2.3 Obtaining consent — control
Where consent is the basis for PII processing, the organization shall keep consent records in a format
and manner that provides assurances that the records’ integrity is maintained over time and accurately
reflects the activities related to obtaining consent.
6.2.2.4 Time and manner of consent — control
The organization shall keep records of the time of and the manner in which the consent was obtained,
and if available, the location.
6.2.2.5 Technical implementation — control
Technical implementation shall include communication, storage, security, serialization, modelling,
language selection, and other activities related to maintenance of records and its information described
in this document (see 6.3).
See Annex C for information on performance and efficiency considerations and Annex D for consent
record encoding structures.
See Annex E for security of consent records and receipt.
6.2.2.6 Unique reference — control
The organization shall assign, maintain and use unique references to the specific version of information
within a consent record where such information is expected to change over time.
NOTE An example of information present within consent records that can change over time includes privacy
notices, where the unique reference refers to the specific version applicable at the time of record creation.
6.2.2.7 Legal compliance — control
The organization shall determine and document how its activities and processes comply with
requirements for processing of PII. Where consent records are used to demonstrate legal compliance,
the organization shall keep records of specific legal requirements which can apply and their relationship
to the information provided in consent records.
NOTE A consent record also serves to demonstrate compliance where consent is used as the legal basis for
processing activities in some jurisdictions.
4
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC TS 27560:2023(E)
6.2.3 Recordkeeping for consent receipts
6.2.3.1 Provision of consent receipt — control
The organization shall make available information on how the PII controller transmits the consent
record or consent receipt to the PII principal.
NOTE 1 This control refers to creation and transmission of the consent receipt from PII controller to PII
principal. The PII principal is then able to establish and maintain their own independent records.
NOTE 2 See Annex F for signals as controls communicating the PII principal’s preferences and decisions.
6.2.3.2 Contents of consent receipts — control
The information provided as a consent receipt can include some or all of the information present in the
consent record.
NOTE The PII controller decides the contents of the consent receipt, balancing operational requirements
and the rights of the PII principal for an independent copy of the consent record.
6.2.3.3 Integrity of consent receipts — control
The information provided as a consent receipt may include information integrity controls to hinder
modification.
6.2.3.4 Technical implementation — control
The organization shall determine and document how its implementation of consent receipts conforms
to information requirements related to consent records as described in 6.3.
NOTE Technical implementation includes data serialization, data modelling, language selection and other
activities.
6.2.3.5 Unique reference — control
The organization shall assign, maintain, and use unique references to the specific version of information
within a consent receipt where such information is expected to change over time.
NOTE An example of information present within consent records or consent receipts that can change over
time includes privacy notices, where the unique reference refers to the specific version applicable at the time of
record creation.
6.2.3.6 Accuracy and verifiability — control
The organization shall ensure information provided in the consent receipt is accurate, traceable, and
verifiable.
NOTE The PII principal can utilize the consent receipt in contexts other than communication with the PII
controller.
6.2.3.7 Use of receipts by PII principal — control
The organization shall make available information necessary for the PII principal to interpret,
comprehend, and use the consent receipt.
Where the consent receipt is provided in a machine-readable format, the receipt interpretation
information may be given directly or given by reference.
5
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC TS 27560:2023(E)
6.2.4 Relationship between records and receipts — control
The organization shall include sufficient information in the consent receipt such that the PII principal
is able to communicate about the related consent record and its context as referenced by the receipt.
Based on information in the receipt, the PII principal can inform the PII controller or a regulator of the
context of an inquiry, complaint or exercise of rights, even if the original consent record managed by the
PII controller is no longer available.
NOTE 1 If the amount of information replicated between the consent record and consent receipt is minimal,
then the PII controller assumes that the PII principal will trust the PII controller to maintain the availability and
integrity of the consent records over a given period of time, as indicated by the organization.
NOTE 2 The consent receipt is intended to facilitate inquiries or complaints by the PII principal about the
processing of PII, and for the PII principal to exercise rights related to their PII.
6.3 Record information structure
6.3.1 General
This clause describes requirements for the consent record information structure.
NOTE Annex A provides examples in JSON and JSON-LD formats of consent record structure and its contents.
6.3.2 Structure of the consent record
6.3.2.1 Consent record schema — control
Where the organization creates its own schema for the implementation of consent records, it shall
publish or reference the schema(s) being used and maintain documentation necessary for its correct
technical implementation and conformance to the requirements specified in this document.
6.3.2.2 Structure of consent record — control
The consent record should be organized into six sections:
— record header section;
— PII processing;
— event;
— purposes;
— PII information section; and
— party identification section.
The organization should document the expected (or acceptable) syntax, values and forms for each field
when creating schemas or utilizing them in technical implementations.
NOTE 1 The structure of the record, consisting of its sections, fields, and their expected formats and values, is
collectively referred to as a "schema" so as to permit declaring information about the representation of fields in a
record for its correct technical interpretation.
NOTE 2 Implementers can organize the structure of record and receipt fields within their schema according
to the implementers’ operational needs.
Figure 1 shows one representation of fields in a technical implementation. The “purposes” section in
Figure 1 represents the fields which are directly related to the purposes for PII processing.
6
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC TS 27560:2023(E)
The PII controller may have one or more services each with its own list of purposes for the PII
processing. Separate records may be created with a single service and one purpose, or they may be
combined all within one record. If the record contains multiple purposes the recorded event applies to
all the purposes.
This document makes no recommendation to combine or have separate records. Implementers shall
organize record contents for the most optimal management of the life cycle of the consent record
and consent receipt (see Annex B). In addition, implementors may choose to make optimizations.
For example, avoiding duplication of information by reorganizing or restructuring the storage and
utilization of records by using common references.
Key
a
These fields can be included under the
...
Style Definition
1 ISO/IEC TS DTS 27560 (DTS DoC Version 1:2023(E)
...
Formatted: Font: 11 pt
2 ISO/IEC JTC 1/SC 27/WG 5
Formatted
...
3 Secretariat: DIN
Formatted: zzCover, Left
4 Date: 2023-01-1103-15
Formatted
...
5 Privacy technologies — Consent record information structure
Formatted: Font: Not Bold, English (United States)
6 Structure de l'information pour l'enregistrement des
Formatted: English (United States)
7 consentements
Formatted: zzCover, Left, Space After: 0 pt, Don't
adjust space between Latin and Asian text, Don't adjust
space between Asian text and numbers
8
Formatted: Font: 11 pt, English (United States)
Formatted: zzCover, Line spacing: single, Don't adjust
space between Latin and Asian text, Don't adjust space
between Asian text and numbers
Formatted
...
9
10 DTS stage
11
12 Warning for WDs and CDs
13 This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
14 change without notice and may not be referred to as an International Standard.
15 Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
16 which they are aware and to provide supporting documentation.
17
18
19
© ISO 2021 – All rights reserved
---------------------- Page: 1 ----------------------
© ISO 2021
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation,
Formatted: Font: 11 pt, Font color: Blue
no part of this publication may be reproduced or utilized otherwise in any form or by any means,
Formatted: Indent: Left: 0 cm, Right: 0 cm, Border:
electronic or mechanical, including photocopying, or posting on the internet or an intranet,
Left: (No border), Right: (No border)
without prior written permission. Permission can be requested from either ISO at the address
below or ISO’sISO's member body in the country of the requester.
Formatted: Font: 11 pt, Font color: Blue
Formatted: Font: 11 pt, Font color: Blue
ISO copyright officeCopyright Office
Formatted: Font: 11 pt, Font color: Blue
CP 401 • Ch. de Blandonnet 8
Formatted: Font: 11 pt
CH-1214 Vernier, Geneva
Formatted: Font: 11 pt, Font color: Blue
Formatted: Indent: Left: 0 cm, First line: 0 cm, Right: 0
Phone: + 41 22 749 01 11
cm, Border: Left: (No border), Right: (No border)
Email: copyright@iso.org
Formatted: Font: 11 pt, Font color: Blue
Email: copyright@iso.org
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
Website: www.iso.orgwww.iso.org
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
Published in Switzerland.
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
Formatted: Indent: Left: 0 cm, First line: 0 cm, Right: 0
cm, Border: Bottom: (No border), Left: (No border),
Right: (No border)
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English (United
Kingdom)
---------------------- Page: 2 ----------------------
ISO/IEC 27560 (WD3)
Contents Formatted: Space Before: 48 pt, Don't adjust space
between Latin and Asian text, Don't adjust space
between Asian text and numbers
Foreword . v
Introduction . vi
1. Scope (mandatory) . 1
2. Normative references (mandatory) . 1
3. Terms and definitions (mandatory) . 1
4. Symbols and abbreviated terms . 2
5. Overview of consent records and consent receipts . 2
5.1 General . 2
5.2 Consent record . 2
5.3 Consent receipt . 2
6. Elements of a consent record and consent receipt . 2
6.1 Overall objectives . 2
6.2 Recordkeeping for online privacy notices and consent . 3
6.2.1 General . 3
6.2.2 PII controller recordkeeping . 3
6.2.3 Recordkeeping for consent receipts . 4
6.2.4 Relationship between records and receipts - control . 5
6.3 Record information structure . 5
6.3.1 General . 5
6.3.2 Structure of the consent record . 5
6.3.3 Record header section contents . 6
6.3.4 PII processing section contents . 8
6.3.5 PII information . 15
6.3.6 Party identification section contents . 17
6.3.7 Event section contents. 20
6.4 Receipt information structure. 22
6.4.1 General . 22
6.4.2 Structure of the receipt - control . 22
6.4.3 Consent management- control . 22
6.4.4 PII principal participation - control . 22
6.4.5 Receipt metadata section contents . 22
6.4.6 Receipt content - control . 23
Annex A (informative) Examples of consent records and receipts . 24
A.1 Consent receipt example using JSON . 24
A.2 Consent record example using JSON-LD . 26
Annex B (informative) Example of consent record lifecycle . 30
B.1. Consent record schema governance . 30
B.1.1 Consent notice and request . 30
B.1.2. Consent given . 31
B.1.3. Consent not given or refused . 31
B.1.4. Consent withdrawn or revoked. 31
B.1.5. Consent re-confirmed or reaffirmed . 31
B.1.6. Consent terminated . 32
ii © ISO 2021 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC TS 27560 (DTS DoC Version 1)
Annex C (informative) Performance and efficiency considerations . 33
C.1 General . 33
C.2 System properties . 33
C.2.1 High input rates . 33
C.2.2 Fine-grained consents . 33
C.2.3 Real-time access and consent propagation . 33
C.2.4 Designing for consistent consent experiences . 33
C.2.5 Acceptable propagation-time delay limits . 34
C.2.6 Flexibility and evolvability . 34
C.2.7 Real-world events . 34
C.2.8 User identification . 34
C.2.9 Consent records as “join hazards” . 34
C.2.10 User deletion requests . 34
C.2.11 Near-static information . 35
C.3 Common near-static data fields . 35
C.4 Consent purpose handling . 35
C.5 Consent receipt generation . 36
Annex D (informative) Storage and transmission of consent records . 37
Annex E (informative) Security of consent records and receipts . 38
E.1 Overview . 38
E.2 Confidentiality . 38
E.3 Forgery or unauthorized modification and repudiation . 38
E.4 Auditability . 38
Annex F (informative) Signals as controls communicating PII principal's preferences and
decisions . 39
Annex G (informative) Guidance on the application of consent receipts in the context of a
privacy information management systems . 40
G.1 General . 40
Annex H (informative) Mapping to ISO/IEC 29184: 2020 . 48
Bibliography . 50
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview of consent records and consent receipts . 3
5.1 General . 3
5.2 Consent record . 3
5.3 Consent receipt . 3
6 Elements of a consent record and consent receipt . 3
6.1 Overall objectives . 3
6.2 Recordkeeping for online privacy notices and consent . 4
6.2.1 General . 4
6.2.2 PII controller recordkeeping . 4
6.2.3 Recordkeeping for consent receipts . 5
© ISO 2021 – All rights reserved iii
---------------------- Page: 4 ----------------------
ISO/IEC 27560 (WD3)
6.2.4 Relationship between records and receipts — control . 6
6.3 Record information structure . 6
6.3.1 General . 6
6.3.2 Structure of the consent record . 7
6.3.3 Record header section contents . 9
6.3.4 PII processing section contents . 11
6.3.5 PII information . 20
6.3.6 Party identification section contents . 22
6.3.7 Event section contents. 24
6.4 Receipt information structure. 27
6.4.1 General . 27
6.4.2 Structure of the receipt — control . 27
6.4.3 Consent management — control . 27
6.4.4 PII principal participation — control . 27
6.4.5 Receipt metadata section contents . 27
6.4.6 Receipt content — control . 28
Annex A (informative) Examples of consent records and receipts . 29
Annex B (informative) Example of consent record life cycle . 35
Annex C (informative) Performance and efficiency considerations . 40
Annex D (informative) Consent record encoding structure . 45
Annex E (informative) Security of consent records and receipts . 46
Annex F (informative) Signals as controls communicating PII principal's preferences and
decisions . 48
Annex G (informative) Guidance on the application of consent receipts in the context of
privacy information management systems . 50
Annex H (informative) Mapping to ISO/IEC 29184 . 60
Bibliography . 63
iv © ISO 2021 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC TS 27560 (DTS DoC Version 1)
Formatted: Don't adjust space between Latin and Asian
Foreword
text, Don't adjust space between Asian text and
numbers
ISO (the International Organization for Standardization) is a and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide federation of national
standardsstandardization. National bodies (that are members of ISO member bodies). The workor IEC
participate in the development of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. Internationalby the respective
organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documentsdocument should be noted. This document was drafted in accordance
with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives 2 (see
www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawnISO and IEC draw attention to the possibility that some of the
elementsimplementation of this document may beinvolve the subjectuse of (a) patent rights. ISO(s). ISO
and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights
in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of
(a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights. Details of any patent rights identified during
the development of the document will be in the Introduction and/or on the ISO list of patent
declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
Formatted: Font: Font color: Auto
www.iso.org/iso/foreword.html) see www.iso.org/iso/foreword.html. In the IEC, see
Formatted: std_publisher, Font: Font color: Auto
www.iec.ch/understanding-standards.
Formatted: Font: Font color: Auto
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Formatted: std_docNumber, Font: Font color: Auto
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Formatted: Foreword Text, Don't adjust space between
Latin and Asian text, Don't adjust space between Asian
Any feedback or questions on this document should be directed to the user’s national standards body. A
text and numbers, Border: Top: (No border), Bottom:
complete listing of these bodies can be found at
(No border), Left: (No border), Right: (No border),
www.iso.org/members.htmlwww.iso.org/members.html and www.iec.ch/national-committees.
Between : (No border), Tab stops: Not at 1.4 cm + 2.1
cm + 2.8 cm + 3.5 cm + 4.2 cm + 4.9 cm + 5.6 cm +
6.3 cm + 7 cm
Formatted: std_docNumber, Font: Font color: Auto
Formatted: Font: Font color: Auto
Formatted: Don't adjust space between Latin and Asian
text, Don't adjust space between Asian text and
numbers
© ISO 2021 – All rights reserved v
---------------------- Page: 6 ----------------------
ISO/IEC 27560 (WD3)
Formatted: Don't adjust space between Latin and Asian
Introduction
text, Don't adjust space between Asian text and
numbers
This document specifies recommendationsrequirements and guidelines for organisationsorganizations
to record information about:
- — consent obtained from individuals prior to the collecting and processing personally identifiable
Formatted: List Continue 1, No bullets or numbering,
information (PII); and Don't adjust space between Latin and Asian text, Don't
adjust space between Asian text and numbers, Tab
- — the means by which individuals keep track of such content. stops: 0.7 cm, Left + 1.4 cm, Left + 2.1 cm, Left + 2.8
cm, Left + 3.5 cm, Left + 4.2 cm, Left + 4.9 cm, Left +
5.6 cm, Left + 6.3 cm, Left + 7 cm, Left
ISO/IEC 29184 [9] specifies controls which shape the content and the structure of online privacy
notices, and, the process of asking for consent to collect and process personally identifiable information
Formatted: std_publisher, Font:
(PII) from PII principals. ISO/IEC 29184 [9] is focused on the obligations of the PII controller, or entities
Formatted: Body Text, Don't adjust space between Latin
processing PII on behalf of the PII controller, to inform PII principals of how their PII is processed.
and Asian text, Don't adjust space between Asian text
ISO/IEC 29184 [9] does not address the needs of PII principals.
and numbers
This document builds upon ISO/IEC 29184 [9], by addressing the concept of giving the PII principal a
Formatted: std_docNumber, Font:
record for their own recordkeeping, which includes information about the PII processing agreement
Formatted: std_publisher, Font:
and interaction. We call this record the “consent receipt”.
Formatted: std_docNumber, Font:
This document specifies a structure that is used by both principals in consent management: an
Formatted: std_publisher, Font:
organization that keeps records with good integrity (subject to the defined controls), and an
artifactartefact (the “consent receipt”) that is given to the individual whose PII is being processed.
Formatted: std_docNumber, Font:
This document does not specify an exchange protocol for consent records or consent receipts, nor
Formatted: std_publisher, Font:
structures for such exchanges.
Formatted: std_docNumber, Font:
vi © ISO 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC TS DTS 27560 (DTS DoC Version 1:2023(E)
Formatted: Font: 11.5 pt, Bold, English (United
Kingdom)
Formatted: Font: 11.5 pt, Bold, English (United
Kingdom)
Information
Formatted: Normal
Formatted: Font: 11.5 pt, Bold, English (United
Kingdom)
Formatted: English (United Kingdom)
Formatted: Font: 11 pt
Formatted: Space After: 0 pt, Line spacing: single
© ISO 2021 – All rights reserved 7
© ISO/IEC 2023 – All rights reserved vii
---------------------- Page: 8 ----------------------
TECHNICAL SPECIFICATION ISO/IEC DTS 27560:2023(E)
Formatted: Section start: New page, Different first page
header
Privacy technologies — Consent record information structure
Formatted: Space Before: 20 pt, After: 38 pt, Don't
adjust space between Latin and Asian text, Don't adjust
space between Asian text and numbers
Formatted: Font color: Blue, English (United Kingdom)
1.1 Scope Formatted: Font: Bold, Font color: Blue, English (United
Kingdom)
This document specifies an interoperable, open and extensible information structure for recording PII
Formatted: Don't adjust space between Latin and Asian
principals' consent to PII processing. This document further provides requirements and
text, Don't adjust space between Asian text and
recommendations on the use of consent receipts and consent records associated with a PII principal's
numbers
PII processing consent, aiming to support the:
Formatted: Bullets and Numbering
— — provision of a record of the consent to the PII principal;
Formatted: List Continue 1, Don't adjust space between
Latin and Asian text, Don't adjust space between Asian
— — exchange of consent information between information systems;
text and numbers, Tab stops: 0.7 cm, Left + 1.4 cm, Left
+ 2.1 cm, Left + 2.8 cm, Left + 3.5 cm, Left + 4.2 cm,
— — management of the lifecyclelife cycle of the recorded consent.
Left +
...
FINAL
TECHNICAL ISO/IEC DTS
DRAFT
SPECIFICATION 27560
ISO/IEC JTC 1/SC 27
Privacy technologies — Consent
Secretariat: DIN
record information structure
Voting begins on:
2023-03-30
Voting terminates on:
2023-05-25
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC DTS 27560:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC DTS 27560:2023(E)
FINAL
TECHNICAL ISO/IEC DTS
DRAFT
SPECIFICATION 27560
ISO/IEC JTC 1/SC 27
Privacy technologies — Consent
Secretariat: DIN
record information structure
Voting begins on:
Voting terminates on:
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
ISO/IEC DTS 27560:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN
DARDS TO WHICH REFERENCE MAY BE MADE IN
ii
© ISO/IEC 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO/IEC 2023
---------------------- Page: 2 ----------------------
ISO/IEC DTS 27560:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview of consent records and consent receipts . 2
5.1 General . 2
5.2 Consent record . . 2
5.3 Consent receipt . 3
6 Elements of a consent record and consent receipt . 3
6.1 Overall objectives . . 3
6.2 Recordkeeping for online privacy notices and consent . 3
6.2.1 General . 3
6.2.2 PII controller recordkeeping . 4
6.2.3 Recordkeeping for consent receipts . 5
6.2.4 Relationship between records and receipts — control . 6
6.3 Record information structure . 6
6.3.1 General . 6
6.3.2 Structure of the consent record . 6
6.3.3 Record header section contents. 7
6.3.4 PII processing section contents. 9
6.3.5 PII information . 17
6.3.6 Party identification section contents . 18
6.3.7 Event section contents . 21
6.4 Receipt information structure .23
6.4.1 General .23
6.4.2 Structure of the receipt — control . 23
6.4.3 Consent management — control . 23
6.4.4 PII principal participation — control . 23
6.4.5 Receipt metadata section contents . 23
6.4.6 Receipt content — control . 24
Annex A (informative) Examples of consent records and receipts .25
Annex B (informative) Example of consent record life cycle .29
Annex C (informative) Performance and efficiency considerations .33
Annex D (informative) Consent record encoding structure .37
Annex E (informative) Security of consent records and receipts .38
Annex F (informative) Signals as controls communicating PII principal's preferences and
decisions .40
Annex G (informative) Guidance on the application of consent receipts in the context of
privacy information management systems .42
Annex H (informative) Mapping to ISO/IEC 29184 .49
Bibliography .51
iii
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC DTS 27560:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and nongovernmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understandingstandards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/nationalcommittees.
iv
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DTS 27560:2023(E)
Introduction
This document specifies requirements and guidelines for organizations to record information about:
— consent obtained from individuals prior to collecting and processing personally identifiable
information (PII); and
— the means by which individuals keep track of such content.
ISO/IEC 29184 specifies controls which shape the content and the structure of online privacy notices,
and the process of asking for consent to collect and process PII from PII principals. ISO/IEC 29184 is
focused on the obligations of the PII controller, or entities processing PII on behalf of the PII controller,
to inform PII principals of how their PII is processed. ISO/IEC 29184 does not address the needs of PII
principals.
This document builds upon ISO/IEC 29184 by addressing the concept of giving the PII principal a record
for their own recordkeeping, which includes information about the PII processing agreement and
interaction. We call this record the “consent receipt”.
This document specifies a structure that is used by both principals in consent management: an
organization that keeps records with good integrity (subject to the defined controls), and an artefact
(the “consent receipt”) that is given to the individual whose PII is being processed.
This document does not specify an exchange protocol for consent records or consent receipts, nor
structures for such exchanges.
v
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 5 ----------------------
TECHNICAL SPECIFICATION ISO/IEC DTS 27560:2023(E)
Privacy technologies — Consent record information
structure
1 Scope
This document specifies an interoperable, open and extensible information structure for recording PII
principals' consent to PII processing. This document provides requirements and recommendations on
the use of consent receipts and consent records associated with a PII principal's PII processing consent,
aiming to support the:
— provision of a record of the consent to the PII principal;
— exchange of consent information between information systems;
— management of the life cycle of the recorded consent.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
ISO/IEC 29184:2020, Information technology — Online privacy notices and consent
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 29184
and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
consent
personally identifiable information (PII) principal’s freely given, specific, and informed agreement to
the processing of their PII
Note 1 to entry: Consent is a freely given and unambiguous decision or a clear affirmative action of a PII principal
by which the PII principal, after being informed about a set of terms for the processing of their PII, denotes an
agreement to this processing.
Note 2 to entry: Processing of PII refers to operations such as its collection, use, disclosure, storage, erasure, or
transfer.
[SOURCE: ISO/IEC 29100:2011, 2.4, modified – Notes 1 and 2 to entry have been added]
1
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC DTS 27560:2023(E)
3.2
consent receipt
information issued or provided as an acknowledgement of consent record(s), which may contain a
reference to the records and information within it
Note 1 to entry: The consent receipt is intended to facilitate inquiries or complaints by the personally identifiable
information (PII) principal about the processing of PII, and for the PII principal to exercise rights related to their
PII.
3.3
consent record
information record describing a personally identifiable information (PII) principal’s consent for
processing of their PII, and the time and manner of a PII principal’s acceptance of PII processing notice
3.4
consent type
description of the way in which consent is expressed by the personally identifiable information (PII)
principal
Note 1 to entry: The criteria or conditions associated with consent type can be derived from laws, regulations,
standards, and domain-specific guidelines.
Note 2 to entry: Commonly used types for consent are: explicit, explicitly expressed and implied. See
ISO/IEC 29184:2020, 3.1 for further details.
4 Abbreviated terms
ASCII American Standard Code for Information Interchange
GDPR general Data Protection Regulation
HMAC hashbased message authentication code
JSON JavaScript object notation
UTF unicode transformation format
UUID universally unique identifier
5 Overview of consent records and consent receipts
5.1 General
PII principals are often asked to provide PII by organizations who want to process information about
them. A PII principal can consent to the collection and processing of PII. A standardized record of a
consent enhances the ability to maintain and manage permissions for personal data by both the PII
principal and the PII controller. This document describes an extensible information structure for
recording a PII principal's consent to data processing.
This document elaborates on the example presented in ISO/IEC 29184. See Annex H for the mapping
between the clauses of this document and those in ISO/IEC 29184.
5.2 Consent record
A consent record documents the PII principal’s decision regarding consent to process their PII. Prior to
collecting and processing PII, PII controllers typically present a privacy notice describing the proposed
processing of PII and relevant information such as relevant privacy rights. The PII principal can decide
to provide their PII for processing. The PII controller can then document that decision and its context in
2
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DTS 27560:2023(E)
the form of a consent record, to satisfy their regulatory obligations and recordkeeping requirements.
The PII controller defines the detailed structure.
See Annex A for an example of a consent record in JSON format.
5.3 Consent receipt
A consent receipt is an authoritative document providing a reference to a consent record, or information
contained therein. Receipts are intended for entities to share information regarding consent, such
as a PII controller giving the PII principal a receipt regarding their given consent and its associated
processing. Receipts enable stakeholders such as PII principals to keep their own records and to ensure
that the consent decisions are acknowledged by relevant entities such as the PII controller. Receipts
also facilitate inquiries or complaints, such as from a PII principal to a PII controller or an authority
regarding consent or rights associated with their PII.
See Annex A for an example of a consent receipt in JSON format.
6 Elements of a consent record and consent receipt
6.1 Overall objectives
The first overall objective of this document is to describe consent record as an information structure
for recordkeeping activities related to:
— the PII requested by a PII controller to perform certain activities;
— the provision of notices that indicate which treatments or uses of the PII will be made by the PII
controller and possibly other third parties;
— the reception of PII by the PII controller because it is either provided directly by the PII principal, or
derived or inferred from existing PII, or obtained from a third party; and
— the dates when: the PII is requested by the PII controller, the PII principal gives consent, and the PII
is received by the PII controller.
A second overall objective of the document is to describe consent receipt as an information structure
for the optional transmission of PII controller to a PII principal. It either refers to a consent record
or contains information from a consent record. This information can be used by the PII principal
independent of the PII controller to form the basis for the PII principal’s personal recordkeeping
activities.
See Annex D for storage and transmission information of consent records.
See Annex G for guidance to implementors of ISO/IEC 27701.
6.2 Recordkeeping for online privacy notices and consent
6.2.1 General
This clause describes requirements for recording details of online privacy notices and consent
exchanged by a PII controller and the PII principal prior to commencement of PII processing. This
clause also describes requirements for recording sufficient details to enable ongoing reference to the
notice provided in accordance with ISO/IEC 29184:2020, 6.2.8 and to enable management of changing
conditions with respect to the notice and consent in ISO/IEC 29184:2020, 6.5.
3
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC DTS 27560:2023(E)
6.2.2 PII controller recordkeeping
6.2.2.1 Presentation of notice — control
The organization shall keep records of the specific version or iterations of a notice as it was presented
to the PII principal. Such records shall be kept in a format and manner that provide assurances that the
records’ integrity is maintained over time and accurately reflects the notice, its contents, and context of
use at the time of presentation to the PII principal.
6.2.2.2 Timeliness of notice — control
The organization shall keep records of the time of and the manner in which the notice was presented,
and if available, the location.
NOTE The content of notices is described in ISO/IEC 29184:2020, 5.3.
6.2.2.3 Obtaining consent — control
Where consent is the basis for PII processing, the organization shall keep records of the consent
obtained from the PII principal in a format and manner that provides assurances that the records’
integrity is maintained over time and accurately reflects the activities related to obtaining consent.
6.2.2.4 Time and manner of consent — control
The organization shall keep records of the time of and the manner in which the consent was obtained,
and if available, the location.
6.2.2.5 Technical implementation — control
Technical implementation shall include communication, storage, security, serialization, modelling,
language selection, and other activities related to maintenance of records and its information described
in this document (see 6.3).
See Annex C for information on performance and efficiency considerations.
See Annex E for security of consent records and receipt.
6.2.2.6 Unique reference — control
The organization shall assign, maintain and use unique references to the specific version of information
within a consent record where such information is expected to change over time.
NOTE An example of information present within consent records that can change over time includes privacy
notices, where the unique reference refers to the specific version applicable at the time of record creation.
6.2.2.7 Legal compliance — control
The organization shall determine and document how its activities and processes comply with
requirements for processing of PII. Where consent records are used to demonstrate legal compliance,
the organization shall keep records of specific legal requirements which can apply and their relationship
to the information provided in consent records.
4
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC DTS 27560:2023(E)
6.2.3 Recordkeeping for consent receipts
6.2.3.1 Provision of consent receipt — control
The organization shall make available information on how the PII controller transmits the consent
record or consent receipt to the PII principal.
NOTE 1 This control refers to creation and transmission of the consent receipt from PII controller to PII
principal. The PII principal is then able to establish and maintain their own independent records.
NOTE 2 A consent record also serves to demonstrate compliance where consent is used as the legal basis for
processing activities in some jurisdictions.
NOTE 3 See Annex F for signals as controls communicating the PII principal’s preferences and decisions.
6.2.3.2 Contents of consent receipts — control
The information provided as a consent receipt can include some or all of the information present in the
consent record.
NOTE The PII controller decides the contents of the consent receipt, balancing operational requirements
and the rights of the PII principal for an independent copy of the consent record.
6.2.3.3 Integrity of consent receipts — control
The information provided as a consent receipt may include information integrity controls to hinder
modification.
6.2.3.4 Technical implementation — control
The organization shall determine and document how its implementation of consent receipts conforms
to information requirements related to consent records as described in 6.3.
NOTE Technical implementation includes data serialization, data modelling, language selection and other
activities.
6.2.3.5 Unique reference — control
The organization shall assign, maintain, and use unique references to the specific version of information
within a consent receipt where such information is expected to change over time.
NOTE An example of information present within consent records or consent receipts that can change over
time includes privacy notices, where the unique reference refers to the specific version applicable at the time of
record creation.
6.2.3.6 Accuracy and verifiability — control
The organization shall ensure information provided in the consent receipt is accurate, accountable, and
verifiable.
NOTE The PII principal can utilize the consent receipt in contexts other than communication with the PII
controller.
6.2.3.7 Use of receipts by PII principal — control
The organization shall make available information necessary for the PII principal to interpret,
comprehend, and use the consent receipt.
Where the consent receipt is provided in a machinereadable format, the receipt interpretation
information may be given directly or given by reference.
5
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC DTS 27560:2023(E)
6.2.4 Relationship between records and receipts — control
The organization shall include sufficient information in the consent receipt such that the PII principal
is able to communicate about the related consent record and its context as referenced by the receipt.
Based on information in the receipt, the PII principal can inform the PII controller or a regulator of the
context of an inquiry, complaint or exercise of rights, even if the original consent record managed by the
PII controller is no longer available.
NOTE 1 The amount of information replicated between the consent record and consent receipt is determined
by the PII controller. If the replicated information is minimal, then the PII controller assumes that the PII principal
trusts the PII controller to maintain the availability and integrity of the records over time.
NOTE 2 The consent receipt is intended to facilitate inquiries or complaints by the PII principal about the
processing of PII, and for the PII principal to exercise rights related to their PII.
6.3 Record information structure
6.3.1 General
This clause describes requirements for the consent record information structure.
NOTE Annex A provides examples in JSON and JSON-LD formats of consent record structure and its contents.
6.3.2 Structure of the consent record
6.3.2.1 Consent record schema — control
Where the organization creates its own schema for the implementation of consent records, it shall
publish or reference the schema(s) being used and maintain documentation necessary for its correct
technical implementation and conformance to the requirements specified in this document.
6.3.2.2 Structure of consent record — control
The consent record should be organized into six sections:
— record header section;
— PII processing;
— event;
— purposes;
— PII information section; and
— party identification section.
The organization should document the expected (or acceptable) syntax, values and forms for each field
when creating schemas or utilizing them in technical implementations.
NOTE 1 The structure of the record, consisting of its sections, fields, and their expected formats and values, is
collectively referred to as a "schema" so as to permit declaring information about the representation of fields in a
record for its correct technical interpretation.
NOTE 2 Implementers can organize the structure of record and receipt fields within their schema according
to the implementers’ operational needs.
Figure 1 shows one representati
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.