GTR, PII and Consent Records (CRI) - discussion on ISO 27560 applicability
Background
In our meeting on 2026-02-20, Mark Lizar presented the work he and others have been doing that has led to the ISO standard 27560 (and other important work on consent records and their use in data exchange). See for example:
- ISO: https://www.iso.org/standard/80392.html
- W3C: https://w3c.github.io/dpv/guides/consent-27560
- https://kantara.atlassian.net/wiki/spaces/WA/overview?homepageId=2916356
Note that Mark was also making the offer that the Kantara working group would be willing/interested in participating in our UN/CEFACT work (I'm being deliberately broad here rather than narrowly focused on the GTR project).
Mark's contribution to the meeting starts about 14 minutes in - this link should take you there: https://youtu.be/iFIpa91qgM4?si=-xx6gu77LFBE8vAg&t=862
Previously in our work on the GTR project we have separated out the responsibilities that we propose are ones the GRID can/should accept, and those that participating Registrars and supply chain participants should accept (and already have under their national and international legal obligations).
A general principle is that the GRID does not add or take away existing legal responsibilities.
Similarly, the UNTP and the use of credentials do not aim to create new legal meanings or change existing ones. Rather, they aim to offer a transparent and trustworthy record of what is claimed, and has been claimed, in a trade and supply chain process so that those claims can be shown to meet regulatory requirements.
I will argue below that we don't include any direct PII in our data structures for GTR or UNTP. Nevertheless, it is clear that people are very much involved in trade and supply chains. For example, registering a company requires registration of the people claiming ownership and taking responsibility for the company. Trade interactions are authorised/enacted by people (or by systems acting on behalf of people).
So the question is: are standards such as ISO 27560 directly relevant to GTR and UNTP - do we need to explicitly include them in our work, or is it more correct to see their relevance in the context of the supply chain participants (registrars, traders, regulators, border control etc.)?
Proposed approach
I want to propose a simple and direct answer to the question that we can test/explore. In this sense, my proposed approach is not a decision, but a "what if" suggestion that we can discuss in this issue.
Start with the end in mind: I don't think that ISO 27560 standard should be used as part of the foundation of our work in the GTR project nor in the UNTP specification.
This is not to say that ISO 27560 is not important. I think it, and related efforts to protect privacy and prove meaningful consent, are very important to all of us as people in this digital life. But neither GTR nor UNTP includes any direct elements of PII. Yes, company registers (for example) ultimately describe "who" is responsible for a company, but saying that a company is involved in a transaction is not in itself a PII exchange.
Within GTR we have two data structures to consider:
- The metadata of registrars and their registers that we harvest and display as part of the GRID, none of which contains personally identifiable information
- The contents of the DIA, which at its simplest are an identifier of the subject created by the Registrar and a DID proposed by the subject. The "subject" of the DIA is not a person. That the "Digital Identity Anchor" has the word "identity" in the middle can cause confusion. It would perhaps be better expressed as a "Digital Identifier Anchor" or perhaps even better a "Digital Register Anchor" - but UNTP has momentum (which is a good thing), and changing terms like DIA risks causing confusion and losing momentum.
We also have, or will have, "operational data" for the GRID itself. This data will likely include personal contact points of Registrars, members of the GRID Board, GRID staff details etc. This data DOES require the usual privacy protections afforded under national and international law. These NEED NOT be explicitly European. We do not yet know where the GRID operation will be based; it may be in Canada (like the ICAO PKD) or any other appropriate participating UN Member State. Imposing specific regional regulations (such as GDPR) is inappropriate.
So, taking the narrow view of current work on UNTP and GTR, I think that the ISO standard is not relevant to our work in specifying the GRID and use of DIA.
Potential role
Within the broader UNTP ecosystem (i.e. beyond the direct use of the core data elements of the UNTP specified credentials and GTR GRID), whenever the traceability of supply chains necessitates the collection and/or presentation of human PII (such as worker welfare checks or auditor identification), ISO 27560 could be recommended as the specific payload schema within a W3C Verifiable Credential. This allows the GTR infrastructure—powered by did:webvh SCIDs and cryptographic proofs—to securely and interoperably manage privacy compliance without compromising the primary architecture of the global trade network. This decision would rest more with UNTP and/or could be a UN/CEFACT recommendation rather than a core specification of the UNTP.
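To make the separation concrete, here is an added example (my own sketch, not code from the GTR or UNTP projects) that builds the two kinds of credential discussed above: a DIA-style credential that carries only a register identifier and a DID, and a separate Verifiable Credential whose payload is a consent record. A small walker then checks which of the two contains PII-bearing fields. The DIA subject shape is a simplified assumption, not the UNTP schema; the consent-record field names follow my reading of the W3C DPV guide to ISO/IEC 27560 and should be checked against the standard itself; the credential type name "ConsentRecordCredential", the DIDs and all values are constructed sample data.

```python
"""Added example (not from the GTR/UNTP project): separating a PII-free DIA
credential from a consent-record credential that does carry PII.

Assumptions, all mine: the DIA credentialSubject shape is a simplified sketch,
not the UNTP schema; the consent-record field names follow my reading of the
W3C DPV guide to ISO/IEC 27560 and must be checked against the standard; the
type name "ConsentRecordCredential" and all identifiers/values are constructed.
"""
from datetime import datetime, timezone

# Keys that, in the assumed 27560-style record shape, carry data about a person.
PII_BEARING_KEYS = {"pii_principal_id", "party_name", "party_contact",
                    "party_address", "pii_information"}


def build_dia_credential(registrar_did, register_id, subject_did):
    """Minimal DIA-style VC: a register identifier issued by the registrar,
    bound to a DID proposed by the subject. Contains no data about a person."""
    return {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential", "DigitalIdentityAnchor"],
        "issuer": registrar_did,
        "credentialSubject": {
            "id": subject_did,            # DID proposed by the registered entity
            "registeredId": register_id,  # identifier assigned by the registrar
        },
    }


def build_consent_credential(issuer_did, record):
    """Wrap a consent record as the payload (credentialSubject) of a VC."""
    return {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential", "ConsentRecordCredential"],  # assumed name
        "issuer": issuer_did,
        "credentialSubject": record,
    }


def find_pii_paths(obj, path=""):
    """Walk a nested dict/list structure and return the paths of every key
    that is in PII_BEARING_KEYS, e.g. 'credentialSubject.parties[0].party_name'."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in PII_BEARING_KEYS:
                hits.append(here)
            hits.extend(find_pii_paths(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_pii_paths(item, f"{path}[{i}]"))
    return hits


# Constructed sample consent record (27560-style field names, see assumptions above).
SAMPLE_CONSENT_RECORD = {
    "schema_version": "example-1",
    "record_id": "rec-0001",
    "pii_principal_id": "worker-4711",
    "purposes": [{
        "purpose": "Worker welfare audit at supplier site",
        "lawful_basis": "consent",
        "pii_information": [{"pii_type": "name"}, {"pii_type": "employment status"}],
    }],
    "parties": [{"party_id": "auditor-01", "party_name": "Example Audit Ltd",
                 "party_role": "PII controller"}],
    "events": [{"event_time": datetime(2026, 2, 20, tzinfo=timezone.utc).isoformat(),
                "event_type": "consent given", "event_state": "valid"}],
}

if __name__ == "__main__":
    dia = build_dia_credential("did:web:registrar.example", "REG-12345",
                               "did:web:acme.example")
    consent = build_consent_credential("did:web:auditor.example", SAMPLE_CONSENT_RECORD)
    print("DIA PII paths:", find_pii_paths(dia))          # expected: []
    print("Consent PII paths:", find_pii_paths(consent))
```

The point of the walker is that the privacy obligations attach to the second credential and to whoever issues and holds it (auditor, employer, regulator), while the DIA stays a pure register-to-DID binding; the same check could be run against the GRID's harvested register metadata to confirm it stays PII-free.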
Thoughts?