TrustMark Roadmap & Active-State Signalling
The HABNI (High Assurance Broadcast Network Icon) TrustMark is an internationally recognised symbol of active privacy and consent state, enabling real-time transparency for AI governance and digital identification. Unlike traditional privacy approaches that rely on static policies and assumptions, TrustMark creates a dynamic ecosystem where privacy status is continuously broadcast and verifiable.
The Active-State Signalling Protocol
Traditional Privacy (Passive)
  • Static privacy policies reviewed infrequently
  • Notice provided only at point of collection
  • No visibility into ongoing processing activities
  • Users assume data is being used, with no confirmation
  • Reactive approach to privacy incidents
Active-State Signalling (Dynamic)
  • Real-time status indication — TrustMark shows current privacy state instantly
  • Event-driven updates — Signals change when processing occurs
  • Machine-readable status — AI systems verify consent before processing
  • User control interface — Click TrustMark to view and manage permissions
  • Proactive transparency and continuous verification
HABNI TrustMark: Visual Language of Trust
The High Assurance Broadcast Network Icon serves as a universal signal that privacy infrastructure is active and verifiable. This standardised visual language transcends borders, languages, and technical implementations, providing immediate clarity about privacy status to both humans and machines. The TrustMark represents a fundamental shift from opaque data practices to transparent, accountable digital ecosystems.
TrustMark States
🟢 Active & Verified
The green state indicates optimal privacy conditions where all transparency requirements are met and verifiable.
  • Consent records current and valid across all processing purposes
  • Controller registered and verified in the Controller Registry
  • Notice infrastructure operational with active endpoints
  • Third-party disclosures transparent and machine-readable
  • Audit trails complete and accessible
🟡 Attention Required
The amber state signals that user action or review is recommended to maintain optimal privacy protection.
  • Consent expiring within 30 days or update needed
  • New processing purposes require explicit authorisation
  • Rights request pending response from controller
  • Review recommended for recent policy changes
  • Optional features available for enhanced privacy
🔴 Issue Detected
The red state indicates critical privacy issues requiring immediate attention or intervention.
  • Consent expired, revoked, or otherwise invalid
  • Processing occurring without valid authorisation
  • Controller verification failed or expired
  • Transparency requirements not met per regulations
  • Security incident or breach detected
Not Participating
The grey state indicates the organisation has not implemented TrustMark infrastructure.
  • No TrustMark implementation or registration
  • Traditional privacy model with static policies
  • No active-state signalling capabilities
  • No consent receipt infrastructure deployed
  • Limited real-time transparency mechanisms
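One way a relying system could derive the four states above from a machine-readable status record and gate processing on the result. This is an added example, not part of the TrustMark specification: the record fields, function names and sample records are hypothetical and constructed for illustration, and only the 30-day threshold comes from the text above.

```python
from datetime import datetime, timedelta, timezone

EXPIRY_WARNING = timedelta(days=30)  # amber threshold stated on the page

def trustmark_state(record, now):
    """Derive grey/red/amber/green from a status record (hypothetical fields)."""
    if not isinstance(record, dict) or not record.get("registered", False):
        return "grey"  # no TrustMark implementation or registration
    try:
        expires = datetime.fromisoformat(record["consent_expires"])
        revoked = record["consent_revoked"]
        verified = record["controller_verified"]
        authorised = set(record["authorised_purposes"])
        requested = set(record["requested_purposes"])
        if expires.tzinfo is None or type(revoked) is not bool or type(verified) is not bool:
            raise ValueError("ambiguous field")
    except (KeyError, TypeError, ValueError):
        return "red"  # fail closed: a malformed record is never treated as valid
    if revoked or expires <= now or not verified:
        return "red"
    if expires - now <= EXPIRY_WARNING:
        return "amber"  # consent expiring within 30 days
    if not requested <= authorised or record.get("rights_request_pending", False):
        return "amber"  # new purposes need authorisation, or a request is pending
    return "green"

def may_process(record, purpose, now):
    """Gate one purpose: amber still permits purposes that are already authorised."""
    if trustmark_state(record, now) not in ("green", "amber"):
        return False
    return purpose in record["authorised_purposes"]

# Constructed sample records; the clock is fixed so the results are repeatable.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
BASE = {"registered": True, "controller_verified": True, "consent_revoked": False,
        "consent_expires": "2026-12-01T00:00:00+00:00",
        "authorised_purposes": ["billing"], "requested_purposes": ["billing"]}
SAMPLES = {
    "current": BASE,
    "expiring": {**BASE, "consent_expires": "2026-03-20T00:00:00+00:00"},
    "new_purpose": {**BASE, "requested_purposes": ["billing", "ai_training"]},
    "revoked": {**BASE, "consent_revoked": True},
    "malformed": {k: v for k, v in BASE.items() if k != "consent_expires"},
    "absent": {"registered": False},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, trustmark_state(rec, NOW), may_process(rec, "billing", NOW))
```

The amber state does not block purposes that already have consent, but a newly requested purpose is refused until it is explicitly authorised.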
Implementation Levels
Organisations can implement TrustMark at different maturity levels, with each level building upon the previous to create increasingly sophisticated privacy infrastructure. This tiered approach enables organisations to begin their transparency journey whilst working towards full high-assurance implementation.
Level 1: Basic Transparency
Entry-level implementation establishing foundational transparency practices and public accountability.
  • Controller Registry participation with verified identity
  • Machine-readable privacy notice using standard formats
  • Contact information and rights access clearly published
  • TrustMark display authorisation and branding rights
Level 2: Consent Records
Implementation of standardised consent management with auditable record-keeping infrastructure.
  • ISO/IEC 27560 consent receipt generation for all data subjects
  • Anchored Notice and Consent Receipt pattern implementation
  • Event logging for all consent exchanges and modifications
  • User access portal for consent history and receipts
Level 3: Active Signalling
Dynamic status broadcasting enabling real-time privacy state visibility and verification.
  • Real-time status broadcast via public API endpoints
  • Dynamic state updates triggered by processing events
  • Third-party verification integration for trust chains
  • Consent token infrastructure for portable authorisation
Level 4: High Assurance
Maximum trust level with certified personnel, audited performance, and international interoperability.
  • Certified Digital Privacy Officer signatures on all receipts
  • Regular audited transparency performance reviews
  • Verified micro-credentials for attribute disclosures
  • International interoperability with multiple jurisdictions
Human Consent Protocol
The Human Consent Protocol standardises how consent is requested, recorded, and verified across digital systems. This protocol inverts traditional identification patterns by requiring controllers to identify themselves first, establishing accountability before requesting personal information. The protocol creates machine-readable consent infrastructure that AI systems can verify before processing, enabling true consent-driven data ecosystems.
Protocol Components
01. Controller Identity (Not User Identity)
The protocol begins with controller self-identification, establishing accountability before requesting personal data.
  • Controller-ID replaces User-ID in initial exchange sequence
  • Organisations identify themselves first with verified credentials
  • Individuals remain anonymous until they choose to authenticate
  • Privacy-by-default through controller transparency requirements
02. Anchored Notice Pattern
Machine-readable privacy notices are pulled by individuals using the Controller-ID, creating verifiable notice delivery.
  • Notice Receipt pulled by individual using Controller-ID reference
  • Machine-readable notice structure following ISO/IEC 27560 standard
  • Verifiable notice anchoring for immutable audit trails
  • Portable notice format enabling cross-system verification
03. Consent Receipt Exchange
Standardised consent records enable portable, verifiable authorisation across multiple systems and jurisdictions.
  • Signed consent records issued by certified Digital Privacy Officers
  • Reusable micro-credentials for attribute verification without re-disclosure
  • Consent tokens establishing provenance for AI training data
  • Revocation and modification infrastructure with real-time updates
04. Audit Trail Architecture
Immutable logging infrastructure provides accountability whilst preserving individual privacy during verification.
  • Notice Event Ledger recording all consent exchanges chronologically
  • Immutable record of authorisation history for dispute resolution
  • Regulatory access protocols for oversight and investigation
  • Privacy-preserving audit capabilities using cryptographic proofs
Universal Transparency Privacy Controls
Standardised control mechanisms enable individual oversight and authorisation at scale, transforming privacy from a passive legal obligation into an active, user-driven practice. These controls provide granular authority over data processing whilst maintaining usability and practical implementation for both individuals and organisations. The control framework balances comprehensive authority with streamlined user experience.
Control Categories
Access Controls
  • View complete consent history across all controllers
  • Download machine-readable consent receipts
  • Verify third-party disclosures and data flows
  • Request comprehensive data access reports
Authorisation Controls
  • Grant granular permissions for specific purposes
  • Revoke consent for individual processing activities
  • Authorise or deny secondary uses of data
  • Manage AI training data consent separately
Preference Controls
  • Set default authorisation levels for new requests
  • Configure notification preferences and channels
  • Establish trust policies for controller categories
  • Define acceptable use parameters and boundaries
Rights Controls
  • Exercise deletion rights with verification
  • Request data correction or completion
  • Object to specific processing activities
  • Withdraw consent with cascading updates
Technical Implementation
API Specifications
Standardised API endpoints enable consistent implementation across diverse systems and platforms.
  • RESTful consent management endpoints with versioned schemas
  • OAuth 2.0 authorisation flows for secure authentication
  • W3C Verifiable Credentials format for portable credentials
  • OpenID Connect identity integration for federated systems
Data Formats
Machine-readable formats ensure interoperability and automated processing verification.
  • JSON-LD for machine-readable privacy notices with semantic context
  • ISO/IEC 27560 consent record structure for standardised receipts
  • W3C Data Privacy Vocabulary for consistent terminology
  • Schema.org extensions for transparency markup in web contexts
Open Privacy Network Architecture
The Open Privacy Network (OPN) provides the infrastructure enabling TrustMark verification and active-state signalling across organisational and jurisdictional boundaries. This distributed architecture establishes trust chains without creating centralised control points, balancing coordination needs with privacy protection. The OPN enables global interoperability whilst respecting regional regulatory frameworks and sovereignty.
Controller Registry
Public registry establishing verified identity for all participating data controllers.
  • Public registry of verified PII Controllers with audit history
  • Controller-ID issuance and lifecycle management
  • Transparency Performance Indicator Reports (TPI-R) publication
  • International verification and cross-border trust establishment
Notice Event Ledger
Immutable audit infrastructure recording consent events whilst preserving privacy.
  • Immutable audit trail of all consent events and modifications
  • Privacy-preserving verification using cryptographic commitments
  • Regulatory oversight access with appropriate authorisation
  • Cross-border accountability mechanisms for international flows
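A sketch of how an append-only ledger can combine the tamper-evident audit trail and the cryptographic commitments described here and under Audit Trail Architecture. This is an added example, not the Notice Event Ledger's actual design: the hash chain, the use of HMAC-SHA-256 keyed with a random salt as the commitment, and all field and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # placeholder predecessor for the first entry

def commit(receipt, salt):
    """Salted commitment to a receipt, so the ledger never stores the receipt."""
    body = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, body, hashlib.sha256).hexdigest()

def entry_hash(prev, event, commitment):
    """Hash over an unambiguous JSON encoding of the entry's three fields."""
    return hashlib.sha256(json.dumps([prev, event, commitment]).encode()).hexdigest()

def append(ledger, event, receipt):
    """Append an event; return the salt, which stays with the receipt holder."""
    salt = secrets.token_bytes(16)
    prev = ledger[-1]["hash"] if ledger else GENESIS
    c = commit(receipt, salt)
    ledger.append({"prev": prev, "event": event, "commitment": c,
                   "hash": entry_hash(prev, event, c)})
    return salt

def verify_chain(ledger):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        expected = entry_hash(prev, e["event"], e["commitment"])
        if e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
            return i
        prev = e["hash"]
    return -1

def proves(ledger, index, receipt, salt):
    """Check that a disclosed receipt and salt open the commitment at `index`."""
    if verify_chain(ledger) != -1:
        return False
    return hmac.compare_digest(ledger[index]["commitment"], commit(receipt, salt))

if __name__ == "__main__":
    # Constructed sample data.
    ledger = []
    receipt = {"controller_id": "ctrl-example", "purpose": "billing"}
    salt = append(ledger, "consent_granted", receipt)
    append(ledger, "consent_modified", {**receipt, "purpose": "support"})
    print(verify_chain(ledger), proves(ledger, 0, receipt, salt))
    ledger[0]["event"] = "consent_revoked"  # tampering with a past entry
    print(verify_chain(ledger))
```

A chain like this only detects edits relative to its latest hash, so that head value has to be published or anchored somewhere the ledger operator cannot rewrite.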
Gateway Services
Integration layer enabling diverse systems to participate in the transparency network.
  • API gateway for transparency infrastructure with rate limiting
  • Real-time status synchronisation across distributed nodes
  • Third-party verification routing and response aggregation
  • Protocol translation and interoperability bridging
Micro-Credential Verification
Trust infrastructure validating credentials and establishing verifiable claims.
  • Digital Privacy Officer certification validation and revocation checking
  • Signed consent receipt cryptographic verification
  • Attribute credential verification without full disclosure
  • Trust chain establishment across multiple verification authorities
International Deployment Roadmap
The phased deployment strategy balances ambition with pragmatism, enabling iterative refinement whilst building momentum towards global adoption. Each phase establishes the foundation for the next, with clear milestones enabling stakeholders to track progress and adjust strategy based on implementation learnings.
Phase 1: Foundation
Q4 2025 - Q1 2026
Establishing technical and governance foundations for international deployment.
  • Finalise Human Consent Protocol specification with international consultation
  • Launch Controller Registry (beta) in Australia and UK
  • Certify initial cohort of Digital Privacy Officers
  • Establish Australian accelerator programme with government support
Key Milestones: December 2025 regulatory consultation | January 2026 Task Force Sprint | March 2026 Protocol v1.0 release
Phase 2: Pilot Deployment
Q2-Q3 2026
Testing implementation at scale with diverse organisations across key sectors.
  • Deploy TrustMark pilots in 3-5 organisations per region
  • Test active-state signalling in production environments
  • Validate consent receipt infrastructure under load
  • Refine protocols based on implementation feedback and edge cases
Geographic Focus: Australia (GDTA accelerator) | UK (ICO partnership) | Canada (PACC partnership)
Priority Sectors: Digital identification | AI/ML platforms | Healthcare | Government services
Phase 3: Scale and Certify
Q4 2026 - Q2 2027
Expanding deployment whilst establishing certification infrastructure for service providers.
  • Expand TrustMark to 100+ organisations across six continents
  • Certify OPN Data Notary service providers in multiple jurisdictions
  • Establish regional gateway hubs for infrastructure resilience
  • Submit international standards to W3C, ISO, and ITU
Key Activities: Data Notary certification programmes | Gateway deployment | Micro-credential infrastructure | Standards progression
Phase 4: International Interoperability
Q3 2027 onwards
Achieving seamless cross-border operation with universal TrustMark recognition.
  • Cross-border consent verification with legal recognition
  • Multi-jurisdiction trust chains and mutual recognition
  • Universal TrustMark recognition in major economies
  • Global transparency infrastructure as digital public good
Australian Leadership Opportunity
Australia has a unique opportunity to establish first-mover advantage in privacy infrastructure, positioning itself as the global leader in digital trust innovation. By investing strategically now, Australia can shape international standards, create export opportunities, and establish regulatory frameworks that other nations will emulate. The timing is optimal, with regulatory reform underway and strong digital economy foundations already established.
1. Government Funding
Strategic investment accelerating protocol development, pilot deployment, and ecosystem creation for Australian first-movers.
2. Standards Leadership
Australian privacy experts leading international standards bodies, shaping global frameworks around Australian innovations and values.
3. Economic Advantage
Australian companies certified as first-wave Data Notaries, capturing early market share in the emerging privacy infrastructure sector.
4. Export Market
Australian privacy infrastructure expertise becoming globally recognised, creating consulting and technology export opportunities.
5. Regulatory Innovation
Australian co-regulation model demonstrating effective privacy governance, becoming an international template for balanced oversight.
The Australian accelerator programme, led by GDTA, provides the coordinating mechanism to realise this opportunity. With government support for initial pilots and DPO certification programmes, Australia can establish the infrastructure that other nations will adopt, securing long-term strategic and economic advantages in the digital trust economy.
UK Leadership Opportunity
The United Kingdom can leverage its unique position post-Brexit to bridge European and Commonwealth privacy frameworks, establishing London as the global hub for privacy infrastructure innovation. The UK's regulatory sophistication, combined with its historical ties across continents, positions it ideally to coordinate international privacy standards. ICO's forward-thinking approach to privacy regulation provides fertile ground for active-state signalling innovation.
European Coordination Hub
UK serving as gateway bridging Convention 108+ and GDPR frameworks with Commonwealth and international standards, enabling multi-jurisdictional interoperability.
ICO Partnership
Information Commissioner's Office pioneering a regulatory innovation model demonstrating how active-state signalling can strengthen enforcement whilst reducing compliance burden.
Financial Services Leadership
UK fintech and banking sector leading early adoption, with London's financial district establishing TrustMark as the standard for trusted digital transactions.
AI Governance Excellence
UK AI governance framework integrating seamlessly with TrustMark infrastructure, demonstrating how consent management enables responsible AI development.
Commonwealth Coordination
UK-Australia partnership extending across Commonwealth nations, creating alignment on privacy infrastructure throughout former British territories and trading partners.
The UK's regulatory independence allows it to innovate beyond EU constraints whilst maintaining strong alignment with European privacy values. This positions the UK uniquely to demonstrate how active-state signalling can work across different regulatory regimes, establishing patterns that others can adapt to their own contexts.
Apply for TrustMark Pilot
Organisations interested in implementing HABNI TrustMark in pilot programmes can apply now for priority consideration. Pilot participants receive comprehensive technical support, certification assistance, and international recognition as privacy infrastructure pioneers. This is your opportunity to shape the future of digital trust whilst gaining competitive advantage through early adoption.
Eligibility Requirements
  • Australian or UK organisation (priority), or international entity with AU/UK operations
  • Digital identification, AI/ML, or sensitive data processing operations
  • Commitment to transparency and willingness to certify a Digital Privacy Officer
  • Technical capacity for API integration and consent receipt infrastructure
  • Executive sponsorship for privacy infrastructure transformation
Pilot Benefits
No-Cost Technical Implementation Support
Full technical assistance during integration and deployment phases
DPO Certification for Key Personnel
Certification programme for your privacy leadership team
International Showcase Opportunity
Case study development and conference presentation opportunities
Early Adopter Recognition
Public recognition as a privacy infrastructure pioneer and innovator

Application Timeline: Applications are reviewed on a rolling basis. Priority is given to organisations ready to begin implementation in Q2 2026. Limited pilot slots are available in the initial deployment phase.
Technical Resources
Comprehensive documentation and tools for implementers, developers, and technical decision-makers. These resources provide everything needed to integrate TrustMark infrastructure into existing systems, from high-level architecture guidance to detailed API specifications and reference implementations.
Human Consent Protocol Specification
Complete technical specification including data formats, exchange patterns, and security requirements. Available in multiple formats with machine-readable schemas.
TrustMark Integration Guide
Step-by-step implementation guide covering Controller Registry integration, consent receipt generation, and active-state signalling deployment.
API Documentation
Interactive API documentation with code examples in multiple languages, authentication guides, and testing sandboxes for development.
Reference Implementation
Open-source reference implementation demonstrating best practices for consent receipt generation, notice anchoring, and TrustMark integration patterns.
Developer Community
Join our active developer community for technical support, implementation discussions, and collaboration on privacy infrastructure innovation.
Video Tutorials
Comprehensive video series covering architecture concepts, integration patterns, and common implementation challenges with practical solutions.

All technical resources are available under open-source licences, enabling transparent review, community contribution, and broad adoption. We maintain active channels for feedback and continuously update documentation based on implementation experience.
Contact
Get in touch with the appropriate team for your enquiry. Whether you're interested in pilot participation, technical implementation support, or strategic partnership opportunities, we're here to assist your privacy infrastructure journey.
TrustMark Programme
General enquiries about the TrustMark programme, governance structure, and strategic partnerships.
Technical Support
Technical implementation questions, API documentation, and developer resources.
Australian Pilot Enquiries
Questions specific to the Australian pilot programme, GDTA accelerator, and AU regulatory context.
UK Pilot Enquiries
Questions specific to the UK pilot programme, ICO partnership, and UK regulatory alignment.

We typically respond to enquiries within 2 business days. For urgent technical issues, please use our developer community channels for faster response from our technical team and community experts.