1、 Reference number ISO 22307:2008(E) ISO 2008INTERNATIONAL STANDARD ISO 22307 First edition 2008-05-01 Financial services Privacy impact assessment Services financiers valuation de limpact priv ISO 22307:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes li
2、censing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The
3、ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has
4、been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part
5、of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56
6、CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reservedISO 22307:2008(E) ISO 2008 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms an
7、d definitions. 1 4 Abbreviated terms 2 5 PIA requirements 3 5.1 Overview of PIA requirements. 3 5.2 General PIA process requirements. 3 5.3 Specific PIA process requirements 3 Annex A (informative) Frequently asked questions related to PIA . 8 Annex B (informative) General questionnaire to determine
8、 when to begin a PIA. 16 Annex C (informative) Questionnaire for PIA objectives . 17 Annex D (informative) Questionnaire on PIA initial procedures . 18 Annex E (informative) Questionnaire on adequacy of internal controls and procedures 19 Annex F (informative) PIA questionnaire for assessing privacy
9、 impacts for retail financial systems 20 Bibliography . 28 ISO 22307:2008(E) iv ISO 2008 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is n
10、ormally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part i
11、n the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prep
12、are International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that s
13、ome of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 22307 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 7, Core banking. ISO 22307:2008(E) ISO 2008 All righ
14、ts reserved v Introduction Rapid advances in computer systems and networking allow financial institutions to record, store, and retrieve vast amounts of consumer data with more speed and efficiency than ever before. These advances enable financial services companies to acquire and process consumer d
15、ata in ways that were previously out of reach to many due to the cost or to the specialized knowledge and training necessary to build and use these technologies. Advanced data processing, storage, collection, and retrieval technology is now available to all sectors of business and government. Busine
16、sses have access to extremely powerful technology with significantly better price and performance than in the past. With these new abilities, businesses can effortlessly process information in ways that, intentionally or unintentionally, impinge on the privacy rights of their customers and partners.
17、 These capabilities raise concerns about the privacy of individuals in these large networked information technology environments. Furthermore, regulated industries such as financial services, law, and policy now place additional conditions on how personal information is collected, stored, shared and
18、 used. The financial services community recognizes how important it is to protect and not abuse their customers privacy, not just because it is required by law, but also because as systems are developed or updated, there is an opportunity to enhance business processes and to provide improved service
19、s to customers. Ensuring compliance with the Organization for Economic Cooperation and Development (OECD) privacy principles means that an institutions privacy policies are consistent with established privacy principles such as having an external body establish a set of rules, guidelines or prohibit
20、ions. The presence of an external body can encourage corporations to protect financial information, either simply to comply with the letter of the law, or to enhance their privacy protection in general. New ways of using existing technology and new technologies bring new or unknown risks. It is advi
21、sable that corporations handling financial information be proactive in protecting and not abusing the privacy of their consumers and partners. One way of proactively addressing privacy principles and practices is to follow a standardized privacy impact assessment process for a proposed financial sys
22、tem (PFS), such as the one recommended in this International Standard. A privacy impact assessment (PIA) is a tool that, when used effectively, can identify risks associated with privacy and help organizations plan to mitigate those risks. Recognizing that the framework for privacy protection in eac
23、h country is different, the internationalization of privacy impact assessments is critical for global banking, in particular for cross-border financial transactions. INTERNATIONAL STANDARD ISO 22307:2008(E) ISO 2008 All rights reserved 1 Financial services Privacy impact assessment 1 Scope This Inte
24、rnational Standard recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by “contracted” third parties, to identify and mitigate privacy issues and risks associated with processing consumer data using au
25、tomated, networked information systems. This International Standard describes the privacy impact assessment activity in general, defines the common and required components of a privacy impact assessment, regardless of business systems affecting financial institutions, and provides informative guidan
26、ce to educate the reader on privacy impact assessments. A privacy compliance audit differs from a privacy impact assessment in that the compliance audit determines an institutions current level of compliance with the law and identifies steps to avoid future non-compliance with the law. While there a
27、re similarities between privacy impact assessments and privacy compliance audits in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the primary concern of a compliance audit is simply to meet the requirements of the law, whereas a privacy impact asses
28、sment is intended to investigate further in order to identify ways to safeguard privacy optimally. This International Standard recognizes that the choices of financial and banking system development and risk management procedures are business decisions and, as such, the business decision makers need
29、 to be informed in order to be able to make informed decisions for their financial institutions. This International Standard provides a privacy impact assessment structure (common PIA components, definitions and informative annexes) for institutions handling financial information that wish to use a
30、privacy impact assessment as a tool to plan for, and manage, privacy issues within business systems that they consider to be vulnerable. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited appl
31、ies. For undated references, the latest edition of the referenced document (including any amendments) applies. OECD Guidelines on the protection of privacy and transborder flows of personal data, 1980 3 Terms and definitions For the purposes of this document, the following terms and definitions appl
32、y. 3.1 financial activities activities including lending, exchanging, transferring, investing for others, or safeguarding money or securities, ISO 22307:2008(E) 2 ISO 2008 All rights reserved insuring, guaranteeing or indemnifying against loss, harm, damage, illness, disability or death, providing f
33、inancial investment or economic advisory services, underwriting or dealing with securities 3.2 financial system all services, facilities, business processes and data flows used by financial institutions to implement and perform financial activities 3.3 proposed financial system all of the components
34、 of a financial system assessed in a privacy impact assessment 3.4 business process process with clearly defined deliverable or outcome, which entails the execution of a sequence of one or more process steps NOTE A business process is defined by the business event that triggers the process, the inpu
35、ts and outputs, all the operational steps required to produce the output, the sequential relationship between the process steps, the business decisions that are part of the event response, and the flow of material and/or information between process steps. 3.5 data model representation of the specifi
36、c information requirements of a business area 3.6 information access model model that depicts access to key process and organization information for reporting and/or security purposes NOTE An information flow model is a model that visually depicts information flows in the business between business f
37、unctions, business organizations, and applications. 3.7 preliminary privacy impact assessment assessment conducted when the proposed financial system is at the early conception or design phase and detailed information is not known NOTE A preliminary privacy impact assessment can be planned for a pro
38、posed financial system in defining the need and/or scope of a full privacy impact assessment for a proposed financial system. 4 Abbreviated terms CPO Chief Privacy Officer NPI Non-public Personal Information OECD Organization for Economic Cooperation and Development PIA Privacy Impact Assessment PII
39、 Personally Identifiable Information PFS Proposed Financial System ISO 22307:2008(E) ISO 2008 All rights reserved 3 5 PIA requirements 5.1 Overview of PIA requirements The objectives of a PIA include: ensuring that privacy protection is a core consideration in the initial considerations of a PFS and
40、 in all subsequent activities during the system development life cycle; ensuring that accountability for privacy issues is clearly incorporated into the responsibilities of respective system developers, administrators and any other participants, including those from other institutions, jurisdictions
41、 and sectors; providing decision-makers with the information necessary to make fully-informed policy, system design and procurement decisions for proposed financial systems based on an understanding of the privacy implications and risks and the options available for avoiding and/or mitigating those
42、risks; reducing the risk of having to terminate or substantially modify a financial service after its implementation to comply with privacy requirements; providing documentation on the business processes and flow of personal information for use and review by departmental and agency staff and to serv
43、e as the basis for consultations with clients, the privacy officers and other stakeholders. To meet these objectives, PIAs have common process elements that shall be followed to be effective. The following are minimum process requirements for a PIA which addresses the impacts of a PFS. 5.2 General P
44、IA process requirements The following are the six common elements that are required of any PIA process: PIA plan; assessment; PIA report; competent expertise; degree of independence and public aspects; use in the PFS decision-making. More specific requirements of the PIA plan, PIA assessment and the
45、 PIA report are addressed in 5.3. 5.3 Specific PIA process requirements 5.3.1 PIA plan 5.3.1.1 Scope of PIA plan The PIA process requires a plan with a scope. This scope shall guide the PIA process for a specific PFS by stating: the business objectives of the PFS; the privacy policy compliance objec
46、tives of the PIA, which, at a minimum, shall be to comply with OECD privacy principles and any financial sector agreements regarding compliance with OECD privacy principles (e.g. international standards addressing financial sector and security); ISO 22307:2008(E) 4 ISO 2008 All rights reserved wheth
47、er the PFS is creating a new business system or a proposed change of an existing business system or its supporting system; whether the PIA is a preliminary PIA; any assumptions and constraints regarding the applicable jurisdiction(s) of the PFS and the consideration of alternative systems to the pro
48、posed financial system; the assessment of any alternative shall also be based on documented business objectives and the appropriate management shall approve the business objectives; the life-cycle phase of the PFS. 5.3.1.2 Documented report The PIA process requires a plan resulting in a documented r
49、eport. The PIA plan shall systematically establish the steps to be followed, questions to be answered and options to be examined for the PFS being assessed. The steps shall include obtaining the following prior to the assessment: a description of the PFS and, if necessary, the description of the existing financial systems relevant to the PFS; identification of the competent expertise needed to perform the PIA and to develop the PIA report within the defined scope; agreement by the identifie
