1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 29100:2011 Information technology Security techniques Privacy frameworkBS ISO/IEC 29100:2011 BRITISH STANDARD National foreword This British Standard is the UK impl
2、ementation of ISO/IEC 29100:2011. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the nec
3、essary provisions of a contract. Users are responsible for its correct application. BSI 2011 ISBN 978 0 580 59539 4 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strateg
4、y Committee on 31 December 2011. Amendments issued since publication Date Text affectedBS ISO/IEC 29100:2011Reference number ISO/IEC 29100:2011(E) ISO/IEC 2011INTERNATIONAL STANDARD ISO/IEC 29100 First edition 2011-12-15 Information technology Security techniques Privacy framework Technologies de li
5、nformation Techniques de scurit Cadre privBS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2011 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including
6、photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in
7、 Switzerland ii ISO/IEC 2011 All rights reservedBS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) ISO/IEC 2011 All rights reserved iiiContents Page Foreword . v Introduction vi 1 Scope 1 2 Terms and definitions . 1 3 Symbols and abbreviated terms 4 4 Basic elements of the privacy framework . 5 4.1 Overvie
8、w of the privacy framework . 5 4.2 Actors and roles 5 4.2.1 PII principals 5 4.2.2 PII controllers . 5 4.2.3 PII processors 5 4.2.4 Third parties . 6 4.3 Interactions 6 4.4 Recognizing PII 7 4.4.1 Identifiers . 7 4.4.2 Other distinguishing characteristics . 7 4.4.3 Information which is or might be l
9、inked to a PII principal 8 4.4.4 Pseudonymous data . 9 4.4.5 Metadata . 9 4.4.6 Unsolicited PII 9 4.4.7 Sensitive PII . 9 4.5 Privacy safeguarding requirements 10 4.5.1 Legal and regulatory factors 11 4.5.2 Contractual factors 11 4.5.3 Business factors 12 4.5.4 Other factors 12 4.6 Privacy policies
10、. 13 4.7 Privacy controls . 13 5 The privacy principles of ISO/IEC 29100 . 14 5.1 Overview of privacy principles 14 5.2 Consent and choice 14 5.3 Purpose legitimacy and specification . 15 5.4 Collection limitation 15 5.5 Data minimization 16 5.6 Use, retention and disclosure limitation . 16 5.7 Accu
11、racy and quality 16 5.8 Openness, transparency and notice . 17 5.9 Individual participation and access . 17 5.10 Accountability 18 5.11 Information security 18 5.12 Privacy compliance . 19 Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000 concepts . 20 Bibliograph
12、y 21 BS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) iv ISO/IEC 2011 All rights reservedFigures Figure 1 Factors influencing privacy risk management 11 Tables Table 1 Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their roles 7 Table 2 Example of attri
13、butes that can be used to identify natural persons 8 Table 3 The privacy principles of ISO/IEC 29100 14 Table A.1 Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20 BS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) ISO/IEC 2011 All rights reserved vForeword ISO (the International Organization fo
14、r Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective or
15、ganization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information techn
16、ology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standard
17、s adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subj
18、ect of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. BS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) vi ISO
19、/IEC 2011 All rights reservedIntroduction This International Standard provides a high-level framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. It is general in nature and places organizational, technical, and proce
20、dural aspects in an overall privacy framework. The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by: - specifying a common privacy terminology; - defining the actors and their roles in processing PII; - des
21、cribing privacy safeguarding requirements; and - referencing known privacy principles. In some jurisdictions, this International Standards references to privacy safeguarding requirements might be understood as being complementary to legal requirements for the protection of PII. Due to the increasing
22、 number of information and communication technologies that process PII, it is important to have international information security standards that provide a common understanding for the protection of PII. This International Standard is intended to enhance existing security standards by adding a focus
23、 relevant to the processing of PII. The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to achieve compliance with the various applicable laws. Privac
24、y stakeholders can prevent uncertainty and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse. Use of this International Standard will: - aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect PII; - spur innovati
25、ve solutions to enable the protection of PII within ICT systems; and - improve organizations privacy programs through the use of best practices. The privacy framework provided within this International Standard can serve as a basis for additional privacy standardization initiatives, such as for: - a
26、 technical reference architecture; - the implementation and use of specific privacy technologies and overall privacy management; - privacy controls for outsourced data processes; - privacy risk assessments; or - specific engineering specifications. Some jurisdictions might require compliance with on
27、e or more of the documents referenced in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) Official Privacy Documents References 3 or with other applicable laws and regulations, but this International Standard is not intended to be a global model policy, nor a legislative framework. BS ISO/IEC
28、 29100:2011 INTERNATIONAL STANDARD ISO/IEC 29100:2011(E) ISO/IEC 2011 All rights reserved 1Information technology Security techniques Privacy framework 1 Scope This International Standard provides a privacy framework which - specifies a common privacy terminology; - defines the actors and their role
29、s in processing personally identifiable information (PII); - describes privacy safeguarding considerations; and - provides references to known privacy principles for information technology. This International Standard is applicable to natural persons and organizations involved in specifying, procuri
30、ng, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII. 2 Terms and definitions For the purposes of this document, the following terms and d
31、efinitions apply. NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000 concepts that correspond with the ISO/IEC 29
32、100 concepts used in this International Standard. 2.1 anonymity characteristic of information that does not permit a personally identifiable information principal to be identified directly or indirectly 2.2 anonymization process by which personally identifiable information (PII) is irreversibly alte
33、red in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party 2.3 anonymized data data that has been produced as the output of a personally identifiable information anonymization process 2.4 cons
34、ent personally identifiable information (PII) principals freely given, specific and informed agreement to the processing of their PII BS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) 2 ISO/IEC 2011 All rights reserved2.5 identifiability condition which results in a personally identifiable information (PI
35、I) principal being identified, directly or indirectly, on the basis of a given set of PII 2.6 identify establish the link between a personally identifiable information (PII) principal and PII or a set of PII 2.7 identity set of attributes which make it possible to identify the personally identifiabl
36、e information principal 2.8 opt-in process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose NOTE A different term that is often used with the priva
37、cy principle consent and choice is “opt-out”. It describes a process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has
38、the right to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent (e.g., placing an order in an online shop). 2.9 personally identifiable information PII any information that (a) can be used to identify the PII principal to whom su
39、ch information relates, or (b) is or might be directly or indirectly linked to a PII principal NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to ident
40、ify that natural person. 2.10 PII controller privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes NOTE A PII controller sometimes instructs others (e
41、.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII controller. 2.11 PII principal natural person to whom the personally identifiable information (PII) relates NOTE Depending on the jurisdiction and the particular data protection and pri
42、vacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”. 2.12 PII processor privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller 2.13 privacy breach situation wh
43、ere personally identifiable information is processed in violation of one or more relevant privacy safeguarding requirements BS ISO/IEC 29100:2011 ISO/IEC 29100:2011(E) ISO/IEC 2011 All rights reserved 32.14 privacy controls measures that treat privacy risks by reducing their likelihood or their cons
44、equences NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines, legal contracts, management practices or organizational structures. NOTE 2 Control is also used as a synonym for safeguard or countermeasure. 2.15 privacy enhancing techn
45、ology PET privacy control, consisting of information and communication technology (ICT) measures, products, or services that protect privacy by eliminating or reducing personally identifiable information (PII) or by preventing unnecessary and/or undesired processing of PII, all without losing the fu
46、nctionality of the ICT system NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate, reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII. NOTE 2 Masking is the process of obscuring
47、elements of PII. 2.16 privacy policy overall intention and direction, rules and commitment, as formally expressed by the personally identifiable information (PII) controller related to the processing of PII in a particular setting 2.17 privacy preferences specific choices made by a personally identi
48、fiable information (PII) principal about how their PII should be processed for a particular purpose 2.18 privacy principles set of shared values governing the privacy protection of personally identifiable information (PII) when processed in information and communication technology systems 2.19 priva
49、cy risk effect of uncertainty on privacy NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000. NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. 2.20 privacy risk assessment overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII) NOTE This process is also known as a pri