1、Information technology Security techniques Guidelines for privacy impact assessment BS ISO/IEC 29134:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Security techniques Guidelines for privacy impact assessment Technologies de linformation
2、 Techniques de scurit Lignes directrices pour lvaluation dimpacts sur la vie prive INTERNATIONAL STANDARD ISO/IEC 29134 Reference number ISO/IEC 29134:2017(E) First edition 2017-06 ISO/IEC 2017 National foreword This British Standard is the UK implementation of ISO/IEC 29134:2017. The UK participati
3、on in its preparation was entrusted to Technical Committee IST/33/5, Identity Management and Privacy Technologies. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contrac
4、t. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 82001 4 ICS 35.030 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the autho
5、rity of the Standards Policy and Strategy Committee on 31 July 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 29134:2017Information technology Security techniques Guidelines for privacy impact assessment Technologies de linformation Techniques de
6、scurit Lignes directrices pour lvaluation dimpacts sur la vie prive INTERNATIONAL STANDARD ISO/IEC 29134 Reference number ISO/IEC 29134:2017(E) First edition 2017-06 ISO/IEC 2017 BS ISO/IEC 29134:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzer
7、land All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requ
8、ested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29134:2017(E) BS ISO/IEC 29134:2017 ii
9、ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or
10、posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 F
11、ax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29134:2017(E)ISO/IEC 29134:2017(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 3 5 Preparing the grounds for PIA . 4 5.1 Benefits of carrying out a PIA. 4 5.2 Objectives of PI
12、A reporting 5 5.3 Accountability to conduct a PIA . 5 5.4 Scale of a PIA . 6 6 Guidance on the process for conducting a PIA 6 6.1 General . 6 6.2 Determine whether a PIA is necessary (threshold analysis) 7 6.3 Preparation of the PIA 7 6.3.1 Set up the PIA team and provide it with direction . 7 6.3.2
13、 Prepare a PIA plan and determine the necessary resources for conducting the PIA . 9 6.3.3 Describe what is being assessed .10 6.3.4 Stakeholder engagement .11 6.4 Perform the PIA .13 6.4.1 Identify information flows of PII .13 6.4.2 Analyse the implications of the use case 14 6.4.3 Determine the re
14、levant privacy safeguarding requirements .15 6.4.4 Assess privacy risk 16 6.4.5 Prepare for treating privacy risks 19 6.5 Follow up the PIA .23 6.5.1 Prepare the report .23 6.5.2 Publication .24 6.5.3 Implement privacy risk treatment plans .24 6.5.4 Review and/or audit of the PIA25 6.5.5 Reflect cha
15、nges to the process 26 7 PIA report .26 7.1 General 26 7.2 Report structure .27 7.3 Scope of PIA 27 7.3.1 Process under evaluation 27 7.3.2 Risk criteria .29 7.3.3 Resources and people involved 29 7.3.4 Stakeholder consultation .29 7.4 Privacy requirements .29 7.5 Risk assessment 29 7.5.1 Risk sourc
16、es 29 7.5.2 Threats and their likelihood .29 7.5.3 Consequences and their level of impact .30 7.5.4 Risk evaluation .30 7.5.5 Compliance analysis .30 7.6 Risk treatment plan .30 7.7 Conclusion and decisions 30 7.8 PIA public summary 30 Annex A (informative) Scale criteria on the level of impact and
17、on the likelihood.32 ISO/IEC 2017 All rights reserved iii Contents Page BS ISO/IEC 29134:2017 ISO/IEC 29134:2017(E)Annex B (informative) Generic threats .34 Annex C (informative) Guidance on the understanding of terms used 38 Annex D (informative) Illustrated examples supporting the PIA process 40 B
18、ibliography .42 iv ISO/IEC 2017 All rights reserved BS ISO/IEC 29134:2017 ISO/IEC 29134:2017(E)Annex B (informative) Generic threats .34 Annex C (informative) Guidance on the understanding of terms used 38 Annex D (informative) Illustrated examples supporting the PIA process 40 Bibliography .42 iv I
19、SO/IEC 2017 All rights reserved ISO/IEC 29134:2017(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the
20、 development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-gov
21、ernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IE
22、C Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives). Attention is drawn to the possibili
23、ty that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of pat
24、ent declarations received (see www .iso .org/ patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to
25、 conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html. This document was prepared by Technical Committee ISO/IEC JTC 1, Information techno
26、logy, Subcommittee SC 27, IT Security techniques. ISO/IEC 2017 All rights reserved v BS ISO/IEC 29134:2017 ISO/IEC 29134:2017(E) Introduction A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module
27、, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising
28、 from the use of the information security management system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a proc
29、ess that continues until, and even after, the project has been deployed. Initiatives vary substantially in scale and impact. Objectives falling under the heading of “privacy” will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that c
30、an be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstance. A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in
31、 doing this, acting on the PII controllers behalf. A PII processor or a supplier may also wish to conduct their own PIA. A suppliers PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary
32、for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. When the provider of digital devices is unskilled in and not resourced for PIAs, for example: a small retailer, or a small and medium-sized enterprise (SME) using digitally connected devices in
33、 the course of its normal business operations, then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they
34、supply. A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory requirements. This document is intended to be used when the privacy impact on PII principal
35、s includes consideration of processes, information systems or programmes, where: the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identif
36、ied risks; an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or equivalent management system); or an organization is performing privacy ri
37、sk management as an independent function; an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not get implemented directly and, the
38、refore, this treatment plan should become part of corresponding legislation, regulation or the contract instead; the organization wants to act responsible towards the PII principals.vi ISO/IEC 2017 All rights reserved BS ISO/IEC 29134:2017 ISO/IEC 29134:2017(E) Introduction A privacy impact assessme
39、nt (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order
40、 to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest possible st
41、ages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed. Initiatives vary substantially in scale and impact. Objectives falling under the heading of “p
42、rivacy” will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect
43、 to individual circumstance. A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in doing this, acting on the PII controllers behalf. A PII processor or a supplier may also wish to conduct their own PIA. A suppliers PIA information is especially rele
44、vant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. When the provider of digital devices is unskilled in and not
45、 resourced for PIAs, for example: a small retailer, or a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations, then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great
46、 deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply. A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may
47、be necessary to meet legal and regulatory requirements. This document is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where: the responsibility for the implementation and/or delivery of the process, information
48、system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks; an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of
49、 its ISMS (established in accordance with ISO/IEC 27001 or equivalent management system); or an organization is performing privacy risk management as an independent function; an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not get implemented directly and, therefore, this treatment plan should become part of correspondi
