1、Information technology Cloud computing Cloud services and devices: Data flow, data categories and data use BS ISO/IEC 19944:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06National foreword This British Standard is the UK implementation of ISO/IEC 19944:2017. T
2、he UK participation in its preparation was entrusted to Technical Committee IST/38, Cloud Computing and Distributed Platforms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions
3、of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 88037 7 ICS 35.210 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published und
4、er the authority of the Standards Policy and Strategy Committee on 31 October 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 19944:2017Information technology Cloud computing Cloud services and devices: Data flow, data categories and data use Techn
5、ologies de linformation Informatique en nuage Services et dispositifs en nuage : Dbits, catgories et utilisation des donnes INTERNATIONAL STANDARD ISO/IEC 19944 Reference number ISO/IEC 19944:2017(E) First edition 2017-09-15 ISO/IEC 2017 BS ISO/IEC 19944:2017 ii ISO/IEC 2017 All rights reserved COPY
6、RIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intrane
7、t, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org
8、www.iso.org ISO/IEC 19944:2017(E) BS ISO/IEC 19944:2017 ISO/IEC 19944:2017(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 1 4 Abbreviated terms 4 5 Structure of this document 5 6 Overview of devices and cloud services ecosystems . 5 6.1 Background and con
9、text Impact of devices and personalized cloud services 5 6.2 Ecosystem of devices and cloud services . 6 6.3 Devices and multiple user sub-roles 7 6.3.1 General 7 6.3.2 Bring your own device (BYOD) 8 7 Extending the CCRA to the devices and cloud services ecosystem .9 7.1 Overview 9 7.2 Personal and
10、organizational environments . 9 7.3 Device impact on the CCRA: User view .10 7.3.1 Cloud service provider . 10 7.3.2 Cloud service customer .11 7.4 Device impact on the CCRA: Functional view 11 7.4.1 General.11 7.4.2 Functional components in the functional view 12 7.4.3 Functional view: Data flows 1
11、4 8 Data taxonomy .16 8.1 Overview .16 8.2 Data categories 16 8.2.1 General.16 8.2.2 Customer content data 17 8.2.3 Derived data 18 8.2.4 Cloud service provider data 21 8.2.5 Account data .21 8.3 Data identification qualifiers .21 8.3.1 General.21 8.3.2 Identified data .22 8.3.3 Pseudonymized data .
12、22 8.3.4 Unlinked pseudonymized data .22 8.3.5 Anonymized data 22 8.3.6 Aggregated data .22 9 Data processing and use categories 22 9.1 Overview .22 9.2 Data processing categories 23 9.2.1 General.23 9.2.2 Data partitioning .23 9.2.3 Data integration .23 9.2.4 Data fusion .24 9.2.5 Data improvement
13、.24 9.2.6 Encryption 24 9.2.7 Replication .24 9.2.8 Data Deletion 24 9.2.9 Re-identification 25 9.3 Data use categories 25 ISO/IEC 2017 All rights reserved iii Contents Page BS ISO/IEC 19944:2017 ISO/IEC 19944:2017(E)9.3.1 General.25 9.3.2 Provide 26 9.3.3 Improve .26 9.3.4 Personalize .27 9.3.5 Off
14、er upgrades or upsell .27 9.3.6 Market/advertise/promote .27 9.3.7 Share 28 9.4 Scopes: Boundaries of collection and use of data 29 9.4.1 Scope concepts .29 9.4.2 Scope types 29 10 Data use statements .31 10.1 Overview .31 10.2 Data use statement structure 32 10.2.1 Structure definition 32 10.2.2 De
15、scribing the scope of applications and cloud services that apply to use statements 34 10.2.3 Assumptions about when data is collected and used .35 10.2.4 Defining promotion targets .35 10.2.5 Data types .36 10.2.6 Data qualifiers for data types .36 10.2.7 Examples of statements about data flow in th
16、e devices and cloud services ecosystem . .37 10.2.8 Exceptional use statements .38 Annex A (informative) Diagrams of data categories and data identification qualifiers 41 Bibliography .42 iv ISO/IEC 2017 All rights reserved BS ISO/IEC 19944:2017 ISO/IEC 19944:2017(E) Foreword ISO (the International
17、Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by th
18、e respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of in
19、formation technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the di
20、fferent types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IE
21、C shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this docu
22、ment is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade O
23、rganization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Cloud computing and distributed platforms. ISO/IEC 2017 All rights
24、reserved v BS ISO/IEC 19944:2017 ISO/IEC 19944:2017(E) IntroductionObjective and target audience This document provides a description of the ecosystem of devices and cloud services and the related flows of data between cloud services, cloud service customers, cloud service users and their devices. T
25、hese are necessary to provide guidance about how data is used on the devices in the context of the cloud computing ecosystem and the associated location and identity issues that emerge from such use. This document proposes a scheme for the structure of data use statements that can be used by cloud s
26、ervice providers to help cloud service customers understand and protect the privacy and confidentiality of their data and their users data through increased transparency of policies and practices. This document can be used in several ways including, but not limited to, the following: a) by cloud ser
27、vice providers and application developers to guide them in describing what they intend to do with data in their designs, so as to simplify privacy and data use reviews and to communicate this information to non-technical departments such as internal compliance, marketing and legal teams; b) by organ
28、izations drawing up data use statements as part of drafting cloud service agreements and application contracts, privacy statements, etc., which could apply to documents internal to an organization, in addition to public or legal documents; c) by government regulators and agencies to advise on suitab
29、le ways of describing data flow and use; d) by those preparing information on data flow and data use for communication to the press and the public. This document is descriptive and not prescriptive. It cannot be used for compliance directly. Instead, it provides a set of concepts and definitions, in
30、cluding a data taxonomy and data use statement structure, that can be used for transparency about how data is used in an ecosystem of devices and cloud services.Providing a clear description of data flows This document aims to improve the understanding of the data flows that take place in an ecosyst
31、em consisting of devices accessing cloud services. It does this through an extended cloud computing reference architecture (CCRA) (based on the architecture described in ISO/IEC 17789) that describes the impact of devices on cloud service ecosystems and the impact of cloud services on devices. It al
32、so describes the data flows that take place within the extended reference architecture.Providing transparency to all stakeholders To maintain a relationship of trust between the stakeholders of the ecosystem of devices and cloud services and also to meet the demands of laws and regulations, it is ne
33、cessary for the device platform providers and the cloud service providers to be transparent about how they make use of the various data types that flow within the ecosystem. There is a particular need to provide simple and clear statements to end users about what is done with data that relates to th
34、em. The data may be personally identifiable information (PII) and may be sensitive, in other words, this can be a privacy issue. Cloud service customers are likely to be concerned about how their data is used, even when the customer is an organization rather than an individual. The cloud service cus
35、tomer may be a data controller, holding personal data about their employees or their customers; in such a role, the cloud service customer has obligations relating to the processing of that data. To assist cloud service providers and device platform providers in being transparent about their use of
36、data, this document defines a simple language for making statements about data use, which can be used to create clear notification to end users and other interested parties.vi ISO/IEC 2017 All rights reserved BS ISO/IEC 19944:2017 Information technology Cloud computing Cloud services and devices: Da
37、ta flow, data categories and data use 1 Scope This document extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services, describes the various types of data flowing within the devices an
38、d cloud computing ecosystem, describes the impact of connected devices on the data that flow within the cloud computing ecosystem, describes flows of data between cloud services, cloud service customers and cloud service users, provides foundational concepts, including a data taxonomy, and identifie
39、s the categories of data that flow across the cloud service customer devices and cloud services. This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other imp
40、lications of data flows between devices and cloud services. 2 Normative references There are no normative references in this document. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. ISO and IEC maintain terminological databases for use in standa
41、rdization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1 cloud service one or more capabilities offered through cloud computing invoked using a defined interface SOURCE: ISO/IEC 17788:201
42、4, 3.2.8 3.2 cloud service customer party which is in a business relationship for the purpose of using cloud services (3.1) Note 1 to entry: A business relationship does not necessarily imply financial agreements. SOURCE: ISO/IEC 17788:2014, 3.2.11 INTERNATIONAL ST ANDARD ISO/IEC 19944:2017(E) ISO/I
43、EC 2017 All rights reserved 1 BS ISO/IEC 19944:2017 ISO/IEC 19944:2017(E) 3.3 cloud service partner party which is engaged in support of, or auxiliary to, activities of either the cloud service provider (3.4) or the cloud service customer (3.2), or both SOURCE: ISO/IEC 17788:2014, 3.2.14 3.4 cloud s
44、ervice provider party which makes cloud services (3.1) available SOURCE: ISO/IEC 17788:2014, 3.2.15 3.5 cloud service user natural person, or entity acting on their behalf, associated with a cloud service customer (3.2) that uses cloud services (3.1) Note 1 to entry: Examples of such entities includ
45、e devices and applications. SOURCE: ISO/IEC 17788:2014, 3.2.17 3.6 device physical entity that communicates directly or indirectly with one or more cloud services (3.1) 3.7 account data class of data specific to each CSC that is required to administer the cloud service (3.1) Note 1 to entry: Account
46、 data is typically generated when a cloud service is purchased and is under the control of the CSP. Note 2 to entry: Account data consists of data elements provided by CSC, such as; name, address, telephone, etc. 3.8 cloud service customer data class of data objects under the control of the cloud se
47、rvice customer (3.2) that were input to the cloud service (3.1), or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud service customer through the published interface of the cloud service Note 1 to entry: An example of legal controls is copyright. Note 2 to
48、entry: It may be that the cloud service contains or operates on data that is not cloud service customer data; this might be data made available by the cloud service providers, or obtained from another source, or it might be publicly available data. However, any output data produced by the actions of
49、 the cloud service customer using the capabilities of the cloud service on this data is likely to be cloud service customer data, following the general principles of copyright, unless there are specific provisions in the cloud service agreement to the contrary. SOURCE: ISO/IEC 17788:2014, 3.2.12 3.9 cloud service derived data class of data objects under cloud service provider (3.4) control that are derived as a result of interaction with the cloud service (3.1) by the cloud service customer (3.2) Note 1 to ent