
Frank Fransen | 8 September 2014

ISO/IEC 29134 Privacy Impact Assessment

Privacy standardizations @ ISO JTC1 SC27


1
24 september 2013
Frank Fransen

Table of contents

Introduction

Privacy Framework (ISO/IEC 29100 )

Privacy Impact Assessment (ISO/IEC 29134 )

Summary

ISO JTC1 SC27 Work Group 5


Identity Management & Privacy Technology
Established in 2006

Development and maintenance of standards and guidelines addressing security aspects of:
• Identity management,
• Biometrics, and
• Privacy

In the area of Privacy, topics such as:
• A Privacy Framework
• A Privacy Reference Architecture
• Privacy infrastructures
• Anonymity and credentials
• Specific Privacy Enhancing Technologies (PETs)
• Privacy Engineering


ISO JTC SC27 family of privacy standards

Framework
  IS 29100:2011 Privacy Framework (freely available)
  WG 5 SD2 Privacy Reference List, http://www.jtc1sc27.din.de/

Management
  IS 29134 (4th WD) Privacy Impact Assessment – Methodology
  IS 29190 (1st CD) Privacy Capability Maturity Model

Controls
  IS 27002:2013 Code of practice for information security management
  IS 29151 (3rd WD) Code of practice for PII protection
  IS 27018:2014 Code of practice for PII protection in public clouds acting as PII processors

Technology
  IS 29101:2013 Privacy Architecture Framework
  IS 29191:2012 Requirements for partially anonymous, partially unlinkable authentication

ISO JTC SC27 family of privacy standards – focus of this talk

Within this family, the talk focuses on the management layer: IS 29134 (4th WD) Privacy Impact Assessment – Methodology.

ISO/IEC 29100 – Privacy Framework

Protection of personally identifiable information (PII)
The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by:
• specifying a common privacy terminology;
• defining the actors and their roles in processing PII;
• describing privacy safeguarding requirements; and
• referencing known privacy principles.

Terms and definitions
PII – any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal.

ISO/IEC 29100 – Privacy Framework


Personally Identifiable Information

ISO/IEC 29100 – Privacy Framework


Actors & roles

PII principal – natural person to whom the personally identifiable information (PII) relates

PII controller – privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII), other than natural persons who use data for personal purposes

PII processor – privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller

ISO/IEC 29100 – Privacy Framework


The privacy principles

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Side note – ISO/IEC 29151 (3rd WD), Code of practice for PII protection:
• adds guidance on PII protection to the ISO/IEC 27002 controls, and
• adds new control objectives & controls in accordance with these privacy principles (excl. IS).

ISO/IEC 29100 – Privacy Framework


Correspondence with ISO/IEC 27000 concepts

ISO/IEC 27005 – Information security risk management

ISO/IEC 29134 – Privacy Impact Assessment



ISO/IEC 29134 – Privacy Impact Assessment


Status, planning and scope
ISO/IEC 4th WD 29134 – Information technology – Security techniques – Privacy impact assessment – Methodology
A change of the title to “Guidelines” is pending.

Status & planning

Status   4th WD     CD         DIS        IS
Date     May 2014   Nov 2014   Nov 2015   May 2016
Source: ISO/IEC JTC 1/SC 27 Programme of Work (SD4)

Scope: this International Standard
• gives guidelines for a process on privacy impact assessments;
• describes a structure and content of a PIA report.

ISO/IEC 29134 – Privacy Impact Assessment


Terms and definitions
Inconsistency between ISO/IEC 29100 and ISO/IEC 29134

ISO/IEC 29100
Privacy risk assessment – overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII)
NOTE This process is also known as a Privacy Impact Assessment (PIA)

ISO/IEC 4th WD 29134
Privacy Impact Assessment – systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing privacy risk

Seems more like “Privacy Risk Management”



ISO/IEC 29134 – Privacy Impact Assessment


Purpose for carrying out a PIA
• identify the risks to privacy (Privacy by Design);
• plan a response for privacy impacts;
• aid in stakeholder management where privacy may be a sensitive issue; or
• show compliance, e.g. with a Data protection act.

ISO/IEC 29134 – Privacy Impact Assessment


Guidelines for a process
The process for conducting a PIA consists of 20 steps

Section  Title                                                                                # steps
6.1      Preparation of the PIA                                                               8
6.2      Iterative phases
6.2.1    Analyze the information flows                                                        1
6.2.2    Check the business process under scope meets the privacy safeguarding requirements  1
6.2.3    Assess privacy risk                                                                  3
6.2.4    Treat privacy risks                                                                  3
6.3      Follow up of the PIA                                                                 4
         Total                                                                                20

ISO/IEC 29134 – Privacy Impact Assessment


Guidelines for a process – structure
Each step is structured as follows:
• Goal
• Input
• Action
• Output
• Implementation guidance

ISO/IEC 29134 – Privacy Impact Assessment


Guidelines for a process – steps
Preparation of the PIA (6.1)
  (Need, establish team, make plan, resources, describe business process, identify stakeholders, comm. plan, consultation with stakeholders)

Iterative phases (6.2)
  Analyze the information flows (6.2.1)
  Check business process meets privacy safeguarding requirements (6.2.2)
  Assess privacy risk (6.2.3)
    Privacy risk identification (6.2.3.1)
    Privacy impact analysis (6.2.3.2)
    Privacy impact evaluation (6.2.3.3)
  Treat privacy risks (6.2.4)



ISO/IEC 29134 – Privacy Impact Assessment


Privacy risk identification (6.2.3.1)
Goal: this step aims to identify risks occurring to the PII principal by executing the business process under scope.
Actions:
For each processing of PII, the potential consequences on the PII principals’ privacy should be identified in case of:
• an access to the PII by an unauthorized person (loss of confidentiality);
• a modification of the PII (loss of integrity);
• a disappearance of the PII (loss of availability);
  (these three are the information security consequences)
• an inappropriate linking of PII (loss of linkage prevention);
• insufficient information on the processing of PII (loss of transparency);
• not considering the rights of the PII principal (loss of intervention capability);
• collection and processing of PII without the knowledge of the PII principal (loss of control).
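As an added illustration of this step (not part of the deck and not code from ISO/IEC 29134): a small Python register that records, per processing of PII, the potential consequence for the PII principal under each of the seven loss categories above, and flags processings whose analysis stopped at the three information security losses. The names `Loss`, `Processing`, `identify_risks`, `coverage_gaps` and `infosec_only`, and the two sample processings, are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Loss(Enum):
    """The seven consequence categories of step 6.2.3.1; the value names the
    triggering event as listed on the slide."""
    CONFIDENTIALITY = "access to the PII by an unauthorized person"
    INTEGRITY = "modification of the PII"
    AVAILABILITY = "disappearance of the PII"
    LINKAGE_PREVENTION = "inappropriate linking of PII"
    TRANSPARENCY = "insufficient information on the processing of PII"
    INTERVENTION_CAPABILITY = "rights of the PII principal not considered"
    CONTROL = "collection and processing without the PII principal's knowledge"


# The first three are the information security triad; the remaining four are
# privacy-specific and are exactly what a security-only risk assessment omits.
INFOSEC_LOSSES = frozenset({Loss.CONFIDENTIALITY, Loss.INTEGRITY, Loss.AVAILABILITY})
PRIVACY_LOSSES = frozenset(Loss) - INFOSEC_LOSSES


@dataclass
class Processing:
    """One processing of PII within the business process under scope (constructed model)."""
    name: str
    pii: tuple
    # potential consequence for the PII principal, keyed by loss category
    consequences: dict = field(default_factory=dict)


def identify_risks(processes):
    """Flatten the register into (processing name, Loss, consequence) triples."""
    return [(p.name, loss, text)
            for p in processes
            for loss, text in p.consequences.items()]


def coverage_gaps(processes):
    """Per processing, the loss categories for which no consequence was recorded."""
    gaps = {}
    for p in processes:
        missing = [loss.name for loss in Loss if loss not in p.consequences]
        if missing:
            gaps[p.name] = missing
    return gaps


def infosec_only(processes):
    """Processings whose recorded consequences never go beyond the CIA triad."""
    return [p.name for p in processes
            if p.consequences and set(p.consequences) <= INFOSEC_LOSSES]


# Constructed sample input: two processings of an imaginary web shop.
SAMPLE = [
    Processing(
        name="Newsletter sign-up",
        pii=("e-mail address", "name"),
        consequences={
            Loss.CONFIDENTIALITY: "address list leaked; spam and phishing against subscribers",
            Loss.INTEGRITY: "address altered; mail reaches the wrong person",
            Loss.AVAILABILITY: "unsubscribe requests can no longer be honoured",
            Loss.LINKAGE_PREVENTION: "sign-ups correlated with purchase history",
            Loss.TRANSPARENCY: "principal not told the list goes to a mailing provider",
            Loss.INTERVENTION_CAPABILITY: "no working channel to correct or delete the address",
            Loss.CONTROL: "pre-ticked box subscribes the principal without informed consent",
        },
    ),
    Processing(
        name="Web analytics",
        pii=("IP address", "device fingerprint"),
        consequences={  # only the security triad was considered: a gap
            Loss.CONFIDENTIALITY: "browsing history exposed to a third party",
            Loss.INTEGRITY: "tampered statistics",
            Loss.AVAILABILITY: "no direct impact on the principal",
        },
    ),
]


if __name__ == "__main__":
    for name, loss, text in identify_risks(SAMPLE):
        print(f"{name:20} {loss.name:24} {text}")
    print("gaps:", coverage_gaps(SAMPLE))
    print("infosec-only:", infosec_only(SAMPLE))
```

Running the module prints the flattened risk list and then the gaps; in the constructed sample the “Web analytics” processing is flagged because only confidentiality, integrity and availability were considered, which is the difference between an information security risk assessment and a PIA.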

ISO/IEC 29134 – Privacy Impact Assessment


Guidelines for a process – steps
Preparation of the PIA (6.1)
  (Need, establish team, make plan, resources, describe business process, identify stakeholders, comm. plan, consultation with stakeholders)

Iterative phases (6.2)
  Analyze the information flows (6.2.1)
  Check business process meets privacy safeguarding requirements (6.2.2)
  Assess privacy risk (6.2.3)
    Privacy risk identification (6.2.3.1)
    Privacy impact analysis (6.2.3.2)
    Privacy impact evaluation (6.2.3.3)
  Treat privacy risks (6.2.4)
    Choose the privacy risk treatment options (6.2.4.1)
    Determine controls (6.2.4.2)
    Create privacy risk treatment plans (6.2.4.3)

Follow up of the PIA (6.3)
  (Prepare & publish report, implement privacy risk treatment plans, review/audit PIA, re-initiate PIA)

ISO/IEC 29134 – Privacy Impact Assessment


PIA report
Specification of the structure and content of a PIA report
The style is “the report should …”

The PIA report should contain at least:
• the introduction (Clause 7.1);
• the scope of the assessment (Clause 7.2);
• the privacy requirements (Clause 7.3);
• the risk assessment (Clause 7.4);
• the risk treatment (Clause 7.5); and
• the conclusion and decisions taken on the basis of the outcome of the PIA (Clause 7.6).

Summary

The family of privacy standards from ISO JTC1 SC27 is taking shape:
• Privacy framework (terminology, privacy principles, etc.)
• Privacy Impact Assessment (draft)
• Code of practice for PII protection (draft) – extension to ISO/IEC 2700x

ISO/IEC 29134 – Privacy Impact Assessment
• Expected publication date: May 2016
• Gives guidelines for a process on privacy impact assessments.
• Specifies the structure and content of a PIA report.

Questions

Frank Fransen
+31 (0)88 866 7729
frank.fransen@tno.nl
