ISO_IEC_29100-2011.pdf

INTERNATIONALISO/IECSTANDARD29100First edition2011-12-15Information technology-Securitytechniques-Privacy frameworkTechnologies de linformation-Techniques de securite-Cadre priveReference number1S0/1EC29100:2011(E)ISOIEC1S0/1EC20111S0/1EC29100:2011(E)COPYRIGHT PROTECTED DOCUMENTIS0/1EC2011All rights reserved.Unless otherwise specified,no part of this publication may be reproduced or utilized in any form or by any means,electronic or mechanical,including photocopying and microfilm,without permission in writing from either ISO at the address below orISOs member body in the country of the requester.ISO copyright officeCase postale 56.CH-1211 Geneva 20Tel.+41227490111Fax+41227490947E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandlSO/小EC2011-All rights reserved1S0/1EC29100:2011(E)ContentsPagentroduction.1.12Terms and definitions.3Symbols and abbreviated terms.4Basic elements of the privacy framework4.1Overview of the privacy framework.5.54.2Actors and roles.54.2.1Pl principals4.2.2Pl controlers.54.2.3Pll processors.4.2.4Third Partie4.3Interactions.64.4Recognizing Pl.74.4.1dentifiers.74.4.2Other distinguishing characteristics.4.4.3Information which is or might be linked to a Pll principal7.84.4.4Pseudonym0 us data94.4.54.4.6MetadataUnsolicited Pll.994.4.7Sensitive Pll.94.5Privacy safeguarding requirements.104.5.1Legal and regulato门y factors.114.5.2Contractual factors.14.5.3BuSineS4.5.4Other factors.124.6Privacy policies.4.7Privacy controls.135The privacy principles of ISO/IEC 29100.145.1Overview of privacy principles.145.2Consent and choice.145.3Purpose legitimacy and specification.5.4Copection limitation155.55.6Use,retention and disclosure limitation.165.7Accuracy and guality165.8Openness,transparency and notice.175.9Individual participation and access.5.10Accountability.185.11Information security.5.12Privacy compliance.19Annex A(informative)Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000concepts.20Bibliography.21All rights reserved1S0/1EC29100:2011(E)FiguresFigure 1-Factors influencing privacy risk management.11TablesTable 1-Possible flows of Pll among the Pll principal,Pll controller,Pll processor and a third party and theirroles7Table 2-Example of attributes that can be used to identify natural persons8Table 3-The privacy principles of ISO/IEC 2910014Table A.1-Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts20ISO/IEC 2011-All rights reserved1S0/1EC29100:2011(E)ForewordISO(the International Organization for Standardization)and IEC(the International ElectrotechnicalCommission)form the specialized system for worldwide standardization.National bodies that are members ofISO or IEC participate in the development of International Standards through technical committeesestablished by the respective organization to deal with particular fields of technical activity.ISO and IECtechnical committees collaborate in fields of mutual interest.Other international organizations,governmentaland non-governmental,in liaison with ISO and IEC,also take part in the work.In the field of informationtechnology,ISO and IEC have established a joint technical committee,ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives,Part 2.The main task of the joint technical committee is to prepare International Standards.Draft InternationalStandards adopted by the joint technical committee are circulated to national bodies for voting.Publication asan International Standard requires approval by at least 75%of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patentrights.ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1,Information technology,Subcommittee SC 27,IT Security techniques.All rights reservedV