Reference number ISO/IEC 15944-8:2012(E)
© ISO/IEC 2012

INTERNATIONAL STANDARD ISO/IEC 15944-8
First edition 2012-04-01

Information technology - Business Operational View - Part 8: Identification of privacy protection requirements as external constraints on business transactions

Technologies de l'information - Vue opérationnelle d'affaires - Partie 8: Identification des exigences de protection de la vie privée en tant que contraintes externes sur les transactions d'affaires

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
0 Introduction
0.1 Purpose and overview
0.1.1 ISO/IEC 14662 Open-edi Reference Model
0.1.2 ISO/IEC 15944-1 “Business Agreement Semantic Descriptive Techniques” (“Business Operational View (BOV)”)
0.2 Introducing the use of Person, organization and party in the context of business transaction and commitment exchange
0.3 Importance and role of terms and definitions
0.4 Importance of the two classes of constraints of the Business Transaction Model (BTM)
0.5 Need for a standard based on rules and guidelines
0.6 Use of jurisdictional domain, and jurisdiction (and country) in the context of business transaction and commitment exchange
0.7 Use of identifier as identifier (in business transaction) to prevent ambiguity
0.8 Use of “privacy protection” in the context of business transaction and commitment exchange
0.9 Organization and description of this document
1 Scope
1.1 Statement of scope
1.2 Exclusions
1.2.1 Functional Services View (FSV)
1.2.2 Internal behaviour of organizations (and public administration)
1.2.3 “organization Person”
1.2.4 Overlap of and/or conflict among jurisdictional domains as sources of privacy protection requirements
1.2.5 Publicly available personal information
1.3 Aspects currently not addressed
1.4 IT-systems environment neutrality
2 Normative references
2.1 ISO/IEC, ISO and ITU
2.2 Referenced specifications
3 Terms and definitions
4 Symbols and abbreviations
5 Fundamental principles and assumptions governing privacy protection requirements in business transactions involving individuals (external constraints perspective)
5.1 Introduction
5.2 Exceptions to the application of the privacy protection principles
5.3 Fundamental Privacy Protection Principles
5.3.1 Privacy Protection Principle 1: Preventing Harm
5.3.2 Privacy Protection Principle 2: Accountability
5.3.3 Privacy Protection Principle 3: Identifying Purposes
5.3.4 Privacy Protection Principle 4: Informed Consent
5.3.5 Privacy Protection Principle 5: Limiting Collection
5.3.6 Privacy Protection Principle 6: Limiting Use, Disclosure and Retention
5.3.7 Privacy Protection Principle 7: Accuracy
5.3.8 Privacy Protection Principle 8: Safeguards
5.3.9 Privacy Protection Principle 9: Openness
5.3.10 Privacy Protection Principle 10: Individual Access
5.3.11 Privacy Protection Principle 11: Challenging Compliance
5.4 Requirement for tagging (or labelling) data elements in support of privacy protection requirements
6 Collaboration space and privacy protection
6.1 Introduction
6.2 Basic Open-edi collaboration space: Buyer and seller
6.3 Collaboration space: The role of buyer (as individual), seller and regulator
7 Public policy requirements of jurisdictional domains
7.1 Introduction
7.2 Jurisdictional domains and public policy requirements
7.2.1 Privacy protection
7.2.2 Person and external constraints: Consumer protection
7.2.3 Individual accessibility
7.2.4 Human rights
7.2.5 Privacy as a right of an “individual” and not the right of an organization or public administration
8 Principles and rules governing the establishment, management and use of identities of an individual
8.1 Introduction
8.2 Rules governing the establishment of personae, identifiers and signatures of an individual
8.3 Rules governing the assignment of unique identifiers to an individual by Registration Authorities (RAs)
8.4 Rules governing individual identity, authentication, recognition, and use
8.5 Legally recognized individual identities (LRIIs)
9 Person component individual sub-type
9.1 Introduction
9.2 Role qualification of a Person as an individual
9.3 Persona and legally recognized names (LRNs) of an individual
9.4 Truncation of legally recognized names of individuals
9.5 Rules governing anonymization of individuals in a business transaction
9.6 Rules governing pseudonymization of per