For reference purposes

The privacy principles of ISO/IEC 29100

This standard is freely available at https://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip

1. Consent and Choice.

Adhering to the consent principle means:

• presenting to the PII principal the choice whether or not to allow the processing of their PII except where the PII principal cannot freely withhold consent or where applicable law specifically allows the processing of PII without the natural person’s consent. The PII principal’s choice must be given freely, specific and on a knowledgeable basis;

obtaining the opt-in consent of the PII principal for collecting or otherwise processing sensitive PII except where applicable law allows the processing of sensitive PII without the natural person’s consent;

• informing PII principals, before obtaining consent, about their rights under the individual participation and access principle;

• providing PII principals, before obtaining consent, with the information indicated by the openness, transparency and notice principle; and

• explaining to PII principals the implications of granting or withholding consent.

For a PII controller, adhering to the choice principle means:

• providing PII principals with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice and to give consent in relation to the processing of their PII at the time of collection, first use or as soon as practicable thereafter; and

• implementing the PII principal’s preferences as expressed in their consent.

2. Purpose legitimacy and specification.

• Adhering to the purpose legitimacy and specification principle means:

• ensuring that the purpose(s) complies with applicable law and relies on a permissible legal basis;

• communicating the purpose(s) to the PII principal before the time the information is collected or used for the first time for a new purpose;

• using language for this specification which is both clear and appropriately adapted to the circumstances; and

• if applicable, giving sufficient explanations for the need to process sensitive PII.

3. Collection limitation

Adhering to the collection limitation principle means:

• limiting the collection of PII to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s).

4. Data minimization

Adhering to the data minimization principle means designing and implementing data processing procedures and ICT systems in such a way as to:

• minimize the PII which is processed and the number of privacy stakeholders and people to whom PII is disclosed or who have access to it;

• ensure adoption of a “need-to-know” principle, i.e. one should be given access only to the PII which is necessary for the conduct of his/her official duties in the framework of the legitimate purpose of the PII processing;

• use or offer as default options, wherever possible, interactions and transactions which do not involve the identification of PII principals, reduce the observability of their behaviour and limit the linkability of the PII collected; and

• delete and dispose of PII whenever the purpose for PII processing has expired, there are no legal requirements to keep the PII or whenever it is practical to do so.

5. Use, retention and disclosure limitation

Adhering to the use, retention and disclosure limitation principle means:

• limiting the use, retention and disclosure (including transfer) of PII to that which is necessary in order to fulfil specific, explicit and legitimate purposes;

• limiting the use of PII to the purposes specified by the PII controller prior to collection, unless a different purpose is explicitly required by applicable law;

• retaining PII only as long as necessary to fulfil the stated purposes, and after that securely destroying or anonymizing it; and

• locking (i.e. archiving, securing and exempting the PII from further processing) any PII when and for as long as the stated purposes have expired, but where retention is required by applicable laws.

6. Accuracy and quality

Adhering to the accuracy and quality principle means:

• ensuring that the PII processed is accurate, complete, up-to-date (unless there is a legitimate basis for keeping outdated data), adequate and relevant for the purpose of use;

• ensuring the reliability of PII collected from a source other than from the PII principal before it is processed;

• verifying, through appropriate means, the validity and correctness of the claims made by the PII principal prior to making any changes to the PII (in order to ensure that the changes are properly authorized), where it is appropriate to do so;

• establishing PII collection procedures to help ensure accuracy and quality; and

• establishing control mechanisms to periodically check the accuracy and quality of collected and stored PII.

7. Openness, transparency and notice

Adhering to the openness, transparency and notice principle means:

• providing PII principals with clear and easily accessible information about the PII controller’s policies, procedures and practices with respect to the processing of PII;

• including in notices the fact that PII is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the PII might be disclosed, and the identity of the PII controller including information on how to contact the PII controller;

• disclosing the choices and means offered by the PII controller to PII principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information; and

• giving notice to the PII principals when major changes in the PII handling procedures occur.

In addition, the purpose of the processing of PII should be sufficiently detailed in order to allow the PII principal to understand:

• the specified PII required for the specified purpose;

• the specified purpose for PII collection;

• the specified processing (including collection, communication and storage mechanisms);

• the types of authorized natural persons who will access the PII and to whom the PII can be transferred; and

• the specified PII data retention and disposal requirements.

8. Individual participation and access

Adhering to the individual participation and access principle means:

• giving PII principals the ability to access and review their PII, provided their identity is first authenticated with an appropriate level of assurance and such access is not prohibited by applicable law;

• allowing PII principals to challenge the accuracy and completeness of the PII and have it amended, corrected or removed as appropriate and possible in the specific context;

• providing any amendment, correction or removal to PII processors and third parties to whom personal data had been disclosed, where they are known; and

• establishing procedures to enable PII principals to exercise these rights in a simple, fast and efficient way, which does not entail undue delay or cost.

9. Accountability

The processing of PII entails a duty of care and the adoption of concrete and practical measures for its protection. Adhering to the accountability principle means:

• documenting and communicating as appropriate all privacy-related policies, procedures and practices;

• assigning to a specified individual within the organization (who might in turn delegate to others in the organization as appropriate) the task of implementing the privacy-related policies, procedures and practices;

• when transferring PII to third parties, ensuring that the third party recipient will be bound to provide an equivalent level of privacy protection through contractual or other means such as mandatory internal policies (applicable law can contain additional requirements regarding international data transfers);

• providing suitable training for the personnel of the PII controller who will have access to PII;

• setting up efficient internal complaint handling and redress procedures for use by PII principals;

• informing PII principals about privacy breaches that can lead to substantial damage to them (unless prohibited, e.g., while working with law enforcement) as well as the measures taken for resolution;

• notifying all relevant privacy stakeholders about privacy breaches as required in some jurisdictions (e.g., the data protection authorities) and depending on the level of risk;

• allowing an aggrieved PII principal access to appropriate and effective sanctions and/or remedies, such as rectification, expungement or restitution if a privacy breach has occurred; and

• considering procedures for compensation for situations in which it will be difficult or impossible to bring the natural person’s privacy status back to a position as if nothing had occurred.

10. Information Security

Adhering to the information security principle means:

• protecting PII under its authority with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the PII, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle;

• choosing PII processors that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of PII and ensuring compliance with these controls;

• basing these controls on applicable legal requirements, security standards, the results of systematic security risk assessments as described in ISO 31000, and the results of a cost/benefit analysis;

• implementing controls in proportion to the likelihood and severity of the potential consequences, the sensitivity of the PII, the number of PII principals that might be affected, and the context in which it is held;

• limiting access to PII to those individuals who require such access to perform their duties, and limit the access those individuals have to only that PII which they require access to in order to perform their duties;

• resolving risks and vulnerabilities that are discovered through privacy risk assessments and audit processes; and

• subjecting the controls to periodic review and reassessment in an ongoing security risk management process.

11. Privacy compliance

Adhering to the privacy compliance principle means:

• verifying and demonstrating that the processing meets data protection and privacy safeguarding requirements by periodically conducting audits using internal auditors or trusted third-party auditors;

• having appropriate internal controls and independent supervision mechanisms in place that assure compliance with relevant privacy law and with their security, data protection and privacy policies and procedures; and

• developing and maintaining privacy risk assessments in order to evaluate whether program and service delivery initiatives involving PII processing comply with data protection and privacy requirements.

The privacy principles of ISO/IEC 18013-5

From Annex E:

1. Consent and Choice — The Data Subject must consent to the processing of their personal data.

2. Purpose Specification — The Data Subject should be fully aware of the purpose for which their personal data is being collected, processed, and potentially stored.

3. Collection Limitation — The Data Controller and Data Processors should only collect the data necessary for their purpose and should only collect data consistent with these principles.

4. Data Minimization — Processing of Data should be minimized to that specifically necessary for the purpose specified.

5. Use, Retention, and Disclosure Limitation — Data Processors should not use personal data of the Data Subject except for the purposes specified and consistent with these other principles. Personal Data should only be retained for the period necessary to provide the service.

6. Data Accuracy and Quality — High accuracy of data being processed and held is in the best interest of the Data Subject, and processors should take measures to ensure accuracy.

7. Openness and Transparency — What data and how data is being processed should be well-known to the Data Subject, including obtaining consent, and posting and updating clear notices.

8. Individual Participation — The Data Subject should be involved in the collection, consent, processing, and storage management of their personal data.

9. Information Security (of Data and Data Subject) — Personal data should be protected by security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure.

10. Privacy Compliance, Accountability and Auditing — The Data Controller and Data Processors must be accountable for all aspects of the processing of Personal Data and provide audit logs and auditability to the Data Subject.