ISO/IEC 19944-1:2020

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 19944-1
ISO/IEC JTC 1/SC 38 Secretariat: ANSI
Voting begins on: Voting terminates on:
2019-12-04 2020-02-26
Cloud computing – Cloud services and devices: data flow,
data categories and data use —
Part 1:
Fundamentals
ICS: 35.210
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 19944-1:2019(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2019

---------------------- Page: 1 ----------------------
ISO/IEC DIS 19944-1:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC DIS 19944-1:2019(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 6
5 Structure of this document . 7
6 Overview of devices and cloud services ecosystems . 7
6.1 Background and context — Impact of devices and personalized cloud services . 7
6.2 Ecosystem of devices and cloud services . 8
6.3 Devices and multiple user sub-roles . 9
6.3.1 General. 9
6.3.2 Bring your own device (BYOD) .10
7 Extending the CCRA to the devices and cloud services ecosystem .12
7.1 Overview .12
7.2 Personal and organizational environments .12
7.3 Device impact on the CCRA: User view .12
7.3.1 Cloud service provider . .12
7.3.2 Cloud service customer .13
7.4 Device impact on the CCRA: Functional view .14
7.4.1 General.14
7.4.2 Functional components in the functional view .15
7.4.3 Functional view: Data flows .16
8 Data taxonomy .18
8.1 Overview .18
8.2 Data categories .19
8.2.1 General.19
8.2.2 Customer content data .20
8.2.3 Derived data .21
8.2.4 Cloud service provider data .23
8.2.5 Account data .23
8.3 Data identification qualifiers .24
8.3.1 General.24
8.3.2 Identified data .24
8.3.3 Pseudonymized data .25
8.3.4 Unlinked pseudonymized data .25
8.3.5 Anonymized data .25
8.3.6 Aggregated data .25
8.4 Orthogonal facets of data .25
8.4.1 General.25
8.4.2 Perspective used in the definition of data facets .28
8.4.3 Common orthogonal data facets .28
8.4.4 Use of data facets to describe data taxonomy .34
9 Data processing and use categories .34
9.1 Overview .34
9.2 Data processing categories .34
9.2.1 General.34
9.2.2 Data partitioning .35
9.2.3 Data integration .35
9.2.4 Data fusion .36
9.2.5 Data improvement .36
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC DIS 19944-1:2019(E)

9.2.6 Encryption .36
9.2.7 Replication .36
9.2.8 Data Deletion . . .36
9.2.9 Re-identification .37
9.3 Data use categories .37
9.3.1 General.37
9.3.2 Provide .37
9.3.3 Improve .38
9.3.4 Personalize .38
9.3.5 Offer upgrades or upsell .39
9.3.6 Market/advertise/promote .39
9.3.7 Share .40
9.3.8 Collect .40
9.3.9 Train (AI system) .41
9.4 Scopes: Boundaries of collection and use of data .41
9.4.1 Scope concepts .41
9.4.2 Scope types .41
9.4.3 Scope characteristics .43
9.4.4 Network connection between scopes .43
9.4.5 Control of source scope over result scope .44
10 Data use statements .44
10.1 Overview .44
10.2 Data use statement structure .45
10.2.1 Structure definition .45
10.2.2 Describing the scope of applications and cloud services that apply to use
statements .47
10.2.3 Assumptions about when data is collected and used .48
10.2.4 Defining promotion targets .48
10.2.5 Data types .48
10.2.6 Data qualifiers for data types .49
10.2.7 Examples of statements about data flow in the devices and cloud services
ecosystem . .50
10.2.8 Exceptional use statements .51
10.2.9 Data sharing .53
10.3 Use of orthogonal data facets in data use statement .54
10.3.1 General.54
10.3.2 Use of elements in the data facets as attributes .54
10.3.3 Hierarchy of elements/attributes of data based on facets .55
10.3.4 Use of attributes to describe PII .56
10.3.5 Use of attributes to tag IP data.56
10.3.6 Use of attributes to tag IP data from shared pools, while respecting partner IP .57
11 Data lineage and data provenance .59
11.1 General .59
11.2 Tracing data lineage.59
12 Use of taxonomy and data use statement in other computing environments .60
13 Use of data taxonomy and use statements in Artificial Intelligence scenarios .60
Annex A (informative) Diagrams of data categories and data identification qualifiers .63
Bibliography .64
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC DIS 19944-1:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC DIS 19944-1:2019(E)

Introduction
Objective and target audience
This document provides a description of the ecosystem of devices and cloud services and the related
flows of data between cloud services, cloud service customers, cloud service users and their devices.
These are necessary to provide guidance about how data is used on the devices in the context of the
cloud computing ecosystem and the associated location and identity issues that emerge from such use.
This document proposes a scheme for the structure of data use statements that can be used by cloud
service providers to help cloud service customers understand and protect the privacy and confidentiality
of their data and their users’ data through increased transparency of policies and practices.
This document can be used in several ways including, but not limited to, the following:
a) by cloud service providers and application developers to guide them in describing what they intend to
do with data in their designs, so as to simplify privacy and data use reviews and to communicate this
information to non-technical departments such as internal compliance, marketing and legal teams;
b) by organizations drawing up data use statements as part of drafting cloud service agreements
and application contracts, privacy statements, etc., which could apply to documents internal to an
organization, in addition to public or legal documents;
c) by government regulators and agencies to advise on suitable ways of describing data flow and use;
d) by those preparing information on data flow and data use for communication to the press and
the public.
This document is descriptive and not prescriptive. It cannot be used for compliance directly. Instead, it
provides a set of concepts and definitions, including a data taxonomy and data use statement structure,
that can be used for transparency about how data is used in an ecosystem of devices and cloud services.
Providing a clear description of data flows
This document aims to improve the understanding of the data flows that take place in an ecosystem
consisting of devices accessing cloud services. It does this through an extended cloud computing
reference architecture (CCRA) (based on the architecture described in ISO/IEC 17789) that describes
the impact of devices on cloud service ecosystems and the impact of cloud services on devices. It also
describes the data flows that take place within the extended reference architecture.
Providing transparency to all stakeholders
To maintain a relationship of trust between the stakeholders of the ecosystem of devices and cloud
services and also to meet the demands of laws and regulations, it is necessary for the device platform
providers and the cloud service providers to be transparent about how they make use of the various
data types that flow within the ecosystem.
There is a particular need to provide simple and clear statements to end users about what is done with
data that relates to them. The data may be personally identifiable information (PII) and may be sensitive,
in other words, this can be a privacy issue. Cloud service customers are likely to be concerned about how
their data is used, even when the customer is an organization rather than an individual. The cloud service
customer may be a data controller, holding personal data about their employees or their customers; in
such a role, the cloud service customer has obligations relating to the processing of that data.
To assist cloud service providers and device platform providers in being transparent about their use of
data, this document defines a simple language for making statements about data use, which can be used
to create clear notification to end users and other interested parties.
This revision of ISO/IEC 19944 contains additional material which principally deals with organizational
data and the need to treat some organizational data in particular ways in order to ensure confidentiality,
integrity and so on.
vi © ISO/IEC 2019 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC DIS 19944-1:2019(E)

To assist with this, the new concept of data facets is introduced and data facets are used to extend
the expressiveness of data use statements, including adding the concept of which individuals or
organizations have control over data.
New data use categories are introduced, including some that address the newer uses of data associated
with artificial intelligence systems.
© ISO/IEC 2019 – All rights reserved vii

---------------------- Page: 7 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 19944-1:2019(E)
Cloud computing – Cloud services and devices: data flow,
data categories and data use —
Part 1:
Fundamentals
1 Scope
This document
— extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and
ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,
— describes the various types of data flowing within the devices and cloud computing ecosystem,
— describes the impact of connected devices on the data that flow within the cloud computing
ecosystem,
— describes flows of data between cloud services, cloud service customers and cloud service users,
— provides foundational concepts, including a data taxonomy, and
— identifies the categories of data that flow across the cloud service customer devices and cloud
services.
This document is applicable primarily to cloud service providers, cloud service customers and cloud
service users, but also to any person or organization involved in legal, policy, technical or other
implications of data flows between devices and cloud services.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
cloud service
one or more capabilities offered through cloud computing invoked using a defined interface
[SOURCE: ISO/IEC 17788:2014, 3.2.8]
3.2
cloud service customer
party which is in a business relationship for the purpose of using cloud services (3.1)
Note 1 to entry: A business relationship does not necessarily imply financial agreements.
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/IEC DIS 19944-1:2019(E)

[SOURCE: ISO/IEC 17788:2014, 3.2.11]
3.3
cloud service partner
party which is engaged in support of, or auxiliary to, activities of either the cloud service provider (3.4)
or the cloud service customer (3.2), or both
[SOURCE: ISO/IEC 17788:2014, 3.2.14]
3.4
cloud service provider
party which makes cloud services (3.1) available
[SOURCE: ISO/IEC 17788:2014, 3.2.15]
3.5
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer (3.2) that uses
cloud services (3.1)
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 17788:2014, 3.2.17]
3.6
device
physical entity that communicates directly or indirectly with one or more cloud services (3.1)
3.7
account data
class of data specific to each CSC that is required to administer the cloud service (3.1)
Note 1 to entry: Account data is typically generated when a cloud service is purchased and is under the control of
the CSP.
Note 2 to entry: Account data consists of data elements provided by CSC, such as; name, address, telephone, etc.
3.8
cloud service customer data
class of data objects under the control of the cloud service customer (3.2) that were input to the cloud
service (3.1), or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud
service customer through the published interface of the cloud service
Note 1 to entry: An example of legal contro
...