Cloud computing and distributed platforms ─ Data flow, data categories and data use — Part 1: Fundamentals

This document

— extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,

— describes the various types of data flowing within the devices and cloud computing ecosystem,

— describes the impact of connected devices on the data that flow within the cloud computing ecosystem,

— describes flows of data between cloud services, cloud service customers and cloud service users,

— provides foundational concepts, including a data taxonomy, and

— identifies the categories of data that flow across the cloud service customer devices and cloud services.

This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organisation involved in legal, policy, technical or other implications of data flows between devices and cloud services.

Informatique en nuage et plates-formes distribuées ─ Flux de données, catégories de données et utilisation des données — Partie 1: Principes de base

General Information

Status: Published
Publication Date: 25-Oct-2020
Current Stage: 6060 - International Standard published
Start Date: 26-Oct-2020
Completion Date: 26-Oct-2020

Standard
ISO/IEC 19944-1:2020 - Cloud computing and distributed platforms ─ Data flow, data categories and data use
English language
65 pages
Draft
ISO/IEC FDIS 19944-1:Version 25-apr-2020 - Cloud computing -- Cloud services and devices: data flow, data categories and data use
English language
65 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 19944-1
First edition 2020-10
Cloud computing and distributed platforms ─ Data flow, data categories and data use — Part 1: Fundamentals
Informatique en nuage et plates-formes distribuées ─ Flux de données, catégories de données et utilisation des données — Partie 1: Principes de base
Reference number ISO/IEC 19944-1:2020(E)
© ISO/IEC 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
  3.1 Terms related to data categories
  3.2 Terms related to cloud services and devices ecosystem
  3.3 Terms related to privacy
  3.4 Terms related to organizational data
  3.5 Terms related to artificial intelligence
  3.6 General terms
4 Abbreviated terms
5 Structure of this document
  5.1 Document organization
  5.2 Overview and reference architecture
  5.3 Data taxonomies, data categories and data use statement structure
6 Overview of devices and cloud services ecosystems
  6.1 Background and context — Impact of devices and personalized cloud services
  6.2 Ecosystem of devices and cloud services
  6.3 Devices and multiple user sub-roles
    6.3.1 General
    6.3.2 Bring your own device
7 Extending the CCRA to the devices and cloud services ecosystem
  7.1 Overview
  7.2 Personal and organizational environments
  7.3 Device impact on the CCRA: User view
    7.3.1 Cloud service provider
    7.3.2 Cloud service customer
  7.4 Device impact on the CCRA: functional view
    7.4.1 General
    7.4.2 Functional components in the functional view
    7.4.3 Functional view: data flows
8 Data taxonomy
  8.1 Overview
  8.2 Data categories
    8.2.1 General
    8.2.2 Customer content data
    8.2.3 Derived data
    8.2.4 Cloud service provider data
    8.2.5 Account data
  8.3 Data identification qualifiers
    8.3.1 General
    8.3.2 Identified data
    8.3.3 Pseudonymized data
    8.3.4 Unlinked pseudonymized data
    8.3.5 Anonymized data
    8.3.6 Aggregated data
  8.4 Orthogonal facets of data
    8.4.1 General
    8.4.2 Perspective used in the definition of data facets
    8.4.3 Common orthogonal data facets
    8.4.4 Use of data facets to describe data taxonomy
9 Data processing and use categories
  9.1 Overview
  9.2 Data processing categories
    9.2.1 General
    9.2.2 Data partitioning
    9.2.3 Data integration
    9.2.4 Data fusion
    9.2.5 Data improvement
    9.2.6 Encryption
    9.2.7 Replication
    9.2.8 Data Deletion
    9.2.9 Re-identification
  9.3 Data use categories
    9.3.1 General
    9.3.2 Provide
    9.3.3 Improve
    9.3.4 Personalize
    9.3.5 Offer upgrades or upsell
    9.3.6 Market/advertize/promote
    9.3.7 Share
    9.3.8 Collect
    9.3.9 Train (AI system)
  9.4 Scopes: Boundaries of collection and use of data
    9.4.1 Scope concepts
    9.4.2 Scope types
    9.4.3 Scope characteristics
    9.4.4 Network connection between scopes
    9.4.5 Control of source scope over result scope
10 Data use statements
  10.1 Overview
  10.2 Data use statement structure
    10.2.1 Structure definition
    10.2.2 Describing the scope of applications and cloud services that apply to use statements
    10.2.3 Assumptions about when data are collected and used
    10.2.4 Defining promotion targets
    10.2.5 Data types
    10.2.6 Data qualifiers for data types
    10.2.7 Examples of statements about data flow in the devices and cloud services ecosystem
    10.2.8 Exceptional use statements
    10.2.9 Data sharing
  10.3 Use of orthogonal data facets in data use statement
    10.3.1 General
    10.3.2 Use of elements in the data facets as attributes
    10.3.3 Hierarchy of elements/attributes of data based on facets
    10.3.4 Use of attributes to describe PII
    10.3.5 Use of attributes to tag IP data
    10.3.6 Use of attributes to tag IP data from shared pools, while respecting partner IP
11 Data lineage and data provenance
  11.1 General
  11.2 Tracing data lineage
12 Use of taxonomy and data use statement in other computing environments
13 Use of data taxonomy and use statements in Artificial Intelligence scenarios
Annex A (informative) Diagrams of data categories and data identification qualifiers
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.c).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information Technology, Subcommittee SC 38, Cloud Computing and Distributed Platforms.

This first edition of ISO/IEC 19944-1, along with ISO/IEC 19944-2 cancels and replaces ISO/IEC 19944:2017, which has been technically revised.

The main changes compared to the previous edition are as follows:

— provides additional material which principally deals with organizational data and the need to treat some organizational data in particular ways in order to ensure confidentiality, integrity and so on,

— the new concept of data facets is introduced and data facets are used to extend the expressiveness of data use statements, including adding the concept of which individuals or organizations have control over data,

— the new data use categories are introduced, including some that address the newer uses of data associated with artificial intelligence systems.

A list of all parts in the ISO/IEC 19944 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

1) Under preparation. Stage at the time of publication: ISO/IEC PWI 19944-2:2020.

Introduction

This document provides a description of the ecosystem of devices and cloud services and the related flows of data between cloud services, cloud service customers, cloud service users and their devices. These are necessary to provide guidance about how data are used on the devices in the context of the cloud computing ecosystem and the associated location and identity issues that emerge from such use.

This document proposes a scheme for the structure of data use statements that can be used by cloud service providers to help cloud service customers understand and protect the privacy and confidentiality of their data and their users’ data through increased transparency of policies and practices.

This document may be used in several ways including, but not limited to:

a) by cloud service providers and application developers to guide them in describing what they intend to do with data in their designs, so as to simplify privacy and data use reviews and to communicate this information to non-technical departments such as internal compliance, marketing and legal teams;

b) by organisations drawing up data use statements as part of drafting cloud service agreements and application contracts, privacy statements, etc., which could apply to documents internal to an organisation, in addition to public or legal documents;

c) by government regulators and agencies to advise on suitable ways of describing data flow and use;

d) by those preparing information on data flow and data use for communication to the press and the public.

This document cannot be used for compliance directly. Instead, it provides a set of concepts and definitions, including a data taxonomy and data use statement structure, that can be used for transparency about how data are used in an ecosystem of devices and cloud services.

This document also aims to improve the understanding of the data flows that take place in an ecosystem consisting of devices accessing cloud services. It does this through an extended cloud computing reference architecture (CCRA) (based on the architecture described in ISO/IEC 17789) that describes the impact of devices on cloud service ecosystems and the impact of cloud services on devices. It also describes the data flows that take place within the extended reference architecture.

To maintain a relationship of trust between the stakeholders of the ecosystem of devices and cloud services and also to meet the demands of laws and regulations, it is necessary for the device platform providers and the cloud service providers to be transparent about how they make use of the various data types that flow within the ecosystem.

There is a particular need to provide simple and clear statements to end users about what is done with data that relates to them. The data may be personally identifiable information (PII) and may be sensitive, in other words, this can be a privacy issue. Cloud service customers are likely to be concerned about how their data are used, even when the customer is an organization rather than an individual. The cloud service customer may be a data controller, holding personal data about their employees or their customers; in such a role, the cloud service customer has obligations relating to the processing of that data.

To assist cloud service providers and device platform providers in being transparent about their use of data, this document defines a simple language for making statements about data use, which can be used to create clear notification to end users and other interested parties.

This version of ISO/IEC 19944 contains additional material which principally deals with organizational data and the need to treat some organizational data in particular ways in order to ensure confidentiality, integrity and so on.

To assist with this, the new concept of data facets is introduced and data facets are used to extend the expressiveness of data use statements, including adding the concept of which individuals or organizations have control over data.

New data use categories are introduced, including some that address the newer uses of data associated with artificial intelligence systems.
1 Scope
This document

— extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,

— describes the various types of data flowing within the devices and cloud computing ecosystem,

— describes the impact of connected devices on the data that flow within the cloud computing ecosystem,

— describes flows of data between cloud services, cloud service customers and cloud service users,

— provides foundational concepts, including a data taxonomy, and

— identifies the categories of data that flow across the cloud service customer devices and cloud services.

This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organisation involved in legal, policy, technical or other implications of data flows between devices and cloud services.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 17789:2014, Information techno
...

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 19944-1
ISO/IEC JTC 1/SC 38 Secretariat: ANSI
Voting begins on: 2019-12-04
Voting terminates on: 2020-02-26
Cloud computing – Cloud services and devices: data flow,
data categories and data use —
Part 1:
Fundamentals
ICS: 35.210
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.

Reference number ISO/IEC DIS 19944-1:2019(E)

ISO/IEC 2019
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this document
6 Overview of devices and cloud services ecosystems
6.1 Background and context — Impact of devices and personalized cloud services
6.2 Ecosystem of devices and cloud services
6.3 Devices and multiple user sub-roles
6.3.1 General
6.3.2 Bring your own device (BYOD)
7 Extending the CCRA to the devices and cloud services ecosystem
7.1 Overview
7.2 Personal and organizational environments
7.3 Device impact on the CCRA: User view
7.3.1 Cloud service provider
7.3.2 Cloud service customer
7.4 Device impact on the CCRA: Functional view
7.4.1 General
7.4.2 Functional components in the functional view
7.4.3 Functional view: Data flows
8 Data taxonomy
8.1 Overview
8.2 Data categories
8.2.1 General
8.2.2 Customer content data
8.2.3 Derived data
8.2.4 Cloud service provider data
8.2.5 Account data
8.3 Data identification qualifiers
8.3.1 General
8.3.2 Identified data
8.3.3 Pseudonymized data
8.3.4 Unlinked pseudonymized data
8.3.5 Anonymized data
8.3.6 Aggregated data
8.4 Orthogonal facets of data
8.4.1 General
8.4.2 Perspective used in the definition of data facets
8.4.3 Common orthogonal data facets
8.4.4 Use of data facets to describe data taxonomy
9 Data processing and use categories
9.1 Overview
9.2 Data processing categories
9.2.1 General
9.2.2 Data partitioning
9.2.3 Data integration
9.2.4 Data fusion
9.2.5 Data improvement

9.2.6 Encryption
9.2.7 Replication
9.2.8 Data Deletion
9.2.9 Re-identification
9.3 Data use categories
9.3.1 General
9.3.2 Provide
9.3.3 Improve
9.3.4 Personalize
9.3.5 Offer upgrades or upsell
9.3.6 Market/advertise/promote
9.3.7 Share
9.3.8 Collect
9.3.9 Train (AI system)
9.4 Scopes: Boundaries of collection and use of data
9.4.1 Scope concepts
9.4.2 Scope types
9.4.3 Scope characteristics
9.4.4 Network connection between scopes
9.4.5 Control of source scope over result scope
10 Data use statements
10.1 Overview
10.2 Data use statement structure
10.2.1 Structure definition
10.2.2 Describing the scope of applications and cloud services that apply to use statements
10.2.3 Assumptions about when data is collected and used
10.2.4 Defining promotion targets
10.2.5 Data types
10.2.6 Data qualifiers for data types
10.2.7 Examples of statements about data flow in the devices and cloud services ecosystem
10.2.8 Exceptional use statements
10.2.9 Data sharing
10.3 Use of orthogonal data facets in data use statement
10.3.1 General
10.3.2 Use of elements in the data facets as attributes
10.3.3 Hierarchy of elements/attributes of data based on facets
10.3.4 Use of attributes to describe PII
10.3.5 Use of attributes to tag IP data
10.3.6 Use of attributes to tag IP data from shared pools, while respecting partner IP
11 Data lineage and data provenance
11.1 General
11.2 Tracing data lineage
12 Use of taxonomy and data use statement in other computing environments
13 Use of data taxonomy and use statements in Artificial Intelligence scenarios
Annex A (informative) Diagrams of data categories and data identification qualifiers
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Cloud computing and distributed platforms.
Introduction
Objective and target audience

This document provides a description of the ecosystem of devices and cloud services and the related flows of data between cloud services, cloud service customers, cloud service users and their devices. These are necessary to provide guidance about how data is used on the devices in the context of the cloud computing ecosystem and the associated location and identity issues that emerge from such use.

This document proposes a scheme for the structure of data use statements that can be used by cloud service providers to help cloud service customers understand and protect the privacy and confidentiality of their data and their users’ data through increased transparency of policies and practices.

This document can be used in several ways including, but not limited to, the following:

a) by cloud service providers and application developers to guide them in describing what they intend to do with data in their designs, so as to simplify privacy and data use reviews and to communicate this information to non-technical departments such as internal compliance, marketing and legal teams;

b) by organizations drawing up data use statements as part of drafting cloud service agreements and application contracts, privacy statements, etc., which could apply to documents internal to an organization, in addition to public or legal documents;

c) by government regulators and agencies to advise on suitable ways of describing data flow and use;

d) by those preparing information on data flow and data use for communication to the press and the public.

This document is descriptive and not prescriptive. It cannot be used for compliance directly. Instead, it provides a set of concepts and definitions, including a data taxonomy and data use statement structure, that can be used for transparency about how data is used in an ecosystem of devices and cloud services.

Providing a clear description of data flows

This document aims to improve the understanding of the data flows that take place in an ecosystem consisting of devices accessing cloud services. It does this through an extended cloud computing reference architecture (CCRA) (based on the architecture described in ISO/IEC 17789) that describes the impact of devices on cloud service ecosystems and the impact of cloud services on devices. It also describes the data flows that take place within the extended reference architecture.

Providing transparency to all stakeholders

To maintain a relationship of trust between the stakeholders of the ecosystem of devices and cloud services and also to meet the demands of laws and regulations, it is necessary for the device platform providers and the cloud service providers to be transparent about how they make use of the various data types that flow within the ecosystem.

There is a particular need to provide simple and clear statements to end users about what is done with data that relates to them. The data may be personally identifiable information (PII) and may be sensitive; in other words, this can be a privacy issue. Cloud service customers are likely to be concerned about how their data is used, even when the customer is an organization rather than an individual. The cloud service customer may be a data controller, holding personal data about their employees or their customers; in such a role, the cloud service customer has obligations relating to the processing of that data.

To assist cloud service providers and device platform providers in being transparent about their use of data, this document defines a simple language for making statements about data use, which can be used to create clear notification to end users and other interested parties.

This revision of ISO/IEC 19944 contains additional material which principally deals with organizational data and the need to treat some organizational data in particular ways in order to ensure confidentiality, integrity and so on.
To assist with this, the new concept of data facets is introduced and data facets are used to extend the expressiveness of data use statements, including adding the concept of which individuals or organizations have control over data.

New data use categories are introduced, including some that address the newer uses of data associated with artificial intelligence systems.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 19944-1:2019(E)
Cloud computing – Cloud services and devices: data flow,
data categories and data use —
Part 1:
Fundamentals
1 Scope
This document

— extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,

— describes the various types of data flowing within the devices and cloud computing ecosystem,

— describes the impact of connected devices on the data that flow within the cloud computing ecosystem,

— describes flows of data between cloud services, cloud service customers and cloud service users,

— provides foundational concepts, including a data taxonomy, and

— identifies the categories of data that flow across the cloud service customer devices and cloud services.

This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of data flows between devices and cloud services.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
cloud service
one or more capabilities offered through cloud computing invoked using a defined interface
[SOURCE: ISO/IEC 17788:2014, 3.2.8]
3.2
cloud service customer
party which is in a business relationship for the purpose of using cloud services (3.1)
Note 1 to entry: A business relationship does not necessarily imply financial agreements.
[SOURCE: ISO/IEC 17788:2014, 3.2.11]
3.3
cloud service partner
party which is engaged in support of, or auxiliary to, activities of either the cloud service provider (3.4) or the cloud service customer (3.2), or both
[SOURCE: ISO/IEC 17788:2014, 3.2.14]
3.4
cloud service provider
party which makes cloud services (3.1) available
[SOURCE: ISO/IEC 17788:2014, 3.2.15]
3.5
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer (3.2) that uses cloud services (3.1)
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 17788:2014, 3.2.17]
3.6
device
physical entity that communicates directly or indirectly with one or more cloud services (3.1)
3.7
account data
class of data specific to each CSC that is required to administer the cloud service (3.1)
Note 1 to entry: Account data is typically generated when a cloud service is purchased and is under the control of the CSP.
Note 2 to entry: Account data consists of data elements provided by CSC, such as name, address, telephone, etc.
3.8
cloud service customer data
class of data objects under the control of the cloud service customer (3.2) that were input to the cloud service (3.1), or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud service customer through the published interface of the cloud service
Note 1 to entry: An example of legal contro
...
