ISO/IEC CD 29187-1
Information technology — Identification of privacy protection requirements pertaining to learning, education and training (LET) — Part 1: Framework and reference model
Technologies de l'information — Identification des exigences de protection privée concernant l'apprentissage, l'éducation et la formation (AÉF) — Partie 1: Cadre général et modèle de référence
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 29187-1
ISO/IEC JTC 1/SC 36
Secretariat: KATS
Voting begins on: 2016-04-22
Voting terminates on: 2016-06-22
Information technology — Identification of privacy protection requirements pertaining to learning, education and training (LET) — Part 1: Framework and reference model
Technologies de l’information — Identification des exigences de protection privée concernant l’apprentissage, l’éducation et la formation (AÉF) — Partie 1: Cadre général et modèle de référence
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number ISO/IEC FDIS 29187-1:2016(E)
© ISO/IEC 2016
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
1.1 Statement of scope — ISO/IEC 29187 series
1.2 Statement of scope — this part of ISO/IEC 29187
1.3 Exclusions
1.3.1 Functional services view (FSV)
1.3.2 Overlap of and/or conflict among jurisdictional domains as sources of privacy protection requirements
1.3.3 Publicly available personal information
1.4 Aspects currently not addressed
1.5 IT-systems environment neutrality
2 Normative references
2.1 ISO/IEC, ISO and ITU
2.2 Referenced specifications
3 Terms and definitions
4 Symbols and abbreviated terms
5 Fundamental principles and assumptions governing privacy protection requirements in learning transactions involving individual learners (external constraints perspective)
5.1 Overview and sources of requirements
5.2 Exceptions to the application of the privacy protection principles
5.3 Fundamental Privacy Protection Principles
5.3.1 General
5.3.2 Privacy Protection Principle 1: Preventing Harm
5.3.3 Privacy Protection Principle 2: Accountability
5.3.4 Privacy Protection Principle 3: Identifying Purposes
5.3.5 Privacy Protection Principle 4: Informed Consent
5.3.6 Privacy Protection Principle 5: Limiting Collection
5.3.7 Privacy Protection Principle 6: Limiting Use, Disclosure and Retention
5.3.8 Privacy Protection Principle 7: Accuracy
5.3.9 Privacy Protection Principle 8: Safeguards
5.3.10 Privacy Protection Principle 9: Openness
5.3.11 Privacy Protection Principle 10: Individual Access
5.3.12 Privacy Protection Principle 11: Challenging Compliance
5.4 Requirement for tagging (or labelling) data elements in support of privacy protection requirements
6 Collaboration space and privacy protection
6.1 General
6.2 Privacy collaboration space: Role of individual learner, LET provider and regulator
6.3 Learning collaboration space (of a learning transaction)
7 Public policy requirements of jurisdictional domains
7.1 General
7.2 Jurisdictional domains and public policy requirements
7.2.1 Privacy protection
7.2.2 Consumer protection
7.2.3 Individual accessibility
7.2.4 Human rights
7.2.5 Privacy as a right of an “individual” and not as a right of an organization or public administration
7.2.6 Need to differentiate between (a) “privacy protection” and (b) “confidentiality”, “security”, etc.
8 Principles and rules governing the establishment, management and use of identities of an individual (and “individual learner”)
8.1 General
8.2 Rules governing the establishment of personae, identifiers and signatures of an individual
8.3 Rules governing the assignment of unique identifiers to an individual by Registration Authorities (RAs)
8.4 Rules governing individual identity(ies), authentication, recognition, and use
8.5 Legally recognized individual identity(ies) (Lrii)
9 Person component – individual sub-type
9.1 General
9.2 Role qualification of a Person as an individual (learner)
9.3 Persona and legally recognized names (LRNs) of an individual
9.4 Truncation and transliteration of legally recognized names of individuals
9.5 Rules governing anonymization of individuals in a learning transaction
9.6 Rules governing pseudonymization of personal information in a learning transaction
10 Process component
10.1 General
10.2 Planning
10.3 Identification
10.4 Negotiation
10.5 Actualization
10.6 Post-actualization
11 Data (element) component of a learning transaction
11.1 General
11.2 Rules governing the role of Learning Transaction Identifier (LTI) in support of privacy protection requirements
11.3 Rules governing state change management of SRIs in a learning transaction in support of privacy protection requirements
11.4 Rules governing records retention of personal information in a learning transaction
11.5 Rules governing time/date referencing of personal information in a learning transaction
12 Conformance statement
12.1 General
12.2 Conformance to the ISO/IEC 29187-1 Reference Model
12.3 Conformance to other parts of ISO/IEC 29187
Annex A (normative) Consolidated list of terms and definitions with cultural adaptability: ISO English and ISO French language equivalency
Annex B (normative) Learning Transaction Model (LTM): Classes of constraints
Annex C (normative) Integrated set of information life cycle management (ILCM) principles in support of information law compliance
Annex D (normative) Coded domains for specifying state changes and record retention management in support of privacy protection requirements
Annex E (informative) Use and adaptation of the ISO/IEC 14662 Open-edi Reference Model
Annex F (informative) Potential parts for ISO/IEC 29187 based on results of the ISO/IEC JTC 1/SC 36 Ad-Hoc on Privacy (AHP)
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 36, Information technology for learning, education, and training.
This second edition cancels and replaces the first edition (ISO/IEC 29187-1:2013), of which it constitutes
a minor revision.
ISO/IEC 29187 consists of the following parts, under the general title Information technology —
Identification of privacy protection requirements pertaining to learning, education and training (LET):
— Part 1: Framework and reference model
Further parts may be added in the future.
Introduction
Purpose and overview
For the purposes of this part of ISO/IEC 29187, LET covers learning, education and training. In
order to determine the need for, and focus of, LET standards in support of privacy protection requirements
applicable to the personal information of an individual learner, ISO/IEC JTC 1/SC 36 established an “Ad-
Hoc on Privacy (AHP)”. (The majority of the ISO/IEC JTC 1/SC 36 P-members represent jurisdictional
domains which are governed by privacy/data protection requirements of a legislative/regulatory
nature which apply to “individual learners”.) The results of this detailed preparatory work and survey
by the JTC 1/SC 36 AHP identified user requirements and served as the basis for this
International Standard. See Annex F.
NOTE 1 The mandate and objectives of this JTC 1/SC 36 AHP, as well as the Survey instrument, are stated in
document 36N1436.
ISO/IEC JTC 1/SC 36 considers it important that International Standards which facilitate the use
of information and communication technologies (ICT) be structured to be able to support legal
requirements of the jurisdictional domains in which they are to be implemented and used. This is
particularly so in cases where such standards are used to capture and manage recorded information
for decision-making about individuals. Common legal and regulatory requirements of this nature,
which impact the development of ICT-based standards, include those of a public policy nature such as
those pertaining to consumer protection, privacy protection, individual accessibility, human rights, etc.
The role of ISO/IEC JTC 1/SC 36 is to develop ICT-based standards in the fields of learning, education
and training (LET). Since the application and use of the majority of JTC 1/SC 36 standards involve the role
of an individual as “learner”, i.e. as an “individual learner”, any recorded information
on or about an identifiable individual as a “learner” is subject to applicable privacy/data protection
requirements.
This part of ISO/IEC 29187 serves as a “Framework and Reference Model”. Based on a set of (primary)
principles, the “Framework and Reference Model” is composed of a number of conceptual and structural
models. These are represented via “illustrative” figures and associated lexical models in the form of rules.
NOTE 2 One such lexical model is the key concepts and their definitions of the Framework and Reference
Model as presented in Clause 3.
More specific and detailed “typical models” are to be developed in future parts of this International
Standard. These future parts will focus on more detailed specifications of particular components of the
Framework and Reference Model.
Benefits of using a multipart ISO/IEC 29187 standard approach
There are several benefits from taking an integrated approach.
— A multipart standard approach provides for a systematic, cost-efficient and effective approach to
the creation of robust, (re-)usable components in support of LET privacy protection requirements,
including those needed to support a generic global requirements perspective, as well as the
added requirements of particular jurisdictional domains for human interface equivalents (HIEs) at
any level of granularity.
— This multipart standard will provide cost savings to organizations and public administrations,
individual learners and suppliers of LET-based products and services, i.e. “LET providers”. It will do
so from a multilingual requirements perspective and in support of cultural adaptability, individual
accessibility and diversity.
NOTE 3 Multilingual communications (whatever the supporting IT platform used, including the Internet)
are already supported by existing technologies. Many ISO/IEC and ISO standards already exist (or are under
development) whose contents can and will be used as building blocks for the integration of this new LET
standard.
— Having a common IT-facilitated approach will (a) benefit individual users world-wide (doing so in
respect and support of cultural diversity), (b) ensure that requirements of jurisdictional domains (at
whatever level) can be supported in a very cost-effective and efficient manner, and (c) also benefit
suppliers of LET-focused products and services.
The concept of (semantic) collaboration space (SCS), introduced in Clause 6, is directed at supporting
the implementation of the UN Convention on the Rights of Persons with Disabilities in an ITLET context,
including those aspects of a privacy protection nature.
Informed consent and learning transaction
NOTE 4 Annex E provides informative information on the key modelling constructs introduced in this part of
ISO/IEC 29187.
A key privacy protection requirement is the informed consent of the individual, including
in the role of an individual learner. It also requires the identification of the purpose(s), i.e. the goal(s), for which
the personal information is to be created/collected, used, managed, shared, deleted, etc. In addition to
identifying purposes and informed consent (presented below as Privacy Protection Principles in 5.3.4
and 5.3.5), there are also the Privacy Protection Principles of “accountability”, “limiting collection”,
“limiting use, disclosure and retention”, “accuracy”, “openness”, “individual access”, and “challenging
compliance” (presented below as Privacy Protection Principles in 5.3.3, 5.3.6, 5.3.7, 5.3.8, 5.3.10, 5.3.11, and
5.3.12, respectively).
Requirements of this nature focus on what might be considered the LET operational view (LOV). In
addition, there are ICT technical support requirements for Privacy Protection Principle 8 “Safeguards”
(see 5.3.9). These include security services, communication services, etc.
Requirements of this nature are not unique to an LET (or ITLET) context. They have already been
identified and addressed in a generic manner in the ISO/IEC 14662 Open-edi Reference Model as being
of a “transaction” nature in support of an agreed-upon commitment exchange, here between an individual
learner and an LET provider.
Consequently, the “LET Privacy Protection Framework and Reference Model” (presented in Figure 1)
is based on the “Open-edi Reference Model”. A key construct of the Open-edi Reference Model is that it
recognizes that a commitment exchange, modelled as a transaction, needs to be treated and supported
as a whole. At the same time, and from an ICT (including ITLET) perspective, it is recognized that ICT-
based support services, i.e. the functional support services view, change as ICT changes, whereas
the user and operational requirements view remains fairly constant. The interaction and inter-
working between (a) the user operational view and (b) the ICT support services view, in modelling
a transaction and then developing standards in support of it, is presented in the Open-edi
Reference Model as the need to differentiate between the business operational view (BOV) and the functional
services view (FSV) (see Annex E). The LET privacy protection Framework and Reference Model uses these
two views of the Open-edi Reference Model to describe the relevant aspects of a learning transaction:
a) the “Learning Operational View (LOV)” aspects of a learning transaction;
b) the “LET-FSV” view of a learning transaction.
The Learning Operational View (LOV) addresses the aspects of the context and semantic aspects of
personal information in a learning transaction including data management and interchange aspects.
The LOV also can be referred to as the operational and user requirements view.
The LET-FSV addresses the ICT infrastructure and support services meeting the mechanical needs of the
Learning Operational View. Its purpose is to support the demands on the supporting ICT infrastructure
of the Learning Operational View. It focuses on ICT aspects of
a) functional capabilities,
b) service interfaces, and
c) protocols and APIs.
Figure 1 — Learning Transaction — Privacy Protection — Framework and Reference Model
Use of “jurisdictional domain”, jurisdiction, country
NOTE 5 For more detailed information on this and related matters pertaining to “jurisdictional domain”,
see ISO/IEC 15944-5. This is a freely available ISO/IEC standard (see http://standards.iso.org/ittf/
PubliclyAvailableStandards/).
Multiple different definitions are currently in use for “jurisdiction”. Some have legal status and others
do not. Further, it is a common practice to equate “jurisdiction” with “country”. Yet, at the same time, it is also
a common practice to refer to “provinces”, “states”, “länder”, “cantons”, “territories”, “municipalities”,
etc., as jurisdictions. In addition, several UN member states can combine to form a “jurisdiction” (e.g.
the European Union, NAFTA, etc.).
In this standard,
a) the use of “jurisdictional domain” represents its use as a defined term, and
b) the use of “jurisdiction(s)” and/or country(ies) represents their use in generic contexts.
Most often in this International Standard, “jurisdictional domain” is used, as it represents the primary
source of external constraints pertaining to the “privacy protection” rights of individuals. It also reflects
the fact that in UN member states which are “federated” in nature, it is the “province”, “state”,
“land”, or “territory” within that UN member state which is often responsible for LET-related activities and
is thus the responsible jurisdictional domain.
This International Standard incorporates the common aspects of such laws and regulations as
pertaining to privacy protec
...