Information technology - Cloud computing - Taxonomy based data handling for cloud services

This document:

  • describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944;
  • provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification;
  • covers expression of data-related policies and practices including, but not limited to, data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance;
  • describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border data transfer, as well as remote access to data;
  • provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944 data categories.

This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy-based data management in cloud services.


General Information

Status: Published
Publication Date: 06-Feb-2020
Current Stage: 9093 - International Standard confirmed
Start Date: 09-Jun-2025
Completion Date: 30-Oct-2025

Overview

ISO/IEC 22624:2020 - Information technology - Cloud computing - Taxonomy based data handling for cloud services - defines a framework for expressing data-related policies and practices in cloud environments using the data taxonomy from ISO/IEC 19944. The standard helps organizations describe, compare and analyse data handling rules consistently across topics such as data geolocation, cross‑border data transfer, data access and portability, data use, data management, and data governance. It is primarily intended for cloud service providers (CSPs), cloud service customers (CSCs), cloud service users and other stakeholders involved in policy, legal or technical implications of cloud data management.

Key technical topics and requirements

  • Taxonomy‑based framework: Uses ISO/IEC 19944 data categories to classify data (e.g., PII, organizational data, customer content) and to express handling requirements.
  • Framework elements: Defines structured elements such as data categories, identification qualifiers (identified, anonymized, aggregated), usage scopes (service vs organizational vs third‑party), actions (use, transfer, store) and data classification.
  • Policy expression: Guidance on formulating precise, machine‑readable or human‑readable policy statements for data at rest and in transit, including remote access and cross‑border scenarios.
  • Domain‑specific guidance: Covers data geolocation constraints, jurisdictional considerations, cross‑border flow mechanisms, portability formats, data security and data quality considerations.
  • Codes of conduct and use cases: Shows how the framework can be applied to codes of conduct (CoC) and provides use cases for common data handling challenges (control, access, location).

Practical applications and who uses it

  • Cloud service providers (CSPs): To declare, document and operationalize data handling practices consistently across services and regions.
  • Cloud service customers (CSCs) & users: To assess provider compliance with contractual, legal or regulatory requirements (e.g., data residency, portability).
  • Legal and compliance teams: For mapping jurisdictional requirements and cross‑border transfer mechanisms to specific data categories.
  • Architects and operators: To design data flows, access controls and data residency controls aligned with taxonomy‑based policies.
  • Standards bodies & auditors: To evaluate codes of conduct and interoperability of data handling statements.

Related standards

  • ISO/IEC 19944 - Cloud services and devices: Data flow, data categories and data use (taxonomy used by 22624).
  • ISO/IEC 17788 - Cloud computing - Overview and vocabulary (terminology and context).

Keywords: cloud computing standard, data taxonomy, data handling, data geolocation, cross border data transfer, data governance, data portability, ISO/IEC 22624, ISO/IEC 19944, cloud service provider.

Standard

ISO/IEC 22624:2020 - Information technology — Cloud computing — Taxonomy based data handling for cloud services. Released: 2/7/2020

English language
37 pages

Frequently Asked Questions

ISO/IEC 22624:2020 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Cloud computing - Taxonomy based data handling for cloud services". This standard covers: This document: - describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944; - provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification; - covers expression of data-related policies and practices including, but not limited to data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance; - describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border data transfer, as well as remote access to data; - provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944 data categories. This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy-based data management in cloud services.


ISO/IEC 22624:2020 is classified under the following ICS (International Classification for Standards) categories: 35.210 - Cloud computing. The ICS classification helps identify the subject area and facilitates finding related standards.


Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 22624
First edition 2020-02
Information technology — Cloud computing — Taxonomy based data handling for cloud services
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Overview: The need for a structured expression of data policies and practices based on a common data taxonomy
6 Framework for the structured expression of data related policies and practices
6.1 General
6.2 Framework elements
6.2.1 General
6.2.2 Data categories
6.2.3 Data identification qualifiers
6.2.4 Data usage scopes
6.2.5 Actions
6.2.6 Data classification
6.2.7 Further elements specific to the application domain
7 Using the framework
7.1 Modes of framework usage
7.2 Framework element usage
7.2.1 Data categories
7.2.2 Data identification qualifiers
7.2.3 Scopes and actions
7.3 Policy expressions
7.4 Example
8 Expression of data related policies in relation to specific areas of concern
8.1 General
8.2 Data geolocation
8.3 Cross border flow of data
8.3.1 Data jurisdictions considerations
8.3.2 Cross border data transfer
8.4 Data portability and data access
8.4.1 General
8.4.2 Data required for data portability or data access
8.4.3 Formats and portability
8.5 Data use
8.6 Data management
8.6.1 Data security
8.6.2 Data quality
8.7 Data governance
9 Application of the framework to codes of conduct
Annex A (informative) Example for use of this document
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence
to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT),
see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud Computing and Distributed Platforms.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Many of the policies and practices in place for handling data in the cloud computing ecosystem need
to be described based on the category of the data they address. For instance, personally identifiable
information (PII) imposes specific data management requirements not only in terms of security but also
with regard to mechanisms that allow cloud service users to whom such data relate to exercise control
on the usage and transfer of such data. Organisational data such as cloud service usage information and
telemetry data from cloud services, which can be used for operational purposes such as improvement
of service quality, may have to fulfil specific quality requirements to be useful for a given application.
Customer content data can be related to intellectual property rights and possibly needs appropriate
protection by the cloud service provider (CSP). Certain data can be transferred from one jurisdiction
to another. Depending on their data category, different instruments (multi-national laws, corporate
binding rules, bilateral agreements) are applicable to enable such transfers.
When such policies and practices are to be described, it is helpful to do so in a structured and consistent
way so that they can be better expressed, evaluated, analysed, and compared by the stakeholders in
the cloud computing ecosystem. ISO/IEC 19944 provides a comprehensive taxonomy defining a fine-
grained system of data categories that can be applied to various domains of policies for the handling
of data in a cloud computing ecosystem such as cross border data transfer, data geolocation, data
usage, data access and data portability, data management including data quality management and data
security, or data governance, and provides guidelines on how to describe data handling policies and
practices within codes of conduct (CoC).
This document describes such a structured and common approach to express any desired data handling
policies and practices. It is important to emphasize that the policies and practices themselves are out of
the scope of this document. A set of examples from data handling domains is provided in the
document as guidance to understand how to use ISO/IEC 19944 regarding application of policies and
analysis of policy requirements to such domains.

INTERNATIONAL STANDARD ISO/IEC 22624:2020(E)
Information technology — Cloud computing — Taxonomy
based data handling for cloud services
1 Scope
This document:
— describes a framework for the structured expression of data-related policies and practices in the
cloud computing environment, based on the data taxonomy in ISO/IEC 19944;
— provides guidelines on application of the taxonomy for handling of data based on data subcategory
and classification;
— covers expression of data-related policies and practices including, but not limited to data geolocation,
cross border flow of data, data access and data portability, data use, data management, and data
governance;
— describes how the framework can be used in codes of conduct for practices regarding data at rest
and in transit, including cross border data transfer, as well as remote access to data;
— provides use cases for data handling challenges, i.e. control, access and location of data according to
ISO/IEC 19944 data categories.
This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and
cloud service users, but also to any person or organization involved in legal, policy, technical or other
implications of taxonomy-based data management in cloud services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 19944, Information technology — Cloud computing — Cloud services and devices: Data flow, data
categories and data use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 19944
and the following apply:
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
codes of conduct
CoC
agreed set of behaviours between organisations to enhance customer and/or partner outcomes and
experiences

3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO 24534-5:2011, 3.11]
3.3
integrity
property of being designed such that any modification of the electronically stored information, without
proper authorization, is not possible
3.4
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO 22600-1:2014, 3.7]
3.5
data access
process by which a system can read published data on another system
Note 1 to entry: This data access happens over a network connection and the data typically does not persist after
the connection is terminated.
3.6
data transfer
copying or moving data from one system to another
3.7
data geolocation
geographic location of a data object at rest
4 Symbols and abbreviated terms
APEC Asia-Pacific Economic Cooperation
BCR Binding Corporate Rules
CBPR Cross-border Privacy Rules
CPTPP Comprehensive and Progressive Agreement for Trans-Pacific Partnership
CoC Codes of Conduct
CSC Cloud Service Customer
CSN Cloud Service partner
CSP Cloud Service Provider
DRM Digital Rights Management
EU European Union
EUII End User Identifiable Information
GDPR General Data Protection Regulation
GPS Global Positioning System

HBI High Business Impact
IaaS Infrastructure as a Service
IPR Intellectual Property Rights
IRM Information Rights Management
IT Information Technology
LBI Low Business Impact
MBI Medium Business Impact
NASPO National Associations of State Procurement Officials
OII Organization Identifiable Information
PII Personally Identifiable Information
5 Overview: The need for a structured expression of data policies and practices
based on a common data taxonomy
Data policies and practices, at corporate or government level, need to be crisply expressed with the
desired degree of precision and clarity. The need for varying degrees of precision, along with the need
to compare and analyse various policies in an efficient manner, calls for a common and structured
approach to the expression of these policies and practices, an approach that is based on a common data
taxonomy.
ISO/IEC 19944 provides a comprehensive set of elements which can be used to
a) assign a data category to a given data set (e.g. personally identifiable information (PII),
organisational identifiable information, customer content data),
b) provide classes of actions applied to such data (e.g. use to provide a service, to optimize it, to
provide marketing information),
c) include scopes explaining on what level the use of data happens (e.g. service level vs. enterprise/
organisational level vs. use by 3rd parties), and
d) define the level of de-identification (or anonymization) applied to a data set (qualifiers such as
"identified", "anonymized", "aggregated").
These elements are referred to in the document as “data categories” or “data taxonomy”, “actions”,
“scopes”, and “qualifiers” without explicitly referencing ISO/IEC 19944. Clause 6 provides a
comprehensive overview of the elements. The framework described in this document references the
framework in ISO/IEC 19944.
In order to define application specific data handling policies and practices, these elements need
to be applied to the application domain at hand. This includes data classifications with regards to
security or risk levels that apply to data, as well as technical and organisational qualifications of data.
Hence, the approach described in this document requires the considerations of data categories as
described in ISO/IEC 19944 as well as orthogonal information dependent on the concrete application
under consideration. Examples which are used to explain this approach therefore employ a tabular
representation format emphasizing the orthogonal character of generic data categorization (rows) and
application specific elements (columns). Therefore, for a person who is concerned with the development
of, for example, enterprise policies for data use by a set of cloud services, all relevant cases which need
to be considered are visible.

Implicitly, ISO/IEC 19944 focuses on personal data and PII, and does not explicitly cover non-personal
data, or mixed sets of data that contain both PII and non-personal data. Non-personal data is defined as
any data that is not personal and is not covered under PII, e.g. scientific data, sales data. Mixed data sets
contain both PII and non-personal data such as human resource data that contains both organizational
structures and personal employee data. It is important to recognize these different sets as different
policies and regulations could apply to each. For example, the EU GDPR [9] regulates aspects of PII and the
free-flow of non-personal data regulation [10] sets policies concerning the geo-location and movement of
non-personal data. In line with ISO/IEC 19944, this document focuses on PII and does not delve deeper
into aspects explicitly related to non-personal or mixed sets of data.
The document is structured as follows:
— Clause 6 describes the framework for the structured expression of data related policies and practices
including elements of the framework building on ISO/IEC 19944. It then expands discussion on data
classification (6.2.6).
— Clause 7 discusses guidance for using the framework defined in Clause 6.
— Clause 8 covers use of framework in specific areas of concern.
— Clause 9 describes the application of the framework to codes of conduct.
Examples for data handling challenges are provided throughout the document.
6 Framework for the structured expression of data related policies and practices
6.1 General
This document uses the taxonomy and data use expression structure specified in ISO/IEC 19944. Any
policy or practice that conforms to this document and uses the taxonomy or data use expression shall
meet the requirements of ISO/IEC 19944 as appropriate.
To handle key data management topics, Clause 6 describes a harmonized structure to express a desired
policy for data management based on various data types, using data taxonomy in ISO/IEC 19944. The
data management policies based on a common structure specified by this document can be expressed,
compared and negotiated.
It is important to point out that this document does not define one or more data policies, rather it offers
a common structure and framework for others to use in order to express their policy of choice.
Moreover, this document does not stipulate any specific format or syntax to be used to express policies
and practices related to a categorization of data. Although tables are frequently employed throughout
this document to illustrate the usage of the framework, the use of tabular formats is not normative or
mandatory but serves for the presentation of examples only.
6.2 Framework elements
6.2.1 General
ISO/IEC 19944 defines a number of elements to express statements that describe the use of data by a
CSP, namely a data categorization hierarchy, a set of qualifiers indicating the level of de-identification of
data, and a hierarchy of scopes that describe at which level data are collected and processed by the CSP,
a number of actions used to process data, and on which level the result of data processing is used. This
clause provides an overview of the elements that are described in detail in ISO/IEC 19944.

6.2.2 Data categories
6.2.2.1 General
The data taxonomy described in ISO/IEC 19944:2017, A.1, as shown in Figure 1, defines four main
data categories, namely customer content data, derived data, CSP data, and account data.
Figure 1 — Data categorization hierarchy according to ISO/IEC 19944:2017, A.1
6.2.2.2 Customer content data
Customer content data is cloud service customer (CSC) data extended to include similar data objects
provided to applications executing locally on the device. This includes content directly created by
customers and their users and all data that customers provide to the cloud service, or are provided to
the cloud service on behalf of customers, through the capabilities of the service or application. This also
includes data that the user intentionally creates through the use of the app or cloud service. This data
category contains a large variety of sub-categories. The reader is referred to ISO/IEC 19944:2017, 8.2.2
for details.
6.2.2.3 Derived data
6.2.2.3.1 General
Derived data is cloud service derived data extended to include similar data objects derived as a user
exercises the capabilities of an application executing locally on the device.

6.2.2.3.2 End user identifiable information
End user identifiable information (EUII) is defined as data associated with a user that are captured
or generated from the use of the service by that user; EUII is linkable to that user but is not customer
content data. This data category contains a large variety of sub-categories. The reader is referred to
ISO/IEC 19944:2017, 8.2.3.2 for details.
6.2.2.3.3 Organization identifiable information
Organization identifiable information (OII) is the data that can be used to identify a particular tenant
(general configuration or usage data), is not linkable to a user and does not contain customer content data.
This also includes data aggregated from the users of a tenant that is not linkable to the individual user.
6.2.2.4 CSP data
6.2.2.4.1 General
This category includes data that is exclusively under the control of the CSP. It is unique to the system
and under the control of the CSP.
6.2.2.4.2 Access and authentication data
Access and authentication data is the data used within the cloud service to manage access to other
categories of data or capabilities within the service.
6.2.2.4.3 Operations data
Operations data is data which is used for supporting the operation of CSPs and system maintenance,
such as service logs, technical information about a subscription (e.g. service topology), technical
information about a tenant (e.g. customer role name), configuration settings/files.
6.2.2.5 Account data
Account data is a class of data specific to each CSC that is required to sign up for, purchase or administer
the cloud service. This data includes information such as names, addresses, payment information.
Account data is generally under the control of the CSP although each CSC usually has the capability to
input, read and edit their own account data but not the records of other CSCs.
6.2.3 Data identification qualifiers
Data in any category can provide or contribute to information that identifies or can be linked to an
individual. The extent to which individuals are directly identified in the data, and how easy it is to
associate a set of characteristics in the data to an individual is described by the following set of
qualifiers (see Figure 2):

Figure 2 — Data identification qualifiers according to ISO/IEC 19944:2017, A.2
— Identified data. Data that can unambiguously be associated with a specific person because PII is
observable in the information.
— Pseudonymized data. Data for which all identifiers are substituted by aliases for which the alias
assignment is such that it cannot be reversed by reasonable efforts of anyone other than the party
that performed them.
— Unlinked pseudonymized data. Data for which all identifiers are erased or substituted by aliases
for which the assignment function is erased or irreversible, such that the linkage cannot be re-
established by reasonable efforts of anyone including the party that performed them.
— Anonymized data. Data that is unlinked and whose attributes are altered in such a way that there
is a reasonable level of confidence that a person cannot be identified, directly or indirectly, by the
data alone or in combination with other data.
— Aggregated data. Statistical data that does not contain individual-level entries and is combined
from information about enough different persons that individual-level attributes are not identifiable.
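
The qualifiers above can be illustrated on a small data set. The following is an added example, not part of ISO/IEC 22624 or ISO/IEC 19944; the use of HMAC-SHA-256 for aliases, the sample records, the function names and the `min_group` suppression threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: (user identifier, region, storage used in GB).
# In this form the data is "identified": PII is observable in every row.
RECORDS = [
    ("alice@example.com", "EU", 12),
    ("bob@example.com", "EU", 7),
    ("carol@example.com", "EU", 30),
    ("dave@example.com", "US", 5),
]


def _alias(identifier: str, key: bytes) -> str:
    """Keyed alias: HMAC-SHA-256 of the identifier, truncated for readability."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Pseudonymized: identifiers become aliases that only the key holder can link back."""
    return [(_alias(ident, key), region, gb) for ident, region, gb in records]


def relink(alias, known_identifiers, key):
    """Re-establish the link by recomputing aliases; succeeds only with the right key."""
    for ident in known_identifiers:
        if hmac.compare_digest(_alias(ident, key), alias):
            return ident
    return None


def unlink(records):
    """Unlinked pseudonymized: random aliases, with no key and no mapping retained."""
    return [(secrets.token_hex(8), region, gb) for _, region, gb in records]


def aggregate(records, min_group=3):
    """Aggregated: per-region statistics only; groups below min_group are suppressed."""
    groups = {}
    for _, region, gb in records:
        count, total = groups.get(region, (0, 0))
        groups[region] = (count + 1, total + gb)
    return {
        region: {"count": count, "total_gb": total}
        for region, (count, total) in groups.items()
        if count >= min_group
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held only by the party that pseudonymizes
    identifiers = [r[0] for r in RECORDS]
    pseudo = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo[0])
    print("relinked with key:", relink(pseudo[0][0], identifiers, key))
    print("relinked with other key:", relink(pseudo[0][0], identifiers, secrets.token_bytes(32)))
    print("unlinked:", unlink(RECORDS)[0])
    print("aggregated:", aggregate(RECORDS))
```

Unlinked rows still carry individual-level attributes, which is why the anonymized qualifier additionally requires those attributes to be altered; that step is not shown here.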
6.2.4 Data usage scopes
ISO/IEC 19944:2017, 9.4.1 defines that “scope” provides a way to clearly describe the boundaries
of collection and use of data in the devices and cloud services ecosystem. These scopes can be used to
describe the applications and services associated with data use (see Figure 3). The definitions are listed
in increasing breadth of scope and the wider scopes include the narrower scopes, except for “third
party” items which exist in an independent scope. Capabilities are parts of an application or a cloud
service which could be one of the services listed in the service agreement. These are parts of the cloud
services that a CSP provides, and are a subset of the CSP's overall product and service palette.

Figure 3 — Data usage scopes according to ISO/IEC 19944:2017
6.2.5 Actions
ISO/IEC 19944:2017 defines a list of actions that can be applied to data of the various categories (see
Figure 4):
Figure 4 — Actions on data according to ISO/IEC 19944:2017
— Provide. The use of data to provide or protect a certain service or service capability, and to
communicate with the customer about the status and availability of capabilities.
— Improve. To use data to improve or increase the quality of functional capabilities.
— Personalize. To use data to change the presentation of the capabilities or to change the selection
and presentation of data or promotions accessed through these capabilities to be specific to the
user, based on information about the user.
— Offer upgrades or upsell. To use data to offer to the customer increased capacity or resources for
or new capabilities in exchange for compensation.
— Market/advertise/promote. To promote specified products and services to users or customers
based on data.

— Share. To transfer data to an entity other than the CSP who originally has stored or processed
those data.
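
The four framework elements (category, qualifier, scope, action) can be combined into a machine-checkable statement. The following is an added example, not taken from ISO/IEC 22624 or ISO/IEC 19944, which prescribe no format or syntax. The scope names, the ordering of qualifiers by degree of de-identification, inheritance of rules from a parent category, the default-deny behaviour and the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# Sub-category -> parent category, following the hierarchy listed in 6.2.2.
PARENT = {
    "end_user_identifiable_information": "derived_data",
    "organization_identifiable_information": "derived_data",
    "access_and_authentication_data": "csp_data",
    "operations_data": "csp_data",
}
TOP_LEVEL = {"customer_content_data", "derived_data", "csp_data", "account_data"}

# Qualifiers in the order listed in 6.2.3; treating this as "least to most
# de-identified" is an assumption of this example.
QUALIFIERS = ["identified", "pseudonymized", "unlinked_pseudonymized",
              "anonymized", "aggregated"]

# Placeholder scope names (assumption): nested scopes from narrow to wide,
# plus the independent third-party scope described in 6.2.4.
NESTED_SCOPES = ["capability", "service", "organization"]
THIRD_PARTY = "third_party"

ACTIONS = {"provide", "improve", "personalize", "upsell", "market", "share"}


@dataclass(frozen=True)
class Statement:
    """One data-use statement: which data, how de-identified, where, for what."""
    category: str
    qualifier: str
    scope: str
    action: str


def validate(s: Statement) -> None:
    """Reject statements that use terms outside the vocabulary above."""
    if s.category not in TOP_LEVEL and s.category not in PARENT:
        raise ValueError(f"unknown category: {s.category}")
    if s.qualifier not in QUALIFIERS:
        raise ValueError(f"unknown qualifier: {s.qualifier}")
    if s.scope not in NESTED_SCOPES and s.scope != THIRD_PARTY:
        raise ValueError(f"unknown scope: {s.scope}")
    if s.action not in ACTIONS:
        raise ValueError(f"unknown action: {s.action}")


def ancestors(category: str) -> list:
    """The category itself followed by its parents up to the top level."""
    chain = [category]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def scope_covers(granted: str, requested: str) -> bool:
    """Wider nested scopes include narrower ones; third party stands alone."""
    if THIRD_PARTY in (granted, requested):
        return granted == requested
    return NESTED_SCOPES.index(requested) <= NESTED_SCOPES.index(granted)


def permits(policy, request: Statement) -> bool:
    """Default deny: allow only if some rule covers every element of the request."""
    validate(request)
    for rule in policy:
        if (rule.action == request.action
                and rule.category in ancestors(request.category)
                and scope_covers(rule.scope, request.scope)
                and QUALIFIERS.index(request.qualifier) >= QUALIFIERS.index(rule.qualifier)):
            return True
    return False


# Constructed sample policy. Each rule names the widest scope and the least
# de-identified qualifier that is acceptable for that category and action.
POLICY = [
    Statement("customer_content_data", "identified", "service", "provide"),
    Statement("derived_data", "pseudonymized", "organization", "improve"),
    Statement("operations_data", "aggregated", THIRD_PARTY, "share"),
]

if __name__ == "__main__":
    req = Statement("end_user_identifiable_information", "identified", "service", "improve")
    print(req, "->", permits(POLICY, req))
```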
6.2.6 Data classification
Data classification is the process of organizing data into specific classes to enable the secure,
effective and efficient use of the data. An effective data classification process is typically an element
of an enterprise's risk assessment process and risk mitigation strategies. This classification is
generally based on the needs of the various stakeholders in the data being classified, which can
include government regulators, external customers or suppliers, or other parties. Most organisations
are involved in networks of suppliers and customers which can involve movement of data across
organisational boundaries. Where this happens, measures are needed to ensure that equivalent (not
inferior) protections established at source remain in force at each destination.
Data classification therefore assigns classes to data based on the level of sensitivity and the impact
to the organisation should that data be used, disclosed, altered or destroyed without the proper
authorization. For instance:
— The classification of data, from an information security perspective, helps to determine what the set
of appropriate security controls is for safeguarding that data.
— The classification of personally identifiable data, from a data protection perspective, helps
organizations to set up a privacy impact assessment to identify risks for individuals when processing
their personal data.
One challenge is that data classifications can change over time (something previously considered
“public” is now considered “sensitive”). Another challenge is the temptation to “over-classify the data”,
due to concerns related to potential derivation of PII or other sensitive data based on combining non-
sensitive attributes. Evaluating the “likelihood” of disclosure and the “impact of disclosure” helps
classify the data accordingly. Using appropriate encryption and tokenization techniques further helps
reduce the overall risks; however, these also have their own considerations, such as cost and
performance.
Data classification can also be used to define policies for various other data management related issues
including:
— data retention periods;
— access policies;
— performance requirements regarding access and transmission speed;
— data compliance and risk management;
— data predefined storage;
— simplification of data encryption;
— data indexing;
— data protection.
Good practice in data classification is based on a risk assessment that considers critical elements for
the service quality and continuity. The risk assessment is used to develop implementation policies that
support those elements to ensure the secure, effective and efficient use of the data.
Each government or enterprise will have their own approach to data classification, and to the policies
that apply to data that is marked in this way. Organisations wishing to establish a data classification
system need to do so carefully and following best practice. For information security, standards such
as BS 10010:2017[8] on information classification, marking and handling can be helpful in doing this
correctly, if applied appropriately.
Exactly which data is classified at which level is a matter that should be decided by policy. Which policy
applies is generally determined by a combination of “Value”, “Risk”, and “Stakeholders”.
— Value refers to the actual value of the data to the organisation, such as a new manufacturing process,
or financial information, and could also consider the potential cost of recreating the data.
— Risk refers to consequences of data loss, leakage, or corruption, such as loss of business, loss of
reputation, or even criminal or civil proceedings.
— Stakeholders refers to those who care about the data remaining secure, such as other departments
of the organisation, valued clients, or government regulators.
For example, an enterprise might decide that all PII should be classified as medium business impact
(MBI) or higher, and “sensitive” PII (such as medical information) should always be classified as high
business impact (HBI) or higher so as to avoid risk under privacy regulations. However, there will be
other information classified at these levels which contains no PII at all, such as valuable financial or
design information. It is normal to also have a “default” policy for handling of data that has no specific
data classification assigned to it.
From a data management perspective, the type of classification is orthogonal to the other criteria
discussed in this document, including the process of data categorization (see 6.2.2). Generally, when
data is covered by both a policy for data management and a policy for data classification, the most
restrictive policy will be applied. So, from a practical perspective, data management systems need to
consider both the content-based policy (as described in this document) and the classification-
based policy used in the organisation, and apply controls taking into account both aspects using
appropriate technical mechanisms.
The selection of an appropriate scheme for data classification depends on the application context. Thus,
this document imposes no restriction on the data classification scheme used in connection to the data
taxonomy defined in ISO/IEC 19944.
6.2.7 Further elements specific to the application domain
The framework elements described in 6.2.2 to 6.2.4 have to be complemented by elements related to
the selected application domain. For instance, policies for data security can be defined depending on
overall security objectives such as confidentiality, integrity and availability of specific categories of
data, taking into account application dependent data classifications as explained in 6.2.6. In some cases,
further application domain specific aspects need to be taken into account. For instance, policies related
to data governance can be expressed with regard to a data governance lifecycle.
This document does not impose any restriction on domain specific elements.
7 Using the framework
7.1 Modes of framework usage
The data handling framework can be used
— analytically, to understand which existing legal or organizational policies are to be applied when
handling a specific type of data, or
— to synthesize data handling policies for specific data types.
Usually, both modes have to be applied: The analytical mode provides conditions, terminology and
restrictions for the synthesis of data handling policies that are to be implemented by technical or
organizational means.
7.2 Framework element usage
7.2.1 Data categories
If data categories (6.2.2) are used to structure the definition of policies, not the whole category tree is
useful for all applications. Instead, policy analysis or definition should focus on those sub-categories
which are useful for a given purpose:
— Focus on selected categories only: For instance, for the expression of policies regarding CSP data,
the other three top level categories (and all sub-categories of these categories) can be ignored.
— Sub-categories can be ignored if the policies under consideration can be adequately expressed in
terms of general categories.
— Adding further data categories if needed: ISO/IEC 19944 allows adding new sub-categories of the
four top level categories if needed.
7.2.2 Data identification qualifiers
If required, policy expression can make use of the data identification qualifiers described in 6.2.3. For
instance, if PII are considered, different data handling policies can be applied with regard to the level of
de-identification of the PII.
7.2.3 Scopes and actions
ISO/IEC 19944 provides an elaborated concept of the level on which a certain action uses data.
— Source scope: The source of the data under consideration.
— Use scope: The applications or services that are using the data.
— Result scope: The collection of elements changed, as a result of the data use.
Policies can directly employ these different notions of scopes to express requirements and restrictions
on the origin of data, the application or service that uses these data, and the result of such data
processing. The list of actions explained in 6.2.5 is not exclusive but can be extended to include further
actions.
7.3 Policy expressions
This document does not impose any restrictions on the way policies can be expressed. In particular,
using qualifiers (7.2.2) and scopes and actions (7.2.3) are optional elements which can be useful for
certain types of policies.
A very simple expression of policies can comprise a singular entry in a table (such as “locally”,
“regionally” or “globally” to describe policies expressing localization requirements on data storage
and processing), but can also be complex descriptions of security or privacy objectives and controls
stipulated for a certain type of data.
The data use statement structure defined in ISO/IEC 19944 provides a means to express policies
on data usage in a standardized way. Hence, for policies that restrict the usage of data or a certain
category (taking further into account scopes or data use, data processing actions, and degrees of data
de-identification as explained in 6.2 and Clause 7), this structure is available as a tool to express and to
communicate data handling policies.
7.4 Example
The following table is an example for an instance of a policy for data management based on the common
structure proposed by this document. Notice that the rows are data categories, and the columns are
common aspects of data geolocation management practices. The intersection of each row and column
therefore describes a specific choice or setting selected to express a specific data management practice
for a given type of data. The cells in this example table collectively describe an overall policy for data
management on geolocation perspectives.
Table 1 — Example of expression of data geolocation policy
The four sub-columns under the “Data geolocation” column in Table 1 provide the set of example items that
need to be considered for the data geolocation policy. Storage requirements address where specific
types of data are stored. Controller and Processor show who is the data controller or processor for
specific data types. The Jurisdiction column shows the subject of applicable regulatory requirements if
it exists.
It is important to point out that this document does not define one or more data policies, rather it offers
a common structure and framework for others to use in order to express their policy of choice. The
result would be commonly structured, harmonious policy expressions.
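The following Python sketch is an added illustration, not part of ISO/IEC 22624. It combines a content-based policy table keyed by the four top-level ISO/IEC 19944 data categories with a classification-based policy, applies the "most restrictive policy" rule from 6.2.6, and audits storage placements. All policy values, the LBI level, the fail-closed default and the record fields are constructed assumptions.

```python
from enum import IntEnum

class Scope(IntEnum):
    """Where data may be stored/processed; lower value = more restrictive."""
    LOCALLY = 0
    REGIONALLY = 1
    GLOBALLY = 2

class Impact(IntEnum):
    """Business-impact classes; LBI is an assumed lowest level."""
    LBI = 0
    MBI = 1
    HBI = 2

# Content-based policy: one row per top-level data category (constructed values).
CATEGORY_POLICY = {
    "customer content data": Scope.REGIONALLY,
    "derived data": Scope.GLOBALLY,
    "CSP data": Scope.GLOBALLY,
    "account data": Scope.REGIONALLY,
}
# Classification-based policy (constructed values).
CLASS_POLICY = {Impact.LBI: Scope.GLOBALLY, Impact.MBI: Scope.REGIONALLY,
                Impact.HBI: Scope.LOCALLY}
DEFAULT_SCOPE = Scope.LOCALLY  # constructed "default" policy for unclassified data

def effective_class(assigned=None, pii=False, sensitive_pii=False):
    """Raise the assigned class to the PII floor: PII >= MBI, sensitive PII >= HBI."""
    floor = Impact.HBI if sensitive_pii else Impact.MBI if pii else None
    levels = [c for c in (assigned, floor) if c is not None]
    return max(levels) if levels else None

def allowed_scope(category, assigned=None, pii=False, sensitive_pii=False):
    """Combine both policies; the most restrictive one wins."""
    content_scope = CATEGORY_POLICY[category]  # KeyError on an unknown category
    cls = effective_class(assigned, pii, sensitive_pii)
    class_scope = DEFAULT_SCOPE if cls is None else CLASS_POLICY[cls]
    return min(content_scope, class_scope)

def audit(records):
    """Return ids of records placed more widely than their allowed scope."""
    return [r["id"] for r in records
            if r["placed"] > allowed_scope(r["category"], r.get("assigned"),
                                           r.get("pii", False), r.get("sensitive_pii", False))]

# Constructed inventory records for illustration.
RECORDS = [
    {"id": "r1", "category": "derived data", "assigned": Impact.LBI, "placed": Scope.GLOBALLY},
    {"id": "r2", "category": "derived data", "assigned": Impact.LBI, "pii": True, "placed": Scope.GLOBALLY},
    {"id": "r3", "category": "CSP data", "placed": Scope.REGIONALLY},
    {"id": "r4", "category": "account data", "assigned": Impact.HBI, "placed": Scope.LOCALLY},
]
```

Record r2 is flagged because the PII floor raises its class from LBI to MBI, and r3 because unclassified data falls under the default policy.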
8 Expression of data related policies in relation to specific areas of concern
8.1 General
The data practices and policies listed in this clause are common examples for data management practices
that need to be applied based on data categories. Therefore, such considerations are examples of issues
to be considered for policy definition. An actual policy for data management is defined for each data
category and each data management practice.
The data management policies and practices discussed below are related to most common practices. The
list is by no means a finite one, and it is possible to add additional policy aspects and practices as needed.
8.2 Data geolocation
As an example, consider the policies or practices in effect for geolocation of data controlled by globally
available cloud services. Although there are many reasons CSPs could invest in multiple datacentres
globally, including reducing latency and business continuity, a primary reason is to support local
processing of data to comply with geolocation regulation, policy or preference, e.g. the General Data
Protection Regulation (GDPR) of the European Union (EU). However, the technical and engineering
constraints still apply to multiple datacentres dispersed geographically. In fact the constraints are
aggravated by the distributed nature of the datacentres. The cloud services will be more cost efficient
and more reliable if they can be managed centrally as a group.
Therefore, CSPs need to be transparent and pragmatic about what data is processed locally and what
is allowed to cross borders to allow efficient regional and global data centre and services management.
This can be helped by a common and structured method to express such policies, allowing CSPs to
be precise about the geolocation of data types and use, and also defining a few broad classes of data
that can be used in geolocation policy and contract discussions. Therefore, data geolocation policies are
a good example of the type of data policies that could benefit from this document. If such policies are
expressed in a common and structured way, based on a common data taxonomy, the stakeholders
in cloud computing ecosystem will be able to understand, compare, and analyse such policies more
easily and efficiently. I
...
