Information technology — Security techniques — Guidelines for privacy impact assessment

This document gives guidelines for: — a process on privacy impact assessments, and — a structure and content of a PIA report. It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

Technologies de l'information — Techniques de sécurité — Lignes directrices pour l'étude d'impacts sur la vie privée

This document establishes guidelines for: — a process for assessing impacts on privacy; and — a structure and content for a privacy impact assessment (PIA) report. It applies to organizations of all types and sizes, including public and private companies, government entities and not-for-profit organizations. This document is addressed to anyone involved in the design or implementation of projects, including the parties operating data processing systems and services that process PII.

General Information

Status: Not Published
Current Stage: 6000 - International Standard under publication
Completion Date: 25-Mar-2023
Available drafts

- REDLINE ISO/IEC FDIS 29134 - Information technology — Security techniques — Guidelines for privacy impact assessment. Released: 13.01.2023. English language, 44 pages.
- ISO/IEC FDIS 29134 - Information technology — Security techniques — Guidelines for privacy impact assessment. Released: 13.01.2023. English language, 44 pages.

Standards Content (Sample)

Reference number of working document: ISO/IEC JTC 1/SC 27 N 16930
Date: 2023-01-13
Reference number of document: ISO/IEC FDIS 29134:2023(E)
Committee identification: ISO/IEC JTC 1/SC 27/WG 5
Secretariat: DIN

Information technology — Security techniques — Guidelines for privacy impact assessment

Technologies de l'information — Techniques de sécurité — Lignes directrices pour l'évaluation d'impacts sur la vie privée
ISO/IEC FDIS 29134:2023(E)
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.

© ISO/IEC 2023 – All rights reserved
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 3
5 Preparing the grounds for PIA ..... 4
5.1 Benefits of carrying out a PIA ..... 4
5.2 Objectives of PIA reporting ..... 5
5.3 Accountability to conduct a PIA ..... 6
5.4 Scale of a PIA ..... 6
6 Guidance on the process for conducting a PIA ..... 6
6.1 General ..... 6
6.2 Determine whether a PIA is necessary (threshold analysis) ..... 7
6.3 Preparation of the PIA ..... 8
6.3.1 Set up the PIA team and provide it with direction ..... 8
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA ..... 9
6.3.3 Describe what is being assessed ..... 10
6.3.4 Stakeholder engagement ..... 12
6.4 Perform the PIA ..... 15
6.4.1 Identify information flows of PII ..... 15
6.4.2 Analyse the implications of the use case ..... 15
6.4.3 Determine the relevant privacy safeguarding requirements ..... 16
6.4.4 Assess privacy risk ..... 17
6.4.5 Prepare for treating privacy risks ..... 20
6.5 Follow up the PIA ..... 25
6.5.1 Prepare the report ..... 25
6.5.2 Publication ..... 25
6.5.3 Implement privacy risk treatment plans ..... 26
6.5.4 Review and/or audit of the PIA ..... 26
6.5.5 Reflect changes to the process ..... 27
7 PIA report ..... 27
7.1 General ..... 27
7.2 Report structure ..... 28
7.3 Scope of PIA ..... 28
7.3.1 Process under evaluation ..... 28
7.3.2 Risk criteria ..... 30
7.3.3 Resources and people involved ..... 30
7.3.4 Stakeholder consultation ..... 30
7.4 Privacy requirements ..... 30
7.5 Risk assessment ..... 31
7.5.1 Risk sources ..... 31
7.5.2 Threats and their likelihood ..... 31
7.5.3 Consequences and their level of impact ..... 31
7.5.4 Risk evaluation ..... 31
7.5.5 Compliance analysis ..... 31
7.6 Risk treatment plan ..... 31
7.7 Conclusion and decisions ..... 31
7.8 PIA public summary ..... 31
Annex A (informative) Scale criteria on the level of impact and on the likelihood ..... 33
Annex B (informative) Generic threats ..... 35
Annex C (informative) Guidance on the understanding of terms used ..... 40
Annex D (informative) Illustrated examples supporting the PIA process ..... 43
Bibliography ..... 43
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 29134:2017/DAmd 1), which has been technically revised.

The main changes are as follows:

— minor editorial changes have been made.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction

A privacy impact assessment (PIA) is an instrument for:

— assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII);

— taking necessary actions, in consultation with stakeholders, in order to treat privacy risk.

A PIA report can include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001.

A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.

Initiatives vary substantially in scale and impact. Objectives falling under the heading of "privacy" will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstances.

A PII controller can have a responsibility to conduct a PIA and can request a PII processor to assist in doing this, acting on the PII controller's behalf. A PII processor or a supplier can also wish to conduct their own PIA.

A supplier's PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It can be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. It is possible that the provider of digital devices is unskilled in and not resourced for PIAs, for example:

— a small retailer, or

— a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations.

In such circumstances, in order to enable it to undertake minimal PIA activity, the device supplier can be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.

A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, legal and regulatory requirements regarding PIA can apply.

This document is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:

— the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;

— an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or an equivalent management system); or an organization is performing privacy risk management as an independent function;

— an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan cannot be implemented directly and, therefore, it is presupposed that this treatment plan becomes part of corresponding legislation, regulation or the contract instead;

— the organization wants to act responsibly towards the PII principals.

Controls deemed necessary to treat the risks identified during the privacy impact analysis process can be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and ISO/IEC 29151 (for PII protection controls), or comparable national standards, or they can be defined by the person responsible for conducting the PIA, independently of any other control set.
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 29134:2023(E)
Information technology — Security techniques — Privacy impact assessment — Guidelines
1 Scope

This document gives guidelines for:

— a process on privacy impact assessments, and

— a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO Guide 73:2009, Risk management — Vocabulary

ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 27000, ISO Guide 73 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at https://www.electropedia.org/
3.1
acceptance statement
formal management declaration to assume responsibility for risk ownership, risk treatment and residual risk

3.2
asset
things that have value to anyone involved in the processing of personally identifiable information (PII)

Note 1 to entry: In the context of a privacy risk management process, an asset is either PII or a supporting asset.

3.3
assessor
person who leads and conducts a privacy impact assessment (3.7)

Note 1 to entry: The assessor may be supported by one or more other internal and/or external experts as part of their team.

Note 2 to entry: The assessor may be an expert internal or external to the organization.

3.4
process
set of interrelated or interacting activities which transforms inputs into outputs

[SOURCE: ISO/IEC 27000:2018, 3.54]

3.5
device
combination of hardware and software, or solely software, that allows a user to perform actions

3.6
privacy impact
anything that has an effect on the privacy of a PII principal and/or group of PII principals

Note 1 to entry: The privacy impact can result from the processing of PII in conformance or in violation of privacy safeguarding requirements.

3.7
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization's broader risk management framework

[SOURCE: ISO/IEC 29100:2011, 2.20, modified — Note 1 to entry has been deleted.]

3.8
privacy risk map
diagram that indicates the level of impact and likelihood of privacy risks identified

Note 1 to entry: The map is typically used to determine the order in which the privacy risks should be treated.

3.9
programme
group of projects managed in a coordinated way to obtain benefits not available from managing them individually

[SOURCE: ISO 14300-1:2011, 3.2]

3.10
project
unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources

[SOURCE: ISO 9000:2015, 3.4.2]

3.11
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

[SOURCE: ISO/IEC 27000:2018, 3.50]

3.12
severity
estimation of the magnitude of potential impacts on the privacy of a PII principal
3.13
system
information system
set of applications, services, information technology assets, or other inf
...

FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 29134
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2023-01-27
Voting terminates on: 2023-03-24

Information technology — Security techniques — Guidelines for privacy impact assessment
Technologies de l'information — Techniques de sécurité — Lignes directrices pour l'étude d'impacts sur la vie privée

Reference number: ISO/IEC FDIS 29134:2023(E)

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

© ISO/IEC 2023
---------------------- Page: 1 ----------------------
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 3
5 Preparing the grounds for PIA ..... 4
5.1 Benefits of carrying out a PIA ..... 4
5.2 Objectives of PIA reporting ..... 5
5.3 Accountability to conduct a PIA ..... 5
5.4 Scale of a PIA ..... 6
6 Guidance on the process for conducting a PIA ..... 6
6.1 General ..... 6
6.2 Determine whether a PIA is necessary (threshold analysis) ..... 7
6.3 Preparation of the PIA ..... 7
6.3.1 Set up the PIA team and provide it with direction ..... 7
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA ..... 9
6.3.3 Describe what is being assessed ..... 10
6.3.4 Stakeholder engagement ..... 11
6.4 Perform the PIA ..... 13
6.4.1 Identify information flows of PII ..... 13
6.4.2 Analyse the implications of the use case ..... 14
6.4.3 Determine the relevant privacy safeguarding requirements ..... 15
6.4.4 Assess privacy risk ..... 16
6.4.5 Prepare for treating privacy risks ..... 19
6.5 Follow up the PIA ..... 23
6.5.1 Prepare the report ..... 23
6.5.2 Publication ..... 24
6.5.3 Implement privacy risk treatment plans ..... 24
6.5.4 Review and/or audit of the PIA ..... 25
6.5.5 Reflect changes to the process ..... 26
7 PIA report ..... 26
7.1 General ..... 26
7.2 Report structure ..... 27
7.3 Scope of PIA ..... 27
7.3.1 Process under evaluation ..... 27
7.3.2 Risk criteria ..... 29
7.3.3 Resources and people involved ..... 29
7.3.4 Stakeholder consultation ..... 29
7.4 Privacy requirements ..... 29
7.5 Risk assessment ..... 29
7.5.1 Risk sources ..... 29
7.5.2 Threats and their likelihood ..... 29
7.5.3 Consequences and their level of impact ..... 30
7.5.4 Risk evaluation ..... 30
7.5.5 Compliance analysis ..... 30
7.6 Risk treatment plan ..... 30
7.7 Conclusion and decisions ..... 30
7.8 PIA public summary ..... 30
Annex A (informative) Scale criteria on the level of impact and on the likelihood ..... 32
Annex B (informative) Generic threats ..... 34
Annex C (informative) Guidance on the understanding of terms used ..... 38
Annex D (informative) Illustrated examples supporting the PIA process ..... 41
Bibliography ..... 43
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 29134:2017), which has been technically revised.

The main changes are as follows:
— minor editorial changes have been made.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction

A privacy impact assessment (PIA) is an instrument for:
— assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII);
— taking necessary actions, in consultation with stakeholders, to treat privacy risk.

A PIA report can include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.

Initiatives vary substantially in scale and impact. Objectives falling under the heading of “privacy” will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstances.

A PII controller can have a responsibility to conduct a PIA and can request a PII processor to assist in doing this, acting on the PII controller’s behalf. A PII processor or a supplier can also wish to conduct their own PIA.

A supplier's PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It can be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. It is possible that the provider of digital devices is unskilled in and not resourced for PIAs, for example:
— a small retailer, or
— a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations.

In such circumstances, in order to enable it to undertake minimal PIA activity, the device supplier can be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.

A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, legal and regulatory requirements regarding PIA can apply.

This document is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:
— the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;
— an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or an equivalent management system); or an organization is performing privacy risk management as an independent function;
— an organization (e.g. government) is undertaking an initiative (e.g. a public-private partnership programme) in which the future PII controller organization is not yet known, with the result that the treatment plan cannot be implemented directly and, therefore, it is presupposed that this treatment plan becomes part of corresponding legislation, regulation or the contract instead;
— the organization wants to act responsibly towards the PII principals.

Controls deemed necessary to treat the risks identified during the privacy impact analysis process can be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and ISO/IEC 29151 (for PII protection controls), or comparable national standards, or they can be defined by the person responsible for conducting the PIA, independently of any other control set.
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 29134:2023(E)
Information technology — Security techniques —
Guidelines for privacy impact assessment
1 Scope

This document gives guidelines for:
— a process on privacy impact assessments, and
— a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO Guide 73:2009, Risk management — Vocabulary

ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 29100, ISO/IEC 27000, ISO Guide 73 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
acceptance statement
formal management declaration to assume responsibility for risk ownership, risk treatment and residual risk

3.2
asset
things that have value to anyone involved in the processing of personally identifiable information (PII)
Note 1 to entry: In the context of a privacy risk management process, an asset is either PII or a supporting asset.
3.3
assessor
person who leads and conducts a privacy impact assessment (3.7)
Note 1 to entry: The assessor may be supported by one or more other internal and/or external experts as part of their team.
Note 2 to entry: The assessor may be an expert internal or external to the organization.

3.4
process
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: ISO/IEC 27000:2018, 3.54]

3.5
device
combination of hardware and software, or solely software, that allows a user to perform actions

3.6
privacy impact
anything that has an effect on the privacy of a PII principal and/or group of PII principals
Note 1 to entry: The privacy impact can result from the processing of PII in conformance or in violation of privacy safeguarding requirements.

3.7
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization’s broader risk management framework
[SOURCE: ISO/IEC 29100:2011, 2.20, modified — Note 1 to entry has been deleted.]

3.8
privacy risk map
diagram that indicates the level of impact and likelihood of privacy risks identified
Note 1 to entry: The map is typically used to determine the order in which the privacy risks should be treated.

3.9
programme
group of projects managed in a coordinated way to obtain benefits not available from managing them individually
[SOURCE: ISO 14300-1:2011, 3.2]

3.10
project
unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources
[SOURCE: ISO 9000:2015, 3.4.2]
3.11
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
[SOURCE: ISO/IEC 27000:2018, 3.50]

3.12
severity
estimation of the magnitude of potential impacts on the privacy of a PII principal

3.13
system
information system
set of applications, services, information technology assets, or other information handling components
[SOURCE: ISO/IEC 27000:2018, 3.36, modified — "system" added as a preferred term.]

3.14
stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
Note 1 to entry: Includes personally identifiable information principals, management, regulators and customers.
Note 2 to entry: Consultation with stakeholders is integral to a privacy impact assessment.
[SOURCE: ISO 37000:2021, 3.3.1, modified — Note 1 and Note 2 to entry have been modified.]

3.15
technology
hardware, software, and firmware systems and system elements including, but not limited to, information technology, embedded systems, or any other electro-mechanical or processor-based systems
[SOURCE: ISO/IEC 16509:1999, 3.3]

4 Abbreviated terms
API application programming interface
BYOD bring your own device
ICT information and communication technologies
IPMA International Project Management Association
ISMS information security management system
PII personally identifiable information
PRINCE PRojects IN controlled environments
SME small and medium-sized enterprises
5 Preparing the grounds for PIA

5.1 Benefits of carrying out a PIA

This document provides guidance that can be adapted to a wide range of situations where PII is processed. However, in general, a PIA can be carried out for the purpose of:
— identifying privacy impacts, privacy risks and responsibilities;
— providing input to design for privacy protection (sometimes called privacy by design);
— reviewing a new information system’s privacy risks and assessing its impact and likelihood;
— providing the basis for the provision of privacy information to PII principals on any PII principal mitigation action recommended;
— maintaining later updates or upgrades with additional functionality likely to impact the PII that are handled;
— sharing and mitigating privacy risks with stakeholders, or providing evidence relating to compliance.

NOTE A PIA is sometimes referred to by other terms, for example, a “privacy review” or a “data protection impact assessment”. These particular instances of a PIA can come with specific implications for both process and reporting.

A PIA has often been described as an early warning system. It provides a way to detect potential privacy risks arising from the processing of PII and thereby informs an organization of where it should take precautions and build tailored safeguards before, not after, the organization makes heavy investments. The costs of amending a project at the planning stage are usually a fraction of those incurred later on. If the privacy impact is unacceptable, the project can even have to be cancelled altogether. Thus, a PIA helps to identify privacy issues early and/or to reduce costs in management time, legal expenses and potential media or public concern by considering privacy issues early. It can also help an organization to avoid costly or embarrassing privacy mistakes.

Although a PIA should be more than simply a compliance check, it does nevertheless contribute to an organization’s demonstration of its compliance with relevant privacy and data protection requirements in the event of a subsequent complaint, privacy audit or compliance investigation. In the event of a privacy risk or breach occurring, the PIA report can provide evidence that the organization acted appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any liability, negative publicity and loss of reputation.

An appropriate PIA also demonstrates to an organization’s customers and/or citizens that it respects their privacy and is responsive to their concerns. Customers or citizens are more likely to trust an organization that performs a PIA than one that does not.

A PIA enhances informed decision-making and exposes internal communication gaps or hidden assumptions on privacy issues about the project. A PIA is a tool to undertake the systematic analysis of privacy issues arising from a project in order to inform decision makers. A PIA can be a credible source of information.

A PIA enables an organization to learn about the privacy pitfalls of a process, information system or programme upfront, rather than having its auditors or competitors point them out. A PIA assists in anticipating and responding to the public’s privacy concerns.

A PIA can help an organization gain the public’s trust and confidence that privacy has been built into the design of a process, information system or programme.

Trust is built on transparency, and a PIA is a disciplined process that promotes open communications, common understanding and transparency. An organization that undertakes a PIA demonstrates to its employees and contractors that it takes privacy seriously and expects them to do so too. A PIA is a way of educating employees about privacy and making them alert to privacy problems that can damage
the organization. It is a way to affirm the organizatio
...
