Cloud computing and distributed platforms — Data flow, data categories and data use — Part 2: Guidance on application and extensibility

This document provides guidance on the application of the taxonomy and use statements from ISO/IEC 19944-1 in real world scenarios, and how to develop extensions to the data taxonomy, data processing and use categories and data use statements.

Titre manque — Partie 2: Titre manque

General Information

Status
Published
Publication Date
31-Mar-2022
Current Stage
4099 - Full report circulated: DIS approved for registration as FDIS
Start Date
27-Sep-2021
Completion Date
27-Sep-2021
Ref Project

Buy Standard

Standard
ISO/IEC 19944-2:2022 - Cloud computing and distributed platforms — Data flow, data categories and data use — Part 2: Guidance on application and extensibility Released:4/1/2022
English language
23 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 19944-2
First edition
2022-04
Cloud computing and distributed
platforms — Data flow, data categories
and data use —
Part 2:
Guidance on application and
extensibility
Reference number
ISO/IEC 19944-2:2022(E)
© ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC 19944-2:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 19944-2:2022(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction .............................................................................................................................................................................................................................. vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3  Terms and definitions .................................................................................................................................................................................... 1

4 Abbreviated terms ............................................................................................................................................................................................. 2

5 Presentation of ISO/IEC 19944-1 ........................................................................................................................................................ 2

6  How to apply ISO/IEC 19944-1 ...............................................................................................................................................................3

6.1 General ........................................................................................................................................................................................................... 3

6.2 Generic eCommerce example .................................................................................................................................................... 3

6.2.1 General ........................................................................................................................................................................................ 3

6.2.2 Customer content data .................................................................................................................................................. 3

6.2.3 Derived data ........................................................................................................................................................................... 3

6.2.4 Data identification qualifiers .................................................................................................................................. 4

6.2.5 Orthogonal facets .............................................................................................................................................................. 4

6.2.6 Data processing categories ....................................................................................................................................... 5

6.2.7 Data use categories .......................................................................................................................................................... 6

6.2.8 Scopes ........................................................................................................................................................................................... 7

6.2.9 Data use statements ........................................................................................................................................................ 7

6.3 Privacy examples.................................................................................................................................................................................. 8

6.3.1 General ........................................................................................................................................................................................ 8

6.3.2 Describing the purpose of the processing of PII..................................................................................... 8

6.3.3 Using data identification qualifiers with PII ............................................................................................. 9

6.4 Organization identifiable data examples ........................................................................................................................ 9

6.4.1 General ........................................................................................................................................................................................ 9

6.4.2 Organization identifiable data location requirement examples ........................................... 10

6.4.3 Organization identifiable data sharing requirement examples ............................................ 10

6.5 AI example ............................................................................................................................................................................................... 11

6.5.1 General ..................................................................................................................................................................................... 11

6.5.2 Facial recognition — Privacy-centric AI example .............................................................................12

6.6 IoT example ............................................................................................................................................................................................. 14

6.6.1 General ..................................................................................................................................................................................... 14

6.6.2 Electrical vehicles ........................................................................................................................................................... 14

7  How to extend ISO/IEC 19944-1 ........................................................................................................................................................15

7.1 General ........................................................................................................................................................................................................ 15

7.2 Data taxonomy ..................................................................................................................................................................................... 15

7.2.1 General .....................................................................................................................................................................................15

7.2.2 Guidelines for extending the data categories defined in ISO/IEC 19944-1 .................15

7.2.3 Example of extending the cloud service provider (CSP) and customer

content data categories ............................................................................................................................................. 16

7.2.4 Example of extending the demographic information sub-type ............................................. 16

7.2.5 Example of extending the financial details sub-type ..................................................................... 17

7.3 Custom data facets ........................................................................................................................................................................... 17

7.3.1 General ..................................................................................................................................................................................... 17

7.3.2 Guidance on creating custom data facets ................................................................................................. 17

7.3.3 Example custom data facet .................................................................................................................................... 18

7.4 Data processing................................................................................................................................................................................... 18

7.4.1 General ..................................................................................................................................................................................... 18

7.4.2 Guidelines for extending data processing categories ..................................................................... 18

7.4.3 Examples for extending data processing categories ....................................................................... 18

7.5 Data use categories .......................................................................................................................................................................... 19

7.5.1 General ..................................................................................................................................................................................... 19

iii
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC 19944-2:2022(E)

7.5.2 Guidelines for extending the data use categories .............................................................................. 19

7.5.3 Example for AI ................................................................................................................................................................... 19

7.5.4 Facial recognition — Privacy-centric AI example for extending the

taxonomy ................................................................................................................................................................................ 20

7.5.5 Automotive application — Intellectual property-centric AI/IoT example

for extending the taxonomy .................................................................................................................................. 21

Bibliography .............................................................................................................................................................................................................................23

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 19944-2:2022(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Technical Committee, ISO/IEC JTC 1, Information technology,

Subcommittee SC 38, Cloud computing and distributed platforms.

A list of all parts in the ISO/IEC 19944 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

www.iec.ch/national-committees.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 19944-2:2022(E)
Introduction

ISO/IEC 19944-1 provides a data taxonomy, data processing and use categories and other descriptive

facets that can be applied to data. All aspects of ISO/IEC 19944-1 are extensible to meet the needs of

diverse users. The standardized ability to categorize data, describe uses of data and apply other facets

is useful in several scenarios including the application of policy to data and in describing the use of data

to stakeholders.

The aim of this document is to assist users of ISO/IEC 19944-1 by providing examples and guidance

for its use across several domains. Additionally, this document provides users who need to extend

ISO/IEC 19944-1 with examples and guidance.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19944-2:2022(E)
Cloud computing and distributed platforms — Data flow,
data categories and data use —
Part 2:
Guidance on application and extensibility
1 Scope

This document provides guidance on the application of the taxonomy and use statements from

ISO/IEC 19944-1 in real world scenarios, and how to develop extensions to the data taxonomy, data

processing and use categories and data use statements.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 19944-1:2020, Cloud computing and distributed platforms ─ Data flow, data categories and data

use — Part 1: Fundamentals
ISO/IEC 22123-1, Information technology — Cloud computing — Part 1: Vocabulary

ISO/IEC 22989, Information technology — Artificial intelligence — Artificial intelligence concepts and

terminology
3  Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 19944-1, ISO/IEC 22123-1,

ISO/IEC 22989 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
Internet of Things
IoT

infrastructure of interconnected entities, people, systems and information resources together with

services which processes and reacts to information from the physical world and virtual world

[SOURCE: ISO/IEC 20924:2021, 3.2.1]
3.2
PII principal
natural person to whom the personally identifiable information (PII) relates

Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the

synonym “data subject” can also be used instead of the term “PII principal”.
1) Under preparation. Stage at the time of publication: ISO/IEC FDIS 22989.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 19944-2:2022(E)
[SOURCE: ISO/IEC 29100:2011, 2.11]
4 Abbreviated terms
AI Artificial Intelligence
CSA Cloud Service Agreement
CSC Cloud Service Customer
CSP Cloud Service Provider
DNN Deep Neural Network
EV Electric Vehicle
IaaS Infrastructure as a Service
IoT Internet of Things
IPR Intellectual Property Rights
OPD Organizational Protected Data
PaaS Platform as a Service
PII Personally Identifiable Information
SKU Stock Keeping Unit
5 Presentation of ISO/IEC 19944-1

To improve transparency and guidance about data flows and data use, ISO/IEC 19944-1 names and

describes the flows of data between a device and a supporting cloud service, and how to describe the

use of different categories of data by the CSP.
ISO/IEC 19944-1 provides a comprehensive set of elements which can be used to:

— assign a data category to a given dataset, e.g. personally identifiable information, organizational

protected data, customer content data;

— provide a set of actions applied to data, e.g. use to provide a service, to optimize it, to provide

marketing information;

— define the qualifiers for the level of de-identification applied to a dataset, e.g. "identified",

"anonymized", "aggregated";

— describe a use of a certain category of data for a specified purpose with a scope of its usage.

To maintain trust between the stakeholders in the ecosystem of cloud services and to meet the

requirements of laws and regulations, it is necessary for service providers to be transparent about

their use of the various data types that flow within the ecosystem. ISO/IEC 19944-1 also deals with

organizational data and the need to treat some organizational data in particular ways in order to

ensure properties such as confidentiality and integrity are maintained.

ISO/IEC 19944-1 introduces the concept of data facets, and data facets are used to extend the

expressiveness of data use statements, including adding the concept of which individuals or

organizations have control over data.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 19944-2:2022(E)
6  How to apply ISO/IEC 19944-1
6.1 General

This clause provides examples of ISO/IEC 19944-1 applied to several different scenarios. Readers of this

document can use the examples in this clause to then apply the data categories, data use statements

and other facets to their situation.
6.2 Generic eCommerce example
6.2.1 General

Modern eCommerce applications use and generate many of the data categories specified in

ISO/IEC 19944-1. Additionally, the data in eCommerce applications involves other components of

ISO/IEC 19944-1 including data identification qualifiers, orthogonal facets, data processing and use

categories, scopes, and data use statements. eCommerce applications ordinarily involve organizational

protected data such as sales volumes, pricing, customer lists and inventory data.

This clause provides descriptions and examples of how the components of ISO/IEC 19944-1 can be used

in a generic retail eCommerce application.

NOTE 1 Per the definition of CSP in ISO/IEC 22123-1:2021, the operator of an eCommerce application is a CSP

to its CSCs, even if the application is run on third-party services of infrastructure or platform capabilities types.

NOTE 2 Unless otherwise indicated, all references to CSC and CSP in this document refer to the party, not to

the corresponding roles.
6.2.2 Customer content data

credentials: CSCs can provide data objects such as username, password, certificates and biometrics, to

access eCommerce services.

financial details: CSCs can provide financial details such as credit card numbers, bank information or

other payment information, to pay for purchased products and services.
6.2.3 Derived data
6.2.3.1  End user identifiable information

telemetry data: The CSP can collect data about the use of purchased products and services.

connectivity data: The CSP can collect data about the CSC’s connectivity to provide the eCommerce

service. For example, the CSP can use IP address information to determine the CSC’s location for

shipping or pickup information.

observed usage of the service capability: The CSP can collect data about the CSCs preferences and

settings for the eCommerce application along with commands issued to the application (e.g. clicking the

Submit button).

demographic information: The CSP can collect demographic data (e.g. age, gender) about the CSC.

profiling data: The CSP can use the various categories and instances of data to build a user profile that

helps the CSP understand the CSCs interests and preferences.

content consumption data: In cases where the eCommerce application offers content, the CSP can

collect data on the CSC’s content consumption.

client-side browsing history: The CSP can collect client-side browsing history to help build a profile of

the CSC’s interests and preferences.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 19944-2:2022(E)

search commands and queries: The CSP can collect search commands and queries to improve the

eCommerce application and to understand the CSC’s interests and preferences.

user location: The CSP can collect the CSC’s location in order to tailor offers made to the CSC.

social data: The CSP can collect the CSC’s social data to better understand the CSC’s interests and

preferences.
6.2.3.2 Cloud service provider (CSP) data

access and authentication data: The CSP can use access and authentication data to allow CSCs to

access particular aspects of the eCommerce application.

operations data: The CSP can collect data regarding operation of the eCommerce application including

information about individual CSCs’ use of the eCommerce application.
6.2.3.3 Account data

account or administration contact information: The CSP will ordinarily collect account data for CSCs

of the eCommerce application in order to perform sales transactions.

payment instrument data: The CSP will ordinarily collect payment information from CSCs to perform

sales transactions.
6.2.3.4 Organizational protected data:

price lists and pricing algorithms: The CSP can designate pricing information as organizational

protected data.
sales data: The CSP can designate sales data as organizational protected data.

customer lists: The CSP can designate its customer lists as organizational protected data.

inventories: The CSP can designate its inventory data as organizational protected data.

6.2.4  Data identification qualifiers

identified data: CSPs operating eCommerce applications will ordinarily collect identified data such as

account data, transaction data and profiles linked to account data that contains PII.

pseudonymized data: The CSP can substitute aliases for PII to protect individual privacy when

processing of the data does not require PII but there is a potential need to link data back to specific

CSCs.

unlinked pseudonymized data: The CSP can delete PII or use aliases when processing data where

there is no desire to link the data back to specific CSCs.

anonymized data: The CSP can un-link and alter attributes of the data in a way that does not alter the

meaning of the data but makes it reasonably impossible to identify individual CSCs directly or indirectly

even if the data is combined with other data.

aggregated data: In some cases, CSPs operating eCommerce applications can aggregate transactional

data for reporting and analysis where the PII in each transaction is not relevant to the task.

6.2.5 Orthogonal facets

classification: The data used or generated by an eCommerce application can be classified as High

Business Impact, Medium Business Impact or Low Business Impact or using an alternate scheme that

describes the significance of the data.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 19944-2:2022(E)

categorization: Data can be categorized according to what the data describes. Examples of eCommerce

data categories can include CSC account information, SKU information, price information, sales

transactions and inventory information.

operational control: This facet includes the basic actions that can be taken on the data. These actions

ordinarily include create, read, update, delete, copy and move.

legal entity: Legal entities that can control eCommerce data include individuals, organizations and

public institutions.

legal means: eCommerce data can be protected by several legal means according to local laws and

regulations.
6.2.6 Data processing categories

horizontal partitioning or sharding: eCommerce data can be horizontally partitioned based on

defined attributes. For example, a dataset of sales transactions can be partitioned by SKU or CSC.

vertical partitioning: eCommerce data can also be vertically partitioned by keeping only a subset of

attributes. For example, an inventory dataset can be vertically partitioned by removing the item weight

attribute.

data association: eCommerce data can be stored in different datasets which are then linked together.

For example, a dataset of transactions can link to other datasets that contain CSC information and to

datasets that have detailed information about the products or services purchased.

data aggregation/consolidation: Data analysis can require that different eCommerce datasets be

aggregated or consolidated. For example, sales transactions from different geographies can be stored

in different datasets which are then aggregated to see global sales information.

data accumulation: Datasets containing eCommerce data ordinarily accumulate new records over

time. For example, a dataset containing eCommerce transactions can grow by millions of records each

day. These datasets can then be used for time-series analysis to identify trends.

data fusion: eCommerce data from multiple datasets can be combined and then reduced to obtain an

improved dataset.

data standardization: Entries in eCommerce datasets can include data recorded in the wrong field.

For example, the first and last name of a CSC recorded in a field labelled “First Name” or a postal code

entered in a filed labelled “Street Address”. Data standardization means placing the data entries into

the correct fields across the entire dataset.

data validation and correction: Data in an eCommerce dataset can be the wrong type or format or

simply be incorrect. For example, if an entry of “Yes” is in a field labelled “Age”, the entry is probably

incorrect. If an entry of “2020” is in an “Age” field, it can be the correct type and format but is clearly

wrong. The process of data validation and correction is the process of correcting the type, format and

values of data entries.

data enrichment: Entries in eCommerce datasets can be missing which can interfere with transaction

calculations or analysis algorithms. For example, if the price field is blank for a purchase, the amount

charged for the sale will be incorrect as will any downstream analysis of the dataset. Data enrichment

means filling in missing data entries using some imputation process.

encryption: eCommerce data can be encrypted in flight and at rest to prevent unauthorized access and

use.

replication: Copies of eCommerce data can be made and stored in different locations for the purpose of

business continuity or recovery in the event of a disaster.

data deletion: CSPs operating eCommerce applications can delete data from time to time. Data deletion

is often done when the data is no longer relevant to the CSP, CSC or other interested parties.

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 19944-2:2022(E)

secure data deletion: In some cases, the CSP can delete eCommerce data in a way that prevents any

party from ever recovering it.

re-identification: An eCommerce CSP can have the need to re-identify data that had previously been

de-identified.
6.2.7 Data use categories

provide: eCommerce CSPs will ordinarily use many data categories from multiple scopes to provide

the eCommerce service to its CSCs. For example, account data can be used to populate the billing and

shipping address fields of a purchase transaction. The postal code portion of account data can be used

to calculate shipping costs and time.

improve: Data can be used to improve the eCommerce service. For example, the postal code portion

of account data can
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.