Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework

This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

French title (translated): Information security, cybersecurity and privacy protection — User-centric framework for the processing of personally identifiable information based on privacy preferences

General Information

Status
Published
Publication Date
09-Oct-2022
Current Stage
6060 - International Standard published
Start Date
10-Oct-2022
Due Date
09-Feb-2023
Completion Date
10-Oct-2022
Buy Standard

Standard
ISO/IEC 27556:2022 - Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework. Released: 10.10.2022
English language
22 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27556
First edition 2022-10
Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework
French title (translated): Information security, cybersecurity and privacy protection — User-centric framework for the processing of personally identifiable information based on privacy preferences
Reference number ISO/IEC 27556:2022(E)
© ISO/IEC 2022

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
  © ISO/IEC 2022 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 User-centric framework for handling PII
5.1 General
5.2 Actors
5.3 Roles of actors in user-centric PII handling frameworks
5.3.1 Roles of PII principals
5.3.2 Roles of PII controllers
5.3.3 Roles of PII processors
5.3.4 Roles of privacy preference administrators
5.4 Components in the user-centric PII handling framework
5.4.1 Overview
5.4.2 Data collection
5.4.3 Data transformation(s)
5.4.4 PII transfer control
5.4.5 PII recipient
5.4.6 Privacy preference manager
5.5 Relationship between actors and components
6 Requirements and recommendations for the privacy preference manager
6.1 Overview
6.2 Privacy impact assessment
6.3 Functional recommendations
6.4 Requirements for life cycle management of privacy preferences
7 Further considerations for the PPM in a privacy information management system
Annex A (informative) Use cases of PII handling based on privacy preferences
Annex B (informative) Identifying an actor serving as a component for each example service
Annex C (informative) Guidance on configuration of privacy preferences management
Annex D (informative) Supporting the design of a privacy preference management
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document describes a user-centric framework for handling personally identifiable information
(PII), based on privacy preferences and privacy preference administration within information and
communication technology (ICT) systems. ICT systems which handle PII implement privacy control
mechanisms. To ensure these mechanisms are implemented effectively in ICT systems, PII is controlled
using privacy preferences which are set (directly or indirectly) by the relevant PII principal, including
consent information. When PII is processed based upon authorities other than consent, ICT systems
can, where appropriate, incorporate mechanisms to improve transparency and adjust PII processing in
accordance with the preferences of the PII principal. PII principals can make informed use of a system
only when they understand the scope of its privacy implications, which is improved when the actionable
privacy control options align in an intuitive way with PII processing undertaken in the ICT system.
Mechanisms that incorporate a PII principal’s privacy preferences into machine-readable settings for
each PII handling system can be useful. Moreover, such collected PII may be shared or transferred
among other service providers according to the PII principal’s preferences.
The framework is intended to help organizations include user-centric PII handling mechanisms in their
systems following privacy-by-design principles and realize PII handling based on privacy preferences
of PII principals. The framework includes components designed to manage privacy preference
information, and sub-components that are implemented within that component are defined in this
document. However, this document does not specify the content and format of privacy preference
information.
This document can be used to:
— design and implement ICT systems that handle PII, or transfer PII between organizations;
— develop PII exchange platforms based on privacy preferences;
— provide privacy preference management services.

Information security, cybersecurity and privacy
protection — User-centric privacy preferences
management framework
1 Scope
This document provides a user-centric framework for handling personally identifiable information
(PII), based on privacy preferences.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
personally identifiable information
PII
information that (a) can be used to identify the PII principal (3.2) to whom such information relates, or
(b) is or may be directly or indirectly linked to a PII principal
Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that
natural person.
[SOURCE: ISO/IEC 29100:2011, 2.9, modified — The word “any” has been removed, “might” has been
replaced by “may”.]
3.2
PII principal
natural person to whom the personally identifiable information (3.1) relates
Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the
synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.3
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (3.1) other than natural persons who use data for personal purposes
Note 1 to entry: A PII controller sometimes instructs others (e.g. PII processors) to process personally identifiable
information on its behalf while the responsibility for the processing remains with the PII controller.
Note 2 to entry: A PII principal (3.2) may sometimes be the “controller” of their own information where
information and communication technology (ICT) systems are designed to enable direct control by the PII
principal. In such cases the ICT system would be the PII processor responding to the PII controller, who is also
the PII principal.
[SOURCE: ISO/IEC 29100:2011, 2.10 — Note 2 to entry has been added.]
3.4
PII processor
privacy stakeholder that processes personally identifiable information (3.1) on behalf of and in
accordance with the instructions of a PII controller (3.3)
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.5
third party
privacy stakeholder other than the personally identifiable information (PII) principal (3.2), the PII
controller (3.3) and the PII processor (3.4), and the natural persons who are authorized to process the
data under the direct authority of the PII controller or the PII processor
[SOURCE: ISO/IEC 29100:2011, 2.27]
3.6
privacy stakeholder
natural or legal person, public authority, agency or any other body that can affect, be affected by, or
perceive themselves to be affected by a decision or activity related to personally identifiable information
(3.1) processing
[SOURCE: ISO/IEC 29100:2011, 2.22]
3.7
identifying attribute
attribute in a dataset that is able to contribute to uniquely identifying a PII principal (3.2) within a
specific operational context
Note 1 to entry: ISO/IEC 20889:2018 uses a term “data principal” that is broader than “PII principal”. However,
this document focuses on data sets related to PII principals.
[SOURCE: ISO/IEC 20889:2018, 3.14, modified — The word “data principal” has been changed to “PII
principal” and Note 1 to entry added.]
3.8
control
measure that is modifying risk
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: It is possible that controls do not always achieve the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1, modified — Note 2 to entry has been changed.]
3.9
data transformation
process which creates new data from an original source
EXAMPLE The process of migrating into a different format, or by creating a subset, by selection or query, to
create newly derived results, such as for publication.
[SOURCE: ISO 5127:2017, 3.1.11.06]
3.10
de-identification technique
method for transforming a dataset with the objective of reducing the extent to which information is
able to be associated with the PII principal (3.2)
Note 1 to entry: ISO/IEC 20889:2018 uses a term “data principal” that is broader than “PII principal”. However,
this document focuses on data sets related to PII principals.
[SOURCE: ISO/IEC 20889:2018, 3.7, modified — The word “data principal” has been changed to “PII
principal” and Note 1 to entry added.]
3.11
re-identification
process of associating data in a de-identified data set with the PII principal (3.2)
Note 1 to entry: A process that establishes the presence of a particular data principal in a dataset is included in
this definition.
Note 2 to entry: ISO/IEC 20889:2018 uses a term “data principal” that is broader than “PII principal”. However,
this document focuses on datasets related to PII principals.
[SOURCE: ISO/IEC 20889:2018, 3.31, modified — The word “data principal” has been changed to “PII
principal” and Note 2 to entry added.]
3.12
redaction
removal of a field such that it results in the irreversible and permanent removal of information
contained within that field from the message
Note 1 to entry: The removal of a field only removes the information contained within that field. Information that
can be derived from other fields of the message or from other sources is not removed.
[SOURCE: ISO/IEC 23264-1:2021, 3.21]
3.13
unlinkability
property that ensures that a PII principal (3.2) may make multiple uses of resources or services without
others being able to link these uses together
[SOURCE: ISO/IEC TR 27550:2019, 3.25]
3.14
intervenability
property that ensures that PII principals (3.2), PII controllers (3.3), PII processors (3.4) and supervisory
authorities can intervene in all privacy-relevant data processing
Note 1 to entry: The extent to which any of these stakeholders can intervene in data processing may be limited by
relevant legislation or regulation.
[SOURCE: ISO/IEC TR 27550:2019, 3.6]
3.15
transparency
property that ensures that all privacy-relevant data processing including the legal, technical and
organizational setting can be understood and reconstructed
[SOURCE: ISO/IEC TR 27550:2019, 3.24]
3.16
privacy preferences
specific choices made by a personally identifiable information (PII) principal (3.2) about how their PII
(3.1) should be processed for a particular purpose
[SOURCE: ISO/IEC 29100:2011, 2.17]
3.17
privacy preference manager
PPM
component providing a capability allowing PII principals (3.2) to express privacy preferences (3.16) and
a capability to monitor PII processing according to these privacy preferences
3.18
privacy preference administrator
PPA
privacy stakeholder which administrates a privacy preference manager (3.17)
4 Symbols and abbreviated terms
For the purposes of this document, the following abbreviations apply:
EHR electronic health record
ICT information and communications technology
PIA privacy impact assessment
PII personally identifiable information
PPA privacy preference administrator
PPM privacy preference manager
5 User-centric framework for handling PII
5.1 General
Privacy preference handling is the key enabler for the construction of a user-centric PII handling
framework based on privacy preferences. As shown in Figure 1, such a framework can be used as a
technical reference for developers of ICT systems that process PII. Use cases of PII handling based on
privacy preferences are introduced in Annex A.
The framework consists of actors and components.
Figure 1 — User-centric framework for handling PII (key: actor, component)
The privacy preference manager (PPM) provides the following capabilities:
— the management of privacy preferences of PII principals;
— the management of privacy notices;
— the management of consent information where applicable;
— generation of information for handling PII processing in IT systems at a granularity level
corresponding to the preferences;
— the implementation of control mechanisms to enforce these preferences during PII processing,
including in the case of PII transfer.
As shown in Figure 1, the privacy preference manager acts as a proxy for the PII principal(s) in order
to realize privacy preference-based handling. From the point of view of PII principals, PII should
be processed appropriately by service providers (PII controllers or PII processors) based on the PII
principal’s privacy preferences. In this case, a PII principal should specify their privacy preferences,
such as the type of PII that can be collected, how their PII shall and shall not be processed and with
which entities, if any, their PII may be shared. In a complex service environment, the preference of PII
principals for PII usage should be configured flexibly. To this end, privacy preference handling enables
the following functionalities.
— PII principals can configure their PII privacy preferences. These preferences may include the list of
PII that a PII principal allows to be collected, and the service providers that the PII principal allows
to access the collected PII. The default setting of privacy preferences contains no PII list, so that no PII
is collected or shared unless the PII principal opts in (privacy by default).
— The delivery of PII to a service provider is controlled by the privacy preferences which are made by
the PII principal in the context of a particular operation performed with that service provider.
— PII principals have access to a summary showing when their PII has been shared with other service
providers.
NOTE A third party is a recipient of PII, and the third party becomes either PII controller, PII processor, or
PII sub-processor once it has received the PII.
5.2 Actors
The actors in the user-centric PII handling framework are the following:
— the PII principals;
— PII controllers (including a third party);
— the PII processors;
— the privacy preference administrators (PPAs).
5.3 Roles of actors in user-centric PII handling frameworks
5.3.1 Roles of PII principals
PII principals give consent, where applicable, and determine their preferences for how their PII should
be collected and processed, and provide the privacy preferences to the PPM.
NOTE Consent and preferences can be provided indirectly by an authorized third party, who gives consent
and indicates privacy preferences on behalf of other PII principals. Examples of PII providers are employees that
provide information on their family members to an employer, or a job applicant that provides a contact number of
an ex-employer when applying for a new job.
5.3.2 Roles of PII controllers
A PII controller can, where appropriate:
— implement control mechanisms as required to protect the PII of the PII principal;
— process PII, respecting the preferences of the PII principal, e.g. as recorded in the PPM;
— implement mechanisms to allow the PII principal direct access and/or control to some or all of their
own PII;
— decide to have all or part of the processing operations carried out by a different privacy stakeholder
on its behalf (using a PII processor) where the PII principal has authorized this implicitly or explicitly,
e.g. via a preference stored in the PPM;
— transfer PII to another controller. The PII principal’s preferences, e.g. as reflected in the PPM,
continue to be respected when the new controller processes the PII.
A PII controller should provide appropriate privacy notices to PII principals.
NOTE ISO/IEC 29184 provides guidance on the structure and content of privacy notices.
5.3.3 Roles of PII processors
A PII processor can:
— implement control mechanisms as required to protect the PII principal’s PII, potentially including
additional controls as required by the PII controller;
— process PII as instructed by the PII controller, respecting the PII principal’s preferences, as recorded
in the PPM.
5.3.4 Roles of privacy preference administrators
Privacy preference administrators (PPAs) are privacy stakeholders that administer the PPM and
handle its contents. Their purpose is to inform the PII processors and PII controllers about the preferences
that govern their actions.
NOTE 1 The provision of information can take place in real time.
NOTE 2 The PPA is a controller and processor of privacy preferences. The PPA is a specific role in the
organizational structure of a PII controller or a PII processor.
5.4 Components in the user-centric PII handling framework
5.4.1 Overview
Figure 2 shows the components in the user-centric PII handling framework that can have an influence
on the privacy preference manager.
Figure 2 — Components in the user-centric PII handling framework
5.4.2 Data collection
The data collection component collects PII from data sources. Data sources are individuals, devices,
databases, or systems that provide information including PII for data processing.
5.4.3 Data transformation(s)
The data transformation component provides an optional process. Typical examples of transformations
applied to data are de-identification and redaction. PII may be de-identified before or after PII transfer
control, according to a privacy preference.
NOTE 1 An additional category of preference is de-identification policies. ISO/IEC 20889 specifies terminology,
a classification of de-identification techniques according to their characteristics, and their applicability for
reducing the risk of re-identification. These techniques include suppression, generalization, and randomization
techniques. Data sets can undergo redaction before or after transfer, which can reduce identifying attributes.
NOTE 2 ISO/IEC 27038 specifies the redaction of digital documents.
NOTE 3 ISO/IEC 23264-1 specifies properties of cryptographic mechanisms to redact authentic data (i.e. data
with associated attestations).
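The following is an added example, not code from ISO/IEC 27556, showing how a data transformation component can apply the techniques named above (redaction of a field, suppression of a value, generalization) according to per-field preferences of a PII principal, and how to check afterwards which identifying attributes survive unchanged, since redaction of one field removes only that field (3.12, Note 1). The sample record, its field names, the ten-year age band and the "unknown field is redacted" default are assumptions made for illustration.

```python
"""Preference-driven data transformation: redaction, suppression and generalization.

Added example; not code from ISO/IEC 27556. The record, field names and the
rule that fields without a preference are redacted are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample record (not taken from the standard).
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "date_of_birth": "1984-06-12",
    "postcode": "SW1A 1AA",
    "diagnosis_code": "J45",
}

# Fields treated as identifying attributes (3.7) in this constructed context.
IDENTIFYING_ATTRIBUTES = frozenset({"name", "email", "date_of_birth", "postcode"})


@dataclass(frozen=True)
class TransformationPreference:
    """A PII principal's choice of technique for one field.

    technique is one of "redact", "suppress", "generalize" or "keep".
    """
    field: str
    technique: str


def generalize(field, value, today):
    """Replace a precise value with a coarser one (generalization, ISO/IEC 20889)."""
    if field == "date_of_birth":
        born = date.fromisoformat(value)
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        low = age - age % 10
        return f"{low}-{low + 9}"          # ten-year age band instead of a birth date
    if field == "postcode":
        return value.split()[0]            # outward code only, e.g. "SW1A"
    raise ValueError(f"no generalization rule for field {field!r}")


def apply_preferences(record, preferences, today=None):
    """Return a transformed copy of record according to the per-field preferences.

    Fields without a preference are redacted: privacy by default.
    """
    today = today or date.today()
    chosen = {p.field: p.technique for p in preferences}
    transformed = {}
    for field, value in record.items():
        technique = chosen.get(field, "redact")
        if technique == "redact":
            continue                                 # field removed entirely (3.12)
        if technique == "suppress":
            transformed[field] = "*" * len(value)    # value masked, field kept
        elif technique == "generalize":
            transformed[field] = generalize(field, value, today)
        elif technique == "keep":
            transformed[field] = value
        else:
            raise ValueError(f"unknown technique {technique!r} for {field!r}")
    return transformed


def residual_identifying_attributes(original, transformed):
    """Identifying attributes that survive the transformation unchanged.

    Redaction only removes the field it targets (3.12, Note 1); this check
    makes the remaining re-identification surface visible before transfer.
    """
    return sorted(
        f for f in IDENTIFYING_ATTRIBUTES
        if f in transformed and transformed[f] == original.get(f)
    )


def demo(today=date(2024, 1, 1)):
    """Apply one constructed set of preferences to the sample record."""
    preferences = [
        TransformationPreference("name", "redact"),
        TransformationPreference("email", "suppress"),
        TransformationPreference("date_of_birth", "generalize"),
        TransformationPreference("postcode", "generalize"),
        TransformationPreference("diagnosis_code", "keep"),
    ]
    out = apply_preferences(SAMPLE_RECORD, preferences, today)
    return out, residual_identifying_attributes(SAMPLE_RECORD, out)


if __name__ == "__main__":
    print(demo())
```

Running the transformation before transfer means the PII recipient never sees the precise birth date or full postcode; running the residual check afterwards is what catches a "keep" preference on an identifying attribute that would otherwise undo the de-identification.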
5.4.4 PII transfer control
The PII transfer control component handles PII transfer from data source(s) to PII recipient(s). The PII
transfer control component involves the use of control mechanisms to enforce privacy preferences.
NOTE 1 ISO/IEC 27701 can be used as guidance on controls that can be used by PII controllers and PII
processors.
NOTE 2 PII transfer is allowed only into controlled and authorized processors' systems.
5.4.5 PII recipient
The PII recipient component receives PII and executes operations according to the PII principal’s privacy
preferences.
5.4.6 Privacy preference manager
The privacy preference manager (PPM) component includes the following sub-components, as shown in
Figure 3.
— Consent information administration: this sub-component is optional. It provides an interface for
storing, updating and accessing consent information, and securely maintains the stored consent
information (providing confidentiality, integrity and availability). A receipt of consent can be
provided to PII principals based on the stored consent information. The consent information
administration sub-component may also provide a mechanism for obtaining the consent of the PII
principal.
— Privacy preference administration: this sub-component securely collects privacy preference
information and provides a mechanism for input, modification and deletion of privacy preferences
related to actions performed on a service provider. Privacy preferences should be configured so
that all choices are disabled by default, and PII principals should be able to update or modify them
at any time. Annex C provides examples of the configuration of privacy preferences.
— Control rule generation: this sub-component provides data flow control rules to the PII transfer
control component. Data flow control rules are generated according to consent information and
privacy preferences chosen by PII principals. The rules are used for access control to PII by the PII
transfer control component.
— Transparency administration: this sub-component provides logging and log inspection. Logging
records PII transfer receipts and the associated transfer times; log inspection allows each PII
principal to check these logs, where appropriate.
NOTE 1 The PPM, itself being operated by a data controller or processor, can maintain records of processing.
NOTE 2 This sub-component can also include mechanisms for collecting, holding and displaying consent and
data use receipts.
Figure 3 — Structure of the privacy preference manager
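The following is an added example, not code from ISO/IEC 27556, that puts the functionalities listed in 5.1 and the four PPM sub-components of 5.4.6 together with the PII transfer control component of 5.4.4 in one runnable class: preferences are empty by default (all choices disabled), consent receipts are hashed, control rules are generated only from a preference whose purpose has consent, the transfer step releases only the PII types a matching rule allows and only to an authorized recipient system, and every transfer attempt leaves a receipt the PII principal can inspect. The principal, recipient and purpose identifiers, the sample record, the fixed clock and the rule that consent gates rule generation are assumptions for illustration.

```python
"""Privacy preference manager (PPM) sub-components as one runnable class.

Added example; not code from ISO/IEC 27556. Principal, recipient and purpose
identifiers, the record layout and the consent-gating rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class ControlRule:
    """Data flow control rule handed to the PII transfer control component."""
    principal: str
    recipient: str
    purpose: str
    allowed_pii: frozenset


class PrivacyPreferenceManager:
    def __init__(self, authorized_recipients, clock=None):
        self._authorized = frozenset(authorized_recipients)   # 5.4.4, NOTE 2
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._preferences = {}   # (principal, recipient) -> (purpose, frozenset of PII types)
        self._consent = {}       # (principal, purpose) -> bool
        self._log = []           # transfer receipts (transparency administration)

    # --- privacy preference administration ---------------------------------
    # No entry means no PII type is allowed: all choices disabled by default.
    def set_preference(self, principal, recipient, purpose, pii_types):
        self._preferences[(principal, recipient)] = (purpose, frozenset(pii_types))

    def delete_preference(self, principal, recipient):
        self._preferences.pop((principal, recipient), None)

    # --- consent information administration (optional sub-component) -------
    def record_consent(self, principal, purpose, given):
        """Store the consent decision and return a tamper-evident consent receipt."""
        self._consent[(principal, purpose)] = given
        receipt = {"principal": principal, "purpose": purpose, "given": given,
                   "time": self._clock().isoformat()}
        receipt["digest"] = hashlib.sha256(
            json.dumps(receipt, sort_keys=True).encode()).hexdigest()
        return receipt

    # --- control rule generation ------------------------------------------
    def control_rules(self, principal):
        """Derive rules from preferences; a preference without consent for its purpose yields none."""
        rules = []
        for (who, recipient), (purpose, pii_types) in self._preferences.items():
            if who == principal and self._consent.get((principal, purpose), False):
                rules.append(ControlRule(principal, recipient, purpose, pii_types))
        return rules

    # --- PII transfer control ---------------------------------------------
    def is_authorized(self, recipient):
        return recipient in self._authorized

    def transfer(self, principal, recipient, purpose, pii):
        """Release only the PII types a matching rule allows; log a receipt either way."""
        if not self.is_authorized(recipient):
            raise PermissionError(f"{recipient!r} is not an authorized recipient system")
        allowed = frozenset()                            # privacy by default
        for rule in self.control_rules(principal):
            if rule.recipient == recipient and rule.purpose == purpose:
                allowed = rule.allowed_pii
        released = {k: v for k, v in pii.items() if k in allowed}
        self._log.append({
            "principal": principal, "recipient": recipient, "purpose": purpose,
            "released": sorted(released), "withheld": sorted(set(pii) - allowed),
            "time": self._clock().isoformat(),
        })
        return released

    # --- transparency administration ---------------------------------------
    def inspect_log(self, principal):
        """Let a PII principal see when and to whom their PII was transferred."""
        return [dict(entry) for entry in self._log if entry["principal"] == principal]


def demo():
    """Walk one constructed principal through preference, consent and transfer."""
    clock = lambda: datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed for reproducibility
    ppm = PrivacyPreferenceManager({"clinic.example", "insurer.example"}, clock)
    pii = {"name": "Alice Example", "email": "alice@example.org", "diagnosis_code": "J45"}
    no_preference = ppm.transfer("alice", "clinic.example", "treatment", pii)
    ppm.set_preference("alice", "clinic.example", "treatment", {"name", "diagnosis_code"})
    no_consent = ppm.transfer("alice", "clinic.example", "treatment", pii)
    ppm.record_consent("alice", "treatment", True)
    released = ppm.transfer("alice", "clinic.example", "treatment", pii)
    return no_preference, no_consent, released, ppm.inspect_log("alice")


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The first two transfers release nothing: the first because no preference exists, the second because the preference's purpose has no consent yet, which is the behaviour the "all choices disabled by default" recommendation calls for. All three attempts are still logged, so the principal's view of the log shows what was withheld as well as what was released.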
5.5 Relationship between actors and components
Figure 4 illustrates the relationships between the actors
...
