Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011, including Amd 1:2018)

This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.

Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC 29100:2011, einschließlich Amd 1:2018)

Diese Internationale Norm enthält ein Rahmenwerk für Datenschutz, das
- eine gemeinsame Terminologie zum Datenschutz festlegt,
- die handelnden Stellen und ihre Rollen bei der Verarbeitung von personenbezogenen Daten (pbD) festlegt,
- Überlegungen zum Datenschutz beschreibt und
- Verweisungen auf bekannte Datenschutzprinzipien für Informationstechnologie enthält.
Diese Internationale Norm gilt für natürliche Personen und Organisationen, die mit Festlegung, Bereitstellung, Aufbau, Entwurf, Entwicklung, Prüfung, Aufrechterhaltung, Verwaltung und Betrieb von Informations- und Kommunikationstechniksystemen befasst sind, wenn Steuerungsmaßnahmen für den Datenschutz für die Verarbeitung von pbD erforderlich sind.

Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC 29100:2011, y compris Amd 1:2018)

ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology;
defines the actors and their roles in processing personally identifiable information (PII);
describes privacy safeguarding considerations; and
provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011, vključno z dopolnilom A1:2018)

General Information

Status
Published
Public Enquiry End Date
29-Apr-2020
Publication Date
28-Jul-2020
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
18-Jun-2020
Due Date
23-Aug-2020
Completion Date
29-Jul-2020

Buy Standard

Standard
SIST EN ISO/IEC 29100:2020
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day
Standard
SIST EN ISO/IEC 29100:2020
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN ISO/IEC 29100:2020
01-september-2020

Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011,

vključno z dopolnilom A1:2018)

Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011,

including Amd 1:2018)
Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC
29100:2011, einschließlich Amd 1:2018)
Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC
29100:2011, y compris Amd 1:2018)
Ta slovenski standard je istoveten z: EN ISO/IEC 29100:2020
ICS:
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 29100:2020 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 29100:2020
---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 29100:2020
EUROPEAN STANDARD EN ISO/IEC 29100
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2020
ICS 35.030
English version
Information technology - Security techniques - Privacy
framework (ISO/IEC 29100:2011, including Amd 1:2018)

Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -

- Cadre privé (ISO/IEC 29100:2011, y compris Amd Rahmenwerk für Datenschutz (ISO/IEC 29100:2011,

1:2018) einschließlich Amd 1:2018)
This European Standard was approved by CEN on 31 May 2020.

This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 1 July 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for

giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical

references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to

any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC

Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 29100:2020 E

reserved worldwide for CEN national Members and for
CENELEC Members.
---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
European foreword

The text of ISO/IEC 29100:2011, including Amd 1:2018 has been prepared by Technical Committee

ISO/IEC JTC 1 "Information technology” of the International Organization for Standardization (ISO) and

has been taken over as EN ISO/IEC 29100:2020 by Technical Committee CEN/CLC/JTC 13

“Cybersecurity and Data Protection” the secretariat of which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by December 2020, and conflicting national standards

shall be withdrawn at the latest by December 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been approved by CEN as
EN ISO/IEC 29100:2020 without any modification.
---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 29100:2020
---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL ISO/IEC
STANDARD 29100
First edition
2011-12-15
Information technology — Security
techniques — Privacy framework
Technologies de l'information — Techniques de sécurité — Cadre privé
Reference number
ISO/IEC 29100:2011(E)
ISO/IEC 2011
---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,

electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or

ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Contents Page

Foreword ............................................................................................................................................................. v

Introduction ........................................................................................................................................................ vi

1  Scope ...................................................................................................................................................... 1

2  Terms and definitions ........................................................................................................................... 1

3  Symbols and abbreviated terms .......................................................................................................... 4

4  Basic elements of the privacy framework ........................................................................................... 5

4.1  Overview of the privacy framework ..................................................................................................... 5

4.2  Actors and roles .................................................................................................................................... 5

4.2.1  PII principals .......................................................................................................................................... 5

4.2.2  PII controllers ......................................................................................................................................... 5

4.2.3  PII processors ........................................................................................................................................ 5

4.2.4  Third parties ........................................................................................................................................... 6

4.3  Interactions ............................................................................................................................................ 6

4.4  Recognizing PII ...................................................................................................................................... 7

4.4.1  Identifiers ............................................................................................................................................... 7

4.4.2  Other distinguishing characteristics ................................................................................................... 7

4.4.3  Information which is or might be linked to a PII principal ................................................................ 8

4.4.4  Pseudonymous data ............................................................................................................................. 9

4.4.5  Metadata ................................................................................................................................................. 9

4.4.6  Unsolicited PII ........................................................................................................................................ 9

4.4.7  Sensitive PII ........................................................................................................................................... 9

4.5  Privacy safeguarding requirements .................................................................................................. 10

4.5.1  Legal and regulatory factors .............................................................................................................. 11

4.5.2  Contractual factors .............................................................................................................................. 11

4.5.3  Business factors .................................................................................................................................. 12

4.5.4  Other factors ........................................................................................................................................ 12

4.6  Privacy policies ................................................................................................................................... 13

4.7  Privacy controls ................................................................................................................................... 13

5  The privacy principles of ISO/IEC 29100 ........................................................................................... 14

5.1  Overview of privacy principles .......................................................................................................... 14

5.2  Consent and choice ............................................................................................................................ 14

5.3  Purpose legitimacy and specification ............................................................................................... 15

5.4  Collection limitation ............................................................................................................................ 15

5.5  Data minimization ................................................................................................................................ 16

5.6  Use, retention and disclosure limitation ........................................................................................... 16

5.7  Accuracy and quality .......................................................................................................................... 16

5.8  Openness, transparency and notice ................................................................................................. 17

5.9  Individual participation and access ................................................................................................... 17

5.10  Accountability ...................................................................................................................................... 18

5.11  Information security ............................................................................................................................ 18

5.12  Privacy compliance ............................................................................................................................. 19

Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000

concepts ............................................................................................................................................... 20

Bibliography ...................................................................................................................................................... 21

© ISO/IEC 2011 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Figures

Figure 1 – Factors influencing privacy risk management .................................................................................. 11

Tables

Table 1 – Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their

roles 7
Table 2 – Example of attributes that can be used to identify natural persons 8
Table 3 – The privacy principles of ISO/IEC 29100 14
Table A.1 – Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20
iv © ISO/IEC 2011 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are members of

ISO or IEC participate in the development of International Standards through technical committees

established by the respective organization to deal with particular fields of technical activity. ISO and IEC

technical committees collaborate in fields of mutual interest. Other international organizations, governmental

and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information

technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as

an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.
© ISO/IEC 2011 – All rights reserved v
---------------------- Page: 11 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Introduction

This International Standard provides a high-level framework for the protection of personally

identifiable information (PII) within information and communication technology (ICT) systems. It is

general in nature and places organizational, technical, and procedural aspects in an overall privacy

framework.

The privacy framework is intended to help organizations define their privacy safeguarding

requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.

In some jurisdictions, this International Standard’s references to privacy safeguarding requirements

might be understood as being complementary to legal requirements for the protection of PII. Due to

the increasing number of information and communication technologies that process PII, it is

important to have international information security standards that provide a common understanding

for the protection of PII. This International Standard is intended to enhance existing security

standards by adding a focus relevant to the processing of PII.

The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the

growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to

achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty

and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.

Use of this International Standard will:

- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect

PII;

- spur innovative solutions to enable the protection of PII within ICT systems; and

- improve organizations’ privacy programs through the use of best practices.

The privacy framework provided within this International Standard can serve as a basis for additional

privacy standardization initiatives, such as for:
- a technical reference architecture;

- the implementation and use of specific privacy technologies and overall privacy management;

- privacy controls for outsourced data processes;
- privacy risk assessments; or
- specific engineering specifications.

Some jurisdictions might require compliance with one or more of the documents referenced in

ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents

References [3] or with other applicable laws and regulations, but this International Standard is not

intended to be a global model policy, nor a legislative framework.
vi © ISO/IEC 2011 – All rights reserved
---------------------- Page: 12 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL STANDARD ISO/IEC 29100:2011(E)
Information technology — Security techniques — Privacy
framework
1 Scope
This International Standard provides a privacy framework which
- specifies a common privacy terminology;

- defines the actors and their roles in processing personally identifiable information (PII);

- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.

This International Standard is applicable to natural persons and organizations involved in specifying,

procuring, architecting, designing, developing, testing, maintaining, administering, and operating

information and communication technology systems or services where privacy controls are required

for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of

privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000

concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.

2.1
anonymity

characteristic of information that does not permit a personally identifiable information principal to be

identified directly or indirectly
2.2
anonymization

process by which personally identifiable information (PII) is irreversibly altered in such a way that a

PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in

collaboration with any other party
2.3
anonymized data

data that has been produced as the output of a personally identifiable information anonymization

process
2.4
consent

personally identifiable information (PII) principal’s freely given, specific and informed agreement to

the processing of their PII
© ISO/IEC 2011 – All rights reserved 1
---------------------- Page: 13 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.5
identifiability

condition which results in a personally identifiable information (PII) principal being identified, directly

or indirectly, on the basis of a given set of PII
2.6
identify

establish the link between a personally identifiable information (PII) principal and PII or a set of PII

2.7
identity

set of attributes which make it possible to identify the personally identifiable information principal

2.8
opt-in

process or type of policy whereby the personally identifiable information (PII) principal is required to

take an action to express explicit, prior consent for their PII to be processed for a particular purpose

NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a

process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw

consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right

to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent

(e.g., placing an order in an online shop).
2.9
personally identifiable information
PII

any information that (a) can be used to identify the PII principal to whom such information relates, or

(b) is or might be directly or indirectly linked to a PII principal

NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can

reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.

2.10
PII controller

privacy stakeholder (or privacy stakeholders) that determines the purposes and means for

processing personally identifiable information (PII) other than natural persons who use data for

personal purposes

NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the

responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates

NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data

subject” can also be used instead of the term “PII principal”.
2.12
PII processor

privacy stakeholder that processes personally identifiable information (PII) on behalf of and in

accordance with the instructions of a PII controller
2.13
privacy breach

situation where personally identifiable information is processed in violation of one or more relevant

privacy safeguarding requirements
2 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 14 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.14
privacy controls

measures that treat privacy risks by reducing their likelihood or their consequences

NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines,

legal contracts, management practices or organizational structures.
NOTE 2 Control is also used as a synonym for safeguard or countermeasure.
2.15
privacy enhancing technology
PET

privacy control, consisting of information and communication technology (ICT) measures, products,

or services that protect privacy by eliminating or reducing personally identifiable information (PII) or

by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of

the ICT system

NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate,

reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII.

NOTE 2 Masking is the process of obscuring elements of PII.
2.16
privacy policy

overall intention and direction, rules and commitment, as formally expressed by the personally

identifiable information (PII) controller related to the processing of PII in a particular setting

2.17
privacy preferences

specific choices made by a personally identifiable information (PII) principal about how their PII

should be processed for a particular purpose
2.18
privacy principles

set of shared values governing the privacy protection of personally identifiable information (PII) when

processed in information and communication technology systems
2.19
privacy risk
effect of uncertainty on privacy

NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.

NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an

event, its consequence, or likelihood.
2.20
privacy risk assessment

overall process of risk identification, risk analysis and risk evaluation with regard to the processing of

personally identifiable information (PII)
NOTE This process is also known as a privacy impact assessment.
2.21
privacy safeguarding requirements

set of requirements an organization has to take into account when processing personally identifiable

information (PII) with respect to the privacy protection of PII
2.22
privacy stakeholder

natural or legal person, public authority, agency or any other body that can affect, be affected by, or

perceive themselves to be affected by a decision or activity related to personally identifiable

information (PII) processing
© ISO/IEC 2011 – All rights reserved 3
---------------------- Page: 15 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.23
processing of PII

operation or set of operations performed upon personally identifiable information (PII)

NOTE Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,

retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion

or destruction of PII.
2.24
pseudonymization

process applied to personally identifiable information (PII) which replaces identifying information with

an alias

NOTE 1 Pseudonymization can be performed either by PII principals themselves or by PII controllers. Pseudonymization

can be used by PII principals to consistently use a resource or service without disclosing their identity to this resource or

service (or between services), while still being held accountable for that use.

NOTE 2 Pseudonymization does not rule out the possibility that there might be (a restricted set of) privacy stakeholders

other than the PII controller of the pseudonymized data which are able to determine the PII principal’s identity based on the

alias and data linked to it.
2.25
secondary use

processing of personally identifiable information (PII) in conditions which differ from the initial ones

NOTE Conditions that differ from the initial ones could involve, for example, a new purpose for processing PII, a new

recipient of the PII, etc.
2.26
sensitive PII

category of personally identifiable information (PII), either whose nature is sensitive, such as those

that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the

PII principal

NOTE In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can

consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or

criminal convictions, as well as other PII that might be defined as sensitive.
2.27
third party

privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller

and the PII processor, and the natural persons who are authorized to process the data under the

direct authority of the PII controller or the PII processor
3 Symbols and abbreviated terms
The following abbreviations are common to ISO/IEC 29100.
ICT Information and Communication Technology
PET Privacy Enhancing Technology
PII Personally Identifiable Information
4 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 16 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework

The following components relate to privacy and the processing of PII in ICT systems and make up

the privacy framework described in this International Standard:
- actors and roles;
- interactions;
- recognizing PII;
- privacy safeguarding requirements;
- privacy policies; and
- privacy controls.

For the development of this privacy framework, concepts, definitions and recommendations from

other official sources have been taken into consideration. These sources can be found in

ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents

References [3].
4.2 Actors and roles

For the purposes of this standard, it is important to identify the actors involved in the processing of

PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII

controllers, PII processors and third parties.
4.2.1 PII principals

PII principals provide their PII for processing to PII controllers and PII processors and, when it is not

otherwise provided by applicable law, they give consent and determine their privacy preferences for

how their PII should be processed. PII principals can include, for example, an employee listed in the

human resources system of a company, the consumer mentioned in a credit report, and a pa

...

SLOVENSKI STANDARD
SIST EN ISO/IEC 29100:2020
01-september-2020

Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011,

vključno z dopolnilom A1:2018)

Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011,

including Amd 1:2018)
Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC
29100:2011, einschließlich Amd 1:2018)
Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC
29100:2011, y compris Amd 1:2018)
Ta slovenski standard je istoveten z: EN ISO/IEC 29100:2020
ICS:
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 29100:2020 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 29100:2020
---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 29100:2020
EUROPEAN STANDARD EN ISO/IEC 29100
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2020
ICS 35.030
English version
Information technology - Security techniques - Privacy
framework (ISO/IEC 29100:2011, including Amd 1:2018)

Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -

- Cadre privé (ISO/IEC 29100:2011, y compris Amd Rahmenwerk für Datenschutz (ISO/IEC 29100:2011,

1:2018) einschließlich Amd 1:2018)
This European Standard was approved by CEN on 31 May 2020.

This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 1 July 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for

giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical

references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to

any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC

Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 29100:2020 E

reserved worldwide for CEN national Members and for
CENELEC Members.
---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
European foreword

The text of ISO/IEC 29100:2011, including Amd 1:2018 has been prepared by Technical Committee

ISO/IEC JTC 1 "Information technology” of the International Organization for Standardization (ISO) and

has been taken over as EN ISO/IEC 29100:2020 by Technical Committee CEN/CLC/JTC 13

“Cybersecurity and Data Protection” the secretariat of which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by December 2020, and conflicting national standards

shall be withdrawn at the latest by December 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been approved by CEN as
EN ISO/IEC 29100:2020 without any modification.
---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 29100:2020
---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL ISO/IEC
STANDARD 29100
First edition
2011-12-15
Information technology — Security
techniques — Privacy framework
Technologies de l'information — Techniques de sécurité — Cadre privé
Reference number
ISO/IEC 29100:2011(E)
ISO/IEC 2011
---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,

electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or

ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Contents Page

Foreword ............................................................................................................................................................. v

Introduction ........................................................................................................................................................ vi

1  Scope ...................................................................................................................................................... 1

2  Terms and definitions ........................................................................................................................... 1

3  Symbols and abbreviated terms .......................................................................................................... 4

4  Basic elements of the privacy framework ........................................................................................... 5

4.1  Overview of the privacy framework ..................................................................................................... 5

4.2  Actors and roles .................................................................................................................................... 5

4.2.1  PII principals .......................................................................................................................................... 5

4.2.2  PII controllers ......................................................................................................................................... 5

4.2.3  PII processors ........................................................................................................................................ 5

4.2.4  Third parties ........................................................................................................................................... 6

4.3  Interactions ............................................................................................................................................ 6

4.4  Recognizing PII ...................................................................................................................................... 7

4.4.1  Identifiers ............................................................................................................................................... 7

4.4.2  Other distinguishing characteristics ................................................................................................... 7

4.4.3  Information which is or might be linked to a PII principal ................................................................ 8

4.4.4  Pseudonymous data ............................................................................................................................. 9

4.4.5  Metadata ................................................................................................................................................. 9

4.4.6  Unsolicited PII ........................................................................................................................................ 9

4.4.7  Sensitive PII ........................................................................................................................................... 9

4.5  Privacy safeguarding requirements .................................................................................................. 10

4.5.1  Legal and regulatory factors .............................................................................................................. 11

4.5.2  Contractual factors .............................................................................................................................. 11

4.5.3  Business factors .................................................................................................................................. 12

4.5.4  Other factors ........................................................................................................................................ 12

4.6  Privacy policies ................................................................................................................................... 13

4.7  Privacy controls ................................................................................................................................... 13

5  The privacy principles of ISO/IEC 29100 ........................................................................................... 14

5.1  Overview of privacy principles .......................................................................................................... 14

5.2  Consent and choice ............................................................................................................................ 14

5.3  Purpose legitimacy and specification ............................................................................................... 15

5.4  Collection limitation ............................................................................................................................ 15

5.5  Data minimization ................................................................................................................................ 16

5.6  Use, retention and disclosure limitation ........................................................................................... 16

5.7  Accuracy and quality .......................................................................................................................... 16

5.8  Openness, transparency and notice ................................................................................................. 17

5.9  Individual participation and access ................................................................................................... 17

5.10  Accountability ...................................................................................................................................... 18

5.11  Information security ............................................................................................................................ 18

5.12  Privacy compliance ............................................................................................................................. 19

Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000

concepts ............................................................................................................................................... 20

Bibliography ...................................................................................................................................................... 21

© ISO/IEC 2011 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Figures

Figure 1 – Factors influencing privacy risk management .................................................................................. 11

Tables

Table 1 – Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their

roles 7
Table 2 – Example of attributes that can be used to identify natural persons 8
Table 3 – The privacy principles of ISO/IEC 29100 14
Table A.1 – Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20
iv © ISO/IEC 2011 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are members of

ISO or IEC participate in the development of International Standards through technical committees

established by the respective organization to deal with particular fields of technical activity. ISO and IEC

technical committees collaborate in fields of mutual interest. Other international organizations, governmental

and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information

technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as

an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.
© ISO/IEC 2011 – All rights reserved v
---------------------- Page: 11 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Introduction

This International Standard provides a high-level framework for the protection of personally

identifiable information (PII) within information and communication technology (ICT) systems. It is

general in nature and places organizational, technical, and procedural aspects in an overall privacy

framework.

The privacy framework is intended to help organizations define their privacy safeguarding

requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.

In some jurisdictions, this International Standard’s references to privacy safeguarding requirements

might be understood as being complementary to legal requirements for the protection of PII. Due to

the increasing number of information and communication technologies that process PII, it is

important to have international information security standards that provide a common understanding

for the protection of PII. This International Standard is intended to enhance existing security

standards by adding a focus relevant to the processing of PII.

The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the

growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to

achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty

and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.

Use of this International Standard will:

- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect

PII;

- spur innovative solutions to enable the protection of PII within ICT systems; and

- improve organizations’ privacy programs through the use of best practices.

The privacy framework provided within this International Standard can serve as a basis for additional

privacy standardization initiatives, such as for:
- a technical reference architecture;

- the implementation and use of specific privacy technologies and overall privacy management;

- privacy controls for outsourced data processes;
- privacy risk assessments; or
- specific engineering specifications.

Some jurisdictions might require compliance with one or more of the documents referenced in

ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents

References [3] or with other applicable laws and regulations, but this International Standard is not

intended to be a global model policy, nor a legislative framework.
vi © ISO/IEC 2011 – All rights reserved
---------------------- Page: 12 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL STANDARD ISO/IEC 29100:2011(E)
Information technology — Security techniques — Privacy
framework
1 Scope
This International Standard provides a privacy framework which
- specifies a common privacy terminology;

- defines the actors and their roles in processing personally identifiable information (PII);

- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.

This International Standard is applicable to natural persons and organizations involved in specifying,

procuring, architecting, designing, developing, testing, maintaining, administering, and operating

information and communication technology systems or services where privacy controls are required

for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of

privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000

concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.

2.1
anonymity

characteristic of information that does not permit a personally identifiable information principal to be

identified directly or indirectly
2.2
anonymization

process by which personally identifiable information (PII) is irreversibly altered in such a way that a

PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in

collaboration with any other party
2.3
anonymized data

data that has been produced as the output of a personally identifiable information anonymization

process
2.4
consent

personally identifiable information (PII) principal’s freely given, specific and informed agreement to

the processing of their PII
© ISO/IEC 2011 – All rights reserved 1
---------------------- Page: 13 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.5
identifiability

condition which results in a personally identifiable information (PII) principal being identified, directly

or indirectly, on the basis of a given set of PII
2.6
identify

establish the link between a personally identifiable information (PII) principal and PII or a set of PII

2.7
identity

set of attributes which make it possible to identify the personally identifiable information principal

2.8
opt-in

process or type of policy whereby the personally identifiable information (PII) principal is required to

take an action to express explicit, prior consent for their PII to be processed for a particular purpose

NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a

process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw

consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right

to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent

(e.g., placing an order in an online shop).
2.9
personally identifiable information
PII

any information that (a) can be used to identify the PII principal to whom such information relates, or

(b) is or might be directly or indirectly linked to a PII principal

NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can

reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.

2.10
PII controller

privacy stakeholder (or privacy stakeholders) that determines the purposes and means for

processing personally identifiable information (PII) other than natural persons who use data for

personal purposes

NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the

responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates

NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data

subject” can also be used instead of the term “PII principal”.
2.12
PII processor

privacy stakeholder that processes personally identifiable information (PII) on behalf of and in

accordance with the instructions of a PII controller
2.13
privacy breach

situation where personally identifiable information is processed in violation of one or more relevant

privacy safeguarding requirements
2 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 14 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.14
privacy controls

measures that treat privacy risks by reducing their likelihood or their consequences

NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines,

legal contracts, management practices or organizational structures.
NOTE 2 Control is also used as a synonym for safeguard or countermeasure.
2.15
privacy enhancing technology
PET

privacy control, consisting of information and communication technology (ICT) measures, products,

or services that protect privacy by eliminating or reducing personally identifiable information (PII) or

by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of

the ICT system

NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate,

reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII.

NOTE 2 Masking is the process of obscuring elements of PII.
2.16
privacy policy

overall intention and direction, rules and commitment, as formally expressed by the personally

identifiable information (PII) controller related to the processing of PII in a particular setting

2.17
privacy preferences

specific choices made by a personally identifiable information (PII) principal about how their PII

should be processed for a particular purpose
2.18
privacy principles

set of shared values governing the privacy protection of personally identifiable information (PII) when

processed in information and communication technology systems
2.19
privacy risk
effect of uncertainty on privacy

NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.

NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an

event, its consequence, or likelihood.
2.20
privacy risk assessment

overall process of risk identification, risk analysis and risk evaluation with regard to the processing of

personally identifiable information (PII)
NOTE This process is also known as a privacy impact assessment.
2.21
privacy safeguarding requirements

set of requirements an organization has to take into account when processing personally identifiable

information (PII) with respect to the privacy protection of PII
2.22
privacy stakeholder

natural or legal person, public authority, agency or any other body that can affect, be affected by, or

perceive themselves to be affected by a decision or activity related to personally identifiable

information (PII) processing
© ISO/IEC 2011 – All rights reserved 3
---------------------- Page: 15 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.23
processing of PII

operation or set of operations performed upon personally identifiable information (PII)

NOTE Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,

retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion

or destruction of PII.
2.24
pseudonymization

process applied to personally identifiable information (PII) which replaces identifying information with

an alias

NOTE 1 Pseudonymization can be performed either by PII principals themselves or by PII controllers. Pseudonymization

can be used by PII principals to consistently use a resource or service without disclosing their identity to this resource or

service (or between services), while still being held accountable for that use.

NOTE 2 Pseudonymization does not rule out the possibility that there might be (a restricted set of) privacy stakeholders

other than the PII controller of the pseudonymized data which are able to determine the PII principal’s identity based on the

alias and data linked to it.
2.25
secondary use

processing of personally identifiable information (PII) in conditions which differ from the initial ones

NOTE Conditions that differ from the initial ones could involve, for example, a new purpose for processing PII, a new

recipient of the PII, etc.
2.26
sensitive PII

category of personally identifiable information (PII), either whose nature is sensitive, such as those

that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the

PII principal

NOTE In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can

consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or

criminal convictions, as well as other PII that might be defined as sensitive.
2.27
third party

privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller

and the PII processor, and the natural persons who are authorized to process the data under the

direct authority of the PII controller or the PII processor
3 Symbols and abbreviated terms
The following abbreviations are common to ISO/IEC 29100.
ICT Information and Communication Technology
PET Privacy Enhancing Technology
PII Personally Identifiable Information
4 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 16 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework

The following components relate to privacy and the processing of PII in ICT systems and make up

the privacy framework described in this International Standard:
- actors and roles;
- interactions;
- recognizing PII;
- privacy safeguarding requirements;
- privacy policies; and
- privacy controls.

For the development of this privacy framework, concepts, definitions and recommendations from

other official sources have been taken into consideration. These sources can be found in

ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents

References [3].
4.2 Actors and roles

For the purposes of this standard, it is important to identify the actors involved in the processing of

PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII

controllers, PII processors and third parties.
4.2.1 PII principals

PII principals provide their PII for processing to PII controllers and PII processors and, when it is not

otherwise provided by applicable law, they give consent and determine their privacy preferences for

how their PII should be processed. PII principals can include, for example, an employee listed in the

human resources system of a company, the consumer mentioned in a credit report, and a pa

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.