ISO IEC 29134:2017 download

05-23-2021

ISO/IEC 29134:2017 download. Information technology – Security techniques – Guidelines for privacy impact assessment.
Introduction
A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.
Initiatives vary substantially in scale and impact. Objectives falling under the heading of “privacy” will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstances.
A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in doing this, acting on the PII controller’s behalf. A PII processor or a supplier may also wish to conduct their own PIA.
A supplier’s PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. When the provider of digital devices is unskilled in and not resourced for PIAs, for example:
— a small retailer, or
— a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations,
then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.
A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory requirements.
ISO/IEC 29134 is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:
— the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;
— an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or equivalent management system); or an organization is performing privacy risk management as an independent function;
— an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not get implemented directly and, therefore, this treatment plan should become part of corresponding legislation, regulation or the contract instead;
— the organization wants to act responsibly towards the PII principals.
3.3
assessor
person who leads and conducts a privacy impact assessment (3.2)
Note 1 to entry: The assessor may be supported by one or more other internal and/or external experts as part of their team.
Note 2 to entry: The assessor may be an expert internal or external to the organization.
3.4
process
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: ISO/IEC Directives Part 1, Consolidated ISO Supplement:2014, 3.12]
3.5
device
combination of hardware and software, or solely software, that allows a user to perform actions
3.6
privacy impact
anything that has an effect on the privacy of a PII principal and/or group of PII principals
Note 1 to entry: The privacy impact could result from the processing of PII in conformance or in violation of privacy safeguarding requirements.
3.7
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29100:2011, 2.20.
3.8
privacy risk map
diagram that indicates the level of impact and likelihood of privacy risks identified
Note 1 to entry: The map is typically used to determine the order in which the privacy risks should be treated.
3.9
programme
group of projects managed in a coordinated way to obtain benefits not available from managing them individually
[SOURCE: ISO 14300-1:2011, 3.2]
3.10
project
unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources
[SOURCE: ISO 9000:2015, 3.4.2]
and/or external stakeholders or may contract an independent third party to do the work. There are advantages and disadvantages to each approach.
However, when the PIA is performed directly by the organization, end-user associations or governmental agencies may request to have the PIA’s adequacy verified by an independent auditor.
The organization should ensure that there is accountability and authority for managing privacy risks, including the implementation and maintenance of the privacy risk management process and for ensuring the adequacy and effectiveness of any controls. This can be facilitated by
— specifying who is accountable for the development, implementation and maintenance of the framework for managing privacy risk, and
— specifying risk owners for implementing privacy risk treatment, maintaining privacy controls and reporting of relevant privacy risk information.
5.4 Scale of a PIA
The scale of the PIA will depend on how significant the impacts are assumed to be. For example, if the impacts are assumed to affect only employees of the organization (e.g. the organization may wish to improve its access control by means of a biometric such as a thumbprint from each employee), then the PIA could engage only employee representatives and be relatively small scale. However, if a government department wishes to introduce a new identity management system for all citizens, it will need to conduct a much larger PIA involving a wide range of external stakeholders.
Organizations should provide self-assessment on the required scale of the PIA, in compliance with laws and regulations. The amount and granularity of the PII per person, the degree of sensitivity of PII, the number of PII principals and the number of people who have access to the PII that will be processed are the critical factors in determining this scale.
In the case of SMEs, non-profit or governmental organizations, the determination of the appropriate scale of the PIA can be jointly, but not bindingly, achieved by the person conducting a PIA (as per 5.3), the SME’s senior management and/or advice from external experts as appropriate.
6 Guidance on the process for conducting a PIA
6.1 General
The scope of a PIA, the specific details of what it covers and how it is conducted all need to be adapted to the size of the organization, the local jurisdiction and the specific programme, information system or process that is the subject of the PIA. In Clause 6:
— the “Objective” is something that should be achieved,
— the “Input” provides guidance about what information may be needed to achieve the “Objective”,
— the “Expected output” is the recommended target for the “Actions”,
— “Actions”, or their equivalents, are guidance on activities that may need to be carried out to achieve the “Objective” and create the recommended “Expected output”, and
— “Implementation guidance” provides more details of matters that may need to be considered in performing the “Actions”.
The “Actions” in this clause, or equivalents, adapted to the desired scope and scale of a PIA may be implemented stand-alone by an organization. They are intended to form a reasonable basis for planning, implementing and following up the PIA in a wide range of circumstances.
The organization conducting a PIA process may wish to directly adapt the process guidance below to its specific PIA scale and scope or as one possible alternative to select a suitable risk-based management
— the decommissioning concept.
7.3.2 Risk criteria
This part should describe the chosen risk criteria. It should at least contain:
— the criteria to estimate level of impact;
— the criteria to estimate likelihood;
— the scales for both;
— the criteria for risk acceptance.
Input comes from 6.11.
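The four components of the risk criteria listed above (impact scale, likelihood scale, their scales, acceptance criterion) are exactly what a privacy risk map (3.8) needs in order to place each risk and order the treatment. The following Python is an added example, not text or code from ISO/IEC 29134: the four-step scales and their labels, the product-of-scales scoring, the acceptance threshold and the sample risk register are all assumptions chosen for illustration, and a real PIA documents its own criteria in this part of the report.

```python
"""Privacy risk criteria and risk map: added worked example, not part of
ISO/IEC 29134. Scales, scoring rule, acceptance threshold and the sample
register are assumptions for illustration only."""
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest, 4 = highest); the labels are constructed.
IMPACT_SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}
LIKELIHOOD_SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}

# Assumed acceptance criterion: a risk at or below this level is accepted as-is.
ACCEPTANCE_THRESHOLD = 4


@dataclass(frozen=True)
class PrivacyRisk:
    name: str
    impact: int      # position on IMPACT_SCALE
    likelihood: int  # position on LIKELIHOOD_SCALE


def risk_level(impact: int, likelihood: int) -> int:
    """Combine the two estimates into one level (assumed rule: product)."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError("impact and likelihood must lie on the defined scales")
    return impact * likelihood


def is_acceptable(risk: PrivacyRisk) -> bool:
    """Apply the documented acceptance criterion to one risk."""
    return risk_level(risk.impact, risk.likelihood) <= ACCEPTANCE_THRESHOLD


def privacy_risk_map(risks):
    """Group risks by (impact, likelihood) cell so the diagram can be drawn."""
    cells = {}
    for r in risks:
        cells.setdefault((r.impact, r.likelihood), []).append(r.name)
    return cells


def treatment_order(risks):
    """Highest level first, higher impact breaking ties: the order in which
    the map suggests the risks should be treated (see Note 1 to 3.8)."""
    return sorted(
        risks,
        key=lambda r: (risk_level(r.impact, r.likelihood), r.impact),
        reverse=True,
    )


def render_map(risks) -> str:
    """Text rendering of the map: rows = impact (high to low), columns = likelihood."""
    cells = privacy_risk_map(risks)
    header = "impact \\ likelihood | " + " | ".join(str(l) for l in LIKELIHOOD_SCALE)
    lines = [header]
    for i in sorted(IMPACT_SCALE, reverse=True):
        row = [",".join(cells.get((i, l), [])) or "-" for l in LIKELIHOOD_SCALE]
        lines.append(f"{i:>19} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample register for a hypothetical employee biometric access system
# (the scale example in 5.4); names and ratings are invented for the example.
SAMPLE_RISKS = [
    PrivacyRisk("template-db-breach", impact=4, likelihood=2),
    PrivacyRisk("excessive-retention", impact=3, likelihood=3),
    PrivacyRisk("log-over-collection", impact=2, likelihood=2),
    PrivacyRisk("vendor-reuse", impact=3, likelihood=1),
]

if __name__ == "__main__":
    print(render_map(SAMPLE_RISKS))
    for r in treatment_order(SAMPLE_RISKS):
        status = "accept" if is_acceptable(r) else "treat"
        print(f"{r.name}: level {risk_level(r.impact, r.likelihood)} -> {status}")
```

Whatever scoring rule an organization chooses, the point of recording the scales and the acceptance threshold in the report is that the ordering and the accept/treat decision for every risk can be reproduced by a reviewer from the register alone.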
7.3.3 Resources and people involved
The organization’s management should provide a statement on the composition of the PIA team, the major milestones of the PIA plan and the budget and resources spent on the PIA.
Input comes from 6.11 and 6.3.2.
7.3.4 Stakeholder consultation
In the PIA process, the organization is expected to have identified the types of stakeholders to be consulted (see 6.3.4.3). The PIA report should specify which stakeholder groups were consulted and how they were consulted (e.g. via surveys, interviews, focus groups, workshops).
The PIA report should state the result of the stakeholder consultation. Did the consultation have any consequence for the design of the programme, process, information system or other initiative that has been the subject of the PIA?
Input comes from 6.3.4.1 to 6.3.4.3.
7.4 Privacy requirements
The PIA report should list the relevant sources for the requirements identified by the PIA team as needing to be met.
Input comes from 6.4.3.
7.5 Risk assessment
7.5.1 Risk sources
The PIA report should list the sources of privacy risk the organization has identified (see 6.4.4).
Input comes from 6.4.4.1.
7.5.2 Threats and their likelihood
For each processing of PII and each potential consequence on the PII principals’ privacy, the PIA report should list the determined threats that may allow the identified risks to occur and their respective likelihood.
Input comes from 6.4.4.1 and 6.4.4.2.
