ISO Privacy Framework - Principles of data protection - Part 1

Information security and privacy

Many companies are currently unsure whether their IT security measures and any existing ISMS already meet data protection requirements. Depending on the environment, companies must comply with the Swiss DPA, the GDPR and other industry-specific requirements. In our series of articles on privacy, we answer the following questions:

• What is the path to privacy protection?
• What standards can companies build on?
• Which tools can be used to document and demonstrate the measures to third parties?

The aim of privacy, as formulated in the Swiss Data Protection Act, is to"protect the personality and fundamental rights of persons about whom data is processed". The aim of information security is to protect information. The two topics are not identical, but they fit together perfectly: Information security learns through the conceptual work in privacy to better understand what protection needs it has to fulfill.

Privacy also raises the question of what data is collected and for what purpose. Privacy therefore has an influence on the definition of the business process and the service to be provided (what is collected, why and for what purpose). Ultimately, the specialist areas work hand in hand: the process must meet the requirements of privacy; information security must protect both the process and the data. One is not possible without the other.

The ISO Privacy Framework

ISO defines a"Privacy Framework" in standard 29100:2011. It provides a basic framework and terminology for dealing with PII. The latter - Personally Identifiable Information - refers to all forms of data that make a person identifiable, but also allow conclusions to be drawn about their behavior or personal situation. The wording is deliberately left open at this point. The standard itself contains longer explanations on how planners can identify the relevant data in their project.

For example, PII can be a credit card, telephone or customer number and associated transaction data that can be assigned to a person. It is irrelevant whether this person is your own customer. The data you have about your customers' employees or customers' customers can also be relevant. For an IT service provider, its ticketing system can therefore become relevant as soon as such data is copied into a ticket without being asked.

Involved parties and data exchange

The standard divides data processing into four entities, as shown in the following diagram. The PII Principal is the natural person who becomes identifiable. The PII Controller decides why the data must be collected and processed and also how. From a legal perspective, he is responsible for compliance with the regulations.

A PII Controller may also designate a PII Processor as a deputy to carry out the data processing in its place or in support of its instructions. The three entities mentioned above are fully interconnected, i.e. PII can flow freely back and forth.

It is irrelevant whether the PII Principal has a contractual relationship with the PII Controller or PII Processor, because ultimately they are both responsible for all PII they have, regardless of the incoming channel, and both must ensure that they act in accordance with the agreed guidelines. It must therefore also be clarified what happens if unsolicited data is sent to you via third parties.

All3rd parties are also relevant, as they receive PII and may process it, but do not act in accordance with the instructions of the PII controller. They set up their own privacy framework and thus become PII controllers themselves - albeit without the insight of the first, original PII controller.

This means that the PII can run through a chain of privacy frameworks until it finally ends up somewhere where neither the original PII controller nor the PII principal knows exactly how it is processed. Anyone who promises their customers strong privacy protection should therefore consider from the outset which third parties should be involved and, above all, why.

The eleven principles of privacy in data processing

The PII Controller is responsible for deciding why and how PII is processed. As part of the decision to handle the processing, it is also responsible for applying the"privacy principles " from the ISO 29100:2011 standard:

1. Consent and Choice: PII must be collected using "opt-in" procedures - i.e. the PII Principal can give or withdraw consent using a simple procedure.
2. Purpose Legitimacy and Specification:Data is only collected to the extent permitted by law. The PII Principal receives a simple explanation of the purpose of the collection and processing.
3. Collection Limitation: PII should only be collected to the extent necessary to provide the service. The PII Controller must be able to explain the purpose of the collection.
4. Data minimization: In processing operations, only the data that is necessary should be taken into account. This means that data should not be distributed everywhere, but only where the relevant processes take place.
5. Use, Retention and Disclosure Limitation: The transfer of PII, as well as the disclosure to third parties, may only take place to the extent necessary for the provision of the respective service.
6. Accuracy and Quality: Quality must be ensured - i.e. no incorrect or expired data must be collected - especially in cases where the PII Principal may suffer damage as a result of incorrect data.
7. Openness, Transparency and Notice: PII Principals have access to the PII Controller's policies and guidelines, which must be clear and easy to understand.
8. Individual Participation and Access: PII Principals have access to the data and may request corrections and removal. This must be done free of charge and after appropriate authentication.
9. Accountability: Responsibility for implementing measures to protect PII must be defined and the measures and their effectiveness must be regularly reviewed.
10. Information Security: All systems involved must be protected on a technical level, e.g. by applying controls from Annex A of ISO 27001 (or ISO 27002) and a standardized risk analysis procedure.
11. Privacy compliance: The entities involved must demonstrate that they comply with the requirements (including policy and legal requirements) and, where appropriate, carry out regular audits.

The PII Controller must ensure that the relevant specialists and business managers are familiar with these principles. He is also responsible for ensuring that the guidelines and decisions are documented and that the assigned PII Processors implement them.

Why this is important

These eleven privacy principles have no direct equivalent in IS. Decisions on confidentiality, integrity and availability do not per se mean a decision on the desired protection of PII principals.

Rather, the privacy principles are something that must be applied in parallel to information security. They must be determined and assessed separately. In a project, both the requirements of IS and privacy must be taken into account and coordinated with each other.

Outlook

The next article in our blog series will show how aPrivacy Impact Assessment (PIA)can be used to identify and assess these requirements in a structured manner.