AS 27701:2022 pdf – Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines (ISO/IEC 27701:2019, MOD).
7.2.2 Identify lawful basis
The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.
Implementation guidance
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
The legal basis for the processing of PII can include:
— consent from PII principals;
— performance of a contract;
— compliance with a legal obligation;
— protection of the vital interests of PII principals;
— performance of a task carried out in the public interest;
— legitimate interests of the PII controller.
The organization should document this basis for each PII processing activity (see 7.2.8).
The legitimate interests of the organization can include, for instance, information security objectives, which should be balanced against the obligations to PII principals with regards to privacy protection.
Whenever special categories of PII are defined, either by the nature of the PII (e.g. health information) or by the PII principals concerned (e.g. PII relating to children), the organization should include those categories of PII in its classification schemes.
The classification of PII that falls into these categories can vary from one jurisdiction to another and can vary between different regulatory regimes that apply to different kinds of business, so the organization needs to be aware of the classification(s) that apply to the PII processing being performed.
The use of special categories of PII can also be subject to more stringent controls.
Changing or extending the purposes for the processing of PII can require updating and/or revision of the legal basis. It can also require additional consent to be obtained from the PII principal.
7.2.3 Determine when and how consent is to be obtained
The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.
Implementation guidance
Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent. It can be useful to correlate the purpose(s) for processing with information about if and how consent is obtained.
Some jurisdictions have specific requirements for how consent is collected and recorded (e.g. not bundled with other agreements). Additionally, certain types of data collection (for scientific research for example) and certain types of PII principals, such as children, can be subject to additional requirements.
7.2.4 Obtain and record consent
Implementation guidance
The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).
The information delivered to the PII principal before the consent process should follow the guidance in 7.3.3.
The consent should be:
— freely given;
— specific regarding the purpose for processing; and
— unambiguous and explicit.
7.2.5 Privacy impact assessment
Control
The organization should assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of PII is planned.
Implementation guidance
PII processing generates risks for PII principals. These risks should be assessed through a privacy impact assessment. Some jurisdictions define cases for which a privacy impact assessment is mandated. Criteria can include automated decision making which produces legal effects on PII principals, large scale processing of special categories of PII (e.g. health-related information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data), or systematic monitoring of a publicly accessible area on a large scale.
The organization should determine the elements that are necessary for the completion of a privacy impact assessment. These can include a list of the types of PII processed, where the PII is stored and where it can be transferred. Data flow diagrams and data maps can also be helpful in this context (see 7.2.8 for details of records of the processing of PII that can inform a privacy impact or other risk assessment).
Other information
Guidance on privacy impact assessments related to the processing of PII can be found in ISO/IEC 29134.