BS ISO IEC 29100:2011 pdf – Information technology —Security techniques – Privacy framework
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework
The following components relate to privacy and the processing of PII in ICT systems and make up the privacy framework described in this International Standard:
• actors and roles;
• recognizing PII;
• privacy safeguarding requirements;
• privacy policies; and
• privacy controls.
For the development of this privacy framework, concepts, definitions and recommendations from other official sources have been taken into consideration. These sources can be found in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents.
4.2 Actors and roles
For the purposes of this standard, it is important to identify the actors involved in the processing of PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII controllers, PII processors and third parties.
4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII principal for that PII set.
4.2.2 PII controllers
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.
4.2.3 PII processors
A PII processor carries out the processing of PII on behalf of a PII controller, acts on behalf of, or in accordance with the instructions of, the PII controller, observes the stipulated privacy requirements and implements the corresponding privacy controls. In some jurisdictions, the PII processor is bound by a legal contract.
4.2.4 Third parties
A third party can receive PII from a PII controller or a PII processor. A third party does not process PII on behalf of the PII controller. Generally, the third party will become a PII controller in its own right once it has received the PII in question.
The actors identified in the previous clause can interact with each other in a variety of ways. As far as the possible flows of PII among the PII principal, the PII controller and the PII processor are concerned, the following scenarios can be identified:
a) the PII principal provides PII to a PII controller (e.g., when registering for a service provided by the PII controller);
b) the PII controller provides PII to a PII processor which processes that PII on behalf of the PII controller (e.g., as part of an outsourcing agreement);
c) the PII principal provides PII to a PII processor which processes that PII on behalf of the PII controller;
d) the PII controller provides the PII principal with PII which is related to the PII principal (e.g., pursuant to a request made by the PII principal);
e) the PII processor provides PII to the PII principal (e.g., as directed by the PII controller); and
f) the PII processor provides PII to the PII controller (e.g., after having performed the service for which it was appointed).
The roles of the PII principal, PII controller, PII processor and a third party in these scenarios are illustrated in Table 1.