ISO/IEC 29100:2011 – Information technology – Security techniques – Privacy framework
4.2.4 Third parties
A third party can receive PII from a PII controller or a PII processor. A third party does not process PII on behalf of the PII controller. Generally, the third party will become a PII controller in its own right once it has received the PII in question.
4.3 Interactions
The actors identified in the previous clause can interact with each other in a variety of ways. As far as the possible flows of PII among the PII principal, the PII controller and the PII processor are concerned, the following scenarios can be identified:
a) the PII principal provides PII to a PII controller (e.g., when registering for a service provided by the PII controller);
b) the PII controller provides PII to a PII processor which processes that PII on behalf of the PII controller (e.g., as part of an outsourcing agreement);
c) the PII principal provides PII to a PII processor which processes that PII on behalf of the PII controller;
d) the PII controller provides the PII principal with PII which is related to the PII principal (e.g., pursuant to a request made by the PII principal);
e) the PII processor provides PII to the PII principal (e.g., as directed by the PII controller); and
f) the PII processor provides PII to the PII controller (e.g., after having performed the service for which it was appointed).
The roles of the PII principal, PII controller, PII processor and a third party in these scenarios are illustrated in Table 1.
There is a need to distinguish between PII processors and third parties because the legal control of the PII remains with the original PII controller when it is sent over to the PII processor, whereas a third party can become a PII controller in its own right once it has received the PII in question. For instance, where a third party makes the decision to transfer PII it has received from a PII controller to yet another party, it will be acting as a PII controller in its own right and will therefore no longer be considered a third party.
As far as the possible flows of PII among the PII controllers and PII processors on the one hand, and third parties on the other hand are concerned, the following scenarios can be identified:
g) the PII controller provides PII to a third party (e.g., in the context of a business agreement); and
h) the PII processor provides PII to a third party (e.g., as directed by the PII controller).
The roles of the PII controller and a third party in these scenarios are also illustrated in Table 1.
4.4 Recognizing PII
To determine whether or not a natural person should be considered identifiable, several factors need to be taken into account. In particular, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person. ICT systems should support mechanisms that will make the PII principal aware of such PII and provide the natural person with appropriate controls over the sharing of that information. The following sub-clauses provide additional clarification on how to determine whether or not a PII principal should be considered identifiable.
4.4.1 Identifiers
In certain instances, identifiability of the PII principal might be very clear (e.g., when the information contains or is associated with an identifier which is used to refer to or communicate with the PII principal). Information can be considered to be PII in at least the following instances:
– if it contains or is associated with an identifier which refers to a natural person (e.g., a social security number);
– if it contains or is associated with an identifier which can be related to a natural person (e.g., a passport number, an account number);
– if it contains or is associated with an identifier which can be used to establish a communication with an identified natural person (e.g., a precise geographical location, a telephone number); or
– if it contains a reference which links the data to any of the identifiers above.
4.4.2 Other distinguishing characteristics
Information does not necessarily need to be associated with an identifier in order to be considered PII. Information will also be considered PII if it contains or is associated with a characteristic which distinguishes a natural person from other natural persons (e.g., biometric data).
Any attribute which takes on a value which uniquely identifies a PII principal is to be considered as a distinguishing characteristic. Note that whether or not a given characteristic distinguishes a natural person from other natural persons might change depending on the context of use. For instance, while the last name of a natural person might be insufficient to identify that natural person on a global scale, it will often be sufficient to distinguish a natural person on a company scale.
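The context dependence described in 4.4.2 can be measured on a data set. The Python sketch below is an added example, not part of ISO/IEC 29100: it counts how many records an attribute singles out within a given population, and generalizes from single attributes to attribute combinations. The records, field names and function names are constructed for this illustration.

```python
from collections import Counter
from itertools import combinations

def unique_fraction(records, attrs):
    """Fraction of records whose values for `attrs` occur exactly once."""
    if not records:
        return 0.0
    keys = [tuple(r.get(a) for a in attrs) for r in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)

def distinguishing_sets(records, attrs, max_size=2):
    """Minimal attribute combinations that single out every record
    in this particular population (the 'context of use')."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(attrs, size):
            # A superset of an already distinguishing set adds nothing.
            if any(set(f) <= set(combo) for f in found):
                continue
            if unique_fraction(records, combo) == 1.0:
                found.append(combo)
    return found

# Constructed sample data: one company, then a wider population.
COMPANY = [
    {"last_name": "Okafor", "dept": "Finance", "birth_year": 1984},
    {"last_name": "Lindqvist", "dept": "Finance", "birth_year": 1990},
    {"last_name": "Moreau", "dept": "IT", "birth_year": 1984},
]
WIDER = COMPANY + [
    {"last_name": "Moreau", "dept": "Sales", "birth_year": 1984},
    {"last_name": "Okafor", "dept": "Finance", "birth_year": 1971},
    {"last_name": "Lindqvist", "dept": "IT", "birth_year": 1990},
]
ATTRS = ["last_name", "dept", "birth_year"]

if __name__ == "__main__":
    for name, population in (("company", COMPANY), ("wider", WIDER)):
        print(name, "last_name uniqueness:",
              unique_fraction(population, ["last_name"]))
        print(name, "distinguishing sets:",
              distinguishing_sets(population, ATTRS))
```

In the company population the last name alone distinguishes every record, while in the wider population it distinguishes none, yet department combined with birth year still singles out each person even though neither is an identifier on its own.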