A new ISO standard will help to safeguard the privacy of people's financial data when being processed by automated, networked information systems.

Rapid advances in the performance of computer systems and networking, along with a lowering of their cost, allow financial institutions to record, store and retrieve vast amounts of data faster and more efficiently than ever before. Advanced data processing, storage, collection, and retrieval technology is now available to all sectors of business and government.

With these new abilities, private and public sector organizations can effortlessly process information in ways that, intentionally or unintentionally, may impinge on the privacy rights of their stakeholders. These capabilities raise concerns about the privacy of individuals in large networked information technology environments.

“The financial services community recognizes how important it is to protect and not abuse their customers’ privacy, and not just because it may be required by law,” says Mr John M. Ferris, Convenor of ISO/TC 68/SC 7's working group WG 5, Privacy impact assessment standard. “As systems are developed or updated, there is an opportunity to enhance business processes and to provide improved services to customers. However, new ways of using existing technology and new technologies also bring new or unknown risks. It is advisable that corporations handling financial information be proactive in protecting and not abusing the privacy of their consumers and partners.

“One way of proactively addressing privacy principles and practices is to follow a standardized privacy impact assessment process for a proposed financial system, such as the one recommended in ISO 22307.”

The standard describes the privacy impact assessment (PIA) that should be carried out at an early stage in the development of a proposed financial system. As well as helping to identify optimal privacy options and solutions, it provides a way to ensure that the system complies with applicable laws and regulations governing customer and consumer privacy.

It is a tool that, when used effectively, can identify risks associated with privacy and help organizations plan to mitigate those risks. ISO 22307:

  • describes the PIA process in general,
  • defines the common and required components of a privacy impact assessment, regardless of which business systems of a financial institution are affected, and
  • provides informative guidance, including frequently asked questions (FAQs) on PIAs and their implementation, together with a number of questionnaires designed to help users assess their needs and develop an effective PIA.

Bearing in mind that the legal framework for privacy protection differs from country to country, this internationally agreed standard on privacy impact assessments is an important step forward. The internationalization of PIAs is critical for global banking and, in particular, for cross-border financial transactions.

ISO 22307:2008, Financial services – Privacy impact assessment, was developed by ISO technical committee ISO/TC 68, Financial services, subcommittee SC 7, Core banking. It costs 114 Swiss francs and is available from ISO national member institutes and from ISO Central Secretariat through the ISO Store or by contacting the Marketing & Communication department.