Privacy has taken on new dimensions in our hyperconnected world. New guidance from IEC, ISO and ITU – the world’s three leading international standards bodies – has just been published, providing a code of practice for the protection of personally identifiable information.
Uber is making headlines for its reaction to the theft of personal data of 57 million drivers and users. The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. And last month, Yahoo, just prior to its acquisition by telecommunications conglomerate Verizon, shared new intelligence that a data breach in 2013, thought to have affected only a billion users, had in fact compromised all three billion Yahoo user accounts.
The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation, due to come into force in May 2018, with global implications.
The need to protect personal data is growing in urgency with the digital transformation of sectors such as healthcare and financial services. More and more organizations are processing personal data, and all of them are dealing with increasing amounts of this data.
ISO/IEC 29151 | ITU-T X.1058 provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data. It establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It also shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.
The standard builds on ISO/IEC 27002 (code of practice for information security controls), with additional guidelines specific to personal data protection. Examples include proposed governance structures for employees handling personal data, matched with calls for efficient collaboration with legal teams to interpret relevant laws and regulations.
In addition, an annex integral to ISO/IEC 29151 | ITU-T X.1058 provides an extended set of controls for personal data, including control objectives relevant to “consent and choice” and the related “participation of personal data principals”, i.e. the people with whom data can be identified. It looks at “purpose legitimacy” to provide guidance as to whether or not the retention of personal data is appropriate and encourages the pursuit of “collection limitation” and “data minimization”, as well as the “openness and transparency” of organizational policy with respect to personal data.
ISO/IEC 29151 | ITU-T X.1058 was developed in collaboration by ISO/IEC JTC 1/SC 27, the ISO/IEC standardization expert group for security techniques, and ITU-T Study Group 17, responsible for building confidence and security in the use of information and communication technologies.
ISO/IEC 29151 can be purchased from the ISO Store or from your national ISO or IEC member.
- Information technologySecurity techniquesCode of practice for personally identifiable information protection