
ISO IEC 29100:2011 pdf download

IEC 08-29

ISO IEC 29100:2011 pdf download. Information technology — Security techniques — Privacy framework
Scope
This International Standard provides a privacy framework which
specifies a common privacy terminology;
defines the actors and their roles in processing personally identifiable information (PII);
describes privacy safeguarding considerations; and
provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000 concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.
2.1
anonymity
characteristic of information that does not permit a personally identifiable information principal to be identified directly or indirectly
2.2
anonymization
process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party
2.3
anonymized data
data that has been produced as the output of a personally identifiable information anonymization process
2.4
consent
personally identifiable information (PII) principal’s freely given, specific and informed agreement to the processing of their PII
2.5
identifiability
condition which results in a personally identifiable information (PII) principal being identified, directly or indirectly, on the basis of a given set of PII
2.6
identify
establish the link between a personally identifiable information (PII) principal and PII or a set of PII
2.7
identity
set of attributes which make it possible to identify the personally identifiable information principal
2.8
opt-in
process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose
NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a process or type of policy whereby the principal is required to take a separate action in order to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent (e.g., placing an order in an online shop).
2.9
personally identifiable information
PII
any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal
NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
2.10
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes
NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates
NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.
2.12
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller
