ISO/IEC 27556 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework [DRAFT]


Abstract

[TBA]

Introduction

The standard will lay out a “user-centric framework” (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations.

The standard will outline a mechanism for organisations handling personal data to comply with the data subject’s privacy requirements, even as the organisations share and collaborate on processing the data.


Scope of the standard

The standard will describe a generic high-level system architecture without specifying the content and format of privacy preference information.

The architecture, in turn, will inform the design and implementation of IT systems that handle personal information and communicate it between organisations, while managing the privacy preferences of data subjects (known as ‘PII Principals’ in the standard, i.e. the people whose personal information is being handled).

The standard will expand upon ISO/IEC 29100 “Privacy framework”.


Content of the standard

The 3 main clauses are:

  1. User-centric framework for handling PII.
  2. Requirements and recommendations for the Privacy Preference Manager (defined as “component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences” - normally an IT system component, not a person).
  3. Further considerations for the PPM in a Privacy Information Management System.

plus 4 annexes:

  • Use cases of PII handling based on privacy preferences
  • Identifying an actor serving as a component for each example service
  • Guidance on configuration of privacy preferences management
  • Supporting the design of a privacy preference management
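As an added illustration (not text or code from ISO/IEC 27556, which deliberately leaves the content and format of privacy preference information unspecified), the following Python sketch models the two capabilities the standard assigns to the Privacy Preference Manager: letting a PII principal express preferences per processing purpose and permitted recipient organisation, and monitoring processing events against those preferences. The preference schema, the purpose labels, the organisation names and the default-deny behaviour for purposes with no expressed preference are all assumptions made for the example, as is the export/import step showing how a second organisation could honour the same preferences.

```python
"""Minimal privacy preference manager (PPM) model.

Added illustration only. ISO/IEC 27556 does not specify the content or format
of privacy preference information; every field name, purpose label and
organisation name below is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Preference:
    """One PII principal's choice for one processing purpose (assumed schema)."""
    allowed: bool
    # Organisations the principal permits to receive PII for this purpose;
    # an empty set means "the collecting organisation only".
    recipients: Set[str] = field(default_factory=set)


@dataclass
class ProcessingEvent:
    """A record of an organisation's intended or actual PII processing."""
    principal_id: str
    purpose: str
    organisation: str


@dataclass
class Decision:
    permitted: bool
    reason: str


class PrivacyPreferenceManager:
    """Lets principals express preferences and monitors processing against them."""

    def __init__(self) -> None:
        # principal_id -> purpose -> Preference
        self._prefs: Dict[str, Dict[str, Preference]] = {}
        self.audit_log: List[str] = []

    # Capability 1: expressing preferences
    def set_preference(self, principal_id: str, purpose: str,
                       allowed: bool, recipients: Optional[Set[str]] = None) -> None:
        self._prefs.setdefault(principal_id, {})[purpose] = Preference(
            allowed, set(recipients or ()))

    def export_preferences(self, principal_id: str) -> Dict[str, dict]:
        """Portable form so collaborating organisations can honour the same choices."""
        return {p: {"allowed": pref.allowed, "recipients": sorted(pref.recipients)}
                for p, pref in self._prefs.get(principal_id, {}).items()}

    def import_preferences(self, principal_id: str, data: Dict[str, dict]) -> None:
        for purpose, item in data.items():
            self.set_preference(principal_id, purpose, item["allowed"], set(item["recipients"]))

    # Capability 2: monitoring processing
    def evaluate(self, event: ProcessingEvent, collecting_org: str) -> Decision:
        """Default deny: processing with no expressed preference is flagged as a violation."""
        pref = self._prefs.get(event.principal_id, {}).get(event.purpose)
        if pref is None:
            decision = Decision(False, "no preference expressed for this purpose")
        elif not pref.allowed:
            decision = Decision(False, "principal has refused this purpose")
        elif event.organisation != collecting_org and event.organisation not in pref.recipients:
            decision = Decision(False, "organisation is not a permitted recipient")
        else:
            decision = Decision(True, "consistent with expressed preference")
        self.audit_log.append(
            f"{'ALLOW' if decision.permitted else 'VIOLATION'} "
            f"principal={event.principal_id} purpose={event.purpose} "
            f"org={event.organisation}: {decision.reason}")
        return decision

    def violations(self) -> List[str]:
        return [line for line in self.audit_log if line.startswith("VIOLATION")]


def demo() -> List[bool]:
    """Constructed scenario: one principal, two organisations sharing PII."""
    ppm = PrivacyPreferenceManager()
    ppm.set_preference("alice", "service-delivery", True, {"partner-logistics"})
    ppm.set_preference("alice", "marketing", False)
    events = [
        ProcessingEvent("alice", "service-delivery", "shop-ltd"),           # collecting org
        ProcessingEvent("alice", "service-delivery", "partner-logistics"),  # permitted recipient
        ProcessingEvent("alice", "service-delivery", "ad-broker"),          # not a recipient
        ProcessingEvent("alice", "marketing", "shop-ltd"),                  # refused purpose
        ProcessingEvent("alice", "analytics", "shop-ltd"),                  # no preference
    ]
    results = [ppm.evaluate(e, collecting_org="shop-ltd").permitted for e in events]
    # A second organisation imports the same preferences and reaches the same decision.
    partner_ppm = PrivacyPreferenceManager()
    partner_ppm.import_preferences("alice", ppm.export_preferences("alice"))
    same = partner_ppm.evaluate(events[1], collecting_org="shop-ltd").permitted
    return results + [same]


if __name__ == "__main__":
    print(demo())
    # → [True, True, False, False, False, True]
```

The audit log is the monitoring output the standard's PPM definition implies: every evaluation is recorded, and `violations()` surfaces processing that is inconsistent with the principal's expressed preferences, including processing for a purpose the principal was never asked about.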

 

Status

SC 27 started drafting the standard in 2019.

Status updated June: the standard was due to be published this year. Addressing substantive comments and adding a new use case may delay publication to 2023, although it is now at Final Draft International Standard stage, with a more succinct title (see above).


Personal notes

I appreciate the intent to standardise the handling and management of users’ privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems to exploit every scrap of personal information they can obtain, I doubt this will be widely adopted, at least not without pressure from regulators and legislators on behalf of private individuals. That said, I am not a privacy expert and I am not fully up to speed with current thinking in this area.


Copyright © 2022 IsecT Ltd.