ISO/IEC 27556

ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework


Abstract

“This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.”
[Source: ISO/IEC 27556:2022]

Introduction

The standard lays out a “user-centric framework” (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations.

The standard outlines a mechanism for organisations handling personal data to comply with the data subject’s privacy requirements, even as the organisations share and collaborate on processing the data.


Scope of the standard

The standard describes a generic high-level system architecture without specifying the content and format of privacy preference information.

The architecture, in turn, informs the design and implementation of IT systems that handle personal information and communicate it between organisations, while managing the privacy preferences of data subjects (known as ‘PII Principals’ in the standard, i.e. the people whose personal information is being handled).

The standard expands upon ISO/IEC 29100 “Privacy framework”.


Content of the standard

The 3 main clauses are:

  1. User-centric framework for handling PII.
  2. Requirements and recommendations for the Privacy Preference Manager (PPM), defined as a “component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences”, i.e. normally an IT system component, not a person.
  3. Further considerations for the PPM in a Privacy Information Management System.

plus 4 annexes:

  • Use cases of PII handling based on privacy preferences
  • Identifying an actor serving as a component for each example service
  • Guidance on configuration of privacy preferences management
  • Supporting the design of a privacy preference management


Status

The first edition was published at the end of October 2022.


Personal notes

I appreciate the intent to standardise the handling and management of users’ privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems to exploit every scrap of personal information they can obtain, it may take pressure from regulators and legislators on behalf of private individuals to see this widely adopted in practice.

Copyright © 2022 IsecT Ltd.