Information technology - Business operational view - Part 8: Identification of privacy protection requirements as external constraints on business transactions

Designation Number:
CSA ISO/IEC 15944-8:15 (R2019)
Standard Type:
National Standard of Canada - Adoption of International Standard
Standard Development Activity:
Reaffirmation
ICS code(s):
35.240.60
Status:
Proceeding to development
SDO Comment Period Start Date:
SDO Comment Period End Date:
Posted On:

Scope:

Scope

1.1 Statement of scope

 

This part of ISO/IEC 15944:

 

- provides method(s) for identifying, in Open-edi modelling technologies and development of scenarios, the additional requirements in Business Operational View (BOV) specifications for identifying the additional external constraints to be applied to recorded information in business transactions relating to personal information of an individual, as required by legal and regulatory requirements of applicable jurisdictional domains having governance over the personal information exchanged among parties to a business transaction;

 

- integrates existing normative elements in support of privacy and data protection requirements as are already identified in the current editions of ISO/IEC 14662 and ISO/IEC 15944-1, ISO/IEC 15944-2, ISO/IEC 15944-4, and ISO/IEC 15944-5 which apply to information concerning identifiable living individuals as buyers in a business transaction or whose personal information is used in the transaction;

- provides overarching operational best practice statements for associated (and not necessarily automated) processes, procedures, practices and governance requirements that must act in support of implementing and enforcing technical mechanisms needed to support privacy/data protection requirements necessary for the implementation in Open-edi transaction environments;

- identifies and provides a sample scenario and implementation (use case) for one or more use cases of privacy/data protection in business transactions; and

- provides guidelines on the need for procedural mechanisms in the event that mandatory disclosure rules of transactional information must be implemented.

 

This part of ISO/IEC 15944 is a BOV-related standard which addresses basic (or primitive) requirements of a privacy protection environment, as legal requirements represented through jurisdictional domains, on business transactions, and also integrates the requirements of the information technology and telecommunications environments.

 

This part of ISO/IEC 15944 contains a methodology and tool for specifying common classes of external constraints through the construct of jurisdictional domains. It meets the requirements set in ISO/IEC 15944-1 and ISO/IEC 15944-2 through the use of explicitly stated rules, templates, and Formal Description Techniques (FDTs).

 

1.2 Exclusions

 

1.2.1 Functional Services View (FSV)

 

This part of ISO/IEC 15944 focuses on the BOV aspects of a business transaction, and does not concern itself with the technical mechanisms needed to achieve the business requirements (the FSV aspects, including the specification of requirements of a Functional Services View (FSV) nature which include security techniques and services, communication protocols, etc.). The FSV includes any existing standard (or standards development of an FSV nature), which have been ratified by existing ISO, IEC, UN/ECE and/or ITU standards.

 

1.2.2 Internal behaviour of organizations (and public administration)

 

Excluded from the scope of this part of ISO/IEC 15944 is the application of privacy protection requirements within an organization itself. The Open-edi Reference Model, considers these to be internal behaviours of an organization and thus not germane to business transactions (which focus on external behaviours pertaining to electronic data interchange among the autonomous parties to a business transaction). As such, excluded from the scope of this part of ISO/IEC 15944 are any:

 

1) internal use and management of recorded information pertaining to an identifiable organization Person an organization (or public administration) within an organization; and

 

2) implementation of internal information management controls, internal procedural controls or operational controls within an organization or public administration necessary for it to comply with applicable privacy requirements that may be required in observance of their lawful or contractual rights, duties and obligations as a legal entity in the jurisdictional domain(s) of which they are part.

 

This should not be taken to mean that an organization could not adapt this part of ISO/IEC 15944 in order to model internal behaviour if they so wished, say when moving personal data within the organization.

 

1.2.3 organization Person

 

From a public policy privacy protection requirements perspective, an organization Person is a natural person who acts on behalf of and makes commitments on behalf of the organization (or public administration) of which that natural person is an organization part. But, as an organization Person, they do not attract inherent rights to privacy. Privacy protection requirements which do apply to an organization Person are placed in an employee-employer context with associated contractual elements. In addition, some jurisdictional domains have privacy protection laws and regulations which apply specifically to employees of their public administrations.

 

As such, from a business transaction perspective, it is an internal behaviour of an organization, as to who makes commitments on behalf of an organization or public administration. How and why organization Persons make decisions and commitments is not germane to the scope and purpose of this part of ISO/IEC 15944. {See further ISO/IEC 15944-1:2011, Clause 6.2 Person and external constraints: Individual, organization, and public administration as well as its Figure 17 Illustration of commitment exchange versus information exchange for organization, organization part(s) and organization Person (s)}

 

1.2.4 Overlap of and/or conflict among jurisdictional domains as sources of privacy protection requirements

 

A business transaction requires an exchange of commitments among autonomous parties. Commitment is the making or accepting of a right, an obligation, liability or responsibility by a Person. In the context of a business transaction, the making of commitments pertains to the transfer of a good, service and/or right among the Persons involved.

 

Consequently, it is not an uncommon occurrence, depending on the goal and nature of the business transaction, that the Persons (and parties associated) are in different jurisdictional domains, and that multiple sets of external constraints apply, and overlap will occur. It is also not an uncommon occurrence that there is overlap among such sets of external constraints and/or conflict among them. This is also the case with respect to laws and regulations of a privacy protection nature. Resolving issues of this nature is outside the scope of this part of ISO/IEC 15944.

 

However, modelling business transaction as scenarios and scenario components as re-useable business objects may well serve as a useful methodology for identifying specific overlaps and conflicts (thereby serving as a tool for their harmonization, if only within the context of a specific transaction).

 

The application of business semantic descriptive techniques to laws, regulations, etc., of jurisdictional domains and their modelling of such sets of external constraints as scenarios and scenario components is an essential step to their application in a systematic manner to (electronic) business transactions (and especially e-government, e-commerce, e-education, etc.).

 

Open-edi business agreement descriptive techniques methodologies can serve as a tool in the harmonization and simplification of external constraints arising from jurisdictional domains.

 

NOTE This part of ISO/IEC 15944 is based on the following assumptions:

 

1) the privacy protection requirements of the individual, as a buyer in a business transaction, are those of the jurisdictional domain in which the individual made the commitments associated with the instantiated business transaction; and

2) where the seller is in a jurisdictional domain other than that of the individual, as the buyer, this edition of ISO/IEC 15944 incorporates and supports the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data.[See further below Clause 2.2]

 

1.2.5 Publicly available personal information

 

Excluded from the scope of this part of ISO/IEC 15944 is publicly available personal information (PAPI). In a business transaction context, the seller does not collect personal information of this nature from the individual (particularly in the planning phase of the business transaction process).

 

For example, the seller in advertising product to the market may:

 

1) publish personal information that is publicly available personal information, such as that found in telephone directories;

2) make use of any personal information declared to be of a public information by a regulation based on an law or regulation of the applicable jurisdictional domain; and, or,

3) include that which the individual itself chose to make public, (e.g., via one or more Internet based applications such as Facebook).

 

In a privacy protection context, publicly available personal information is defined as follows:

 

publicly available personal information (PAPI)

 

personal information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from: (a) government records that are available to the public; or, (b) information required by law to be made available to the public

 

EXAMPLE 1 Examples of personal information which an individual knowingly makes or permits to be made available include public telephone directories, advertisements in newspapers, published materials, postings of a similar nature on the internet, etc.

 

EXAMPLE 2 Examples of government records that are publicly available include registers of individuals who are entitled to vote, buy or sell a property, or any other personal information that a jurisdictional domain requires to be publicly available, etc.

 

Further, determining whether or not personal information is of a PAPI nature is also excluded from the scope of this part of ISO/IEC 15944.

 

1.3 Aspects currently not addressed

 

This part of ISO/IEC 15944 focuses on the essential and basic aspects of privacy protection requirements. The purpose of this Clause is to identify aspects not currently addressed. These will be addressed in either:

 

a) an Amendment to this part of ISO/IEC 15944,

b) new editions of this part of ISO/IEC 15944,

c) through a new part of ISO/IEC 15944,

d) in a new edition of an existing part of ISO/IEC 15944 (as may be applicable),

e) through a new edition of an existing standard of ISO/IEC JTC1, or another existing ISO/IEC JTC1/SC, or ISO, IEC or ITU; and/or,

f) new standard(s) by any of the above noted committees.

 

ISO/IEC 15944-8 also does yet address the following requirements:

 

1) differences in equality in the use of official languages by an individual, in being informed and exercising privacy protection rights within a jurisdictional domain;

2) interworking between privacy protection and consumer protection requirements as two sets of external constraints applicable to an individual as a buyer in a business transaction;

3) identification and registration of schemas involving the control and management of legally recognized names (LRNs) as personas and associated unique identifiers for the unambiguous identification of an individual and/or the role qualification of an individual in a specific context;

4) more detailed information management and audit requirements pertaining to ensuring privacy protection of personal information that should be enacted by and among organizations and public administrations as parties to a business transaction;

5) more detailed rules and associated text pertaining to the BOV perspective with respect to transborder data flows of personal information;

6) inter-operation between jurisdictional domains where they do not possess defined equivalents to their protection requirements (interoperability) or where protection requirements simply are different;

7) instances in which privacy protection requirements continue to apply to the personal information of an individual after his/her death;

 

In addition, from a business transaction perspective, there may be some continuity in privacy protection requirements, (e.g., those pertaining to temporal aspects of post-actualization aspects of an instantiated business transaction, (e.g., health care matters, warranties on products, service contracts, rights (including IP), etc.). Instantiated business transactions may require personal information to be retained and continue to be protected following the death of the individual.

 

NOTE 1 This may also include a settlement of wills, probate, investments, etc., pertaining to that individual once proved deceased.

 

NOTE 2 Tax information filed has 4-6 years record retention requirements in most jurisdictional domains. In some jurisdictional domains, tax matters are confidential and in others they are public. The status of personal information may change as a result of litigation and public hearings.

 

NOTE 3 Instantiated business transactions may require personal information to be retained and continue to be protected following the death of an individual, (e.g., many credit card agreements exist after the death of the credit card holder).

 

NOTE 4 One may need to have an added Clause on privacy protection of personal information on individuals consequent upon the death of the individual.

 

8) personal information found in journalistic reports:

 

The use of personal information in a business transaction which is found in journalistic reports including news items, public broadcasts, items published by news media about an individual, personal information published and made available by third parties on the internet, (e.g., via Google, Facebook, Twitter, etc.), which in some jurisdictional domains is held to be in the public interest, is not included in this part of ISO/IEC 15944.

 

The reasons for exclusion are that a journalistic report containing personal information about an individual:

 

* may contain inaccurate information, allegations, and thus should not (can not) be used as personal information;

* may be subject to libel and other legal actions by the individual;

* etc.

 

Further issues pertaining to privacy protection versus journalistic reports on identified individuals resulting in the publishing of personal information is a grey area which courts in various jurisdictional domains are addressing and thus not yet resolved;

 

9) this part of ISO/IEC 15944 does not address the question of negotiated consent, but rather considers the simplest case, that a scenario may be registered which includes a specific form of consent within it;

10) the use of biological characteristics and attributes of an individual which require the physical presence of an individual and are physically taken from an individual in a particular context and for a specified role action of an individual;

 

These include the use of biometrics, biological (such as hair, blood, DNA samples), dentistry records, etc.

 

11) the application of the rights of individuals who are disabled as stated in the UN Convention on the Rights of Persons with Disabilities (2006);

 

Of particular importance here is that this UN Convention takes as its basis the need to support individuals with disabilities to be a fully functioning member of society means that information necessary for these individuals to be able to make commitments including the undertaking of business transactions shall be made available in a form and format so that the semantics are fully communicated, the individual is able to have informed consent, etc.

 

12) this part of ISO/IEC 15944 does not address the role of an ombudsperson, Privacy Commissioner, a Data Protection Commissioner, etc., who serves as an independent adjudicator of complaints and ensures compliance with privacy protection requirements (including of internally of the organization or public administration themselves);

 

Many jurisdictional domains provide for the role of an ombudsperson which may be a role similar in application to public administration.

 

13) detailed rules pertaining to the use of agents and/or third parties by a seller in a business transaction

 

This includes their qualification and assurance of compliance with applicable privacy protection requirements for the personal information pertaining to a business transaction.

 

14) an agent acting on behalf of an individual

 

An individual may request an agent to act on its behalf and this may or may not include the individual to require the agent not to reveal the individual identity or any personal information about the individual, i.e., as an anonymous client of the agent.

 

15) detailed rules governing the requirement to tag (or label) at the data elements (or field) level which form part of personal information of an individual generally as is required for as the business transactions(s) and its associated BTI(s);

 

16) mergers and acquisitions

 

It is presumed that when an organization A merges with, or is acquired by another organization B, that the privacy protection requirements applicable to personal information under the control of organization A continue to apply and be enforced. It is also assumed the personal information under the control of organization A remains under its control and that a merger with or acquisition by organization B does not allow organization B to access and/or use personal information held by organization A without the express and informed consent of the individuals whose personal information is/was organization A.

 

17) ICT and other service providers

 

It is presumed that any ICT (or other) services provider which is under contract to provide ICT services to an organization or public administration (which has personal information under its control) shall not access or use such personal information processed as part of its services offering to that organization, unless it has a formal contractual arrangement to do so, in compliance with applicable privacy protection requirements.

 

18) data mining

 

It is also presumed that an organization shall ensure that any data mining activities undertaken by itself (or via an agent or third party on its behalf) shall be in compliance with applicable privacy protection requirements, and not involve any secondary use or any other use of personal information for which the individual(s) concerned have not provided explicitly informed consent.

 

19) formal Conformance Statements

 

Clause 13 below deals with conformance requirements at the most primitive level only. More detailed conformance statements with associated rules and procedures are required in implementation. It is also necessary to ensure that any such conformance statement, i.e., declaration by an organization or public administration is verifiable.

 

20) linkages and similarities between privacy protection and consumer protection requirements

 

Many of the external constraints pertaining to personal information of a privacy protection nature in a business transaction are similar to consumer protection requirements. {See further below Clause 7.2.2}

 

It is anticipated that some or all of these requirements will be addressed in future editions of ISO/IEC 15944-8 or in companion standards or technical reports (including possible new parts of ISO/IEC 15944).

 

1.4 IT-systems environment neutrality

 

This part of ISO/IEC 15944 does not assume nor endorse any specific system environment, database management system, database design paradigm, system development methodology, data definition language, command language, system interface, user interface, syntax, computing platform, or any technology required for implementation, i.e., it is information technology neutral. At the same time, this part of ISO/IEC 15944 maximizes an IT-enabled approach to its implementation and maximizes semantic interoperability.

Project need:

Project Need

To review the Standard within the required 5 year period.

Note: The information provided above was obtained by the Standards Council of Canada (SCC) and is provided as part of a centralized, transparent notification system for new standards development. The system allows SCC-accredited Standards Development Organizations (SDOs), and members of the public, to be informed of new work in Canadian standards development, and allows SCC-accredited SDOs to identify and resolve potential duplication of standards and effort.

Individual SDOs are responsible for the content and accuracy of the information presented here. The text is presented in the language in which it was provided to SCC.