ISO/IEC 27701:2019 is the international standard for privacy information management.
It is structured in the same way as ISO/IEC 27001 – hence from the establishment of the privacy information management system (PIMS) through to its review and adaptation. There are also sections on performance evaluation and improvement. Addressing the requirements in this order, though, is not a requirement in itself.
One of the challenges of the International Standard is the variation of the definition of privacy information processing around the world. Indeed, the definition of personal information differs internationally. The ISO/IEC committee that develops privacy-related standards (ISO/IEC JTC1/SC27/WG5) has decided on the term ‘personally identifiable information’ (see ISO/IEC 29100 for a definition) – ISO/IEC 27701 uses this term. The EU GDPR uses the term ‘personal data’. To address this issue, ISO/IEC 27701 allows users to adopt local definitions for their own implementations.
One of the six data protection principles (see Chapter 1) is a requirement for appropriate information security arrangements. This requirement is dealt with in ISO/IEC 27701 by a requirement to comply with ISO/IEC 27001, backed up by the guidance in ISO/IEC 27002. Chapter 5 of ISO/IEC 27701 takes the requirements from ISO/IEC 27001 and, where appropriate, extends them taking into account PIMS requirements. Similarly, Chapter 6 takes the guidance from ISO/IEC 27002 and, where appropriate, extends it taking into account PIMS guidance. Thus, it is implicit when implementing a PIMS based on ISO/IEC 27701 that ISO/IEC 27001 must also be implemented.
As an ISO standard, ISO/IEC 27701 is written in accordance with the ISO procedures for management system standards; hence the requirements for a PIMS defined in ISO/IEC 27701 include a number of requirements in common with other management systems.
It is important, both in the short and long term, to be able to demonstrate how the corporate policies, operating procedures and work instructions were formulated. The organisation is likely to find it useful to retain records of developments and activities upon which it can call should it need to in the future. Hence the requirement that many of these items are recorded and that the organisation retains appropriate records for as long as necessary.
It is also important to create records of operating activities, for the purposes of review and decision making. These records may include audit trail data, both in manual and automated forms. These records need to be safeguarded once created, by ensuring that only the appropriate people have access to them, and that the integrity of their contents can be demonstrated.
Operating procedures need to describe the processes that support the corporate policies and explain who does what, where and when.
Work instructions might be introduced to detail how certain tasks are carried out.
All documentation needs to have been written and approved by the right people, and it must be ensured that only the latest approved versions are available to those who need to be aware of and follow them.
Audits can be undertaken at either an internal or external level.
The auditing of management systems in general (and a PIMS in particular) has the objective of demonstrating that the management system conforms to the organisation’s requirements, conforms to the requirements of the appropriate international standard, and is effectively implemented and maintained.
Thus, the main objective for a management system audit programme is to monitor conformity between the management system requirements and working practices.
Such audits can be carried out internally, either by an organisation’s audit function or by individuals who are familiar with audit programmes and can act independently of the operation they are auditing, or externally by specialist auditors. Typically, audits involve the selection of individual work processes and checking actual practice against requirements. Audit reports will identify any non-conformances between the actual practice and the requirements. The organisation will need to review any identified non-conformances and make the appropriate adjustments, either to the work practices or, where it is within their remit, to the requirement.
Audits also provide the opportunity for improvement. Therefore, audit programmes and audit programme objectives can include the identification of potential improvements to the PIMS. This could include updates to policy (perhaps prompted by changes to legislation/regulations and their interpretation), operating procedures and/or work instructions. Where specific areas of concern have been identified, they could inform the selection of individual work processes.
Top management (defined in management system terms as a ‘person or group of people who directs and controls an organisation at the highest level’ – where the organisation is that in scope of the PIMS) has a significant role in the governance of management systems such as the PIMS. They initiate the development of the management system, approve the necessary resources and approve the corporate policies that define the objectives of the management system.
It is therefore appropriate that top management reviews the progress of the PIMS from its inception through to operation, ensuring that it is effective and meets corporate requirements, over time.
It is appropriate to carry out management reviews at regular intervals (such as every 12 months) to achieve these objectives. These reviews could consider audit reports, any changes to legislation/regulations, any privacy-related incidents, and suggestions from operational staff. The review could also examine the effectiveness measures that have been developed and any opportunities for continual improvement that have been identified or implemented.
Chapter 4: Legal, regulatory and contractual requirements and business risk
As noted above, the processing of personal information is covered in most countries by legislation and/or regulations. Hence, any processing needs to be carried out within the local rules. Further, where the organisation is acting as a data processor, contractual requirements will be in place that dictate how the organisation is to act to ensure that the local rules are not compromised.
Thus, the specific requirements of a privacy information management system (PIMS) need to be determined in light of the appropriate local rules and contractual requirements. These requirements will need to be devised by the organisation, using whatever resources are available. This could include:
- Top management;
- Data protection officer (DPO) or other similar legal expertise;
- Senior operational staff;
- Records management;
- Human resources;
- Information security;
- Technical IT expertise;
- Risk management; and
- Sales and marketing.
Top management will need to be included so that corporate direction (in the form of corporate policies) can be devised and agreed.
Legal expertise will need to be up to date with current legislation and regulations in all the countries that the organisation covers. In some countries, some organisations are required to employ (either internal or external) a suitably qualified individual to cover this legal expertise, referenced in the EU GDPR by the term ‘data protection officer’.
Senior operational staff will need to provide input on the operating procedures being used, and how these implement the corporate policies.
Those with records management responsibilities will have knowledge of how records are captured/created within the organisation, where they are stored and the appropriate retention periods.
Human resources will need to be involved if the processing of personal information related to employees is within the scope of the PIMS. HR will understand what personal information it holds, how it is managed and for how long it is retained.
Information security and/or IT will be aware of the systems being used to manage the personal information, and how it is secured from unauthorised access.
Risk management will understand the risk profile of the organisation, and be able to give risk management advice where necessary. Risk management staff, in conjunction with the legal expertise described above, ought to be able to carry out the necessary privacy impact assessments (PIAs), sometimes called data protection impact assessments (DPIAs), to determine the necessary privacy controls on which the organisation will rely.
Sales and marketing will have their own needs for personal information. They need to be involved to ensure that their requirements are met by the PIMS.
This is an extract from chapter 3 of ISO/IEC 27701:2019: An introduction to privacy information management
©IT Governance Publishing Ltd