g-docweb-display Portlet

Resolution on a Draft ISO Privacy Framework Standard26a Conferenza internazionale sulla protezione dei dati - Breslavia (Polonia) 13-16 settem...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

Resolution on a Draft ISO Privacy Framework Standard

Following a proposal by the Berlin Commissioner for Data Protection and Freedom of Information, the Commissioner for Data Protection and Access to Information for the State of Brandenburg, the Belgian Data Protection Commission, the British Information Commissioner, the German Federal Data Protection Commissioner, the Independent Centre for Privacy Protection Schleswig-Holstein, the Ontario Information and Privacy Commissioner, the Polish Inspector General for Personal Data Protection, the Privacy Commissioner for Personal Data, Hong Kong, the Spanish Data Protection Agency, the State Data Protection Inspectorate, Republic of Lithuania, and the Swiss Data Protection Commissioner propose the International Conference resolves that:

Whereas the International Organisation for Standardisation (ISO) has established a Privacy Technology Study Group (PTSG) under Joint Technical Committee 1 (JTC1) to examine the need for developing a privacy technology standard and if so how to proceed and the scope of such an exercise and report in November 2004;

Whereas the Joint Technical Committee 1 (JTC1) in ISO forwards submissions to Sub-committee 27 (Information Technology Security) for decision regarding privacy frameworks for fast-tracked approval;

Whereas the International Security, Trust, and Privacy Alliance (ISTPA) is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy;

Whereas ISO has received a Draft International Standard (ISO/IEC (PAS) DIS 20886) for a Privacy Framework put forward by ISTPA (1) in a fast track procedure to be voted on by letter ballot ending 11 December 2004;

Whereas the Privacy Enhancing Technology Testing & Evaluation Project (PETTEP)(2) is global team of privacy and data protection commissioners, academics, government and private sector organizations and privacy experts committed to developing internationally accepted testing and evaluation criteria for the privacy claims of information technologies and systems;

Whereas the International Working Group on Data Protection in Telecommunications at their 35th meeting in Buenos Aires on 14-15 April 2004 has adopted a Working Paper on a future ISO Privacy Standard(3);

Whereas the International Conference of Data Protection and Privacy Commissioners (hereafter "Conference") wishes to support the development of an effective and universally accepted international privacy technology standard and make available to ISO its expertise for the development of such a standard;

Whereas the Conference recognizes that compliance with any present or future ISO standard does not necessarily imply or replace compliance with legal regulations. Rather, the Conference views the development of such information technology standards as a means for assisting parties in complying with legal requirements of a data protection and privacy nature. The Conference does recognize that while each jurisdictional domain represented by its members has and will continue to maintain its own privacy legislation which does differ in certain aspects, on the whole there is a high degree of commonality among these legal requirements which would be best served in being captured in an information technology enabled manner through the development of an international standard(s).

The Conference adopts the following Resolutions;

Resolution for an ISO Privacy Standard(s)

1. The Conference respectfully recommends a global privacy standard(s) and specifically a privacy technology standard be developed by ISO that would support the implementation of legal rules on privacy and data protection where they exist and the formulation of such rules where they are still lacking.

Resolution for content of Privacy Standard

2. The Conference resolves that developing an international privacy standard must be based on the fair information practices as well as the concepts of data scarcity, minimisation and anonymity. To be effective, an information technology standard(s) must:

  • provide evaluation and testing criteria regarding the privacy functionality of any system or technology to assist controllers to comply with national and international legal instruments on data protection,
  • provide a level of assurance regarding the privacy claims of technologies and systems used to manage personal information,
  • be able to support privacy requirements pertaining to the personal information on or about an individual, independent of the combinations and number of organizations that may be involved in handling and interchanging such personal information.
 Resolutions in support of developing a Privacy Standard 3. The Conference supports the recent establishment of an interim Privacy Technology Study Group (PTSG) to assess the need for a standard as well as the scope and method for developing such a standard within the International Organisation for Standardization.
  4. The Conference strongly supports expediting, and not delaying establishment of a new, permanent Sub-Committee of the ISO for the development of information technology standards regarding privacy. The new Sub-Committee should take into account the work on specific privacy issues currently being done in existing Sub-Committees.
 Resolutions for Commissioner involvement in ISO

5. The Conference strongly supports the inclusion of the Privacy Enhancing Technology Testing & Evaluation Project (PETTEP), as an official liaison organisation to the ISO JTC1 Privacy Technology Study Group (PTSG). This provides a vehicle for Privacy & Data Protection Commissioners to work directly within the ISO PTSG as well as gives PETTEP members the official standing to present, discuss and contribute to the work of the PTSG.

  6. The Conference supports and encourages interested Data Protection Commissioners to join PETTEP, thus allowing them, as PETTEP members, an immediate voice in the discussions regarding the development of an ISO privacy technology standard.

7. The Conference recognizes that PETTEP already has official standing in the PTSG and respectfully requests PETTEP to adopt the Conference´s resolutions and present them to the PTSG at the earliest possible date.

Resolutions regarding current and future PAS´

8. The Conference, while acknowledging the intent and commitment of ISTPA in the area of privacy, respectfully requests the withdrawal of the ISTPA framework as a Publicly Available Specification (PAS) until the following is addressed:

  • The concept of privacy on which the Draft Privacy Framework Standard is based and that the framework needs to recognize the limits of collection. The Draft defines "privacy" as "the proper handling and use of personal information throughout its life cycle, consistent with data protection principles and the preferences of the subject"(4). The authors of the Draft understand that the collection and processing of personal information are essential to the proper functioning of modern society and commerce.(5)This statement rests on the assumption that there are no limits to the collection of personal data. There may be situations where the collection and processing of personal information is essential in this sense. But this should not be assumed to be the rule.

9. The Conference respectfully requests the ISO to suspend any existing PAS submissions for fast-track procedure and adoption in the field of privacy and data protection (or the introduction of new PAS submissions related to privacy and data protection) as the development of a privacy standard requires thorough discussion.


10. The Conference respectfully requests that ISO treats PAS submissions and any others submissions in the field of data protection and privacy as inputs and contributions to the development of an overall framework as well as potential future standards development in the context of such a framework.


(1) Cf. http://www.istpa.org
(2) PETTEP is a project led by the Ontario Information & Privacy Commissioner that has undertaken research and analysis in developing testing and evaluation criteria for privacy information technology and information systems.
(3) http://www.datenschutz-berlin.de/doc/int/iwgdpt/index.htm
(4) Ibid., p.13
(5) Ibid., p.10