ISO/IEC 27701:2019: An introduction to privacy information management
eBook - ePub

  • 50 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About this book

An ideal primer for anyone implementing a PIMS based on ISO/IEC 27701

ISO/IEC 27701: 2019 is a privacy extension to the international information security management standard, ISO/IEC 27001. It has been designed to integrate with ISO 27001 to extend an existing ISMS (information security management system) with additional requirements, enabling an organisation to establish, implement, maintain and continually improve its PIMS.

ISO 27701 provides guidance on the protection of privacy, including how organisations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR (General Data Protection Regulation).

ISO/IEC 27701: 2019: An introduction to privacy information management offers a concise introduction to the Standard, aiding those organisations looking to improve their privacy information management regime, particularly where ISO/IEC 27701: 2019 is involved. It is intended for:

  • Individuals looking for general information about privacy information management; and
  • Organisations implementing, or considering improving, a PIMS, particularly where the use of ISO/IEC 27701: 2019 is being considered.

It will enable you to understand the basics of privacy information management, including:

  • What privacy information management means;
  • How to manage privacy information successfully using a PIMS aligned to ISO/IEC 27701;
  • Key areas of investment for a business-focused PIMS; and
  • How your organisation can demonstrate the degree of assurance it offers with regard to privacy information management.

This guide will prove useful throughout a number of stages in any privacy information management project – buy your copy today!

ISO/IEC 27701:2019: An introduction to privacy information management, by Alan Shipman and Steve Watkins, is available in PDF and/or ePUB format and is catalogued under Law & Computer Science General.

Information

Publisher: ITGP
Year: 2020
Print ISBN: 9781787781993
eBook ISBN: 9781787782013

CHAPTER 1: WHAT IS PRIVACY INFORMATION MANAGEMENT?

‘Privacy’ is a term that is being increasingly used in life – but its meaning is not well understood. Wikipedia[1] describes it as “the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively”.
This guide to ISO/IEC 27701 focuses on the ‘information’ aspects of privacy. Hence, a privacy information management system (PIMS) deals with the processing of personal information – typically by organisations that an individual deals with.
How you and the organisations that you deal with look after your personal information and allow others to use it without adversely affecting your privacy is a matter for concern. Some examples of this issue are discussed below.
Example one
You do not want other people to use your personal information without your permission. This means limiting access to your personal information, and thus keeping it confidential.
This makes good sense, and initially may seem to be the only thing that matters. However, if restricting access to your personal information is all that matters, you could have it stored in a totally sealed iron box. Not very useful when you want an organisation to use it for your benefit!
Example two
You want to be able to share your personal information with an organisation when it will be to your advantage. This means you value the availability of your personal information. Not only this but you also need it to be available in a usable format and timely manner, and not be used to your disadvantage.
This also makes good sense. We have identified that in controlling our personal information, we need to consider both restricting access to it (an appropriate degree of confidentiality) and ensuring this is balanced with a suitable degree of availability.
Example three
When providing your personal information, you do not – at least when first dealing with a new organisation – know how they will use it or with whom they will share it. Most people are content to rely on the organisation’s reputation. Nonetheless, you do value the fact that you are confident in dealing with the chosen organisation, i.e. you value the trustworthiness of the services that you receive.
So, with personal information, there is value in knowing where it is stored and how it is being used, having it accessible when needed, knowing what is being retained and being confident that it will be in a format that can be used.
Thus, when referring to privacy information management, this is not only about the security aspects of the personal information (which deals with confidentiality, integrity and availability) but also about the who, where, how, what and why of the management of personal information.
Organisations wish to manage the personal information that they process in a way that ensures their clients and customers can be confident that their privacy is protected. This is often achieved by setting up management arrangements that introduce a set of policies, processes and working arrangements that help them exercise the degree of control required to provide the necessary assurances. Such arrangements are generically described as a PIMS – this is the focus of ISO/IEC 27701.

Who does it matter to?

Privacy information management (defined as the protection of privacy) is affected by the processing of personal information. This processing is subdivided by the EU General Data Protection Regulation (GDPR) into six data protection principles:
  1. Processing shall be fair and lawful, and for specific purposes.
  2. Processing shall not be used for any other purpose.
  3. Personal information shall be adequate and relevant for the specified purposes, and shall be limited to what is needed for the purposes.
  4. Personal information shall be accurate and where necessary up to date.
  5. Personal information shall not be retained for longer than is necessary.
  6. Personal information shall be processed in a secure manner.
It is obvious that it is not just the personal information itself that we need to be concerned with, but its collection, storage, handling, sharing/transferring and processing. When considering all of these processes, it is easy to conclude that every organisation should be concerned with their privacy information management arrangements.
Individuals are referred to by legislation as ‘data subjects’; this can include members of the public, customers and staff. These individuals will want to know that their personal information is being managed and protected appropriately. Security breaches can result in the disclosure of large volumes of personal information to criminal hackers, which in turn can result in a loss of trust in the organisations that suffer the breaches.[2]
Organisations in the private sector will be driven by a number of factors, including client and customer requirements, the need to comply with legal and regulatory requirements, and the need to remain competitive. Public-sector organisations have similar drivers to maintain a strong privacy management stance and safeguard against privacy-related incidents.

Where matters!

It is worth noting that not all countries operate the same levels of privacy protection. While the European Union has the GDPR, there is scope within this regulation for countries to operate some of their own rules and regulations. As an example, the EU GDPR talks about charging “a reasonable fee” for a subject access request. The actual fee-charging regime is set by the local supervisory authority (in the UK, this is the Information Commissioner’s Office (ICO)). In the UK, there is the Data Protection Act 2018, which in effect is the UK’s interpretation of the EU GDPR.
What this means for individuals is that they need to know where their personal information is being processed. They may also need to be concerned about the location of any other organisations with which their personal information is shared.

How is processing managed?

In many cases, individuals will assume that the organisation that they are sharing their personal information with will be processing it on its own systems. However, with the increasing trend towards relying on business partners for key services and processes, organisations will need policies and agreements to be in place for any sub-contracted processing of personal information (especially Cloud-based service providers). Organisations may need to disclose to their stakeholders the location and contractual arrangements for any such sub-contracted processing.
Outsourcing and other contracts are now increasingly specifying compliance with some form of information governance regime as a mandatory requirement.[3]

What is ‘personal information’?

The term ‘personal information’ needs some clarification. A number of terms that have the same or similar meanings are used in different jurisdictions. The EU GDPR uses the term ‘personal data’, whereas some jurisdictions (typically in the US) use ‘personally identifiab...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. About the Authors
  5. Contents
  6. Introduction
  7. Chapter 1: What is privacy information management?
  8. Chapter 2: What needs to be considered?
  9. Chapter 3: ISO/IEC 27701 and the privacy information management system requirements
  10. Chapter 4: Legal, regulatory and contractual requirements and business risk
  11. Chapter 5: Privacy information management controls
  12. Chapter 6: Certification
  13. Chapter 7: Terms and definitions
  14. Further reading