https://ipen.trialog.com/api.php?action=feedcontributions&user=IreneKamara&feedformat=atomIPEN Wiki - User contributions [en]2024-03-29T14:03:18ZUser contributionsMediaWiki 1.37.6https://ipen.trialog.com/?title=ISO&diff=376ISO2016-02-03T17:48:29Z<p>IreneKamara: Undo revision 375 by IreneKamara (talk)</p>
<hr />
<div>[[File:ISO.png]]<br />
<br />
== <span style="font-size:larger">Introduction</span> ==<br />
<br />
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span><br />
<br />
<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span><br />
<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)<br />
<br />
<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.</span><br />
<br />
== <span style="font-size:larger">Some conventions on ISO standards</span> ==<br />
<br />
The important things to know concerning ISO standards steps:<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| <span style="line-height: 18.9090900421143px">Standard</span><br/><br />
| <ul style="line-height: 18.9090900421143px;"><br />
<li>SP: Study period</li><br />
<li>NWIP: New Work Item Proposal</li><br />
<li>NP: New Work Item</li><br />
<li>WD: Working Draft</li><br />
<li>CD: Committee Draft</li><br />
<li>DIS: Draft International Standard</li><br />
<li>FDIS: Final Draft International Standard</li><br />
<li>IS: International Standard</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical report</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTR: Proposed Draft Technical Report</li><br />
<li>DTR:&nbsp;Draft Technical Report</li><br />
<li>TR: Technical Report</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li><br />
<li>DTS: Draft Technical Specification</li><br />
<li>Technical Specification</li><br />
</ul><br />
<br />
|}<br />
<br />
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| 2014<br />
| <br />
*<span style="line-height: 1.6">April 7-15, 2014 Hong Kong</span><br />
*<span style="line-height: 1.6">Oct 20-24, 2014 Mexico City, Mexico</span><br />
<br />
|-<br />
| 2015<br />
| <br />
*May 4-12, 2015 Kuching, Malaysia<br />
*Oct 26-30, 2015 Jaipur, India<br />
<br />
|-<br />
| 2016<br />
| <br />
*April 11-15 Tampa, USA<br />
*Oct 23 (sunday) - 27 (thursday), UAE<br />
<br />
|-<br />
| 2017<br />
| <br />
*April/May Hamilton, New Zealand<br />
*Oct/Nov Crete, Greece<br />
<br />
|}<br />
<br />
== <span style="font-size:larger">Standards and Projects</span> ==<br />
<br />
=== <span style="font-size:larger">29100 IS Privacy framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/><br />
|-<br />
| Scope<br />
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/><br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard describes a privacy architecture framework that<br />
<ol style="line-height: 18.9090900421143px;"><br />
<li>describes concerns for ICT systems that process PII;</li><br />
<li>lists components for the implementation of such systems; and</li><br />
<li>provides architectural views contextualizing these components.</li><br />
</ol><br />
<br />
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.<br />
<br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29134 Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/><br />
|-<br />
| Scope<br />
| <br />
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).<br />
<br />
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.<br />
<br />
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.<br />
<br />
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.<br />
<br />
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.<br />
<br />
For principles and guidelines on risk management, reference is made to ISO 31000:2009.<br />
<br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Calendar<br />
| <span style="line-height: 1.6">Currently CD</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<div></div><br />
=== <span style="font-size:larger">29151 Code of Practice for PII Protection</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).<br />
<br />
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).<br />
<br />
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.<br />
<br />
|-<br />
| Documentation<br />
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]<br />
|-<br />
| Calendar<br />
| <span style="line-height: 20.7999992370605px">Currently CD</span><br/><br />
|-<br />
| Comments<br />
| Also an ITU reference (ITU-T X.gpim)<br />
|}<br />
<br />
=== <span style="font-size:larger">29190 Privacy capability assessment model</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Alan Shipman</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6">In particular, it:</span><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>specifies steps in assessing processes to determine privacy capability;</li><br />
<li>specifies a set of levels for privacy capability assessment;</li><br />
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li><br />
<li>provides guidance for those implementing process assessment;</li><br />
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li><br />
</ul><br />
<br />
|-<br />
| Documentation<br />
| Must be purchased. [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]<br />
|-<br />
| Calendar<br />
| <br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29191 Requirements for partially anonymous, partially unlinkable authentication</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.<br />
<br />
This document provides guidance to the use of group signatures for data minimization and user convenience.<br />
<br />
This guideline is applicable in use cases where authentication or authorization is needed.<br />
<br />
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)<br />
|-<br />
| Comments<br/><br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">27018 Code of practice for protection of PII in public clouds acting as PII processors</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.<br />
<br />
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/><br />
|-<br />
| Comments<br />
| <br />
1st published in 2014<br />
<br />
ISO/IEC JTC&nbsp;1, ''Information technology'', Subcommittee SC&nbsp;27, ''IT Security techniques''<br />
<br />
|}<br />
<br />
<br />
<br />
=== <span style="font-size: larger;">20889&nbsp;Privacy Enhancing De-identification Techniques</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"<br />
|-<br />
| Editor<br/><br />
| Chris Mitchell and&nbsp;Lionel Vodzislawsky<br/><br />
|-<br />
| Scope<br />
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/><br />
|-<br />
| Documentation<br />
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]<br />
|-<br />
| Calendar<br />
| Working draft status<br />
|-<br />
| Comments<br />
| Was proposed in the Kuching meeting (May 2015).<br />
|}<br />
<br />
=== <span style="font-size:larger">NWIP Guidelines for online privacy notices and consent</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| Nat Sakimura, Srinivas Poorsala<br/><br />
|-<br />
| Scope<br />
| Guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from a PII principals online<br/><br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Calendar<br />
| <br/><br />
|-<br />
| Comments<br />
| <br />
Initiated in Jaipur (Oct 2015)<br />
<br />
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent<br />
<br />
|}<br />
<br />
== <span style="font-size:larger"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2000007629395px">Study Periods</span></span> ==<br />
<br />
Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made<span style="line-height: 1.6">.</span><br />
<br />
=== <span style="line-height: 1.2; font-size: larger;">Privacy Engineering Framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leaders<br />
| <span style="line-height: 20.7999992370605px">Antonio Kung, Matthias Reinis</span><br/><br />
|-<br />
| Objective<br />
| Study the concept of privacy engineering and see whether new work items are needed<br />
|-<br />
| Documentation<br />
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]<br />
|-<br />
| Comments<br />
| <div style="line-height: 20.7999992370605px"><span style="line-height: 20.7999992370605px">Intended calendar</span><br/></div><div style="line-height: 20.7999992370605px"><br />
*Contributions by August 15th 2015.<br />
**<span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)"></span><span style="line-height: 20.7999992370605px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span><br />
*Presentation in Jaipur October 2015<br />
**<span style="background-color:#FFFF00;">Summary made to PRIPARE project:&nbsp;</span>[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf <span style="background-color:#FFFF00;">http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf</span>]<br />
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering<br />
*Presentation in Tampa April 2016<br />
</div><br />
|}<br />
<div>=</div><div></div><br />
=== <span style="font-size: larger;">PII Protection Considerations for Smartphone App Providers</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"<br />
|-<br />
| Leader<br />
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/><br />
|-<br />
| Objective<br />
| <br />
Study mobile application ecosystems from a privacy viewpoint<br />
<br />
<span style="line-height: 20.7999992370605px;">Collect views of multiple stakeholders in the mobile applications space</span><br />
<br />
<span style="line-height: 20.7999992370605px;">Collect mobile apps privacy guidelines issued by various agencies</span><br />
<br />
<span style="line-height: 20.7999992370605px;">Collate a report on the findings</span><br />
<br />
<span style="line-height: 20.7999992370605px;">Potentially provide a new work item proposal</span><br />
<br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| <br />
Initiated in Jaipur (October 2015)<br />
<br />
|}<br />
<br />
=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"<br />
|-<br />
| Leader<br />
| <span style="line-height: 20.7999992370605px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/><br />
|-<br />
| Objective<br />
| <br/><br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| <br />
Initiated in Jaipur (Oct 2015)<br />
<br />
Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.7999992370605px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.7999992370605px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span><br />
<br />
|}<br />
<div style="line-height: 20.7999992370605px;"><br/></div><br />
=== <span style="font-size:larger">Privacy in Smart Cities</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leaders<br />
| Saritha Nilesh Auti, Sanjeev Chhabra, Satish Katepalli Ksreenivasaiah, Antonio Kung<br/><br />
|-<br />
| Objective<br />
| <br />
Connect with multiple stakeholders in the smart city space<br />
<br />
Refer the existing work on smart cities<br />
<br />
Collate information, feedback, inputs from the stakeholders and draft the guidelines<br />
<br />
Potentially provide (a) new work item proposal(s) that can translate in guidelines<br />
<br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| <br />
Initiated in Jaipur (October 2015)<br />
<br />
Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;<br />
<br />
|}</div>IreneKamarahttps://ipen.trialog.com/?title=ISO&diff=375ISO2016-02-03T17:46:19Z<p>IreneKamara: </p>
<hr />
<div><parsererror style="display: block; white-space: pre; border: 2px solid #c77; padding: 0 1em 0 1em; margin: 1em; background-color: #fdd; color: black"><br />
=== This page contains the following errors: ===<br />
<div style="font-family:monospace;font-size:12px">error on line 1 at column 13926: attributes construct error </div><br />
=== Below is a rendering of the page up to the first error. ===<br />
</parsererror><br />
[[File:ISO.png]]<br />
<br />
== <span style="font-size:larger">Introduction</span> ==<br />
<br />
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span><br />
<br />
<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span><br />
<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)<br />
<br />
<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.</span><br />
<br />
== <span style="font-size:larger">Some conventions on ISO standards</span> ==<br />
<br />
The important things to know concerning ISO standards steps:<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| <span style="line-height: 18.9090900421143px">Standard</span><br/><br />
| <ul style="line-height: 18.9090900421143px;"><br />
<li>SP: Study period</li><br />
<li>NWIP: New Work Item Proposal</li><br />
<li>NP: New Work Item</li><br />
<li>WD: Working Draft</li><br />
<li>CD: Committee Draft</li><br />
<li>DIS: Draft International Standard</li><br />
<li>FDIS: Final Draft International Standard</li><br />
<li>IS: International Standard</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical report</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTR: Proposed Draft Technical Report</li><br />
<li>DTR:&nbsp;Draft Technical Report</li><br />
<li>TR: Technical Report</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li><br />
<li>DTS: Draft Technical Specification</li><br />
<li>Technical Specification</li><br />
</ul><br />
<br />
|}<br />
<br />
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| 2014<br />
| <br />
*<span style="line-height: 1.6">April 7-15, 2014 Hong Kong</span><br />
*<span style="line-height: 1.6">Oct 20-24, 2014 Mexico City, Mexico</span><br />
<br />
|-<br />
| 2015<br />
| <br />
*May 4-12, 2015 Kuching, Malaysia<br />
*Oct 26-30, 2015 Jaipur, India<br />
<br />
|-<br />
| 2016<br />
| <br />
*April 11-15 Tampa, USA<br />
*Oct 23 (sunday) - 27 (thursday), UAE<br />
<br />
|-<br />
| 2017<br />
| <br />
*April/May Hamilton, New Zealand<br />
*Oct/Nov Crete, Greece<br />
<br />
|}<br />
<br />
== <span style="font-size:larger">Standards and Projects</span> ==<br />
<br />
=== <span style="font-size:larger">29100 IS Privacy framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/><br />
|-<br />
| Scope<br />
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/><br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard describes a privacy architecture framework that<br />
<ol style="line-height: 18.9090900421143px;"><br />
<li>describes concerns for ICT systems that process PII;</li><br />
<li>lists components for the implementation of such systems; and</li><br />
<li>provides architectural views contextualizing these components.</li><br />
</ol><br />
<br />
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.<br />
<br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29134 Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/><br />
|-<br />
| Scope<br />
| <br />
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).<br />
<br />
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.<br />
<br />
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.<br />
<br />
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.<br />
<br />
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.<br />
<br />
For principles and guidelines on risk management, reference is made to ISO 31000:2009.<br />
<br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Calendar<br />
| <span style="line-height: 1.6">Currently CD</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<div></div><br />
=== <span style="font-size:larger">29151 Code of Practice for PII Protection</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).<br />
<br />
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).<br />
<br />
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.<br />
<br />
|-<br />
| Documentation<br />
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]<br />
|-<br />
| Calendar<br />
| <span style="line-height: 20.7999992370605px">Currently CD</span><br/><br />
|-<br />
| Comments<br />
| Also an ITU reference (ITU-T X.gpim)<br />
|}<br />
<br />
=== <span style="font-size:larger">29190 Privacy capability assessment model</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Alan Shipman</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6">In particular, it:</span><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>specifies steps in assessing processes to determine privacy capability;</li><br />
<li>specifies a set of levels for privacy capability assessment;</li><br />
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li><br />
<li>provides guidance for those implementing process assessment;</li><br />
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li><br />
</ul><br />
<br />
|-<br />
| Documentation<br />
| Must be purchased. [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]<br />
|-<br />
| Calendar<br />
| <br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29191 Requirements for partially anonymous, partially unlinkable authentication</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.<br />
<br />
This document provides guidance to the use of group signatures for data minimization and user convenience.<br />
<br />
This guideline is applicable in use cases where authentication or authorization is needed.<br />
<br />
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)<br />
|-<br />
| Comments<br/><br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">27018 Code of practice for protection of PII in public clouds acting as PII processors</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.<br />
<br />
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/><br />
|-<br />
| Comments<br />
| <br />
1st published in 2014<br />
<br />
ISO/IEC JTC&nbsp;1, ''Information technology'', Subcommittee SC&nbsp;27, ''IT Security techniques''<br />
<br />
|}<br />
<br />
=== <span style="font-size:larger;">27017&nbsp;Code of practice for information security controls based on ISO/IEC 27002 for cloud services</span><span style="font-size: larger;"></span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px;"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
|}</div>IreneKamarahttps://ipen.trialog.com/?title=Contacts&diff=280Contacts2015-07-06T20:30:14Z<p>IreneKamara: </p>
<hr />
<div>=== Subscription ===<br />
<br />
Please contact [[Users:Antoniok|Antonio Kung]] (''TRIALOG'').<br />
<br />
=== Contacts ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Name<br />
! scope="col" | Company<br />
! scope="col" style="width: 15%" | Contact Informations<br />
! scope="col" style="width: 40%" | Presentation<br />
|-<br />
| valign="top" | [[User:Antoniok|Antonio Kung]]<br/><br />
| valign="top" | [http://trialog.com Trialog]<br />
| valign="top" | antonio.kung@trialog.com<br />
| valign="top" | <br />
|-<br />
| valign="top" | [[User:Olivierm|Olivier Maridat]]<br />
| valign="top" | [http://trialog.com Trialog]<br />
| valign="top" | olivier.maridat@trialog.com<br />
| valign="top" | <br />
|-<br />
| valign="top" | [[User:JoseDelAlamo|Jose M. del Alamo]]<br />
| valign="top" | [http://www.dit.upm.es Universidad Politécnica de Madrid]<br />
| valign="top" | jmdela@dit.upm.es<br />
| valign="top" | [http://www.dit.upm.es/~jmdela/index_en.html Homepage]<br />
|-<br />
| valign="top" | [[User:YodSamuelMartin|Yod-Samuel Martin]]<br />
| valign="top" | [http://ww.dit.upm.es Universidad Politécnica de Madrid]<br />
| valign="top" | samuelm@dit.upm.es<br />
| valign="top" | <br/><br />
|-<br />
| valign="top" | Irene Kamara<br/><br />
| valign="top" | [http://www.vub.ac.be/LSTS/ Vrije Universiteit Brussel]<br/><br />
| valign="top" | irene.kamara@vub.ac.be<br/><br />
| valign="top" | <br/><br />
|}</div>IreneKamarahttps://ipen.trialog.com/?title=CEN-CENELEC-ETSI_Activities&diff=272CEN-CENELEC-ETSI Activities2015-07-06T10:06:37Z<p>IreneKamara: </p>
<hr />
<div>This page focuses on activities related to privacy carried out in the European Standardisation Organisations (ESOs)<br />
<br />
&lt;img src="/images/ipen/c/c0/CEN_CENELEC.jpg" _fck_mw_filename="CEN CENELEC.jpg" alt="" /&gt;&lt;img src="/images/ipen/b/b3/ETSI.jpg" _fck_mw_filename="ETSI.jpg" alt="" /&gt;<br />
<br />
== <span style="font-size: larger; line-height: 1.2">CEN-CENELEC JWG8 on Privacy Management of Security Products and Related Services</span> ==<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Context<br/><br />
| <br />
The European commission has issued in early 2015 a mandate to European Standardisation Organisations (or ESOs), CEN, CENELEC, ETSI) to work on a roadmap of standards covering the privacy management of security products and related services<br />
<br />
<span style="line-height: 1.6">Consequently, CEN/CENELEC has decided to launch a joint working group JWG8, the secretariat of which will be managed by AFNOR (France).</span><br />
<br />
The objective if to define a roadmap and work plan for October 2015<br />
<br />
|-<br />
| URL<br />
| <br />
Mandate page:&nbsp;<a href="[http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=548 http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=548]">[http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=548 http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=548]&lt;/a&gt;<br />
<br />
JWG8 page:&nbsp;<a href="[http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx]">[http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx]&lt;/a&gt;<br />
<br />
|-<br />
| Members of JWG8<br />
| <br />
Working group structure<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>Chair: Claire Waast-Richards (EDF)</li><br />
</ul><br />
<br />
Editing team<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>French delegation: Antonio Kung, Mourad Faher, Denis Pinkas</li><br />
<li>German delegation: Matthias Reinis, Kai Rannenberg</li><br />
<li>UK delegation: Alan Shipman, John Mitchell</li><br />
<li>ANEC: Matthias Pocs</li><br />
<li>CEN-CENELEC: Alina Iatan</li><br />
</ul><br />
<br />
|-<br />
| Comments<br />
| <br />
[Antonio Kung]<br />
<br />
*During the IPEN workshop it was made clear that the concept of security products should be more clearly defined (in particular on the contradiction between surveillance and privacy)<br />
<br />
|}<br />
<br />
<br />
<br />
== <span style="font-size: larger; line-height: 1.2">CEN/TC225 - AIDC technologies</span> ==<br />
<br />
<span style="line-height: 1.6">As stated in Wikipedia&nbsp;: ''Automatic identification and data capture (AIDC) refers to the methods of automatically identifying objects, collecting data about them, and entering that data directly into computer systems (i.e. without human involvement). Technologies typically considered as part of AIDC include bar codes, Radio Frequency Identification (RFID), biometrics, magnetic stripes, Optical Character Recognition (OCR), smart cards, and voice recognition. AIDC is also commonly referred to as “Automatic Identification,” “Auto-ID,” and "Automatic Data Capture."''</span><br />
<br />
=== <span style="font-size: 18.2520008087158px; line-height: 29.2032012939453px">Data Protection, Privacy and Information Aspects of RFID</span> ===<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Context<br />
| <br />
In December 2008, the European Commission addressed the Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems.&nbsp;The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases.<br />
<br />
Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report&nbsp;<a href="[http://www.etsi.org/deliver/etsi_tr/187000_187099/187020/01.01.01_60/tr_187020v010101p.pdf http://www.etsi.org/deliver/etsi_tr/187000_187099/187020/01.01.01_60/tr_187020v010101p.pdf]">TR 187 020&lt;/a&gt;, which was published in May 2011.<br />
<br />
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase. This second phase ended in July 2014 with the publication of different technical reports and the publication of two European standards:<br />
<br />
<font color="#333333"><a href="[http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38577&cs=1201C63DE7F80DEAB30AE7D3BD4035F0A http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38577&amp;cs=1201C63DE7F80DEAB30AE7D3BD4035F0A]">EN 16571&lt;/a&gt;: «&nbsp;Information technology - RFID privacy impact assessment process» and</font><br />
<br />
<font color="#333333"><a href="[http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38350&cs=117C4B4C6C024833E3B87802F882742D0 http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38350&amp;cs=117C4B4C6C024833E3B87802F882742D0]">EN 16570&lt;/a&gt;: «&nbsp;Information technology - Notification of RFID - The information sign and additional information to be provided by operators of RFID application systems».</font><br />
<br />
Here is a powerpoint presentation of TC225&nbsp;:&nbsp;<a href="[http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf]">[http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf]&lt;/a&gt;<br />
<br />
|-<br />
| URL<br />
| <br />
Mandate page:&nbsp;<a href="[http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=415 http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=415]">M/436&lt;/a&gt;<br />
<br />
CEN/TC225 page:&nbsp;<a href="[http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_LANG_ID,FSP_ORG_ID:25,6206&cs=1655B872A8BB9229C9ABA80AB8819C24A#1 http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_LANG_ID,FSP_ORG_ID:25,6206&amp;cs=1655B872A8BB9229C9ABA80AB8819C24A#1]">CEN/TC225&lt;/a&gt;<br />
<br />
|-<br />
| Members of CEN/TC225<br />
| <br />
A dedicated Project Team has been appointed to draft the EN 16571 on PIA for RFID applications<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Project Leader: Claude Tételin (<a href="[http://www.centrenational-rfid.com/index_gb.cfm http://www.centrenational-rfid.com/index_gb.cfm]">French RFID National Centre&lt;/a&gt;)</span></li><br />
</ul><br />
<br />
Editing team<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Paul Chartier (<a href="[https://www.convergent-software.co.uk/ https://www.convergent-software.co.uk/]">Convergent Software Limited&lt;/a&gt;, UK), editor</span></li><br />
<li>Sandra Hohenecker&nbsp;(<a href="[https://www.gs1-germany.de/ https://www.gs1-germany.de/]">GS1 Germany&lt;/a&gt;)</li><br />
<li>John Borking (<a href="[https://www.european-privacy-seal.eu/EPS-en/Home https://www.european-privacy-seal.eu/EPS-en/Home]">EuroPriSe&lt;/a&gt;)</li><br />
<li>Peter Eisenegger (<a href="[http://www.anec.eu/anec.asp http://www.anec.eu/anec.asp]">ANEC&lt;/a&gt;)</li><br />
</ul><br />
<br />
|-<br />
| Comments<br/><br />
| <br />
<br />
<br />
|}<br />
<br />
== <span style="font-size: larger; line-height: 1.2">ETSI </span>Cloud Standards Coordination final report v.1.0 ==<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" width="1071"<br />
|-<br />
| Context<br/><br />
| <br />
<span style="color:#2C3439">The </span><span style="font-size:13px; color:#20272B">overall objective of the Cloud Standards Coordination initiative led by ETSI is to identify a detailed map of the standards required to support a series of </span><span style="font-size:13px; color:#36568B"><u><a href="[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF]">policy objectives&lt;/a&gt;</u></span><span style="font-size:13px; color:#20272B">&nbsp;defined by the European Commission, in particular </span><span style="color:#2C3439">in critical areas such as security, interoperability, data portability and reversibility</span><span style="font-size:13px; color:#20272B">.</span><br />
<br />
|-<br />
| URL<br />
| http://www.etsi.org/images/files/Events/2013/2013_CSC_Delivery_WS/CSC-Final_report-013-CSC_Final_report_v1_0_PDF_format-.PDF<br/><br />
|-<br />
| Comments<br/><br />
| <br />
[Irene Kamara]<br />
<br />
The report includes the collection and classification of over 100 cloud computing Use Cases, many of which have a personal data protection focus (e.g. UC SD 3.3.3. Processing Sensitive Data)<br />
<br />
|}<br />
<br />
&nbsp;</div>IreneKamarahttps://ipen.trialog.com/?title=CEN-CENELEC-ETSI_Activities&diff=271CEN-CENELEC-ETSI Activities2015-07-05T22:51:44Z<p>IreneKamara: </p>
<hr />
<div><p>This page focuses on activities related to privacy carried out in the European Standardisation Organisations (ESOs)<br />
</p><p><img src="/images/ipen/c/c0/CEN_CENELEC.jpg" _fck_mw_filename="CEN CENELEC.jpg" alt="" /><img src="/images/ipen/b/b3/ETSI.jpg" _fck_mw_filename="ETSI.jpg" alt="" /><br />
</p><br />
<h2> <span style="font-size: larger; line-height: 1.2">CEN-CENELEC JWG8 on Privacy Management of Security Products and Related Services</span> </h2><br />
<table style="width: 900px" border="1" cellpadding="1" cellspacing="1"><br />
<br />
<tr><br />
<td> Context<br /><br />
</td><br />
<td><br />
<p>The European commission has issued in early 2015 a mandate to European Standardisation Organisations (or ESOs), CEN, CENELEC, ETSI) to work on a roadmap of standards covering the privacy management of security products and related services<br />
</p><p><span style="line-height: 1.6">Consequently, CEN/CENELEC has decided to launch a joint working group JWG8, the secretariat of which will be managed by AFNOR (France).</span><br />
</p><p>The objective if to define a roadmap and work plan for October 2015<br />
</p><br />
</td></tr><br />
<tr><br />
<td> URL<br />
</td><br />
<td><br />
<p>Mandate page:&#160;<a href="http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=548">http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=548</a><br />
</p><p>JWG8 page:&#160;<a href="http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx">http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx</a><br />
</p><br />
</td></tr><br />
<tr><br />
<td> Members of JWG8<br />
</td><br />
<td><br />
<p>Working group structure<br />
</p><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>Chair: Claire Waast-Richards (EDF)</li><br />
</ul><br />
<p>Editing team<br />
</p><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>French delegation: Antonio Kung, Mourad Faher, Denis Pinkas</li><br />
<li>German delegation: Matthias Reinis, Kai Rannenberg</li><br />
<li>UK delegation: Alan Shipman, John Mitchell</li><br />
<li>ANEC: Matthias Pocs</li><br />
<li>CEN-CENELEC: Alina Iatan</li><br />
</ul><br />
</td></tr><br />
<tr><br />
<td> Comments<br />
</td><br />
<td><br />
<p>[Antonio Kung]<br />
</p><br />
<ul><br />
<li>During the IPEN workshop it was made clear that the concept of security products should be more clearly defined (in particular on the contradiction between surveillance and privacy)<br />
</li><br />
</ul><br />
</td></tr></table><br />
<p><br /><br />
</p><br />
<h2> <span style="font-size: larger; line-height: 1.2">CEN/TC225 - AIDC technologies</span> </h2><br />
<p><span style="line-height: 1.6">As stated in Wikipedia&#160;: <i>Automatic identification and data capture (AIDC) refers to the methods of automatically identifying objects, collecting data about them, and entering that data directly into computer systems (i.e. without human involvement). Technologies typically considered as part of AIDC include bar codes, Radio Frequency Identification (RFID), biometrics, magnetic stripes, Optical Character Recognition (OCR), smart cards, and voice recognition. AIDC is also commonly referred to as “Automatic Identification,” “Auto-ID,” and "Automatic Data Capture."</i></span><br />
</p><br />
<h3> <span style="font-size: 18.2520008087158px; line-height: 29.2032012939453px">Data Protection, Privacy and Information Aspects of RFID</span> </h3><br />
<table style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"><br />
<br />
<tr><br />
<td> Context<br />
</td><br />
<td><br />
<p>In December 2008, the European Commission addressed the Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems.&#160;The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases.<br />
</p><p>Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report&#160;<a href="http://www.etsi.org/deliver/etsi_tr/187000_187099/187020/01.01.01_60/tr_187020v010101p.pdf">TR 187 020</a>, which was published in May 2011.<br />
</p><p>Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase. This second phase ended in July 2014 with the publication of different technical reports and the publication of two European standards:<br />
</p><p><font color="#333333"><a href="http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38577&amp;cs=1201C63DE7F80DEAB30AE7D3BD4035F0A">EN 16571</a>: «&#160;Information technology - RFID privacy impact assessment process» and</font><br />
</p><p><font color="#333333"><a href="http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38350&amp;cs=117C4B4C6C024833E3B87802F882742D0">EN 16570</a>: «&#160;Information technology - Notification of RFID - The information sign and additional information to be provided by operators of RFID application systems».</font><br />
</p><p>Here is a powerpoint presentation of TC225&#160;:&#160;<a href="http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf">http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf</a><br />
</p><br />
</td></tr><br />
<tr><br />
<td> URL<br />
</td><br />
<td><br />
<p>Mandate page:&#160;<a href="http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&amp;id=415">M/436</a><br />
</p><p>CEN/TC225 page:&#160;<a href="http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_LANG_ID,FSP_ORG_ID:25,6206&amp;cs=1655B872A8BB9229C9ABA80AB8819C24A#1">CEN/TC225</a><br />
</p><br />
</td></tr><br />
<tr><br />
<td> Members of CEN/TC225<br />
</td><br />
<td><br />
<p>A dedicated Project Team has been appointed to draft the EN 16571 on PIA for RFID applications<br />
</p><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Project Leader: Claude Tételin (<a href="http://www.centrenational-rfid.com/index_gb.cfm">French RFID National Centre</a>)</span></li><br />
</ul><br />
<p>Editing team<br />
</p><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Paul Chartier (<a href="https://www.convergent-software.co.uk/">Convergent Software Limited</a>, UK), editor</span></li><br />
<li>Sandra Hohenecker&#160;(<a href="https://www.gs1-germany.de/">GS1 Germany</a>)</li><br />
<li>John Borking (<a href="https://www.european-privacy-seal.eu/EPS-en/Home">EuroPriSe</a>)</li><br />
<li>Peter Eisenegger (<a href="http://www.anec.eu/anec.asp">ANEC</a>)</li><br />
</ul><br />
</td></tr><br />
<tr><br />
<td> Comments<br /><br />
</td><br />
<td><br />
<p><br /><br />
</p><br />
</td></tr></table><br />
<h2> <span style="font-size: larger; line-height: 1.2">ETSI </span>Cloud Standards Coordination final report v.1.0 </h2><br />
<table border="1" cellpadding="1" cellspacing="1" width="1071"><br />
<br />
<tr><br />
<td> Context<br /><br />
</td><br />
<td><br />
<p><span style="color:#2C3439">The </span><span style="font-size:13px; color:#20272B">overall objective of the Cloud Standards Coordination initiative led by ETSI is to identify a detailed map of the standards required to support a series of </span><span style="font-size:13px; color:#36568B"><u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF">policy objectives</a></u></span><span style="font-size:13px; color:#20272B">&#160;defined by the European Commission, in particular </span><span style="color:#2C3439">in critical areas such as security, interoperability, data portability and reversibility</span><span style="font-size:13px; color:#20272B">.</span><br />
</p><br />
</td></tr><br />
<tr><br />
<td> URL<br />
</td><br />
<td> <a href="http://csc.etsi.org/phase2/UserNeeds.html">http://csc.etsi.org/phase2/UserNeeds.html</a><br /><br />
</td></tr><br />
<tr><br />
<td> Comments<br /><br />
</td><br />
<td><br />
<p>[Irene Kamara]<br />
</p><p>The report includes the collection and classification of over 100 cloud computing Use Cases, many of which have a personal data protection focus (e.g. UC SD 3.3.3. Processing Sensitive Data)<br />
</p><br />
</td></tr></table><br />
<p>&#160;<br />
</p></div>IreneKamarahttps://ipen.trialog.com/?title=Wiki_for_Privacy_Standards_and_Privacy_Projects&diff=270Wiki for Privacy Standards and Privacy Projects2015-07-05T22:49:58Z<p>IreneKamara: </p>
<hr />
<div>== <span style="font-size:larger">IPEN - Internet Privacy Engineering Network</span> ==<br />
<br />
<span style="line-height: 1.6">The purpose of IPEN ([https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN])&nbsp;is to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools which can effectively protect and enhance our privacy.</span><br />
<br />
== <span style="font-size:larger">Objective of WIKI</span> ==<br />
<br />
During the IPEN workshop held in Leuven on June 5th 2015 ([https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/lang/en/IPEN_Workshop_2015) https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/lang/en/IPEN_Workshop_2015)], it was agreed that the IPEN community would benefit from the creation of a repository of information on activities related to privacy engineering standards<br />
<br />
The objective of this wiki is to be a tool allowing stakeholders interested in standardisation to identify and seek harmonisation and convergence opportunities<br />
<br />
== <span style="font-size:larger">How to be a member of the wiki</span> ==<br />
<br />
IPEN members can register to this wiki<br />
<br />
*as observers (i.e. getting information)<br />
*as contributors (i.e. providing information and comments on privacy standards activities).<br />
<br />
<span style="background-color:#FFFF00">Contact Antonio Kung (antonio.kung@trialog.com) or Olivier Maridat (olivier.maridat@trialog.com) with topic [IPEN privacy standards] to request access, and indicate whether you want to be an observer or a contributor</span><br />
<br />
== <span style="font-size:larger">Rules for contributors</span> ==<br />
<br />
'''Rule 1: '''It is important to respect copyrights rules of all information contained in this wiki:<br />
<br />
*Concerning existing standards, the wiki can contain<br />
**link to standardisation bodies pages<br />
**analyses and comments that you provide as contributor<br />
**public presentations or documents<br />
*Concerning standards in the making, the wiki can contain<br />
**link to standardisation bodies pages<br />
**<span style="line-height: 1.6">information about the status</span><br />
**information on meetings<br />
**public presentations of documents<br />
<br />
'''Rule 2''': Separate official information from analysis/opinions/comments. It is also advised to give your name when comments are provided.<br />
<br />
<span style="line-height: 1.6">Contributors are free to create new pages either to provide extended analysis or to cover other topics</span><br />
<br />
== <span style="font-size:larger">Content</span> ==<br />
<br />
The wiki will contain the following dedicated pages<br />
<br />
=== <span style="font-size:larger">ISO activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/ISO http://ipen.trialog.com/wiki/ISO]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| Antonio Kung, Irene Kamara<br/><br />
|}<br />
<br />
=== <span style="font-size:larger">OASIS activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/OASIS http://ipen.trialog.com/wiki/OASIS]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| <span style="line-height: 20.7999992370605px">John Sabo?, Dawn Jutla?</span><br/><br />
|}<br />
<br />
=== <span style="font-size:larger">W3C activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/W3C_Activities http://ipen.trialog.com/wiki/W3C_Activities]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| Ninja Marnau?<br />
|}<br />
<br />
=== <span style="font-size:larger">IETF activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/IETF_Activities http://ipen.trialog.com/wiki/IETF_Activities]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| <span style="line-height: 20.7999992370605px">Steven Farrell?</span><br/><br />
|}<br />
<br />
=== <span style="font-size:larger">CEN-CENELEC-ETSI activities</span> ===<br />
<br />
[http://ipen.trialog.com/?title=CEN-CENELEC-ETSI_Activities http://ipen.trialog.com/?title=CEN-CENELEC-ETSI_Activities]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| Antonio Kung (CEN-CENELEC JWG8), Claude Tételin (CEN TC225), Irene Kamara (ETSI)<br/><br />
|}<br />
<br />
=== <span style="font-size:larger">National level activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/National_Level_Activities http://ipen.trialog.com/wiki/National_Level_Activities]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| Alan Shipman (BSI)<br/><br />
|}<br />
<br />
=== <span style="font-size:larger">Other activities</span> ===<br />
<br />
[http://ipen.trialog.com/wiki/Other_Activities http://ipen.trialog.com/wiki/Other_Activities]<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Contributors<br />
| Antonio Kung (Smart grid DPIA template, CNIL risk analysis, ENISA landscape document, NIST privacy risk management framework)<br />
|}<br />
<br />
== <span style="font-size:larger"><span style="line-height: 1.6">Sponsors and Support</span></span> ==<br />
<br />
This wiki is sponsored by Trialog and supported by the PRIPARE project<br />
<br />
[[File:LOGO TRIALOG 200 small 2.png|LOGO TRIALOG 200 small 2.png|link=http://www.trialog.com/]]<br />
<br />
[[File:Logo Pripare-Large-clear.png|Logo Pripare-Large-clear.png|link=http://pripareproject.eu/]]</div>IreneKamarahttps://ipen.trialog.com/?title=CEN-CENELEC-ETSI_Activities&diff=269CEN-CENELEC-ETSI Activities2015-07-05T22:48:11Z<p>IreneKamara: </p>
<hr />
<div>This page focuses on activities related to privacy carried out in the European Standardisation Organisations (ESOs)<br />
<br />
[[File:CEN CENELEC.jpg]][[File:ETSI.jpg]]<br />
<br />
== <span style="font-size: larger; line-height: 1.2">CEN-CENELEC JWG8 on Privacy Management of Security Products and Related Services</span> ==<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Context<br/><br />
| <br />
The European commission has issued in early 2015 a mandate to European Standardisation Organisations (or ESOs), CEN, CENELEC, ETSI) to work on a roadmap of standards covering the privacy management of security products and related services<br />
<br />
<span style="line-height: 1.6">Consequently, CEN/CENELEC has decided to launch a joint working group JWG8, the secretariat of which will be managed by AFNOR (France).</span><br />
<br />
The objective if to define a roadmap and work plan for October 2015<br />
<br />
|-<br />
| URL<br />
| <br />
Mandate page:&nbsp;[http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=548 http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=548]<br />
<br />
JWG8 page:&nbsp;[http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Privacy/Pages/default.aspx]<br />
<br />
|-<br />
| Members of JWG8<br />
| <br />
Working group structure<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>Chair: Claire Waast-Richards (EDF)</li><br />
</ul><br />
<br />
Editing team<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>French delegation: Antonio Kung, Mourad Faher, Denis Pinkas</li><br />
<li>German delegation: Matthias Reinis, Kai Rannenberg</li><br />
<li>UK delegation: Alan Shipman, John Mitchell</li><br />
<li>ANEC: Matthias Pocs</li><br />
<li>CEN-CENELEC: Alina Iatan</li><br />
</ul><br />
<br />
|-<br />
| Comments<br />
| <br />
[Antonio Kung]<br />
<br />
*During the IPEN workshop it was made clear that the concept of security products should be more clearly defined (in particular on the contradiction between surveillance and privacy)<br />
<br />
|}<br />
<br />
<br />
<br />
== <span style="font-size: larger; line-height: 1.2">CEN/TC225 - AIDC technologies</span> ==<br />
<br />
<span style="line-height: 1.6">As stated in Wikipedia&nbsp;: ''Automatic identification and data capture (AIDC) refers to the methods of automatically identifying objects, collecting data about them, and entering that data directly into computer systems (i.e. without human involvement). Technologies typically considered as part of AIDC include bar codes, Radio Frequency Identification (RFID), biometrics, magnetic stripes, Optical Character Recognition (OCR), smart cards, and voice recognition. AIDC is also commonly referred to as “Automatic Identification,” “Auto-ID,” and "Automatic Data Capture."''</span><br />
<br />
=== <span style="font-size: 18.2520008087158px; line-height: 29.2032012939453px">Data Protection, Privacy and Information Aspects of RFID</span> ===<br />
<br />
{| style="line-height: 20.7999992370605px; width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Context<br />
| <br />
In December 2008, the European Commission addressed the Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems.&nbsp;The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases.<br />
<br />
Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report&nbsp;[http://www.etsi.org/deliver/etsi_tr/187000_187099/187020/01.01.01_60/tr_187020v010101p.pdf TR 187 020], which was published in May 2011.<br />
<br />
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase. This second phase ended in July 2014 with the publication of different technical reports and the publication of two European standards:<br />
<br />
<font color="#333333">[http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38577&cs=1201C63DE7F80DEAB30AE7D3BD4035F0A EN 16571]: «&nbsp;Information technology - RFID privacy impact assessment process» and</font><br />
<br />
<font color="#333333">[http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:38350&cs=117C4B4C6C024833E3B87802F882742D0 EN 16570]: «&nbsp;Information technology - Notification of RFID - The information sign and additional information to be provided by operators of RFID application systems».</font><br />
<br />
Here is a powerpoint presentation of TC225&nbsp;:&nbsp;[http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf http://docbox.etsi.org/Workshop/2013/201301_SECURITYWORKSHOP/03_CENCENELEC_Standardization/CEN_TC225_M436_DESSENNE.pdf]<br />
<br />
|-<br />
| URL<br />
| <br />
Mandate page:&nbsp;[http://ec.europa.eu/growth/tools-databases/mandates/index.cfm?fuseaction=search.detail&id=415 M/436]<br />
<br />
CEN/TC225 page:&nbsp;[http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_LANG_ID,FSP_ORG_ID:25,6206&cs=1655B872A8BB9229C9ABA80AB8819C24A#1 CEN/TC225]<br />
<br />
|-<br />
| Members of CEN/TC225<br />
| <br />
A dedicated Project Team has been appointed to draft the EN 16571 on PIA for RFID applications<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Project Leader: Claude Tételin ([http://www.centrenational-rfid.com/index_gb.cfm French RFID National Centre])</span></li><br />
</ul><br />
<br />
Editing team<br />
<ul style="line-height: 18.9090900421143px;"><br />
<li><span style="line-height: 20.7999992370605px">Paul Chartier ([https://www.convergent-software.co.uk/ Convergent Software Limited], UK), editor</span></li><br />
<li>Sandra Hohenecker&nbsp;([https://www.gs1-germany.de/ GS1 Germany])</li><br />
<li>John Borking ([https://www.european-privacy-seal.eu/EPS-en/Home EuroPriSe])</li><br />
<li>Peter Eisenegger ([http://www.anec.eu/anec.asp ANEC])</li><br />
</ul><br />
<br />
|-<br />
| Comments<br/><br />
| <br />
<br />
<br />
|}<br />
<br />
== <span style="font-size: larger; line-height: 1.2">ETSI </span>Cloud Standards Coordination final report v.1.0 ==<br />
<br />
{| border="1" cellpadding="1" cellspacing="1" width="1071"<br />
|-<br />
| Context<br/><br />
| <br />
<span style="color:#2C3439">The </span><span style="font-size:13px; color:#20272B">overall objective of the Cloud Standards Coordination initiative led by ETSI is to identify a detailed map of the standards required to support a series of </span><span style="font-size:13px; color:#36568B"><u>[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF policy objectives]</u></span><span style="font-size:13px; color:#20272B">&nbsp;defined by the European Commission, in particular </span><span style="color:#2C3439">in critical areas such as security, interoperability, data portability and reversibility</span><span style="font-size:13px; color:#20272B">.</span><br />
<br />
|-<br />
| URL<br />
| [http://csc.etsi.org/phase2/UserNeeds.html http://csc.etsi.org/phase2/UserNeeds.html]<br/><br />
|-<br />
| Comments<br/><br />
| <br />
[Irene Kamara]<br />
<br />
The report includes the collection and classification of over 100 cloud computing Use Cases, many of which have a personal data protection focus (e.g. UC SD 3.3.3. Processing Sensitive Data)<br />
<br />
|}<br />
<br />
&nbsp;</div>IreneKamarahttps://ipen.trialog.com/?title=ISO&diff=268ISO2015-07-03T14:49:18Z<p>IreneKamara: </p>
<hr />
<div>[[File:ISO.png]]<br />
<br />
== <span style="font-size:larger">Introduction</span> ==<br />
<br />
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span><br />
<br />
<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span><br />
<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]<br />
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)<br />
<br />
<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.</span><br />
<br />
== <span style="font-size:larger">Some conventions on ISO standards</span> ==<br />
<br />
The important things to know concerning ISO standards steps:<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| <span style="line-height: 18.9090900421143px">Standard</span><br/><br />
| <ul style="line-height: 18.9090900421143px;"><br />
<li>SP: Study period</li><br />
<li>NWIP: New Work Item Proposal</li><br />
<li>NP: New Work Item</li><br />
<li>WD: Working Draft</li><br />
<li>CD: Committee Draft</li><br />
<li>DIS: Draft International Standard</li><br />
<li>FDIS: Final Draft International Standard</li><br />
<li>IS: International Standard</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical report</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTR: Proposed Draft Technical Report</li><br />
<li>DTR:&nbsp;Draft Technical Report</li><br />
<li>TR: Technical Report</li><br />
</ul><br />
<br />
|-<br />
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/><br />
| <ul style="line-height: 20.7999992370605px;"><br />
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li><br />
<li>DTS: Draft Technical Specification</li><br />
<li>Technical Specification</li><br />
</ul><br />
<br />
|}<br />
<br />
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.<br />
<br />
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| 2014<br />
| <br />
*<span style="line-height: 1.6">April 7-15, 2014 Hong Kong</span><br />
*<span style="line-height: 1.6">Oct 20-24, 2014 Mexico City</span><br />
<br />
|-<br />
| 2015<br />
| <br />
*May 4-12, 2015 Kuching<br />
*Oct 26-30, 2015 Jaipur, India<br />
<br />
|-<br />
| 2016<br />
| <br />
*May: Tampa<br />
<br />
|}<br />
<br />
== <span style="font-size:larger">Standards and Projects</span> ==<br />
<br />
=== <span style="font-size:larger">29100 IS Privacy framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/><br />
|-<br />
| Scope<br />
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/><br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard describes a privacy architecture framework that<br />
<ol style="line-height: 18.9090900421143px;"><br />
<li>describes concerns for ICT systems that process PII;</li><br />
<li>lists components for the implementation of such systems; and</li><br />
<li>provides architectural views contextualizing these components.</li><br />
</ol><br />
<br />
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.<br />
<br />
|-<br />
| Documentation<br />
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29134 Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/><br />
|-<br />
| Scope<br />
| <br />
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).<br />
<br />
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.<br />
<br />
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.<br />
<br />
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.<br />
<br />
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.<br />
<br />
For principles and guidelines on risk management, reference is made to ISO 31000:2009.<br />
<br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Calendar<br />
| <span style="line-height: 1.6">Currently CD - DIS 2015-11 /&nbsp;</span><span style="line-height: 1.6">IS 2016-05</span><br/><br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<div></div><br />
=== <span style="font-size:larger">29151 Code of Practice for PII Protection</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Heung Youl Youm</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).<br />
<br />
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).<br />
<br />
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.<br />
<br />
|-<br />
| Documentation<br />
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]<br />
|-<br />
| Calendar<br />
| <span style="line-height: 20.7999992370605px">Currently CD - DIS 2015-04 / IS 2016-04</span><br/><br />
|-<br />
| Comments<br />
| Also an ITU reference (ITU-T X.gpim)<br />
|}<br />
<br />
=== <span style="font-size:larger">29190 Privacy capability assessment model</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br />
| <span style="line-height: 20.7999992370605px">Alan Shipman</span><br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6">In particular, it:</span><br />
<ul style="line-height: 18.9090900421143px;"><br />
<li>specifies steps in assessing processes to determine privacy capability;</li><br />
<li>specifies a set of levels for privacy capability assessment;</li><br />
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li><br />
<li>provides guidance for those implementing process assessment;</li><br />
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li><br />
</ul><br />
<br />
|-<br />
| Documentation<br />
| Must be purchased. Not yet available:&nbsp;[http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]<br />
|-<br />
| Calendar<br />
| FDIS<br />
|-<br />
| Comments<br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">29191 Requirements for partially anonymous, partially unlinkable authentication</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.<br />
<br />
This document provides guidance to the use of group signatures for data minimization and user convenience.<br />
<br />
This guideline is applicable in use cases where authentication or authorization is needed.<br />
<br />
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)<br />
|-<br />
| Comments<br/><br />
| <br/><br />
|}<br />
<br />
=== <span style="font-size:larger">27018 Code of practice for protection of PII in public clouds acting as PII processors</span> ===<br />
<br />
{| border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <br/><br />
|-<br />
| Scope<br />
| <br />
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.<br />
<br />
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.<br />
<br />
|-<br />
| Documentation<br />
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/><br />
|-<br />
| Comments<br />
| <br />
1st published in 2014<br />
<br />
ISO/IEC JTC&nbsp;1, ''Information technology'', Subcommittee SC&nbsp;27, ''IT Security techniques''<br />
<br />
|}<br />
<br />
=== <span style="font-size:larger">NWIP on Privacy Enhancing De-identification Techniques</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Editor<br/><br />
| <span style="color: rgb(0, 0, 0); font-family: sans-serif; font-size: 12.8000001907349px; line-height: 19.2000007629395px">Chris Mitchell</span><br/><br />
|-<br />
| Scope<br />
| <br/><br />
|-<br />
| Documentation<br />
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]<br />
|-<br />
| Calendar<br />
| <br/><br />
|-<br />
| Comments<br />
| Was proposed in the Kuching meeting (May 2015).<br />
|}<br />
<br />
== <span style="font-size:larger"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2000007629395px">Study Periods</span></span> ==<br />
<br />
Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made<span style="line-height: 1.6">.</span><br />
<br />
=== <span style="font-size:larger">Privacy-respecting identity management scheme using attribute-based credentials</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leader<br />
| <span style="line-height: 20.7999992370605px">Dieter Sommer, Pascal Pailler</span><br/><br />
|-<br />
| Objective<br />
| <br/><br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| <br />
Outcome of the ABC4trust FP7 project:&nbsp;[https://abc4trust.eu https://abc4trust.eu]<br />
<br />
Was presented in April 2014 in Hong Kong. Study period is extended to Jaipur meeting.<br />
<br />
|}<br />
<div><br/></div><br />
=== <span style="font-size:larger"><span style="line-height: 1.2">Privacy Engineering Framework</span></span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leaders<br />
| <span style="line-height: 20.7999992370605px">Antonio Kung, Matthias Reinis</span><br/><br />
|-<br />
| Objective<br />
| Study the concept of privacy engineering and see whether new work items are needed<br />
|-<br />
| Documentation<br />
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]<br />
|-<br />
| Comments<br />
| <div style="line-height: 20.7999992370605px"><span style="line-height: 20.7999992370605px">Intended calendar</span><br/></div><div style="line-height: 20.7999992370605px"><br />
*Contributions by mid september 2015.<span style="background-color:#FFFF00">Note that if you are interested to provide contributions,&nbsp;</span><span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">you can eit</span><span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">her do it through your national standardisation body (e.g. BSI in UK, DIN in Germany, AFNOR in France),&nbsp;</span><span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">or you can send </span><span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">the contribution to PRIPARE (antonio.kung@trialog.com)</span><br />
*Presentation in Jaipur October 2015<br />
*Contribution in 2016<br />
*Presentation in Tampa April 2016<br />
</div><br />
|}<br />
<div><br/></div><br />
=== <span style="font-size:larger">Assured and Anonymised Attribute Verification</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leaders<br />
| <span style="color: rgb(0, 0, 0); font-family: sans-serif; font-size: 12.8000001907349px; line-height: 19.2000007629395px">Patrick Curry, Eduard de Jong,&nbsp;</span><span style="line-height: 20.7999992370605px">Jaehoom Nah</span><br/><br />
|-<br />
| Objective<br />
| <br/><br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| Initiated in Kuching (May 2015)<br />
|}<br />
<br />
=== <span style="font-size:larger">User Friendly online Privacy Notice and Consent</span> ===<br />
<br />
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
| Leaders<br />
| <span style="line-height: 18.9090900421143px">Nat Sakimura,&nbsp;</span><span style="line-height: 1.6">Jan Schallaböck,&nbsp;</span><span style="line-height: 1.6">Srinivas Poosarla</span><br/><br />
|-<br />
| Objective<br />
| <br/><br />
|-<br />
| Documentation<br />
| <br/><br />
|-<br />
| Comments<br />
| Initiated in Kuching (May 2015)<br />
|}</div>IreneKamara