Completed study periods and pwis
Privacy engineering framework (Started in April 2015. Completed in April 2016)
Leaders | Antonio Kung, Matthias Reinis |
Objective | Study the concept of privacy engineering and see whether new work items are needed |
Documentation | Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf |
Timeline |
|
Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)
Leader | Pascal Pailler, Nat Sakimura, Jaz Hoon Nah |
Objective | |
Documentation | |
Comments |
|
Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)
Leaders | Nat Sakimura, Mathias Reinis, Elaine Newton |
Objective |
Collecting errors and correcting inconsistencies |
Documentation | |
Comments |
|
Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)
Leaders | Heung Youl Youm, Srinivas Poorsala, Antonio Kung |
Objective |
|
Documentation |
|
Comments |
Initiated in Tampa (April 2016) Initial contribution in Abu Dhabi (October 2016) Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things. Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users" |
Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)
Start/Duration | April 2017/6 months) |
Leaders | Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala |
Objective | prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017) |
Documentation |
|
Comments |
Is an SC27/WG4 study periods involving WG4 and WG5. Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things). Kickoff expected in Wuhan in WG4 |
PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)
Leader | Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri |
Objective |
Study mobile application ecosystems from a privacy viewpoint Collect views of multiple stakeholders in the mobile applications space Collect mobile apps privacy guidelines issued by various agencies Collate a report on the findings Potentially provide a new work item proposal |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) |
Privacy in smart cities (Started in October 2015. Completed in November 2017)
Leaders | Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari |
Objective |
Connect with multiple stakeholders in the smart city space Refer the existing work on smart cities Collate information, feedback, inputs from the stakeholders and draft the guidelines Potentially provide (a) new work item proposal(s) that can translate in guidelines |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) Presentation in Tampa (April 2016) of intermediate state
Presentation in Abu Dhabi (October 2016) of intermediate state
Presentation in Hamilton (April 2017) of intermediate state
Proposal for new work item in Berlin (Nov 2017) |
Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)
Leaders | Mathias Reinis, Heung Youl Youm |
Objective |
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME |
Documentation |
|
Comments |
Terminated due to lack of contributions |
Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)
Leaders | David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm |
Objective | |
Documentation |
|
Comments |
Has resulted in a NWIP |
Leaders | Christophe Stenuit, Joanne Knight |
Objective | Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks |
Documentation |
|
Comments |
New work item proposal |
Concept of PII Deletion (Started in November 2017. Completed in April 2018)
Leaders | Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman |
Objective | Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" |
Documentation |
|
Comments |
|
Development of Identify standards landscape standing document (Started in April 2018, Completed in October 2018)
Leaders | Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, |
Objective |
Create an initial draft of a new SD that would provide:
|
Documentation |
|
Comments |
|
Identify assurance framework (Started in April 2017. Completed in October 2018)
Leaders | Patrick Curry, Anthony Nadalin |
Objective | analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. |
Documentation |
|
Comments |
|
Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)
Start/duration |
April 2017 / 18 months |
Leaders | Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm |
Objective | define frameworks of user-centric PII handling based on privacy preferences of users |
Documentation |
|
Comments |
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment In Berlin (November 2017), it was decided to consider 3 options
In Wuhan (May 2018), it was decided to prepare a NWIP In Gjovik (October 2018), the NWIP was finalised |
Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)
Leaders | Malcom Townsend, Heung Youl Youm |
Scope |
This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on. |
Documentation |
|
Comments |
|
Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019)
Leaders |
Andrew Hughes, Christophe Stenuit, Kai Rannenberg
|
Objective |
Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document |
Documentation |
|
Comments |
|
Consent receipts and records (Started in April 2019, completed in October 2019)
Leaders | Collin Wallis, Andrew Hughes |
Objective |
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing |
Documentation |
|
Comments |
|
Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019)
Leaders | Hans Hedbom, Alan Shipman |
Objective |
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon. |
Comments |
|
Privacy consideration in practical workflows (Started in April 2018, completed in April 2020)
Leaders | Mickey Cohen |
Objective |
The scope of this study period is to collect contributions: (1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole (2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy |
Documentation |
|
Comments |
|
Use case for identity assurance (Started in October 2018, Completed in September 2020)
Leaders |
Andrew Hughes, Tony Nadalin, Patrick Curry
|
Objective |
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance. These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115 |
Documentation |
|
Comments |
|
Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020)
Leaders |
Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei |
Objective |
Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period
Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701 Is further extended 6 months to study the integration of security |
Documentation |
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references: |
Comments |
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence An intermediate report was provided in Tel-Aviv (April 2019). A second report was provided in Paris (October 2019) A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701 A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started |
Privacy engineering model (Started in April 2019, Completed in September 2020)
Leaders | John Sabo, Antonio Kung, Srinivas Poorsala |
Objective | Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems |
Documentation |
|
Comments |
As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established |
Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020))
Leaders |
Michael Steiner, Alan Shipman |
Objective |
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family. Consider the following:
|
Documentation |
|
Comments |
|
Privacy for Fintech services (Started in October 2019, completed in September 2020)
Leaders |
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra |
Objective |
Objectives
Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services. |
Documentation |
|
Comments |
|
Privacy for Fintech services (Started in October 2019, completed in September 2020)
Leaders |
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla |
Objective |
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces. |
Documentation |
|
Comments |
Completed, transformed into a NWIP 27565 |