Completed study periods and pwis

From IPEN Wiki
Jump to: navigation, search


Privacy engineering framework (Started in April 2015. Completed in April 2016)

Leaders Antonio Kung, Matthias Reinis
Objective Study the concept of privacy engineering and see whether new work items are needed
Documentation Slides presenting motivation for study period by Antonio Kung:

Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)

Leader Pascal Pailler, Nat Sakimura, Jaz Hoon Nah
  • Initiated in Jaipur (Oct 2015)
  • Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project:,, initiated in April 2014 in Hong Kong), with an extended scope
  • Completed.
  • Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)

Leaders Nat Sakimura, Mathias Reinis, Elaine Newton

Collecting errors and correcting inconsistencies

  • Completed, has led to a draft amendment (with limited scope)

Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)

Leaders Heung Youl Youm, Srinivas Poorsala, Antonio Kung
  • assess the viability of producing guidelines for Privacy in IoT within WG5;
  • to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen



Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"

Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)

Start/Duration April 2017/6 months)
Leaders Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
Objective prepare the materials necessary to initiate an International Standard
coming out of the SC 27 meeting in Berlin (Oct-2017)



Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed (

Kickoff expected in Wuhan in WG4

PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)

Leader Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri

Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal


Initiated in Jaipur (October 2015)

Privacy in smart cities (Started in October 2015. Completed in November 2017)

Leaders Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari

Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines


Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

Presentation in Abu Dhabi (October 2016) of intermediate state

Presentation in Hamilton (April 2017) of intermediate state

Proposal for new work item in Berlin (Nov 2017)

Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)

Leaders Mathias Reinis, Heung Youl Youm

Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME



Terminated due to lack of contributions

Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)

Leaders David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm



Has resulted in a NWIP

Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)

Leaders Christophe Stenuit, Joanne Knight
Objective Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks


New work item proposal

Concept of PII Deletion (Started in November 2017. Completed in April 2018)

Leaders Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman
Objective Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"



Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018)

Leaders Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,

 Create an initial draft of a new SD that would provide:

  • The scope of the identity standards landscape
  •  Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
  • A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
  •  A register of alignment issues that have been accepted as needing to be resolve
  • Develop a proposal for the process of maintaining the standing document that includes:



Identify assurance framework (Started in April 2017. Completed in October 2018)

Leaders Patrick Curry, Anthony Nadalin
Objective analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework.



Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)


April 2017 / 18 months

Leaders Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
Objective define frameworks of user-centric PII handling based on privacy preferences of users



Triggered by an initiative from ITU-T for such a framework applied to the IoT. See

In Berlin (November 2017),  it was decided to consider 3 options

  • extension of 29101
  • definition of a generic model
  • defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)

Leaders Malcom Townsend, Heung Youl Youm

This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.



Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019)


Andrew Hughes, Christophe Stenuit, Kai Rannenberg


Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document



Consent receipts and records (Started in April 2019, completed in October 2019)

Leaders Collin Wallis, Andrew Hughes

The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing



Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019)

Leaders Hans Hedbom, Alan Shipman

The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.


Privacy consideration in practical workflows (Started in April 2018, completed in April 2020)

Leaders Mickey Cohen

The scope of this study period is to collect contributions:

(1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy



Use case for identity assurance (Started in October 2018, Completed in September 2020)


Andrew Hughes, Tony Nadalin, Patrick Curry


To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115



Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020)


Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei


Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

  • to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
  • to review the new threats to privacy which AI can create,
  • to review how AI can be used by deploying improved privacy controls, and
  • to provide recommendations for standardization work.

Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701

Is further extended 6 months to study the integration of security


In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

IEEE Ethically Aligned AI

Ethics guidelines for trustworthy AI
Privacy Commissioners declaration
AI as a Disruptive Opportunity and Challenge for Security
The impact of AI on life cycle processes
Asilomar principles
Malicious AI report 
Privacy and Freedom of Expression In the Age of Artificial Intelligence
UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?

Australian Human Rights Commission report on Human Rights and Technology

Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701

A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started

Privacy engineering model (Started in April 2019, Completed in September 2020)

Leaders John Sabo, Antonio Kung, Srinivas Poorsala
Objective Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems


As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established

Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020))


Michael Steiner, Alan Shipman


Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:

  1. ISO/IEC 27001 and ISO/IEC 27003
  2. ISO/IEC 27701 (a.k.a. DIS 27552)
  3. ISO Handbook “The integrated use of management system standards”
  4. ISO/IEC 33004
  5. 2nd WD of ISO/IEC 27022


Privacy for Fintech services (Started in October 2019, completed in September 2020)


Heung Youl Youm, Gurshabad Grover, Janssen Esguerra



  • Apply privacy principles described in ISO/IEC 29100:2011
  • Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
  • Consider privacy risks related to providing Fintech services
  • Consider regulatory requirements that impact privacy of customers
  • Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
  • Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.