Deep Dive: ISO 29100 – Privacy Framework

ISO 29100 Privacy Framework is a standard all privacy practitioners should be aware of. Substantially overhauled and updated in 2024, it provides a comprehensive framework for establishing a robust privacy management system (PMS) within your organization. 

In an earlier post, we covered a series of ISO standards that might be of interest to privacy practitioners, including an outline of ISO 29100. This post provides a deeper dive into the newly updated privacy framework standard.

Elements of the Privacy Framework

The standard identifies a number of key components that relate to privacy an the processing of personal information in ICT systems and which make up the privacy framework described in the standard.  These are:

• Actos and roles
• Interactions
• Recognising PI
• Privacy safeguarding requirements
• Privacy policies
• Privacy controls.

Actors and roles

It is important for the design of the framework to identify the four main types of actors involved in processing of Personal Information – including PII principals (data subjects), PII controllers, PII processors and third parties. 

Interactions

 The design of the framework will depend on the role played by your organisation (particularly if it is mainly a controller or processor) – and interactions with the other identified roles.  This section of the standard recommends mapping out the possible flows of PII among the different roles (controllers, processors, principals and third parties).

Recognising PII

The standard provides useful guidance on identifying PII.  It recognises that sometimes, the determination can be straightforward e.g.:

• If it contains or is associated with an identifier which relates to or can be related to a natural person e.g. social security number;
• If it contains or is associated with an identifier which can be used to establish a communication with an identified natural person e.g. a phone number;
• If it contains a references which links the data to any of the identifiers above.

However it also recognises that information does not necessarily need to be associated with an identifier. Identifiability may depend on any characteristic or combination of attributes which uniquely identify an individual. The standard contains an extensive list of attributes that can be used to identify individuals which can be very useful as a starting point.

The Standard also covers other types of data including information which can be linked to an individual, pseudonymous data, metadata, unsolicited PII and sensitive PII.

Privacy safeguarding requirements

This section identifies the different factors that might motivate or influence the design of the privacy framework and the privacy safeguarding requirements including:

• Legal and regulatory factors
• Contractual factors
• Business factors
• Other factors

It makes it clear that the most important factor to consider when identifying privacy safeguarding requirements relates to the privacy preferences of the data subjects (or PII principals), for example a preference for anonymity or pseudonymity, or likely privacy concerns.

Privacy Policies

Top management should establish a privacy policy that:

• Is appropriate to the purpose of of the organisation
• Provides a framework for setting objectives
• Include a commitment to satisfy applicable privacy safeguarding requirements
• is communicated within the organisation; and
• is available to interested parties as appropriate.

This provision reflects the requirement for an information security policy included in ISO 27001.

Privacy controls

The Standard then recommends that privacy controls should be implemented to meet the privacy safeguarding requirements identified, with the controls being documented as part of a privacy risk assessment. Effort should be taken to develop privacy controls as part of a ‘privacy by design’ approach, with privacy compliance taken into account at the design phase of systems processing PII rather than being bolted on at a subsequent stage.

Privacy Principles to be considered

As outlined previously, Section 6 of ISO 29100 describes 11 privacy principles to be used in the design, development and implementation of privacy policies and controls in ICT systems.  These principles are derived from existing principles developed by countries and international organisations.

The identified principles are:

• Consent and choice.
• Purpose legitimacy and specification.
• Collection limitation.
• Data minimization.
• Use, retention and disclosure limitation.
• Accuracy and quality.
• Openness, transparency and notice.
• Individual participation and access.
• Accountability.
• Information security.
• Privacy compliance.

For each of the 11 principles, the Privacy Framework provides further guidance on what might be required and how to adhere to them. 

Conclusion

ISO 29100 is useful high-level framework providing a starting point for the development of a privacy management program, particularly for organisations operating across jurisdictions with different legal requirements. The 11 identified principles provide a useful set of general requirements that can be mapped to many different privacy laws.

The Privacy 108 team has worked with many organisations on developing and implementing privacy policies, processes, and standards to boost organisational privacy posture. If your organisation needs help, reach out. Our privacy consultants would love to help.