ISO/IEC JTC 1/SC 27/WG 5 N1870
ISO/IEC JTC 1/SC 27 N19770
REPLACES: N

ISO/IEC JTC 1/SC 27/WG 5
Information Security, Cybersecurity and Privacy Protection
Identity Management and Privacy Technologies
Convenorship/Secretariat: DIN, Germany

Document type: text for DIS ballot
Title: Text for ISO/IEC 1st DIS 29184 -- Online privacy notice and consent
Status: This document is circulated within SC 27/WG 5 for information.
Date of document: 2019-05-08
Source: CRM for SC 27/WG 5 projects (April 2019)
Expected action: INFO
Action due date:
No. of pages: 1 + 36
Email of secretary: krystyna.passia@din.de
Committee URL: http://isotc.iso.org/livelink/livelink/open/jtc1sc27wg5

Secretariat ISO/IEC JTC 1/SC 27/WG 5 – DIN Deutsches Institut für Normung e. V., Saatwinkler Damm 42/43, D-13627 [D-10772 postal] Berlin, Germany
Telephone: + 49 30 2601-2652; Facsimile: + 49 30 2601-4-2652; E-mail: krystyna.passia@din.de; HTTP://www.din.de/go/jtc1sc27

ISO/IEC JTC 1/SC 27 N19770
REPLACES: N19111

ISO/IEC JTC 1/SC 27
Information Security, Cybersecurity and Privacy Protection
Secretariat: DIN, Germany

DOC TYPE: text for DIS ballot
TITLE: Text for ISO/IEC 1st DIS 29184 -- Online privacy notice and consent
SOURCE: CRM for SC 27/WG 5 projects (April 2019)
DATE: 2019-04-30
PROJECT: 1.27.121 (ISO/IEC 29184)
STATUS: As per Resolution 2 (contained in SC 27 N19779) of the Comment Resolution Meeting (CRM) for SC 27/WG 5 projects held in Ramat Gan / Tel-Aviv, Israel, during the SC 27/WG week on 2019-04-01/05, this document has been submitted to the ISO Central Secretariat (ITTF) for a 12-week 1st DIS letter ballot processing. It is circulated within SC 27 for information.
ACTION: ITTF
DUE DATE:
DISTRIBUTION: P-, O-, and L-Members; L. Rajchel, JTC 1 Secretariat; J. Alcorta, ISO/CS (ITTF); A. Wolf, SC 27 Chairman; L. Lindsay, SC 27 Vice-Chair; E. J. Humphreys, T. Chikazawa, M. Bañón, J. Amsenga, K. Rannenberg, WG Convenors; N. Sakimura, S. Poosarla, Ch. Sténuit, Project editor and co-editors
MEDIUM: http://isotc.iso.org/livelink/livelink/open/jtc1sc27
NO. OF PAGES: 1 + 30 + 7 (Attachment 1)

Secretariat ISO/IEC JTC 1/SC 27 – DIN Deutsches Institut für Normung e. V., Saatwinkler Damm 42/43, D-13627 [D-10772 postal] Berlin, Germany
Telephone: + 49 30 2601-2652; Facsimile: + 49 30 2601-42652; E-mail: krystyna.passia@din.de; HTTP://www.din.de/go/jtc1sc27

© ISO/IEC 2019 – All rights reserved

ISO JTC 1/SC 27 N 19770
ISO JTC 1/SC 27 WG 5 N 1870
ISO/IEC 29184
ISO/IEC JTC 1/SC 27/WG 5
Date: 2019-04-30
Secretariat: DIN

Information technology — Online privacy notices and consent
Technologies de l'information — Mentions sur l'emploi de données personnelles et consentement en ligne

DIS stage

Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

ISO/IEC 1st DIS 29184

Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's member body in the country of the requester.

Secretariat of ISO/IEC JTC 1/SC 27
DIN German Institute for Standardization
D-10772 Berlin
Tel. + 49 30 2601 2652
Fax + 49 30 2601 4 2562
E-mail krystyna.passia@din.de
Web http://www.jtc1sc27.din.de/en (public website)
http://isotc.iso.org/livelink/livelink/open/jtc1sc27 (SC 27 documents)

Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.

© ISO/IEC 2017 – All rights reserved

Contents
Information technology — Online privacy notices and consent ... 1
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Symbols and abbreviated terms ... 2
5 General requirements and recommendations ... 2
5.1 Overall objective ... 2
5.2 Notice ... 2
5.2.1 General ... 2
5.2.2 Providing notice obligation ... 2
5.2.3 Appropriate expression ... 3
5.2.4 Multi-lingual notice ... 3
5.2.5 Appropriate timing ... 3
5.2.6 Appropriate locations ... 4
5.2.7 Appropriate form ... 4
5.2.8 Ongoing reference ... 5
5.2.9 Accessibility ... 5
5.3 Contents of notice ... 5
5.3.1 General ... 5
5.3.2 Purpose description ... 6
5.3.3 Presentation of purpose description ... 6
5.3.4 Identification of the PII controller ... 6
5.3.5 PII collection ... 6
5.3.6 Collection method ... 7
5.3.7 Timing and location of the PII collection ... 8
5.3.8 Method of use ... 8
5.3.9 Geo-location of, and legal jurisdiction over, stored PII ... 8
5.3.10 Third party transfer ... 9
5.3.11 Retention period ... 9
5.3.12 Participation of PII principal ... 9
5.3.13 Inquiry and complaint ... 10
5.3.14 Information about accessing the choices made for consent ... 10
5.3.15 Basis for processing ... 11
5.3.16 Risks ... 11
5.4 Consent ... 12
5.4.1 General ... 12
5.4.2 Identification of whether consent is appropriate ... 12
5.4.3 Informed and freely given consent ... 12
5.4.4 Providing the information about which account the PII principal is using ... 13
5.4.5 Independence from other consent ... 13
5.4.6 Separate consent to necessary and optional elements of PII ... 13
5.4.7 Frequency ... 14
5.4.8 Timeliness ... 14
5.5 Change of conditions ... 14
5.5.1 General ... 14
5.5.2 Renewing notice ... 14
5.5.3 Renewing consent ... 15
Annex A User Interface example for obtaining the consent of a PII principal on PCs and smartphones ... 17
A.1 Introduction ... 17
A.2 User interface examples for obtaining initial consent for PCs and smartphones ... 17
A.2.1 Identification of which account the PII principal is using ... 17
A.2.2 Order of Items to be displayed ... 18
A.2.3 Displaying actual values ... 20
Annex B Example of a Consent Receipt or Consent Record ('Note', Clause 5.4.3) ... 21
B.1 Introduction and Purpose of a Consent Receipt ... 21
B.2 The content and layout of a Consent Receipt ... 21
B.2.1 An example human-readable Consent Receipt – simple ... 21
Consent Parties ... 22
Information Subject ... 22
Information Controller ... 22
Data, collection and use ... 23
Purposes for collection and use ... 23

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

Introduction

The wider availability of communication infrastructures like home broadband connections and the global internet, the growth in the use of smartphones and other devices (e.g., wearables) that collect details of individuals' activities, and improvements in information processing capability have enabled much wider-ranging collection and analysis of personal information. Such technological improvements provide a better prospect for more convenient consumer life, new business opportunities, more attractive services and more added value.

On the other hand, consumers are becoming increasingly "privacy aware" and are questioning the privacy impact of the collection and use of personally identifiable information (PII) by online services. This criticism is often due to the lack of a clear explanation of how their PII will be processed, stored, maintained and managed.

This document specifies controls and associated additional information for organizations to provide the basis for presenting clear, easily understood information to individuals whose PII is collected, about how the organization will process their PII (e.g., when providing services to consumers or under an employment relationship) and to obtain consent from the PII principals in a fair, demonstrable, transparent, unambiguous and revocable (withdrawable) manner.

This document provides details on the implementation of two privacy principles (i.e., Principle 1: Consent and Choice, Principle 7: Openness, Transparency and Notice) from ISO/IEC 29100.

Information technology — Online privacy notices and consent

1 Scope

This document specifies controls which will shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals.

This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 29100, Information technology — Security techniques — Privacy framework

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
explicit consent
personally identifiable information (PII) principal's freely given, specific and informed unambiguous agreement to the processing of their PII exercised through an affirmative act indicating such consent by the PII principal

[SOURCE: ISO/IEC 29100:2011, 2.4, modified – added "exercised through an affirmative act indicating such consent by the PII principal" to definition of consent.]

Note 1 to entry: Explicit consent is the result of an opt-in.

Note 2 to entry: Explicit consent may also be referred to as express consent.

EXAMPLE Consent is obtained by asking the PII principal to take a specific action in the context of a notice.

3.2
notice
information regarding processing of PII

Note 1 to entry: Given to the PII principals through different channels, in a concise, transparent, intelligible and easily accessible form and using clear and plain language.

3.3
element of PII
category of PII
piece of PII
descriptor for a type of information, or a set of types of information

4 Symbols and abbreviated terms

JSON JavaScript Object Notation
PC Personal Computer
PII Personally Identifiable Information
XML Extensible Markup Language

5 General requirements and recommendations

5.1 Overall objective

The overall objective of the standard is to allow PII principals to understand and act in accordance with the implications of PII processing, such as the likelihood and severity of any potential impact the processing may have, as well as the direct and/or intended consequences of the processing.

Organizations that wish to demonstrate compliance with this document must document for each control of Clause 5:
a) whether the control applies,
b) when there are reasons that can justify that the control does not apply, that the justification is documented and validated,
c) how the implementation of the control is verified and validated.
5.2 Notice

5.2.1 General

Objective: To provide notice where it is required, in a language appropriate to PII principals, at a time that permits PII principals to meaningfully exercise consent, at places where it is easy for PII principals to recognize, and with references that provide PII principals with access to supplementary material, including prior notices and their responses.

5.2.2 Providing notice obligation

Control
The organization shall identify situations where providing notice is necessary and shall provide notice that complies with the requirements and recommendations in 5.3 to PII principals whenever it is required.

Additional information
The notice should provide all interested parties, including outsiders to the organization, with the organization's privacy practices, as well as other relevant information such as contact details including the identity and registered address of the PII controller, and contact points from which PII principals can obtain additional information.

Displaying a visual notice is one way to provide notice. For accessibility, either screen readers for visual notices or directly audible notices may be appropriate to assist those who are visually impaired. Other forms of notice may also be appropriate (see 5.2.9).

The organization should provide a notice to PII principals in accordance with relevant data protection/privacy legislation. Notice may be required, among other situations, when the organization plans to collect new PII (from the PII principal or from another source) or when it plans to use PII already collected for new purposes.

5.2.3 Appropriate expression

Control
The organization shall provide the notice in a way that is clear and easy to understand for the targeted PII principals. The notice shall be easily legible and in a concise language that a reasonable person without any legal or technical training can comprehend.

Additional information
The notice should be drafted taking into account particular categories or types of PII principals (e.g. disadvantaged societal sub-groups).

5.2.4 Multi-lingual notice

Control
The organization shall provide the notice in the language(s) according to the target principal's language expectations.

Additional information
For example, the organization may present the PII principal with a list of supported languages displayed in the respective languages and allow the PII principal to choose the language. Displaying the name of each language in that language is important, as the PII principal may not be able to recognize it if it is shown in another language.

A web browser has a preference setting for a preferred language, and it may be used for this purpose. However, solely depending on the browser's language preference may not be a good idea since the PII principal may be using a shared computer.

5.2.5 Appropriate timing

Control
The organization shall determine and document the appropriate timing (e.g., immediately prior to collecting the PII) for providing notice to the PII principals when the activity in question is relevant to the privacy interests of the PII principals.

Additional information
When an organization provides a PII principal with a notice and then collects the PII at a later point in time, including cases in which data are collected from another source, the timing of the notice and the collection of PII can differ significantly.
The organization should provide notice where the use of PII can have unexpected or significant effects on PII principals. If an organization intends to collect additional PII, it should provide a further notice.

5.2.6 Appropriate locations

Control
The organization shall provide notices in a manner appropriate to the product or service in question so that PII principals can find and access the notices electronically and easily, including at online locations.

Additional information
Appropriate online locations can include but are not limited to links on the organization's home pages on its websites, or on the landing page, the start-up page of mobile apps, online forms, or in captive portals.

In some cases, PII may be processed without prior interaction with the PII principal. From the point of view of the PII principals, it would actually be quite hard to even find out who is processing their data and thus it does not help to post the privacy notice only on the organization's web site. It is useful to have a place where a PII principal can go and obtain the privacy notices of such organizations. Thus, where applicable and feasible, the organization should consider using a publicly accessible common repository where stakeholders can easily find and access the relevant notices.

5.2.7 Appropriate form

Control
The organization shall determine how the notice is provided and made accessible with respect to the timing of processing.

Additional information
The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices and icons, and may provide notices in a machine-readable format so that the software which is presenting it to the PII principal can parse it to optimize the user interface and help PII principals make decisions.

If the organization implements the control using a layered notice, the first layer should detail anything unexpected or things that could significantly impact a PII principal, with that impact determined in the assessment described in 5.3.3. The other layers should provide notice of all collection and/or processing activities in order to give the PII principal detailed information of these activities. Organizations should display the first layer of each notice such that PII principals are able to read it as quickly as possible. It should not span more than a few screens. Given the volume constraints, it may not be possible to display all the contents on one screen. In that case, organizations should display the summary first. In the context of mobile devices and smartphones, for better readability, it would be useful to introduce a "multilayer approach" to notice and consent, showing a short text, with key information and with a link to the "full text" notice/consent.

When organizations display elements of PII to be collected, they should display them by groups with those having the highest potential privacy impact being listed first so that PII principals can clearly recognize the differences.

Organizations should make content, including relevant information omitted from the first or subsequent screens, available for reference by PII principals if they wish.

NOTE In the case of online notification, pop-ups and drill-downs can be used to display content. PII principals can have difficulty in reading a large amount of terms and conditions in a contract, especially when they are about to take a certain action.

Machine-readable notices may be provided in a standardized XML or JSON format. By so doing, it becomes possible for devices to select items appropriately and display graphics and icons where applicable. However, organizations need to note that the PII principal's interpretation of graphical representation could differ significantly depending on cultural backgrounds. Guidance for the region or culture in question may be created in order to prevent PII principals from getting confused.

5.2.8 Ongoing reference

Control
The organization shall keep and make available the version of the notice presented when the PII principal gave consent, as well as the most recent relevant version for easy reference by that PII principal.

Additional information
Versions of notices should be retained for as long as they are associated with retained PII.

5.2.9 Accessibility

Control
The organization shall provide a notice in an accessible manner that is appropriate to the technologies underlying the online service.

Additional information
Particularly in cases where individuals with accessibility issues are expected to access notices, the notices should enable them to understand the content of the notices. This may involve the need to ensure that the text of the notice can be converted to sound for those individuals with visual issues.

Guidelines such as ISO/IEC 40500 W3C Web Content Accessibility Guidelines (WCAG) 2.0 help in designing for accessibility.

5.3 Contents of notice

5.3.1 General

Objective: To ensure that the PII principal has sufficient information within the notice to understand how the PII is being processed and what rights the PII principal has.

5.3.2 Purpose description

Control
The organization shall ensure that the notice includes information about the purpose(s) for which the PII will be processed.

Additional information
It is important for PII principals to understand the purposes for the processing of the PII collected so that they can provide meaningful consent. For brevity of the notice, a name or short phrase for each purpose may be used, but it should be possible (e.g., via a hyperlink) to associate that name or phrase with an overview of the purpose sufficient for PII principals to provide meaningful consent.

Care needs to be taken when drafting notices, as the inclusion of too much detail may result in the need to reissue them at frequent intervals.

5.3.3 Presentation of purpose description

Control
The organization shall specify the purposes related to the collection of each element of PII and appropriate information about the plausible risk of the processing, in an order according to the general assessment of the risk.

NOTE The impact and risk may not necessarily be obvious.

Additional information
The organization explains how PII will be used in a manner that allows the PII principal to clearly and readily understand the purpose. If the purpose of the use varies among the elements of PII being collected, the organization should clearly mark which purpose applies to which element of PII.

5.3.4 Identification of the PII controller

Control
The organization shall provide the PII principal with the relevant information (e.g., the identity and contact details) about the PII controller.

Additional information
Identification of the PII controller is typically by company name, but could also involve the displaying of company number, head office / operational address and (if appropriate) departmental information.
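The following is an added example, not part of the draft and not a format the draft defines. It shows how the machine-readable notice of 5.2.7 can be expressed as JSON, ordered with the highest-impact elements first and each element marked with its purposes as 5.3.3 asks, and how the exact version shown at the time of consent is kept retrievable as 5.2.8 requires. The JSON field names, the three-step risk scale, the SHA-256 content hash used as a version identifier and the sample notice are all assumptions of this example.

```python
"""Machine-readable, versioned privacy notice (added example, not ISO/IEC 29184 text).

Ties together 5.2.7 (a JSON notice that client software can parse),
5.3.3 (elements ordered by risk, each marked with its purposes) and
5.2.8 (the exact version shown when consent was given stays retrievable).
The JSON field names, the risk scale and the sample notice are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed risk scale: higher number, higher potential privacy impact.
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample notice: one entry per element of PII, with its purposes,
# risk level, collection method (5.3.6 a to d) and whether it is required.
SAMPLE_NOTICE = {
    "controller": {"name": "Example Org Ltd", "contact": "privacy@example.org"},
    "elements": [
        {"name": "email", "purposes": ["account_login"], "risk": "medium",
         "collection": "direct", "required": True},
        {"name": "browsing_history", "purposes": ["personalised_ads"],
         "risk": "high", "collection": "observed", "required": False},
        {"name": "display_name", "purposes": ["profile_page"], "risk": "low",
         "collection": "direct", "required": False},
    ],
}


def canonical_json(notice: dict) -> str:
    """Deterministic serialization, so the same content always gets the same id."""
    return json.dumps(notice, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def notice_version_id(notice: dict) -> str:
    """Content-derived version id: SHA-256 of the canonical JSON."""
    return hashlib.sha256(canonical_json(notice).encode("utf-8")).hexdigest()


def elements_by_risk(notice: dict) -> list:
    """Highest potential impact first (5.3.3); equal risk keeps the notice's order."""
    return sorted(notice["elements"], key=lambda e: -RISK_LEVELS[e["risk"]])


def display_order(notice: dict) -> list:
    """Element names in the order the first screen should list them."""
    return [e["name"] for e in elements_by_risk(notice)]


class NoticeStore:
    """Keeps every published version; an old version is never overwritten (5.2.8)."""

    def __init__(self):
        self._versions = {}
        self._latest = None

    def publish(self, notice: dict) -> str:
        version = notice_version_id(notice)
        self._versions.setdefault(version, canonical_json(notice))
        self._latest = version
        return version

    def has(self, version: str) -> bool:
        return version in self._versions

    def get(self, version: str) -> dict:
        return json.loads(self._versions[version])

    def latest_version(self) -> str:
        return self._latest


def record_consent(store: NoticeStore, principal_id: str,
                   version: str, accepted: list) -> dict:
    """Consent record that names the exact notice version the principal saw.

    Consent against a version the store does not hold, or for an element that
    version does not list, is rejected: it could not later be shown to the
    principal together with the text they agreed to.
    """
    if not store.has(version):
        raise ValueError("consent must reference a stored notice version")
    listed = {e["name"] for e in store.get(version)["elements"]}
    unknown = set(accepted) - listed
    if unknown:
        raise ValueError(f"elements not in the notice shown: {sorted(unknown)}")
    return {
        "principal": principal_id,
        "notice_version": version,
        "accepted_elements": sorted(accepted),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
```

Because the version identifier is derived from the canonical content, two notices that differ only in key order get the same identifier, while any change to purposes or elements yields a new one, so a consent record can always be matched to the wording the principal actually saw.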
5.3.5 PII collection

Control

The organization shall provide information that allows PII principals to understand what elements of PII are being collected, even where the collection of the particular elements of PII is obvious.

Additional information

In addition to using generic language such as "We collect your personal information," where appropriate based on the impact determined in the assessment described in 5.3.3, the organization should provide the list of specific elements of PII that are collected (e.g., "We collect your name, address, and telephone number.") even if it is obvious what the collected information is. To identify what would count as the PII to be listed in the notice, the organization should consult 4.4 of ISO/IEC 29100:2011.

The organization should present the actual value of an element of PII to be collected at the time of collection where it is relevant, feasible and practical. Where it is not feasible to do so, the organization may provide a clear example of the element values being collected with the associated name of an element of PII. By doing so, the PII principal can understand what is referred to by the name of an element of PII and what kind of values are going to be collected.

Where the PII controller collects the PII from the PII principal through their devices or identity provider, the actual value can be shown to the PII principal with the notice before being transferred to the PII controller. See Annex A.2.3 for such examples. Showing actual values of elements of PII helps the PII principals to determine if they want to provide them to the PII controller, especially in cases where there are multiple elements of the same type. For example, for a phone number, the PII principal may be fine to provide his work telephone number but not his personal mobile number.
EXAMPLE Instead of referring to "telephone number," the organization should state "telephone number (01-234-5678)".

Care should be taken to lessen the risk of PII leak through shoulder surfing, etc. Techniques such as masking and drill down should be considered.

If new PII is generated through some kind of processing of PII, showing the actual value before the consent is impossible. In such cases, providing an example value may be desirable. For example, when purchase data from a shop is to be provided, and the PII principal does not have a purchase at the time of consent, there is no actual data available for display. In such a case, it may be desirable to obtain the understanding of the PII principal by showing example purchase data and informing the PII principal what kind of data is going to be collected.

5.3.6 Collection method

Control

The organization shall provide PII principals with clear explanations of the collection methods being used, along with information about any risks associated with particular collection methods.

Additional information

PII can be collected in different ways. For example, PII can be

a) directly collected from the PII principal, e.g., through a web form;
b) indirectly collected, e.g., from a third party, such as a credit agency;
c) observed by the PII controller, e.g., observing browser fingerprint and accessed web pages;
d) inferred by the PII controller, e.g., profiling the PII principal by analysing the data collected through the methods a) to c).

Based on the impact determined in the assessment described in 5.3.3, if the collection methods are different depending on the element of PII, the organization should inform the PII principal which collection method is applied to each element of PII. When the same collection method is applied to multiple elements of PII, then elements of PII can be grouped together under each collection method.
However, if the privacy impact of one or more elements of PII in the group is markedly higher than others according to a general assessment of impact to the corresponding population of PII principals, then it should be communicated separately so that the PII principal becomes aware of this.

NOTE This is to prevent the "hide a tree in a forest" attack, where the attacker buries the high impact elements of PII in benign ones to trick the PII principal into giving consent.

5.3.7 Timing and location of the PII collection

Control

The organization shall explain in the notice generally when and where the PII is collected, although such notice shall not be required in circumstances where PII collection occurs where and when a PII principal undertakes an action such as the explicit submission of information.

Additional information

If PII is not directly collected, the timing and the location of the PII collection may not be obvious to the PII principal. Including this information in the notice will help the PII principal to understand the situation.

Typically, notices should be provided prior to the PII being collected. For example, where PII is being collected on a web based form, the top of the form could include the privacy notice (or a summary of the notice with a link to the full notice). A second example is based on the collection of PII by CCTV in a public area: a notice that 'CCTV is in operation', along with details of the PII controller and contact details, should be displayed at the entrance to the area covered by the CCTV.

5.3.8 Method of use

Control

The organization shall include in the notice how the PII will be used.

Additional information
Method of use can include:

— used as is,
— combined with other data (e.g., geo-localized, via the use of cookies, from third parties),
— used after some processing (e.g., derivation, inference, de-identification, or combining with other data),
— used by automated decision-making techniques (e.g., profiling, classification).

If some processing (e.g., de-identification, aggregation) is applied to the PII before use, it is desirable to state what kinds of transformations are being applied.

5.3.9 Geo-location of, and legal jurisdiction over, stored PII

Control

The organization shall specify the geo-location(s) where PII will be stored and processed and the legal jurisdiction(s) that govern the handling of the data.

Additional information

The granularity of geographical location(s) (e.g., country, region) should be consistent with the applicable geographical extent(s) of the relevant applicable law(s).

5.3.10 Third party transfer

Control

The organization shall provide in the notice if the PII will be transferred to a third party in the ordinary course of business.

NOTE Transfer includes PII disclosure/communication.

Additional information

If an organization will transfer PII to a third party, the notice shall include, directly or indirectly:

— to whom the PII will be transferred;
— the geo-location(s) where the PII will be transferred to, and any changes in legal jurisdiction(s) that may arise;
— for what purpose the PII will be transferred;
— the negative impacts on the PII principal, or risks of such impacts caused by the data transfer; and
— the related safeguard for the transfer (e.g., confidentiality and integrity safeguard).

Although the organization needs to identify and provide notice of individual third-party recipients, it may specify a group of recipients using clearly defined criteria where appropriate.

Criteria as specified in 5.3.10 should be clearly defined as part of a purpose specification category or definition.

NOTE 5.3.10 only applies to third party transfers and does not apply to a transfer to a PII processor.

5.3.11 Retention period

Control

The organization shall provide information about the retention period and/or disposal schedule of the PII that it is collecting.

Additional information

The information concerning the retention period and/or disposal schedule may be in the form of a specified period (e.g., 5 years) from the date of collection or from the occurrence of a specific event, or a specified date (e.g., to be disposed of on 1 January 2025). It may also consist of the criteria used to determine that period or schedule.

NOTE An organization may collect PII for multiple purposes. Depending on the purposes, the retention period may differ. As such, the data retention period may also be specified per purpose.

5.3.12 Participation of PII principal

Control

The organization shall provide information about the PII principal's rights (e.g., access, rectification, deletion, objection, restriction, data portability, withdrawal of consent, etc.) to access their PII, as well as their rights to correct or delete their PII.
Additional information

The notice should include, directly or indirectly, the following aspects of the access:

a) what elements of PII the PII principal can request access to and the means by which the PII principal can make such a request;
b) what information the PII principal has to provide to authenticate themselves to an acceptable level before access to any PII is authorized (to avoid the risk of inappropriate disclosure);
c) the timelines within which a request will be acted upon;
d) any fees which may be charged for such access, where the charging of such fees is permitted;
e) the means by which PII principals can challenge the accuracy and completeness of the PII and have it amended as appropriate;
f) the circumstances where information will not be altered or deleted, detailing opportunities to indicate the PII principal's objections regarding the correctness of the PII; and
g) when consent is the legal basis, how it can be revoked if the revocation is feasible or required by relevant legislation.

5.3.13 Inquiry and complaint

Control

The organization shall provide information about the contact details for inquiries regarding the processing of PII stated in the notice and about the right to lodge a complaint with a supervisory authority.

Additional information

Contact information consists of, but is not limited to, telephone numbers, websites, email addresses, and physical locations where inquiries can be directed.

5.3.14 Information about accessing the choices made for consent

Control

The organization shall inform the PII principal of where and how to access preserved evidence of the choice exercised initially and as subsequently revised by the PII principal (including revocation), along with the date such choices were made.

Additional information

Choice and consent are distinct concepts. Choice is the action made by the PII principal. Unless the basis upon which the PII principal made the choice is informed and fair, the choice does not necessarily entail consent. This control deals with choice instead of consent in order to preserve the objective action of the PII principal.

This may be required for future reference. For example, the PII principal may inquire about it in order to revise the previously given consent. It may also be required in the event of a dispute. When the notice or the privacy policy referenced in the notice undergoes significant revision, all such revisions should be preserved.

Organizations, when obtaining the explicit consent as described in 5.4, should provide notice to PII principals so that PII principals can see the content of their consent by an appropriate means, at any time within reasonable limits appropriate to the mechanism provided.

5.3.15 Basis for processing

Control

The organization shall ensure that the notice includes information about the basis by which the PII will be processed.

Additional information

Consent is one possible basis for processing. Other bases such as performance of a contract may be possible.

5.3.16 Risks

Control

The organization should provide specific information about plausible risks to PII principals, where the impact to privacy and likelihood of occurrence (after mitigations are taken into account) are high or those risks cannot be inferred from other information provided to the PII principal.

Additional information

The information provided in notices should generally be sufficient that the PII principal can be reasonably expected to identify potential risks to their privacy.
The risk should be explicitly communicated:

— where the organization determines a high risk, or if a risk cannot be expected from other information provided by the PII principal (in this case the PII controller should communicate this risk regardless of the likelihood of occurrence).

For those risks that are specifically communicated to the PII principal, this can be done in a separate section or within the corresponding section (e.g., if the plausible highest risks relate to the purpose of processing and particular data types, they could be communicated within those sections, or in a separate section of the notice specific to risks). In some cases, it may be preferable to improve the other information provided so that the risks can be better inferred from this information, e.g. by being more specific on purpose descriptions or elements of PII processed.

NOTE Residual risk to the privacy of a PII principal can be determined from a risk assessment or privacy impact assessment.

5.4 Consent

5.4.1 General

Objective: To ensure that the organization obtains consent from the PII principal when consent is the basis for collection of PII, in a manner that is fair, demonstrable, transparent, unambiguous and revocable (withdrawable).

5.4.2 Identification of whether consent is appropriate

Control

The organization shall identify the situations where consent or explicit consent is appropriate and shall request consent from PII principals in these situations.

Additional information

The organization may be required to obtain consent concerning its PII collection from PII principals by relevant data protection/privacy legislation. Consent may be required, among other things, when the organization plans to collect new PII or when it plans to use PII already collected for new purposes.

Explicit consent may be required, among other things, when the organization plans to collect sensitive PII or when it plans to use sensitive PII already collected for new purposes, or if the collection or new purposes cause or indicate a particularly high negative impact on the PII principal or a particularly high risk of such an impact.

Consent is not the only lawful basis for the processing of PII and thus is not always required. In some jurisdictions, other lawful bases include a) contractual necessity, b) compliance with legal obligations, c) vital interest, d) public interest, and e) legitimate interests.

5.4.3 Informed and freely given consent

Control

The organization shall provide sufficient details concerning its processing of PII so that the PII principal can give consent to the processing freely, specifically and on a knowledgeable basis, and can easily access, modify and/or withdraw that consent.

Additional information

Details should include the information specified in 5.3.

Consent is only considered to be informed if there is evidence that the PII principal has been provided a clear and understandable notice. Consent needs to be freely given without the PII principal perceiving any form of coercion or compulsion.

Organizations, when obtaining consent, should obtain it through the PII principal's intentional action. An intentional action is an action which is unambiguously associated with the PII principal's own intention. For example, user interface actions such as clicking a check box, pressing a button or sliding a slide bar can be considered as forming an intentional action.

If the screen to display the notice and the screen to perform the action are separated, PII principals may get confused about what they are about to do. Therefore, it is better to display the notice on the same screen as the one obtaining the consent.
Where it is not feasible to display the notice and the request for consent on the same screen, organizations should take additional measures (such as a summary of key points from the notice) to ensure that the PII principal clearly understands what they are consenting to.

The modification and withdrawal of the consent should be as easy as it was to give. This may be achieved by providing an account or privacy settings page for the PII principal.

NOTE One possible approach to document the consent is to use a consent receipt as explained in Annex B.

5.4.4 Providing the information about which account the PII principal is using

Control

When an organization is collecting consent associated with an account, the organization shall clearly indicate which account of the PII principal it is asking to grant consent.

Additional information

A PII principal may have more than one online account at the PII controller. For example, the PII principal may have browser sessions to a service with both their work account and their private account. Another common example is a case where members of a family are sharing the same PC, the web browser is maintaining the sessions for all of them, and the user can select the account from a pull-down menu.

Organizations should display the user account or identity that is being used to give consent in the manner that the PII principal is accustomed to when using the system. At the outset, the PII controller ensures that the claimed PII principal is verified so that the PII controller can be confident that the PII rightfully relates to that PII principal.

Also note that there are cases where the PII principal has not established an account with the service, but the service is identifying the PII principal with an implicit account that may be linked to an explicit account later.
5.4.5 Independence from other consent

Control

The organization shall obtain consent for matters related to privacy separately from consent for other matters not related to privacy.

Additional information

Consent for use, collection, and processing of PII should be clearly differentiated from Terms of Use. Combining a privacy related notice with other matters can obscure the notice and potentially have a negative impact on the comprehensibility of the notice. Organizations should obtain consent through an action independent from consent for any other terms not related to privacy (e.g., contractual terms and conditions).

5.4.6 Separate consent to necessary and optional elements of PII

Control

The organization shall make it possible for the PII principal to recognize the necessary (mandatory) and optional elements of PII for each identified purpose.

Additional information

If the necessary elements of PII are not provided, then the processing cannot proceed, but this is not the case for the optional elements of PII.

The organization should make it possible for the PII principal to provide consent separately on the necessary elements of PII and the optional elements of PII.

Where PII is provided for an optional element of PII, it should be taken that consent has been given.

5.4.7 Frequency

Control

The organization shall seek to confirm existing consent or gain the new consent of a PII principal at an appropriate interval.

Additional information

If the organization asks for the consent of the PII principal too often, the PII principal may overlook what the consent is about and start accepting it without really understanding the implication of it. This is sometimes referred to as click training or user de-sensitization.
The organization should not seek consent too often, to prevent this from happening. An indicator for the considerations made before should be the negative impacts on the PII principal or the risks of such an impact (i.e. the frequency of confirming existing consent or gaining new consent should enable the PII principal to effectively and efficiently react to or prepare for the corresponding impacts or risks).

Typically, re-consent is only required where a change of conditions (see 5.4) exists.

5.4.8 Timeliness

Control

The organization shall obtain the consent of the PII principal in a timely manner.

Additional information

Seeking the consent of the PII principal too early may have practical issues in the choice being given to the consent. The organization should not seek the consent of the PII principal too early.

5.5 Change of conditions

5.5.1 General

Objective: To ensure PII principals have an opportunity to re-consent when significant changes are made in respect to matters regarding initial consent (see 5.4).

5.5.2 Renewing notice

Control

The organization shall inform the PII principal when the contents of its notice (see 5.3) are updated.

Additional information

Situations when the organization should inform the PII principal are, for example, when:

a) the PII controller's contact details change;
b) the contact point details change;
c) recipients or categories of recipients change;
d) the PII retention period changes.

5.5.3 Renewing consent

Control

The organization shall obtain re-consent from the PII principal when conditions change, and not effect such changes for the PII principal until the re-consent is obtained, especially in circumstances where the PII principal can be negatively impacted.
Additional information

Situations when the PII principal is required to re-consent are, for example, when:

a) the PII controller changes the purpose of use of collected PII to something outside the scope of what was notified to the PII principal at the time the PII was collected;
b) there is a substantial organizational change at the PII controller (e.g., change of owner, change of business);
c) the PII controller changes the PII being collected (e.g., the PII being processed changes);
d) the PII controller changes the processing of PII;
e) the PII controller changes the collection method of PII (e.g., the methods used to process the PII change);
f) the PII controller changes matters related to the transfer of PII to a third party (unless the PII principal was previously notified that PII would be provided to a range of third parties and the change made does not expand the scope of transfer);
g) the PII controller extends the retention period or changes the disposal date notified to the PII principal at the time the PII was collected;
h) the PII controller changes matters related to disclosure, use and retention period, correction, deletion, third party transfer, or revoking of consent;
i) the PII controller changes the geo-location of data collection.

When organizations seek consent for changes such as those outlined here, they should consider whether the PII principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for them. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.
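The rules of 5.5.2 and 5.5.3 (which revisions of a notice only need a renewed notice, which need re-consent, when the original consent must be reconfirmed, and the treatment of a re-consent request that gets no response), together with 5.2.8 (keep the notice version consented to) and 5.4.6 (separate mandatory and optional elements), as one worked example. This is added code, not part of ISO/IEC DIS 29184; the field names, the 365-day "significant time" threshold and the sample notice values are this example's own assumptions, with the sample values modelled on the "Where was I" notice of Annex A.

```python
"""Added example, not part of ISO/IEC DIS 29184: a consent record tied to the
notice version shown (5.2.8, 5.4.4, 5.4.6) and a classifier deciding whether a
revised notice needs re-consent (5.5.3), only a renewed notice (5.5.2), or
nothing. Field names, the 365-day threshold and the sample notice are assumptions."""
from dataclasses import dataclass, asdict, replace
from datetime import date
import hashlib, json

@dataclass(frozen=True)
class Notice:
    version: str
    controller_contact: str   # 5.3.4, 5.3.13
    purposes: dict            # purpose id -> overview (5.3.2)
    elements: dict            # PII element -> {purpose, method, mandatory} (5.3.5, 5.3.6, 5.4.6)
    retention_days: int       # 5.3.11
    third_parties: tuple      # 5.3.10
    collection_location: str  # 5.3.7
    third_party_scope_open: bool = False  # principal was told of "a range of third parties"

def notice_digest(notice: Notice) -> str:
    """Hash of the canonical notice, so a consent is tied to the exact version
    presented and that version can be kept for reference (5.2.8)."""
    canon = json.dumps(asdict(notice), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

@dataclass
class ConsentRecord:
    account: str              # account that gave consent (5.4.4)
    notice_digest: str        # version of the notice consented to (5.2.8)
    consented_on: date
    optional_given: tuple     # optional elements the principal chose to give (5.4.6)
    record_accessible: bool = True  # principal can view the preserved choice (5.3.14)
    status: str = "active"

def record_consent(notice, account, provided, today):
    """5.4.6: every mandatory element must be provided or processing cannot
    proceed; an optional element counts as consented to when it is given."""
    mandatory = {e for e, s in notice.elements.items() if s["mandatory"]}
    missing = mandatory - set(provided)
    if missing:
        raise ValueError(f"processing cannot proceed without: {sorted(missing)}")
    optional = tuple(sorted(set(provided) - mandatory))
    return ConsentRecord(account, notice_digest(notice), today, optional)

def classify_change(old: Notice, new: Notice) -> str:
    """Return 'reconsent', 'notify' or 'none'. Re-consent triggers follow 5.5.3
    a), c), e), f), g), i); a contact change, a recipient change inside a notified
    scope or a shortened retention period only needs a renewed notice (5.5.2)."""
    if set(new.purposes) - set(old.purposes):
        return "reconsent"                                  # a) new purpose
    if set(new.elements) - set(old.elements):
        return "reconsent"                                  # c) new PII collected
    for name, spec in new.elements.items():
        before = old.elements.get(name)
        if before and (spec["purpose"] != before["purpose"]     # a) element repurposed
                       or spec["method"] != before["method"]):  # e) collection method
            return "reconsent"
    if new.retention_days > old.retention_days:
        return "reconsent"                                  # g) retention extended only
    if new.collection_location != old.collection_location:
        return "reconsent"                                  # i) collection geo-location
    if set(new.third_parties) - set(old.third_parties) and not old.third_party_scope_open:
        return "reconsent"                                  # f) transfer scope expanded
    if (new.controller_contact != old.controller_contact
            or new.retention_days != old.retention_days
            or set(new.third_parties) != set(old.third_parties)):
        return "notify"                                     # 5.5.2 a), c), d)
    return "none"

def reconsent_scope(record, today, significant_days=365):
    """5.5.3: ask only about the changes when the principal can readily see the
    prior consent and little time has passed; otherwise reconfirm the original too."""
    elapsed = (today - record.consented_on).days
    if record.record_accessible and elapsed <= significant_days:
        return "changes_only"
    return "reconfirm_original"

def resolve_reconsent(record, response):
    """True renews the consent; False or no response (None) is treated as
    withdrawal of the original consent (5.5.3)."""
    record.status = "active" if response is True else "withdrawn"
    return record.status

# Constructed sample; values follow Annex A, Figures A.2 to A.4.
CONSENTED_ON = date(2019, 4, 30)
NOTICE_V1 = Notice(
    version="2019-04",
    controller_contact="info@example.com",
    purposes={"map": "Provide your location history to you as a map"},
    elements={
        "Email address": {"purpose": "map", "method": "direct", "mandatory": False},
        "GPS Location": {"purpose": "map", "method": "observed", "mandatory": True},
        "IP Address": {"purpose": "map", "method": "observed", "mandatory": True},
    },
    retention_days=180,
    third_parties=(),
    collection_location="device running the Where was I App",
)
NOTICE_CONTACT_CHANGED = replace(NOTICE_V1, version="2019-05", controller_contact="privacy@example.com")
NOTICE_RETENTION_EXTENDED = replace(NOTICE_V1, version="2019-10", retention_days=365)
```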
Where re-consent is requested, and no response is received, it should be assumed that the original consent has been withdrawn.

If a PII principal was notified of a change and that change is going to be made within a notified context, the organization can make the change without obtaining consent from the PII principal.

In many cases, the consent for an individual PII principal would be obtained at the login time of the PII principal.

Annex A
(Informative)

User interface example for obtaining the consent of a PII principal on PCs and smartphones

A.1 Introduction

This annex covers some aspects of the presentation of the notice and the user interface for obtaining consent. The presentation and the consent user interface may vary widely depending on the circumstances and context. For example, the presentations that are suitable for a smart watch and a personal computer will differ greatly. As such, the presentation and the user interface should be optimized in each case and should lead to good practices for each type of case.

In this annex, presentation and user interface aspects of personal computers and smartphones are covered as a starting point for such considerations.

A.2 User interface examples for obtaining initial consent for PCs and smartphones

Before organizations can collect PII from the PII principal, they should identify the PII principal explicitly or implicitly. In some cases, the PII principal has established multiple accounts with the PII controller. In other cases, the device is shared, so that the device may be maintaining multiple sessions to the PII controller's software. In both cases, as described in 5.4.4, it is important to ensure that the PII principal is aware of which account is being used to give consent, and selects the correct PII principal and account if not.

A.2.1 Identification of which account the PII principal is using

There are many ways to achieve this. The simplest way is to ask the PII principal for a username and password. Other methods, such as displaying an account selection screen prompting the PII principal to select which account to use for granting consent, are becoming popular as of the date of writing.

Screen text of Figure A.1 (smartphone):
    Example Co, Ltd
    Location History Mapping Service
    Choose your account
    alice@example.org
    alice.wonda@example.com
    info@example.com
    OR choose another account

Figure A.1 — Account selection screen

A.2.2 Order of items to be displayed

When organizations seek consent from PII principals, they should display the chosen items in the order specified in 5.3. Each chosen item should be displayed as a headline in a table format with its corresponding value. However, in the absence of a corresponding value, the row may be omitted. If the screen is too small to fit all the relevant information in a table format, a text format may be used. However, the order of appearance should not be changed.

Displaying items in a fixed order in a table format makes the comparison of different notices easier, helping PII principals to form their decision.

EXAMPLE

Notice regarding use of PII

    Overview of service: "Where was I" Location history mapping service
    Purpose of use: To provide your mobile history to you as a map
    PII controller: Example Co., Ltd.
    PII to be collected: Email address, GPS Location, IP Address
    Collection method: Data is collected via "Where was I App"
    Timing and location of the PII collection: Data is collected while the application is running and in the background.
    Method of use: Collected data are combined to infer the location of the phone that the App is running on.
    Geo-location of stored PII: California, USA
    Transfer to third parties: No
    Retention period, disposal: To be disposed of after being stored for six months
    Your participation and current choices: You may view, update, and delete the stored information and manage information sharing consent options at http://example.com/maps/.
    Inquiry and complaint: Tel: 03-0000-0000; email: info@example.com; web: https://example.com/info/; Supervising Authority: PPC
    Lawful basis: Performance of the contract and consent (for email)
    Additional risks: Learn about the risks with granting access to the PII at http://example.com/maps/risks/.
    Notice: A full copy of this notice is available at http://example.com/maps/notice/.

Figure A.2 — Notice in a table format

When displaying the notice on a constrained screen such as on a smart phone, organizations may want to omit the item names.

EXAMPLE Item names are omitted.

Screen text of Figure A.3 (smartphone):
    Location history mapping service ▼
    (Example Co., Ltd.) would like access to the following information to provide your location history on a map.
    (i) Email address
    (i) GPS Location
    (i) IP Address (to be collected while the app is running even in background)
    Collected data are combined to infer your location. The data will be stored in California, USA. It will not be transferred to a third party. It will be disposed of after being stored for six months.
    You may view, update, and delete the stored information and manage information sharing consent options at http://example.com/maps/.
    Learn about the risks with granting access to the PII at http://example.com/maps/risks/.
    A full copy of this notice is available at http://example.com/maps/notice/.
    Inquiry and complaint: Tel: 03-0000-0000; email: info@example.com; web: https://example.com/info/; Supervising authority: PPC
    Lawful basis: Performance of contract and consent (for email)
    [Decline] [Accept]

Figure A.3 — The case where the heading is omitted

Screen text of Figure A.4 (smartphone):
    Location history mapping service ▼
    By selecting 'Decline' you will not be able to access and manage your data from anywhere but only from this installation of this app. If you uninstall this app, your access will be permanently lost. If you agree, press 'Proceed with limited service', else press 'Back'.
    Note that we still collect your GPS location and IP Address as they are essential to provide the main functionality of this application. If you do not wish them to be collected, please do not use this app.
    [Proceed with limited service] [Back]

Figure A.4 — The case where the consent is declined

In the above examples, when (and if) the 'Decline' button is pressed, what is depicted in Figure A.4 appears. Note that the account that the PII principal is using to give consent is clearly displayed at the top of the screen as an avatar. This is an example of a control fulfilling the requirement of 5.4.4.

A.2.3 Displaying actual values

The additional information in 5.3.5 also suggests the possibility of providing an example if the actual data is unavailable. The example below shows what is displayed when the (i) icon next to "Email address" in Figure A.3 is pressed.

EXAMPLE

Screen text of Figure A.5 (smartphone):
    Email address ▼
    alice@example.com
    The email address registered in your account.

Figure A.5 — Displaying concrete values

The same paragraph also suggests providing an example where the actual values cannot be presented. The following figure depicts such an example in the case of the collection of purchase receipts.

EXAMPLE

Purchase receipt
Here is an example of a receipt.
    Example Pharmacy
    Date: 2014-08-27 15:04:01
    Store ID: 1234
    Customer ID: 989814501
    Item         Qty    Prc
    ----------   ----   -------
    Rose Soap     10    58,00
    SleepNow       1    24,50
    Subtotal            82,50
    Tax (18 %)          14,85
    Total               97,35

Figure A.6 — Displaying an example

Annex B
(Informative)

Example of a Consent Receipt or Consent Record (‘Note’, Clause 5.4.3)

B.1 Introduction and Purpose of a Consent Receipt

A Consent Receipt or consent record documents the consent given by a PII principal to a PII controller for processing of the principal’s PII. This genericized and summarized example is drawn from concepts documented in the Consent Receipt v1.1 specification referenced in the Bibliography.

A common receipt format enhances the ability to observe, maintain and manage permissions for the principal’s PII by both the individual and the organization. Much like a retailer giving a customer a cash register receipt as a personal record of a purchase transaction, an organization may decide to similarly create a digital record of an online consent interaction, by generating a receipt and providing it to the individual.

B.2 The content and layout of a Consent Receipt

The fields for a typical Consent Receipt are grouped in three sub-sections.

1. Consent Receipt Transaction Fields
   • administrative fields for the consent transaction and the metadata for the overall Consent Receipt.
2. Consent Transaction Parties Fields
   • information about the parties involved in the consent process.
3. Data, Collection, and Use Fields
   • fields for services, personal information categories, attributes, PII, and PII Sensitivity.

B.2.1 An example human-readable Consent Receipt – simple

The screen shot below shows an example of the content and layout of a Consent Receipt for a PII principal who has visited a website and wishes to subscribe to marketing information about the organization, its products and services. The fields in the Consent Receipt give details and undertakings of the PII controller in relation to the PII collected from the principal.

Consent Receipt Version: KI-CR-v1.1.0
Jurisdiction: Discworld
Consent Timestamp: 11/13/2017, 12:00:00 PM EST
Collection Method: Web Subscription Form with opt-in for marketing
Consent Receipt ID: c1befd3e-b7e5-4ea6-8688-e9a565aade21
Public Key: 04:a3:1d:40:53:f0:4b:f1:f9:1b:b2:3a:83:a9:d1:40:02:cc:31:b6:4a:77:bf:5e:a0:db:4f:ea:d2:07:c4:23:57:6f:83:2c:3d:3e:8d:e7:02:71:60:54:01:f4:6a:fb:a2:1e:8b:42:53:33:78:68:d9:7d:5e:b2:cc:0b:f8:a1:bf
Language: English

Consent Parties

Information Subject
  PII Principal ID: Bowden Jeffries

Information Controller
  PII Controller Name: Ankh-Morpork Times
  PII Controller Contact: William de Word, Chief Editor & Data Protection Officer
  PII Controller Address: Ankh-Morpork Times, Gleam Street, Ankh-Morpork, Discworld
  PII Controller Email: william@example.com
  PII Controller Phone: (555) 555-DISC (3429)
  PII Controller URL: https://example.com/contact
  Privacy Notice: https://example.com/privacy_2017

Please see the next page for details on the data we have collected about you, and what we will do with it.
Data, collection and use

Service: Digital Subscription and News Alerts

Purposes for collection and use:

Purpose                      | Purpose Category      | Basis for Processing    | PII Categories                              | Primary purpose?
Fulfil Digital Subscription  | Provision of services | Performance of contract | Technical, Demographics, Financial, Contact | TRUE
Marketing                    | Marketing             | Consent                 | Demographics, Financial, Contact            | FALSE
Financial Record Keeping     | Fiduciary obligation  | Legal obligation        | Financial                                   | FALSE
Law Enforcement              | Public task           | Legal obligation        | All                                         | FALSE

Termination: https://example.com/privacy_2017#termination
Third Party Disclosure: True
Third Party Processors: Print Shop; Fulfillment vendor; Bank; Law enforcement with subpoena; Digital Advertising Agency
Sensitive PII: Yes
Sensitive PII Category: Financial Information

Bibliography

[1] Ministry of Economy, Trade and Industry (Japan), Guidelines for online notices and consent, 2014 (the guideline in English starts at p. 130), http://www.meti.go.jp/meti_lib/report/2016fy/000731.pdf
[2] ISO/IEC 29115, Information technology — Security techniques — Entity authentication assurance
[3] ISO/IEC 29151, Information technology — Security techniques — Code of practice for personally identifiable information protection
[4] Kantara Initiative, Standard Information Sharing Label, 2012, https://kantarainitiative.org/confluence/display/infosharing/Standard+Information+Sharing+Label
[5] ISO/IEC 24760, Information technology — Security techniques — A framework for identity management
[6] Kantara Initiative, Inc., Consent Receipt V1.0, https://kantarainitiative.org/file-downloads/consentreceipt-specification-v1-1-0/
[7] ISO/IEC CD 27552, Information technology — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management — Requirements and guidelines
[8] ISO/IEC 40500, Information technology — W3C Web Content Accessibility Guidelines (WCAG) 2.0

Attachment 1 to SC 27 N19770

Form 8A: Committee decision for DIS

Secretariat: ISO/IEC JTC 1/SC 27 DIN
N 19770
Project number and title: ISO/IEC CD 29184 - Information technology -- Online privacy notices and consent

This form should be sent to the ISO Central Secretariat (http://isotc.iso.org/livelink/si/), together with the draft of the project, by the secretariat of the technical committee or subcommittee concerned.

The accompanying document is submitted for circulation to member body vote: As a DIS

Consensus has been obtained from the P-members of the committee: on 2019-04-05, at the meeting of ISO/IEC JTC 1/SC 27. See Resolution number 2 in document N 19779.
By ballot initiated on: (not applicable; please attach a copy of the ballot results, if applicable)

Listing of the P-members (NWIP, CD or Resolution)

P-members in favour: 18
Australia (SA), Belgium (NBN), China (SAC), France (AFNOR), Ireland (NSAI), Japan (JISC), Korea, Republic of (KATS), Lebanon (LIBNOR), Malaysia (DSM), Mexico (DGN), New Zealand (NZSO), Panama (COPANIT), Peru (INACAL), Saint Kitts and Nevis (SKNBS), Slovakia (UNMS SR), South Africa (SABS), Switzerland (SNV), Ukraine (DSTU)

P-members voting against: 2
United Kingdom (BSI), United States (ANSI)

P-members abstaining: 26
Algeria (IANOR), Argentina (IRAM), Austria (ASI), Brazil (ABNT), Canada (SCC), Costa Rica (INTECO), Côte d'Ivoire (CODINORM), Denmark (DS), Finland (SFS), Germany (DIN), India (BIS), Indonesia (BSN), Iran, Islamic Republic of (ISIRI), Israel (SII), Italy (UNI), Luxembourg (ILNAS), Mauritius (MSB), Netherlands (NEN), Poland (PKN), Romania (ASRO), Russian Federation (GOST R), Singapore (ESG), Spain (UNE), Sweden (SIS), United Arab Emirates (ESMA), Uruguay (UNIT)

P-members who did not vote: 0

FORM 8A – Committee decision on DIS

Remarks: The text for the 3rd CD of ISO/IEC 29184 was circulated as SC 27 N19111.
The summary of voting on SC 27 N19111, along with additional KR NB and liaison (EDPB and Kantara Initiative) comments, was presented as SC 27 N19140, N19142, N19141, N19146 and N19609, respectively, for consideration at the Comment Resolution Meeting held in Ramat Gan / Tel-Aviv during the SC 27/WG week on 2019-04-01/05. The dispositions of comments received on SC 27 N19111 (text for 3rd CD) are shown in SC 27 N19769. As per Tel-Aviv Resolution 2 of the CRM (contained in SC 27 N19779), the text for a 1st DIS of ISO/IEC 29184 as presented in SC 27 N19770 was submitted to the ISO Central Secretariat (ITTF) for a 12-week DIS ballot processing on 2019-04-30. The negative National Body votes of United Kingdom and United States have been satisfactorily resolved and changed to approval.

I hereby confirm that this draft meets the requirements of Part 2 of the ISO/IEC Directives:
Secretariat: DIN
Date: 2019-04-30
Name/Signature of TC/SC Secretary: Passia, Krystyna Mrs

Result of voting

Ballot Information
Ballot reference: ISO/IEC CD 29184.3 - ISO-IECJTC1-SC27_N19111
Ballot type: CD
Ballot title: Information technology -- Online privacy notices and consent
Opening date: 2018-12-20
Closing date: 2019-02-14
Note: 3rd CD Consideration. In accordance with Resolution 4 (see SC 27 N19100 = WG 5 N1600) of the Comment Resolution Meeting (CRM) held in Gjóvik, Norway (2018-09-30/10-04), the hereby attached document is circulated for an 8-week 3rd CD letter ballot closing by 2019-02-14.

Member responses

Votes cast (47): Algeria (IANOR), Argentina (IRAM), Australia (SA), Austria (ASI), Belgium (NBN), Brazil (ABNT), Canada (SCC), China (SAC), Costa Rica (INTECO), Côte d'Ivoire (CODINORM), Denmark (DS), Finland (SFS), France (AFNOR), Germany (DIN), India (BIS), Indonesia (BSN), Iran, Islamic Republic of (ISIRI), Ireland (NSAI), Israel (SII), Italy (UNI), Japan (JISC), Kenya (KEBS), Korea, Republic of (KATS), Lebanon (LIBNOR), Luxembourg (ILNAS), Malaysia (DSM), Mauritius (MSB), Mexico (DGN), Netherlands (NEN), New Zealand (NZSO), Panama (COPANIT), Peru (INACAL), Poland (PKN), Romania (ASRO), Russian Federation (GOST R), Saint Kitts and Nevis (SKNBS), Singapore (ESG), Slovakia (UNMS SR), South Africa (SABS), Spain (UNE), Sweden (SIS), Switzerland (SNV), Ukraine (DSTU), United Arab Emirates (ESMA), United Kingdom (BSI), United States (ANSI), Uruguay (UNIT)
Comments submitted (0)
Votes not cast (0)

Questions
Q.1 "Do you approve the circulation of the draft as a DIS?"

Votes by members, Q.1
Algeria (IANOR): Abstention
Argentina (IRAM): Abstention
Australia (SA): Approval
Austria (ASI): Abstention
Belgium (NBN): Approval
Brazil (ABNT): Abstention
Canada (SCC): Abstention
China (SAC): Approval
Costa Rica (INTECO): Abstention
Côte d'Ivoire (CODINORM): Abstention
Denmark (DS): Abstention
Finland (SFS): Abstention
France (AFNOR): Approval
Germany (DIN): Abstention
India (BIS): Abstention
Indonesia (BSN): Abstention
Iran, Islamic Republic of (ISIRI): Abstention
Ireland (NSAI): Approval
Israel (SII): Abstention
Italy (UNI): Abstention
Japan (JISC): Approval with comments
Kenya (KEBS): Approval
Korea, Republic of (KATS): Approval
Lebanon (LIBNOR): Approval
Luxembourg (ILNAS): Abstention
Malaysia (DSM): Approval
Mauritius (MSB): Abstention
Mexico (DGN): Approval
Netherlands (NEN): Abstention
New Zealand (NZSO): Approval
Panama (COPANIT): Approval
Peru (INACAL): Approval
Poland (PKN): Abstention
Romania (ASRO): Abstention
Russian Federation (GOST R): Abstention
Saint Kitts and Nevis (SKNBS): Approval
Singapore (ESG): Abstention
Slovakia (UNMS SR): Approval
South Africa (SABS): Approval
Spain (UNE): Abstention
Sweden (SIS): Abstention
Switzerland (SNV): Approval with comments
Ukraine (DSTU): Approval
United Arab Emirates (ESMA): Abstention
United Kingdom (BSI): Disapproval
United States (ANSI): Disapproval
Uruguay (UNIT): Abstention

Answers to Q.1: "Do you approve the circulation of the draft as a DIS?"

17 x Approval: Australia (SA), Belgium (NBN), China (SAC), France (AFNOR), Ireland (NSAI), Kenya (KEBS), Korea, Republic of (KATS), Lebanon (LIBNOR), Malaysia (DSM), Mexico (DGN), New Zealand (NZSO), Panama (COPANIT), Peru (INACAL), Saint Kitts and Nevis (SKNBS), Slovakia (UNMS SR), South Africa (SABS), Ukraine (DSTU)
2 x Approval with comments: Japan (JISC), Switzerland (SNV)
2 x Disapproval: United Kingdom (BSI), United States (ANSI)
26 x Abstention: Algeria (IANOR), Argentina (IRAM), Austria (ASI), Brazil (ABNT), Canada (SCC), Costa Rica (INTECO), Côte d'Ivoire (CODINORM), Denmark (DS), Finland (SFS), Germany (DIN), India (BIS), Indonesia (BSN), Iran, Islamic Republic of (ISIRI), Israel (SII), Italy (UNI), Luxembourg (ILNAS), Mauritius (MSB), Netherlands (NEN), Poland (PKN), Romania (ASRO), Russian Federation (GOST R), Singapore (ESG), Spain (UNE), Sweden (SIS), United Arab Emirates (ESMA), Uruguay (UNIT)

Comments from Voters
Member: Japan (JISC) — Comment File — 2019-02-14 02:46:25
Member: Switzerland (SNV) — Comment File — 2019-02-14 14:51:18
Member: United Kingdom (BSI) — Comment File — 2019-02-14 16:48:34
Member: United States (ANSI) — Comment File — 2019-02-11 21:03:06

Comments from Commenters
(none)