ISO/IEC INTERNATIONAL STANDARD 15944-8 First edition 2012-04-01 Information technology Business Operational View - Part 8: Identification of privacy protection reguirements as external constraints on business transactions Technologies de I'information- Vue opérationnelle d'affaires Partie 8: Identification des exigences de protection de la vie privee en tant que contraintes externes sur les transactions d'affaires Reference number ISO/IEC 15944-8:2012(E) 'so IEC @ ISO/IEC 2012 HS under I without license from IHS Not for Resale ISO/IEC 15944-8:2012(E) COPYRIGHT PROTECTED DOCUMENT ?ISO/IEC2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either isO at the address below or IsO's memberbody in the country of the requester. ISO copyright office Case postale 56 : CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland ISO/IEC2012-Allrightsreserved py IHS unde ermitted without license from IHS Not for Resale ISO/IEC 15944-8:2012(E) Contents Page Foreword ..vii 0 Introduction. ..vili 0.1 Purpose and overview .. .vili 0.1.1 ISO/IEC 14662 "Open-edi Reference Model" 0.1.2 ISO/IEc 15944-1 "Business Agreement Semantic Descriptive Techniques" ("Business Operational View (Bov").... 0.2 Introducing the use of "Person", "organization" and "party" in the context of business transaction and commitment exchange...................... 0.3 Importance and role of terms and definitions.. ...xili 0.4 .xit 0.5 Needforastandardbasedonrulesandguidelines.. .xiv 0.6 Use of "jurisdictional domain", and "jurisdiction" (and "country") in the context of business transaction and commitment exchange...... 0.7 Use of "identifier" as "identifier (in business transaction)" to prevent ambiguity.. ...xvi 0.8 Use of “privacy protection" in the context of business transaction and commitment exchange.......... 0.9 Organization and description of this document xvii 1 Scope... 1.1 Statement of scope .. 1.2 1.2.1 FunctionalServicesView(FsV).. 1.2.2 Internal behaviour of organizations (and public administration).... 1.2.3 “organization Person" 1.2.4 Overlap of and/or conflict among jurisdictional domains as sources of privacy protection requirements... .2 1.2.5 Publicly available personal information.... 1.3 Aspects currently not addressed .... 1.4 IT-systems environment neutrality.. Normative references... 2.1 ISO/IEC, ISO and ITU 2.2 Referenced specifications. 3 Terms and definitions .. 11 4 Symbolsandabbreviations... 5 Fundamental principles and assumptions governing privacy protection requirements in business transactions involving individuals (external constraints perspective)..... 5.1 Introduction.... 43 5.2 Exceptions to the application of the privacy protection principles ... .46 5.3 Fundamental Privacy Protection Principles..... ...46 5.3.1 Privacy Protection Principle 1: Preventing Harm . 46 5.3.2 Privacy Protection Principle 2: Accountability .. 47 5.3.3 Privacy Protection Principle 3: Identifying Purposes.. 5.3.4 Privacy Protection Principle 4: Informed Consent ... 50 5.3.5 Privacy Protection Principle 5: Limiting Collection... 52 5.3.6 Privacy Protection Principle 6: Limiting Use, Disclosure and Retention.. 54 5.3.7 Privacy Protection Principle 7: Accuracy.... 57 5.3.8 Privacy Protection Principle 8: Safeguards.. 58 5.3.9 Privacy Protection Principle 9: Openness. 59 5.3.10 Principle Protection Principle 10: Individual Access 60 5.3.11 Privacy Protection Principle 11: Challenging Compliance 62 ili ted without license from IHS Not for Resale ISO/IEC 15944-8:2012(E) 5.4 Requirement for tagging (or labelling) data elements in support of privacy protection requirements ... ...63 6 Collaboration space and privacy protection.. ..65 6.1 Introduction ... .65 6.2 6.3 Collaborationspace:Theroleofbuyer(asindividual