ISO IEC 29134-2023.docx

INTERNATIONA1.STANDARDISO/IEC29134editionSecond2023-05Informationtechno1.ogySecuritytechniquesGuide1.inesforprivacyimpactassessmentTechno1.ogiesdeinfrmationTechniquesdeSRUriW1.ignesdirectricespourV6tuded,impactssur1.aviepriv6eReferencenumberISO/IEC29134:2023(E)COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InyM1.tta0Dmk<nroni(ncm11ni10tf1.*Mqn1.C6pW11opypMRationmaytheinternetoranintranet,withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOattheaddressbe1.oworISO'smemberbodyinthecountr)oftherequester.f),WV>fifiU81.andonnet8CH-1214Vernier,GenevaPhone：M1.227490111觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andIntroductionAprivacyimpactassessment(PIA)isaninstrumentfor:asgdb由ccr>Wh由hduiVeerhiPhiVae5z<p3s,PerSoiDfrteriCttiSkkdTrtzProgt1114RJJ如Rwaretakingnecessaryactions,inconsu1.tationwithstakeho1.ders,totreatprivacyrisk.船期1g1.HPt三献或m9三WW)R1.三哨啼H阚拗硼f%E(片蹦加曲行0/1E得叫p!7½uresmorethanatoo1.:itisaprocessthatbeginsattheear1.iestpossib1.estagesofaninitiative,whentherearesti1.1.opportunitiestoinf1.uenceitsoutcomeandtherebyensureprivacybydesign.Itisaprocessthatcontinuesunti1.,andevenafter,theprojecthasbeendep1.oyed.Initiativesvarysubstantia1.1.yinsca1.eandimpact.Objectivesfa1.1.ingundertheheadingof"privacy',wi1.1.dependoncu1.ture,societa1.expectationsandjurisdiction.Thisdocumentisintendedtoprovide§嘛林做物康顺飒M酬H机由I1.taWative期体由HjgMferPre曲秘艇re球通龈Mttancescircumstances.4J¾S律即群盟人帧科强?搬总给itybA和&油邢8般裁蝴品即独服内部PrO强羽AoCOndUCttheirownPIA.婚“缺嬲em,in湖幅栩VW即颈励舀磐an愧科se<fi鼬初强假任俄Vi勰解hersJ梳UChdevicestoprovideprivacy-re1.evantdesigninformationtothoseundertakingthePIA.irispossib1.ethattheproviderofdigita1.devicesisunski1.1.edinandnotresourcedforPIAstforexamp1.e：asma1.1.retai1.er,orasma1.1.andmedium-sizedenterprise(SME)usingdigita1.1.yconnecteddevicesinthecourseofitsnorma1.businessoperations.印ItWMryHnm3ticiwMhi甫iAiwdTttJkdbBWAndevicrwhAp1.iercantheexpectedP1.1.principa1./SMEcontextfortheequipmenttheysupp1.y.洲小Pa1.懈赧叫工加湘蝴Mrt?陶徽湎硼三W幽硼的rea朋pp1.y.ThisdocumentisintendedtobeusedwhentheprivacyimpactonP1.1.principa1.sinc1.udesconsiderationofprocesses,informationsystemsorprogrammes,where：-theresponsibi1.ityfortheimp1.ementationand/orde1.iveryoftheprocess,informationsystemOrprogrammeissharedwithotherorganizationsanditshou1.dbeensuredthateachorganizationproper1.yaddressestheidentifiedrisks;anorganizationisperformingprivacyriskmanagementaspartOfitsovera1.1.riskmanagementeffortwhi1.epreparingfortheimp1.ementationorimprovementofitsISMS(estab1.ishedinaccordancewith由SWIRGRZWMsorananfiMyfeRfiHg魄Fmentsystem);oranorganizationisperformingprivacyriskanorganization(e.g.government)isundertakinganinitiative(e.g.aPUbIiC-PriVate-PartnerShiP逸柚由屈信怖阖hent糠8福掘Vte1.由MMw出队V映S蛆幅rermentp1.anbecomespartofcorresponding1.egis1.ation,regu1.ationorthecontractinstead;theorganizationwantstoactresponsib1.ytowardsthePI1.principa1.s.CUBbg1.kd1.dddummhiMeib½athcnko1.sJdchUi1.n削661娜CH的阙9铀门IapruitiMdyUiKo1.S)PrQosIS0/1EC29151(forP1.1.protectioncontro1.s),orcomparab1.enationa1.standards,ortheycanbedefinedbythepersonresponsib1.eforconductingthePIA1independent1.yofanyothercontro1.set.3.3assessortheirteam.entry:Theassessormaybesupportedbyoneormoreotherinterna1.and/orexterna1.expertsaspartof3.4process(SOURCE:ISO/IEC27000:2018,3.54device3.6privacyimpactsafeguardingrequirements,impactcanresu1.tfromtheprocessingofP1.1.inconformanceorinvio1.ationofprivacy3.7privacyimpactassessmentPIAinformation,framedwithinanorganizationbroaderriskmanagementframework3.8privacyriskmapNote1toentry：Themapistypica1.1.yusedtdeterminetheorderinwhichtheprivacyrisksshou1.dbetreated.programme(SOURCE:ISO143004:2011,3.21projecttime,costandresources©ISO/IEC2023-A1.1.11ghtsreservedpersonwho1.eadsandconductsaprivacyimpactassessment(3.7)Note1toNote2toentry:Theassessormaybeanexpertinterna1.orexterna1.totheorganization.setofinterre1.atedorinteractingactivitieswhichtransformsinputsintooutputs3.5combinationofhardwareandSoftWare,orso1.e1.ysoftware,thata1.1.owsausertoperformactionsanythingthathasaneffectontheprivacyofaP1.1.principa1.and/orgroupofP1.1.principa1.sNote1toentry:Theprivacyovera1.1.processofidentifying,ana1.ysing,eva1.uating,consu1.ting,communicatingandp1.anningthetreatmentofpotentia1.privacyimpactswithregardtotheprocessingofpersona1.1.yidentifiab1.eSOURCE:1SO1EC29100:2011,2.20rmodifiedNote1toentryhasbeende1.eted.)diagramthatindicatesthe1.eve1.ofimpactand1.ike1.ihoodofprivacyrisksidentified3.9groupofprojectsmanagedinacoordinatedwaytoobtainbenefitsnotavai1.ab1.efrommanagingthemindividua1.1.y3.10uniqueprocess,consistingofasetofcoordinatedandcontro1.1.edactivitieswithstartandfinishdates,undertakentoachieveanobjectiveconformingtospecificrequirements,inc1.udingtheconstraintsof(SOURCE:ISO9000:2015,3.4.23.11organizationpersonorgroupofpeop1.ethath