International standard looks to curb theft of personal data
Uber is making headlines for its reaction to the theft of personal data from 57 million drivers and users. The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. Yahoo last month – just prior to its acquisition by Verizon – shared new intelligence that a data breach in 2013 thought to have affected a billion users had in fact compromised all three billion Yahoo user accounts.
The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation to come into force in May 2018, with global implications.
Privacy has taken on new dimensions in our hyperconnected world.
The need to protect personal data is increasing in urgency with the digital transformation of sectors such as healthcare and financial services.
More and more organizations are processing personal data, and all of them dealing with an increasing amount of this data.
Personal data custodians have received new guidance from IEC, ISO and ITU – the three leading international standards bodies – in the form of an international standard providing a ‘Code of Practice for the Protection of Personally Identifiable Information’.
The voluntary standard, ITU-T X.1058 | ISO/IEC 29151, provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data.
X.1058 establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.
The standard builds on ISO/IEC 27002 – code of practice for information security controls – with guidelines specific to personal data protection. Examples include proposed governance structures for employees handing personal data, matched with calls for efficient collaboration with legal teams to interpret relevant laws and regulations.
RELATED: How the European Union is tackling cybersecurity: a look at the NIS directive
An Annex integral to X.1058 provides an extended set of controls for personal data beyond the standard’s augmented provisions of ISO/IEC 27002.
The Annex details control objectives relevant to ‘consent and choice’ and the related ‘participation of personal data principals’, the people with whom data can be identified. They look at ‘purpose legitimacy’ to provide guidance as to whether or not the retention of personal data is appropriate. They encourage the pursuit of ‘collection limitation’ and ‘data minimization’ as well as the ‘openness and transparency’ of organizational policy with respect to personal data.
ITU-T X.1058 | ISO/IEC 29151 was developed in collaboration by ITU’s standardization expert group responsible for ‘building confidence and security in the use of ICTs’, ITU-T Study Group 17, and the ISO/IEC standardization expert group for ‘security techniques’, ISO/IEC JTC 1/SC 27.
ITU-T Study Group 17 this year established two new work streams to coordinate a growing volume of standardization work on security aspects of distributed ledger technologies such as blockchain and connected car communications. Learn more about ITU-T Study Group 17.
