除了ISO/IEC 27002标准的新增补规定之外，ITU X.1058的附录提供了一套扩展的个人数据控制措施。这份附录进一步细化了和“许可与选择”有关的控制目标以及相关的“个人数据负责人的参与”，即数据需要获得其认可人的参与。他们提供指导，通过审查“目的合法性”判断保留个人数据是否合适。他们鼓励追求“收集限制”、“数据最小化”和组织在个人数据相关政策上的“开放和透明”。
Geneva, Switzerland, 27 November 2017 – The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. Yahoo last month – just prior to its acquisition by Verizon – shared new intelligence that a data breach in 2013 thought to have affected a billion users had in fact compromised all three billion Yahoo user accounts.
The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation to come into force in May 2018, with global implications.
Privacy has taken on new dimensions in our hyper connected world. The need to protect personal data is increasing in urgency with the digital transformation of sectors such as healthcare and financial services. More and more organizations are processing personal data, all of them dealing with an increasing amount of this data.
Personal data custodians have received new guidance from IEC, ISO and ITU – the three leading international standards bodies – in the form of an International Standard providing a ‘Code of Practice for the Protection of Personally Identifiable Information’.
The voluntary standard, ISO/IEC 29151 | ITU-T X.1058 provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data.
It establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.
An Annex integral to ITU X.1058 provides an extended set of controls for personal data beyond the standard’s augmented provisions of ISO/IEC 27002.
The Annex details control objectives relevant to ‘consent and choice’ and the related ‘participation of personal data principals’, the people with whom data can be identified. They look at ‘purpose legitimacy’ to provide guidance as to whether or not the retention of personal data is appropriate. They encourage the pursuit of ‘collection limitation’ and ‘data minimization’ as well as the ‘openness and transparency’ of organizational policy with respect to personal data.
ISO/IEC 29151 | ITU-T X.1058 was developed in collaboration by the ISO/IEC standardization expert group for ‘security techniques’, ISO/IEC JTC 1/SC 27 and ITU-T Study Group 17 ‘building confidence and security in the use of ICTs’.
地址：北京海淀区马甸东路9号 邮编：100088 邮箱：email@example.com