Privacy Law and Policy Reporter
The resolutions reproduced below were made by the world’s privacy and data protection Commissioners during the 26th International Conference on Privacy and Personal Data Protection held in Wroclaw, Poland, 14 – 16 September 2004. They represent both an important development in relation to technical standards protecting privacy, and to the growing global cooperation of privacy Commissioners. (General Editor)
The following points are extracted from the Commissioners’ Conference memorandum explaining the resolutions:
• Fourteen data protection Commissioners’ Offices proposed the following resolutions.
• The International Organisation for Standardisation (ISO) has established a Privacy Technology Study Group (PTSG) under Joint Technical Committee 1 (JTC1) to examine the need for developing a privacy technology standard and, if so, how to proceed and the scope of such an exercise, and report in November 2004.
• The International Security, Trust, and Privacy Alliance (ISTPA) (http://www.istpa.org) is a global alliance of companies, institutions and technology providers working on issues related to security, trust, and privacy. ISTPA has put forward to ISO a Draft International Standard (ISO/IEC (PAS) DIS 20886) for a Privacy Framework in a fast track procedure to be voted on by letter ballot ending 11 December 2004.
• The Privacy Enhancing Technology Testing & Evaluation Project (PETTEP), a project led by the Ontario Information & Privacy Commissioner, is a global team of privacy and data protection commissioners, academics, government and private sector organizations and privacy experts committed to developing internationally accepted testing and evaluation criteria for the privacy claims of information technologies and systems.
• The International Working Group on Data Protection in Telecommunications (a sub-group of the international Privacy Commissioners) at their 35th meeting in Buenos Aires on 14-15 April 2004 has adopted a Working Paper on a future ISO Privacy Standard.
• The position of the International Conference of Data Protection and Privacy Commissioners is that it wishes to support the development of an effective and universally accepted international privacy technology standard and make available to ISO its expertise for the development of such a standard. It recognizes that compliance with any present or future ISO standard does not necessarily imply or replace compliance with legal regulations, but is a means for assisting parties in complying with legal requirements of a data protection and privacy nature. Despite jurisdictional differences which will continue, on the whole there is a high degree of commonality in legal requirements which would be best served in being captured in an information technology enabled manner through the development of an international standard(s).
Resolution on a Draft ISO Privacy Framework Standard
The Conference adopted the following Resolutions:
Resolution for an ISO Privacy Standard(s)
1. The Conference respectfully recommends a global privacy standard(s) and specifically a privacy technology standard be developed by ISO that would support the implementation of legal rules on privacy and data protection where they exist and the formulation of such rules where they are still lacking.
Resolution for content of Privacy Standard
2. The Conference resolves that developing an international privacy standard must be based on the fair information practices as well as the concepts of data scarcity, minimisation and anonymity. To be effective, an information technology standard(s) must:
• provide evaluation and testing criteria regarding the privacy functionality of any system or technology to assist controllers to comply with national and international legal instruments on data protection,
• provide a level of assurance regarding the privacy claims of technologies and systems used to manage personal information,
• be able to support privacy requirements pertaining to the personal information on or about an individual, independent of the combinations and number of organizations that may be involved in handling and interchanging such personal information.
Resolutions in support of developing a Privacy Standard
3. The Conference supports the recent establishment of an interim Privacy Technology Study Group (PTSG) to assess the need for a standard as well as the scope and method for developing such a standard within the International Organisation for Standardization.
4. The Conference strongly supports expediting, and not delaying, establishment of a new, permanent Sub-Committee of the ISO for the development of information technology standards regarding privacy. The new Sub-Committee should take into account the work on specific privacy issues currently being done in existing Sub-Committees.
Resolutions for Commissioner involvement in ISO
5. The Conference strongly supports the inclusion of the Privacy Enhancing Technology Testing & Evaluation Project (PETTEP), as an official liaison organisation to the ISO JTC1 Privacy Technology Study Group (PTSG). This provides a vehicle for Privacy & Data Protection Commissioners to work directly within the ISO PTSG as well as gives PETTEP members the official standing to present, discuss and contribute to the work of the PTSG.
6. The Conference supports and encourages interested Data Protection Commissioners to join PETTEP, thus allowing them, as PETTEP members, an immediate voice in the discussions regarding the development of an ISO privacy technology standard.
7. The Conference recognizes that PETTEP already has official standing in the PTSG and respectfully requests PETTEP to adopt the Conference’s resolutions and present them to the PTSG at the earliest possible date.
Resolutions regarding current and future PAS’
8. The Conference, while acknowledging the intent and commitment of ISTPA in the area of privacy, respectfully requests the withdrawal of the ISTPA framework as a Publicly Available Specification (PAS) until the following is addressed:
• The concept of privacy on which the Draft Privacy Framework Standard is based and that the framework needs to recognize the limits of collection. The Draft defines “privacy” as “the proper handling and use of personal information throughout its life cycle, consistent with data protection principles and the preferences of the subject”. The authors of the Draft understand that the collection and processing of personal information are essential to the proper functioning of modern society and commerce. This statement rests on the assumption that there are no limits to the collection of personal data. There may be situations where the collection and processing of personal information is essential in this sense. But this should not be assumed to be the rule.
9. The Conference respectfully requests the ISO to suspend any existing PAS submissions for fast-track procedure and adoption in the field of privacy and data protection (or the introduction of new PAS submissions related to privacy and data protection) as the development of a privacy standard requires thorough discussion.
The Conference respectfully requests that ISO treats PAS submissions and any other submissions in the field of data protection and privacy as inputs and contributions to the development of an overall framework as well as potential future standards development in the context of such a framework.