ISO 27701 and privacy information management

The Netherlands Standardization Institute (NEN), together with the international standardization organizations ISO and IEC, issues important security standards with titles such as NEN-ISO/IEC 27001 (hereafter: ISO 27001). ISO 27001 and ISO 27002 are important security standards that describe how organizations should design their information security. The recently published ISO 27701:2019 ("the standard") describes how organizations can integrate their privacy protection and information security policies. What does this extension mean for privacy information management?

10 June 2020

The standard is largely inspired by the General Data Protection Regulation (AVG, the Dutch name for the GDPR). Where the AVG formulates rights and obligations, the standard describes how to translate those rights and obligations into management measures and implementation guidelines in practice. For example, section 7.3.4 on page 50 gives concrete form to, among other things, Article 18 AVG, which describes the data subject's right to restriction of processing. However, according to a footnote on page 6, the terms of the standard and those of the AVG cannot be interchanged one-to-one. For example, the standard talks about Personally Identifiable Information (PII) and assumes that PII identifies or distinguishes individuals. The AVG's term "personal data" has a broader meaning: any information that refers to or can be linked to a (natural, living) person.

ISO 27701

The standard starts with the usual four chapters for standards: Scope, References, Definitions, General. These are followed by the elaboration chapters:

Chapter 5 - PIMS-specific requirements related to ISO 27001
Here is a concrete description of how the Information Security Management System (ISMS) of ISO 27001 is extended to arrive at a Privacy Information Management System (PIMS). It involves determining the context of the organization (in what legal environment does it operate?) and determining the needs and expectations of stakeholders. The AVG contains numerous provisions for these components, and the cross-reference table D.1 on page 80 conveniently summarizes them.

Furthermore, the chapter covers defining the scope of the PIMS, establishing leadership, assessing and addressing risk, setting security objectives, enlisting support, implementing improvements, evaluating, correcting deviations and continuous improvement. In particular, this constitutes an elaboration of Art. 32 paragraphs 1 and 2 AVG on secure processing.

Chapter 6 - PIMS-specific guidelines related to ISO 27002
Here a relationship is established with the long list of security measures from ISO 27002 to ensure that the information facility does what it is designed to do: make data available when needed, as specified, and as confidential as required. It mainly concerns an elaboration of the following articles from the AVG: Article 5 paragraph 1(f) on taking appropriate technical and organizational measures, Article 24 paragraphs 1 and 2 on the responsibility of the controller, and Article 32 paragraphs 1 and 2 on security of processing. Section 6.3.3.1 of the standard discusses roles and responsibilities in information security, a topic that also appears in many places in the AVG. This is summarized in cross-reference table D.1.

Chapter 7 - Additional ISO 27002 guidelines for PII controllers
This chapter provides an overview of the many obligations of controllers with control measures and implementation guidelines, describing how to meet those obligations. The chapter is summarized in Table A.1 on page 68. The cross-reference table D.1 on page 81 summarizes the referenced articles of the AVG.

Chapter 8 - Additional ISO 27002 guidelines for PII processors
This chapter does the same as Chapter 7, but for processors. The summary can be found in Table B.1 on page 73, with another reference to the articles from the AVG in Table D.1 on page 83.

Terms

The standard is a long checklist of requirements and a good basis for certification. Reportedly, the Netherlands Standardization Institute is also currently working on a certification scheme for this standard.

A strength of this standard is the concrete elaboration of how to combine information security and privacy protection, two areas that are still too often separate worlds in numerous organizations. For non-lawyers, the standard also provides a practical starting point for understanding the AVG.

The standard summarizes the AVG, and inevitably something goes wrong in the process. As an example, Art. 6 contains an exhaustive list of processing grounds, but Section 7.2.2 assumes that there are more. Art. 9 states that special categories of personal data may only be processed under specific conditions. For example, a supermarket may not process medical data, and that prohibition cannot be lifted by stricter management measures, which the standard on page 44 seems to assume. Furthermore, you cannot expect the standard to settle the delineation of terms such as controller and processor. These terms are quite often confused. For example, if a municipality has medical examinations performed by a healthcare institution, then that healthcare institution is not a processor but a controller in its own right, because what is outsourced is not information processing but medical services. That the AVG delineates these concepts in this way is not a matter of "lawyers writing it up awkwardly again," but is defensible on good grounds, because any other construction would quickly lead to a breach of medical confidentiality, whereas the municipality, for example, only needs to know whether someone qualifies for a parking permit under the municipal criteria. Dutch law also has specific provisions for the processing of personal data by, say, personnel departments and schools, and one will look in vain for those in this standard.

In summary, the standard describes a convenient integrated approach to information security and privacy protection, and the checklist format makes it very practical. Warmly recommended for those, such as data protection officers, who want a good basic privacy protection setup. Think of schools, web stores, smaller healthcare providers and human resources departments. However, the specifics will continue to require the AVG or national legislation.

Knowledge partner

Robert van Vianen