
ISO/IEC 19944


ISO/IEC 19944[1] is an international standard designed to standardize transparent communication of personal data protection policies and practices by data controllers through a structured taxonomy of Data Use Statements. It also provides an overview of device and cloud data flow. The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 38.

Structure of the standard


The official title of the standard is "Information technology — Cloud computing — Cloud services and devices: data flow, data categories and data use". ISO/IEC 19944 consists of ten identifiable sections, which can be largely divided into three distinct subgroups:

I. Background Information

1. Scope

2. Normative References

3. Terms and Definitions

4. Abbreviations and Acronyms

5. Structure of this International Standard

II. Devices and cloud services ecosystems

6. Overview of devices and cloud services ecosystems

7. Extending the cloud computing reference architecture to the devices and cloud services ecosystem

III. Data Use Statements - Terminology and Structure

8. Data Taxonomies

9. Data Processing

10. Data Use Statement

I. Background Information


The first part of ISO/IEC 19944, consisting of sections 1-5, provides basic treatment of the scope and structure of the standard, terms, definitions, abbreviations, and acronyms used in the standard, and references to previous underlying standards that are either referred to or updated by ISO/IEC 19944.

II. Devices and cloud services ecosystems


The purpose of the devices and cloud services part of ISO/IEC 19944, comprising sections 6 and 7, is to expand and establish the cloud services ecosystem in which data use statements should be applied. The standard also explains the network of data flows within the cloud services ecosystem that is subject to data use statements. To that end, ISO/IEC 19944 identifies types of cloud services and extends the cloud computing reference architecture previously described in ISO/IEC 17789 to include devices not previously considered in ISO/IEC standards, and the impact of those devices on the cloud services ecosystem.

III. Data Use Statements


Data controllers need to use clear and plain language to represent an otherwise complex reality of how different categories of data are used and managed. A transparent, intelligible, and concise description of data use can help to resolve concerns from privacy stakeholders. It can also help data controllers formalize a stable data use policy while the underlying details of data collection and usage evolve. ISO/IEC 19944 standardizes the data use statements with a defined structure. Where applicable, the standardized structure can be extended to provide more fine-grained details.

Data Use Statement Structure


Data use statements as defined in ISO/IEC 19944 are composed of the following major components:

  1. Data used—describing the data applicable to the data use statement
  2. Source Scope—describing where the data is obtained
  3. Use Scope—describing the applications or services that are using the data
  4. Result Scope—describing the resulting outcome of the data

In more complete form, data use statements can be expressed in the following format:

(Data identification qualifier) (data category) from (source) is used by (user) to (action) for the purpose of (result).

An example of such a data use statement: "Unlinked Pseudonymized telemetry data from app X is used by this service to improve app X's services."

The same example broken down by component:

| Structure | Data Identification Qualifier | Data Categories | from | Source Scope | is used by | Use Scope    | to | Action  | the | Result Scope    |
| Example   | Unlinked Pseudonymized        | Telemetry Data  | from | App X        | is used by | This service | to | Improve | -   | App X's Service |
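The fixed connector words of the template ("from", "is used by", "to", "for the purpose of") make a statement machine-checkable. As an added example that is not part of this page or of the standard, the following Python parses a statement into the components listed above, renders one back out, and flags a statement whose result scope is missing; the qualifier vocabulary is supplied by the caller (only the page's own "Unlinked Pseudonymized" is used here), and the standard's full term lists are not reproduced.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Template: (qualifier) (category) from (source) is used by (user) to (action)
# for the purpose of (result). Connector words anchor the parse; the tail is optional.
_STATEMENT_RE = re.compile(
    r"^(?P<data_used>.+?) from (?P<source>.+?) is used by (?P<user>.+?) to (?P<action>.+?)"
    r"(?: for the purpose of (?P<result>.+?))?\.?$"
)

@dataclass(frozen=True)
class DataUseStatement:
    data_used: str                # qualifier + data category ("Data used")
    source: str                   # source scope
    user: str                     # use scope
    action: str                   # action performed on the data
    result: Optional[str] = None  # result scope; None in the short form

    def render(self) -> str:
        """Compose the sentence in the order the template prescribes."""
        text = f"{self.data_used} from {self.source} is used by {self.user} to {self.action}"
        if self.result:
            text += f" for the purpose of {self.result}"
        return text + "."

def parse_statement(text: str) -> DataUseStatement:
    """Split a statement sentence into its components; reject malformed input."""
    m = _STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed data use statement: {text!r}")
    return DataUseStatement(**m.groupdict())

def split_data_used(data_used: str, qualifiers: set) -> tuple:
    """Split off the leading qualifier using a caller-supplied vocabulary (not the standard's list)."""
    for q in sorted(qualifiers, key=len, reverse=True):  # longest match first
        if data_used.lower().startswith(q.lower() + " "):
            return data_used[:len(q)], data_used[len(q) + 1:]
    return None, data_used

def completeness_issues(stmt: DataUseStatement, qualifiers: set) -> list:
    """Flag components a reviewer of a published statement would expect to see."""
    issues = []
    if split_data_used(stmt.data_used, qualifiers)[0] is None:
        issues.append("no recognised data identification qualifier")
    if stmt.result is None:
        issues.append("result scope missing: outcome of the use is not stated")
    return issues

# Constructed input: the example statement given on this page, in its short form.
PAGE_EXAMPLE = "Unlinked Pseudonymized telemetry data from app X is used by this service to improve app X's services"
```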

Data Use Statement Terminology


In addition to outlining a structure for data use statements, ISO/IEC 19944 standardizes a glossary of terminology: the actual words that, put together in the correct order, form the data use statement consistently regardless of author. The terminology is broken into two overarching categories: terms relating to Data Taxonomies (Section 8) and terms relating to Data Processing (Section 9).

Data Taxonomies


ISO/IEC 19944 identifies and describes data taxonomies, that is, the types of data being used by controllers. The vocabulary provided in Section 8 allows controllers to be specific in their disclosures of the data acquired and used.

Data Processing


ISO/IEC 19944 Section 9 considers the various types of data processing that can take place and the scopes of the processing and use (essentially what capabilities, cloud services and parties may be involved). Each clause in this section includes a list of applicable words and terms that can be used to standardize the language of Data Processing.

References
  1. ^ "ISO/IEC 19944 - Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use". www.iso.org. Retrieved 2017-08-09.