Resolution on Development of International Standards
29th International Conference of
Data Protection and Privacy Commissioners
Montreal, Canada
September 25-28, 2007
Proposer: Privacy Commissioner of Canada
Co-sponsors:
Federal Data Protection Commissioner of Germany
Belgium Privacy Commission
Berlin Data Protection and Freedom of Information Commissioner
Information and Privacy Commissioner of Ontario
Data Protection Agency, Spain
Federal Data Protection Commissioner, Switzerland
Resolution
The development of privacy-related standards for the use and deployment of
new and existing technologies has been the subject of considerable debate and
discussion within both the international standards community and the international
data protection and privacy community for the past several years. Standards
have been the subject of specific discussions at previous International Conferences,
including the 25th, 26th, and 28th International Conferences, held in Sydney,
Australia, Wroclaw, Poland and London, United Kingdom respectively.
These discussions reflect a growing recognition within the data protection
and privacy community that data protection and privacy legislation, while essential
to ensuring the protection of personal information, is not, by itself, sufficient.
International standards also have a role to play as a mechanism for assisting
parties to establish and demonstrate compliance with legal requirements of
a data protection and privacy nature.
Developing privacy-related standards for the use and deployment of new and
existing technologies should not be seen as detracting from the central role
of the respective national Data Protection and Privacy Commissions. Standards
are one way of applying technical and organizational specifications which can
translate legal requirements into concrete practices – to date, interpretation
of legislation in the context of technology standards has been done largely
without the active involvement of the data protection and privacy community.
In order to ensure consistent interpretation and compliance, this situation
must change.
With the creation of Working Group 5 (Identity Management and Privacy Technologies)
within Sub-Committee 27 (Information Technology Security), the International
Organization for Standardization (ISO) has signalled its intention to push
ahead with the development of privacy-related standards. The Working Group
has issued a call for liaison to the International Conference of Data Protection
and Privacy Commissioners (hereafter “Conference”), noting specifically “mutual
interests in the area of data protection and privacy within both organizations
and the Working Group's goal to harmonize aspects for identity management,
biometrics and privacy in the context of information technology with a set
of international standards”.
While the development of privacy-related standards[1] under
the auspices of a security-oriented group is not an ideal solution for the
data protection and privacy community, it is the structure that ISO has adopted,
at least for the time being. Responding to this approach from the standards
community by becoming more actively involved in the standards development process
is an essential step in order to ensure the development of privacy-respecting
standards.
It is also a natural extension to the work that the Conference is already
doing in consultation with privacy stakeholders from other jurisdictions at
the international level – for example, with the Organization for Economic
Cooperation and Development and the Asia-Pacific Economic Cooperation group – to
address privacy issues arising from trans-border data flows. Simply put, it
is in the best interest of both the Conference and the standards community
for the members of the Conference to develop a more cooperative, collaborative
approach to standards development.
Therefore, the Conference adopts the following Resolutions:
- The Conference wishes to support the development of effective and universally
accepted international privacy standards and will make available to ISO its
expertise for the development of such standards;
- The Conference calls on its members to become more actively involved in
the ISO standards development process via their respective national standards
development organizations;
- Given the resource limitations that many members face, the Conference calls
on its members to consider how they might best pool their knowledge and expertise
in order to make that knowledge and expertise available to ISO;
- The Conference calls on its members to consider how they might best coordinate
their contributions to the standards development process to ensure that these
contributions are consistent across the Conference membership;
- The Conference calls on its members to consider potential mechanisms for
effecting liaison with ISO on behalf of the Conference; and
- The Conference calls on its members to actively promote participation in
the ISO standards development process by other non-DPA stakeholders (such
as academics, non-government organizations and research centers) and
to encourage them to participate through their respective national standards
bodies.
[1] Standards currently under
development by the new ISO Working Group include ISO 29101 – A Privacy
Reference Architecture (best practices for consistent technical implementation
of privacy principles); ISO 29100 – A Privacy Framework (defining
privacy requirements for processing of personal information in any information
system in any jurisdiction); and ISO 24760 – A Framework for Identity
Management (framework for secure, reliable and privacy compliant management
of identity information).