ISO/IEC 15944-12:2020 pdf download – Information technology — Business operational view — Part 12: Privacy protection requirements (PPR) on information life cycle management (ILCM) and EDI of personal information (PI)

02-13-2022

3.76 Open-edi
electronic data interchange (3.41) (EDI) among multiple autonomous Persons (3.89) to accomplish an explicit shared business (3.7) goal according to Open-edi standards (3.82)
[SOURCE: ISO/IEC 14662:2010, 3.14]

3.77 Open-edi disposition
process (3.100) governing the implementation of formally approved records retention, destruction (or expungement (3.44)) or transfer of recorded information (3.110) under the control of (3.142) a Person (3.89) which are documented in a records scheduling and disposition authority(ies) or similar instrument of the organization (3.86)
Note 1 to entry: Within an organization, Open-edi disposition shall be in accordance and compliant with the applicable Open-edi records retention (OeRR) and disposal schedule (RRDS) of the organization.
[SOURCE: ISO/IEC 15944-5:2008, 3.90]

3.78 Open-edi party
OeP
Person (3.89) that participates in Open-edi (3.76)
Note 1 to entry: Often referred to generically in this and other eBusiness standards, (e.g., parts of the ISO/IEC 15944 series) as party or parties for any entity modelled as a Person as playing a role in Open-edi scenarios.
[SOURCE: ISO/IEC 14662:2010, 3.17]

3.79 Open-edi record retention
OeRR
specification of a period of time that a set of recorded information (SRI) (3.128) is required to be kept by a Person (3.89) in order to meet operational, legal, regulatory, fiscal or other requirements as specified in the external constraints (3.45) (or internal constraints (3.60)) applicable to a Person who is a party to a business transaction (3.10)
[SOURCE: ISO/IEC 15944-5:2008, 3.92]

3.91 personal information controller
PIC
organization Person (3.88) authorized and so formally designated by the organization (3.86) to ensure that personal information (3.90) remains (fully) under the control of (3.142) the organization and ensures its privacy protection transactional integrity (PPTI) (3.99) in compliance with applicable privacy protection (3.97) requirements including in any use by the organization of agents (3.2) and/or third parties (3.139) in support of a business transaction(s) (3.10)
Note 1 to entry: The primary role and responsibility pertain to and focus on ensuring that: (a) personal information remains under the control of the organization; and, (b) required ILCM aspects are implemented in a verifiable manner. A PIC also bridges the BOV-to-FSV with respect to all aspects of information handling (processing and EDI) of personal information of IT system(s) of an organization.
Note 2 to entry: A PIC has a defined set of responsibilities which can be “outsourced” should a seller decide to use an agent and/or third party based on a contractual agreement to ensure that the privacy protection requirements (rights) of the buyer as an individual are fully supported.
Note 3 to entry: An organization may authorize and designate its privacy protection officer (PPO) to also function in the role of its personal information controller (PIC).
Note 4 to entry: A privacy protection officer (PPO) is a role of an officer in an organization. It may well be that the same organization Person is assigned responsibility for more than one role within an organization including those pertaining to corporate information law compliance, responsibility for corporate internal constraints such as information/records management, security, etc.
