ISO/IEC 29100:2011 pdf download – Information technology — Security techniques — Privacy framework.
2 Terms and definitions For the purposes of this document, the following terms and definitions apply. NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000 concepts that correspond with the ISO/IEC 291 00 concepts used in this International Standard. 2.1 anonymity characteristic of information that does not permit a personally identifiable information principal to be identified directly or indirectly 2.2 anonymization process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party 2.3 anonymized data data that has been produced as the output of a personally identifiable information anonymization process 2.4 consent personally identifiable information (PII) principal’s freely given, specific and informed agreement to the processing of their PII
2.5 identifiability condition which results in a personally identifiable information (PII) principal being identified, directly or indirectly, on the basis of a given set of PII 2.6 identify establish the link between a personally identifiable information (PII) principal and PII or a set of PII 2.7 identity set of attributes which make it possible to identify the personally identifiable information principal 2.8 opt-in process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent (e.g., placing an order in an online shop). 2.9 personally identifiable information PII any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person. 2.10 PII controller privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII controller.