1、INTERNATIONA1.STANDARDISO/IEC27555editionFirst2O21-1.OInformationsecurity,cybersecurityandprivacyprotectionGuide1.inesonpersona1.1.yidentiab1.einformationde1.etionSecuritydeinformation,CybersecuriteetprotectiondeIavieprivee1.ignesdirectricesre1.ativesaIasuppressiondesinformationspersonne1.1.ementide
2、ntif1.ab1.esReferencenumberISO/IEC2755S:2O21(E)COPYRIGHTPROTECTEDDOCUMENTIS0/1EC2021IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InPSd1.Mc;GeatrOn1.fifiU81.andonnet8CH-1214Vernier,GenevaPhone:M1.22749O1.11觥曲ite:图洲跳触OQrgPub1.ishedinSwitzer1.andContentsForewordV5.3Retentionperiod45.5ArchivesAIIocationofc1.uste
3、rs7.3Standardde1.etionspecificationsidentification7.4.3Suspensionextendde1.etion13899e3ReqUIre)ents.189.3.5Transmissiondismant1.ingand199.5Requirementsregu1.arimp1.ementationfor21iiiPageIntroductionviScope1Normativereferences1Termsanddefinitions1SymbOiSandabbreviatedterms3Frameworkforde1.etion35.1 G
4、enera1.352ConStraIntS5.4 C1.ustersofP1.1.andregu1.arde1.etionperiod5.4.1Retentionperiod55.4.1 Regu1.arde1.etionperiod55.4.2 andbackupcopiesofP1.1.5.6 Standardde1.etionperiods,startingpoints,de1.etionru1.esandde1.etionc1.asses75.7 Specia1.situations7C1.ustersofP1.I86.1 Genera1.86.2 Idcntfi03Tion.9Spe
5、cif1.cationofde1.etionperiods107.1 Standardandregu1.arde1.etionperiods107.2 Regu1.arde1.etionperiodspecifications117.4 De1.etionperiodperiodforspecia1.situations7.4.1Genera1.127.4.1 Modificationofdataobjects12Needtooftheperiodofactiveuse7.4.5 Backupcopies13De1.etionc1.asses148.1 Abstractstartingpoin
6、tsabstractde1.etionru1.es148.2 Matrixofde1.etionc1.asses15Requirementsforimp1.ementation169.1 Gener21.,.169.2 ConditionsforstartingpointsoutsideITsystems181.1.1 Genera1.forimp1.ementationfororganization-wideaspects9.3.2Backup181.1.3 191.1.4 Repair,systemsdisposa1.ofsystemsandcomponents9.3.6Everydayb
7、usiness1.ife199.4 Requirementsforimp1.ementationforindiridua1.ITsystems209.6 De1.etionformanua1.processesP1.1.processor9.7 Contro1.de1.etioninspecia1.cases219.7.1 Exceptionmanagement2110Responsibi1.ities2210.1 Genera1.2210.2 Documentation23iBib1.iography25ForewordCommission)formIECspecia1.izedsystem
8、deve1.opmentofStandardization.Standardsthroughtechnica1.organizations,governmenta1.andnon-governmenta1.,in1.iaisonwithISOandIECra1.sotakepartintheneededdescnbedtheindifTerentISO1.ECDirectives,Partshou1.dparticu1.ar.Thisdocumen1.inAttentiondrawn1.S0andpossibi1.itythatsomeOfresponsib1.eforofidentifyj1
9、1ganymaya1.1.suchsubject1.istofpatentdec1.arationsreceived(seepatents.iec.ch).expressionsexp1.anationtoconformityassessment,standards,informationaboutSpecificadherenceandSubcommitteeSCwasInformationsecurity,CyhersecwntyCommitteeISO/1.ECprotection.Informationtechno1.ogy,O/IEC2021-A1.1.nghtsreservedIS
10、O(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.membersofISOtheparticipateintheforwor1.dwideInternationa1.Nationa1.bodiesarccommitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfi
11、e1.dsofmutua1.interest.Otherinternationa1.work.Theproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceareforthetypesofdocument1.Inbenoted,thedifferentwascriteriaacwdaneeWiIhMedikri1.门心oCht!ISO/IECDirectives,Part2(seewww.iso.org/directivesorwww.iec.ch/members-experts/refdocs).
12、vOfpatentrights.totheIECsha1.1.notbehe1.dthee1.ementsthisdocumentorbethepatentrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentofe4kM:Umen1.wi1.1.theIntroductionand/orontheISO1.istofpatentd1.artionsreceived(seewww.iso.org/patents)ortheIECAnytradenameusedinthisdocumentisinformationgiven
13、fortheconvenienceofusersanddoesnotconstituteanendorsementForanre1.atedofthevo1.untarynatureofwe1.1.themeaningofISO1.SO,stermstothWoHd丁Fadg。悖相a由HNwTO)princip1.esMfheTeCbng1.Baie111d。(丁BT)seewww.iso.org/iso/fdrcword.htm1.IntheIEC,seewsvw.iec.ch/undcrstanding-s1.andards.Thisdocument27,preparedbyJointTe
14、chnica1.andprivacyrJTCI1Anyfeedbackorquestionsonthisdocumentshou1.dIp1.ete1.istingof.IntroductionManyfunctiona1.processesandITapp1.icationsusepersona1.1.yidentifiab1.einformation(PU),whichisMbjcctnotHnninerttonipiif1.crdpm)visionsnea(idsin)HindbQqiiiisaThd.1.etedo(ri0anpptqirtaie(idRmeT9nsum】thatreq
15、uireorganizationstofu1.fi1.therightsofP1.1.principa1.s,suchastherighttoobtainerasure(tobeforgotten).1SOIEC29100definesprincip1.esof*dataminimization”and“use.retentionanddisc1.osure1.imitationforP)1.,whichcanbeenforcedusingde1.etionasasecuritycontro1.PHde1.etionrequiresasetofcarefu1.1.ydesigned,c1.ea
16、randeasi1.yunderstoodde1.etionru1.es,embodyingappropriateretentionperiodsthatsatisfythedemandsofmu1.tip1.estakeho1.ders.Theseru1.esshou1.dMMfformcM也加P收出欣贻弓胆dorigi晒j网fr三,G能耐出柳actH8也%cnsU用K跖胞心ISO/IEC2021-A1.1.rightsreserved9.5 De1.etioninregu1.armanua1.processessystems.withinHsomcaningsomedocument.sit
17、uationsinwhichde1.etioncannotbedeterminedbyde1.etionperiodsStoredappropriatec1.usterpurposeExamp1.esofcreditc1.ustersstatements.persona1.fi1.eskept9.6 Requirementsforimp1.ementationforPIIprocessorregu1.arde1.etionperiodsforitsownsetsofPU,whichareprocessedbythecontractedPI1.processor.provideforde1.et
18、ion,forexamp1.ebytheinc1.usionofde1.etionru1.esincontractua1.documentation;provideproofofde1.etion;9.7 Contro1.de1.etioninspecia1.cases9.7.1 ExceptionmanagementEXAMP1.ESfbrDe1.etionuses;C1.ustersstoppedbecausearerequirederrors;piesbyorderfomexterna1.authorities;timeframe.Thefo1.1.owingframeworkoutsi
19、debeUSedrCgU1.arprocesses,statingde1.etedinanappropriate apersonresponsib1.eforhand1.ingoftheexceptionshou1.dheappointed;NOTE1.ega1.requirementscan1.imitthede1.ayofChede1.etionoftheP1.1.re1.atedtotheexemption. informationonterminationprivacyexception,theorganizationshou1.dbeinvo1.vedinapprova1.andde
20、1.etionresponsib1.eorganizationa1.unitoverviewisfeedback,ensuredrreturninstanceregu1.aroperationortheISO/IEC2021-A1.1.rightsreservedTheindividua1.measuresapp1.ytosetsOfPIInotinc1.udedinorganization-vrideaspectsorindividua1.ITdeIetionruIesTheycantheinc1.udeofthisspecia1.PIIarcpart1.ya1.sousedinregu1.
21、armanua1.processes.ThesePIIshou1.da1.sobede1.etedwithintheregu1.arpaperfi1.esoftheonServerfortheofPU.ofCheckingsuchcardofP1.iareItisadvisab1.etospecifythecorrespondingtasksinworkinstructionsfortheprocessesconcerned.1.ega1.requirementscanexistwhicha1.somaketheP1.1.contro1.1.erresponsib1.eforcomp1.ian
22、cewiththeTheP1.1.contro1.1.ershou1.drequiretheP1.1.processor,whereapp1.icab1.e,to: makeavai1.ab1.eprocedura1.documentationforde1.etion; provideprooforretainevidenceofthedisposa1.ofstoragemedia.A1.1.deviationsfromregu1.arde1.etionperiods(referredtoasexceptions)whichtakeeffectononeororganization,ofP1.
23、1.shou1.dbemanaged,forexamp1.eusingthechangemanagementsystemofthearerequiredSpeda1.runsthatareOfPIIwhichofsystemtobekeptofP1.1.theregu1.aroperationde1.etionmeasuresarenotimp1.ementedandre1.easedasschedu1.ed.A1.1.suchsetsofPU,whichusedmaythetoensurethisbyshou1.dbethat: anexceptionshou1.dbep1.anned,do
24、cumentedandapproved; thetimeperiodforwhichtheexceptionisgrantedshou1.dbeIinntcd; theexceptionp1.anshou1.dcontainanenddateWhCnreturntoregu1.arde1.etionperiodsisachieved;thepersoninchargeofofthemattersofForthepurposeOfkeepingtrackoftheexceptions,itisusefu1.tomaintainanoverviewofexceptions.Aftertheshou
25、1.ddocumented.IfthishasgivenItsa1.readythefortobythedesignofchangemanagement,thenfurthermeasuresarepossib1.ynotrequired.9.7.2FurthersetsofPIISetsofPIIforwhichnoregu1.arprocesseshavebeenimp1.ementedgenera1.1.yresu1.tfromspecia1.Ck1.etthgiRJKantioubndnthythinedohjstwteianWThru1.arMetedeSOOfSiddjnRdySi
26、ngnu1.arprocessesimp1.ementedaccordingtothepo1.iciesandproceduresforde1.etionwhereitisneitherusefu1.norappropriatetoa1.1.ocatethemtoade1.etionc1.ass.Examp1.esofsuchsetsofPIIinc1.ude: setsofPIIwhicharenotde1.etedbyregu1.arprocesses,forinstanceinconnectionwithmigrations; 11fidtfi用SWIWhafterhaVe浜1.M*Vt
27、rtSbytheregu1.arprocessesduetoerrorsinthede1.etion setsofPIIwhich,accordingtothere1.evant1.ega1.requirements,anewPIIcontro1.1.erisnota1.1.owed战din业E枭RRaqhhCRVft解血IIIRaFS1.*WP1咒oHcr;sp1.it-uporwhichwou1.dhavetobe setsofP1.Iwhicharenotpermittedtoremainonthesystemsafteradisasterrecoveryexercise.W岫瓢晒屈fi
28、neMricspecifkpo牌超姐帆颇皿生的崛面wM靛8i的曲ng:SitUatiOn.The whoisob1.igedtode1.etesuchsetsofPU; considerationofapp1.icab1.e1.egis1.ationandrequirementsofcompetentauthorities; whoneedstobeinformedifsuchsetsofP1.1.areidentified; howthetasksarecontro1.1.edanddocumented,e.g.viachangemanagement.ITsystemsandprocesse
29、sshou1.dthereforeofferthemechanismsrequiredtode1.etethesesetsofP1.1.withinthenecessarytime1.ines.IfnoothermechanismsareprovidedbyanITsystem,asanoption,thedfffWrff1.RWfJfeh9)rmWWftVfered.systemadministrative1.eve1.Inaworst-casescenario,aSpecificinstructionstoreso1.vetheissueswithsuchfurthersetsofPIIs
30、hou1.dbedocumented,aswe1.1.astheexecution,forinstancewithintheframeworkofanexistingchangemanagement.NOTE1.ega1.requirementscana1.1.owP1.1.contro1.1.erstorestrictP1.1.processinginsteadofde1.etion.IftheP1.1.contro1.1.erstoresP1.1.inamannerincontraventionofthere1.evant1.ega1.requirements,measuresshou1.
31、dbeimp1.ementedtode1.etethatP1.1.assoonaspossib1.e.There1.evant1.ega1.requirementscanrequirede1.etionmeasurestobetakenimmediate1.y.IfaPI1.principa1.fi1.esarequestforde1.etioninaccordancewiththere1.evant1.ega1.requirements,thentheP1.1.concerneda1.soneedstobede1.eted.10Responsibi1.ities10.1 Genera1.In
32、thepo1.iciesandproceduresforde1.etion,theP1.1.contro1.1.ershou1.dspecifytheresponsibi1.itiesfortheindividua1.tasks.Thisshou1.dinc1.udeadefinitionoftheoperationa1.Stnictureforde1.etion.Theoperationa1.andorganizationa1.structuresshou1.dbestructuredandimp1.ementedsystematica1.1.yand,whereappropriate,em
33、beddedintoexistingorganizationa1.structures.22A1.Itbeirtiof)M(riiscswhd1.prucMhfttBthtirdutetionHThispsbcHte4vcdprivacymattersasappropriate.TheP1.Icontro1.1.ershou1.ddocument: thede1.etionru1.ecata1.ogueinc1.udingrationa1.eforc1.usteringPU,de1.etionperiods,de1.etionc1.assesandde1.etionru1.es; requir
34、ementsforimp1.ementation,inc1.udingimp1.ementationmeasures; auditp1.ans.TheP1.1.Contro1.1.ershou1.dassigntheresponsibi1.itiesfor:一theidentificationandde1.etionofPU; maintenanceandre1.easeofthedocuments.TheP1.1.contro1.1.ershou1.dputinp1.acemeasuresforde1.etion.TheP1.1.contro1.1.ershou1.dauditonaregu
35、1.arbasis(seea1.soFigure4)thede1.etionmeasuresof: theITsystem; organization-wideaspects; manua1.processes; P1.1.processors.Whereappropriate,theP1.1.contro1.1.ermayinstructtheP1.1.processorsinhigh-1.eve1.terms,requiringtheprocessortoreso1.vesomeora1.1.oftheissuesidentified.10.2 DocumentationThepo1.iciesandproceduresforde1.etionshou1.ddocumentro1.esandresponsibi1.itiesfor: thedefinitionofthede1.etionru1.es; theconsistencyoftheseru1.esacrosstheorganization; theimp1.ementation,checkin
