The new privacy standard highlights the importance of looking beyond Australian law when approaching privacy compliance and the management of personal information. Privacy laws are moving towards a global standard, and Australian organisations should bear this in mind when considering how they will comply locally.
Last year the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701 (ISO 27701), a privacy extension to the well-known security standards set out in ISO/IEC 27001 (ISO 27001) and ISO/IEC 27002. The standard provides specific guidance on establishing, implementing and maintaining a Privacy Information Management System (PIMS) within the organisation, expanding on the Information Security Management System (ISMS) defined in ISO 27001.
What are the new privacy standards?
ISO 27701 sets out requirements for organisations that are implementing privacy protections for the processing of Personally Identifiable Information (PII) (in Australia, referred to as 'personal information'). These requirements apply to organisations of all sizes and types that process PII within an ISMS.
ISO 27701 sets out requirements that are specific to both controllers and processors. Therefore, an organisation must determine whether it is a controller or a processor (or both), and understand the specific requirements applicable to that role.
The terms 'processor' and 'controller' are not used in Australian privacy law, but are found in the European General Data Protection Regulation (GDPR). Article 4 of the GDPR defines a 'controller' as an entity that 'determines the purposes and means of the processing of personal data'. A 'processor', on the other hand, is an entity that 'processes personal data on behalf of the controller'.
What does this mean for Australian organisations?
In light of the increasing global trend towards regulating the handling of data, organisations should consider investing in policies and procedures that align with both Australian and key overseas privacy regimes. The new ISO standard will assist organisations in meeting privacy-specific requirements, irrespective of the jurisdictions in which they operate. Australian organisations may look to become ISO 27701 certified to demonstrate such compliance, and might also consider requesting evidence of compliance or certification from their vendors (particularly where those vendors process a high volume of personal information).
Organisations wishing to pursue ISO 27701 certification must first gain certification to ISO 27001, as the standards are intended to complement each other.
Given that it adopts terminology from the GDPR (in particular, 'controller' and 'processor'), ISO 27701 helpfully includes a mapping to the GDPR, so that the requirements of the standard and of the GDPR can be read alongside each other. At a minimum, Australian organisations should become familiar with the concepts of 'controller' and 'processor', so as to understand their own role in the handling of personal information.
What next?
Dr Andreas Wolf (Chair of the ISO/IEC technical committee that developed the standard) stated that, as almost every organisation processes personal information, protecting it is not only a legal requirement but also a societal need. Generally, certification to ISO standards has been used by organisations as a point of differentiation. It will be interesting to see whether certification to emerging privacy standards becomes the norm rather than the exception, in light of evolving community expectations and increasing regulatory focus on privacy and the protection of data.
Please contact our team if you would like further guidance on the requirements of ISO 27701.