ISO/IEC 5212:2024

International
Standard
ISO/IEC 5212
First edition
Information technology — Data
2024-04
usage — Guidance for data usage
Technologies de l'information — Utilisation des données —
Recommandations pour l'utilisation des données
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 1
5 Introduction to data usage . 1
5.1 Overview .1
5.1.1 The context of data usage .1
5.1.2 Data process .2
5.1.3 Data environment .3
5.2 Preparing for data usage .5
5.3 Applications for this document . .6
6 Preparing the data environment for use, sharing and exchange of data . 7
6.1 Overview .7
6.2 Overview of organizational readiness and capability .7
6.2.1 General .7
6.2.2 Understanding the organization and the data context .7
6.2.3 Identifying uses of data .7
6.2.4 Data strategy within the organization .8
6.2.5 Data policy .8
6.2.6 Leadership and commitment .8
6.2.7 Organizational roles and responsibilities .9
6.2.8 Competence .9
6.2.9 Awareness .9
6.2.10 Tools and resources .9
6.2.11 Data sharing and exchange protocols . .10
6.2.12 Data documentation .10
6.3 Data systems .10
6.4 Data modelling and data design .10
6.5 Data acquisition .10
6.6 Data storage .11
6.7 Data preparation .11
7 Guidance for the use, sharing and exchange of data .12
7.1 Overview . 12
7.2 Data risk management . 13
7.2.1 General . 13
7.2.2 Risk management in the data environment . 13
7.2.3 Classifying data and data set information .14
7.2.4 Data attributes .14
7.2.5 Data process and the data environment .14
7.3 Managing data usage . 15
7.3.1 General . 15
7.3.2 Establishing a data catalogue or metadata registry . 15
7.3.3 Data quality, sensitivity and security .16
7.3.4 Privacy protection requirements .18
7.3.5 Personal information . .18
7.3.6 PII .19
8 Data use, exchange and sharing .20
8.1 Overview . 20
8.2 Data use. 20
8.3 Data exchange . 20

© ISO/IEC 2024 – All rights reserved
iii
8.4 Data sharing .21
8.4.1 General .21
8.4.2 Data sharing within an organization . 22
8.4.3 Data sharing between organizations . 22
8.4.4 Identifying data sharing parties . 23
8.4.5 Data sharing agreements (DSA) . 23
8.5 Publishing data . 25
8.5.1 General . 25
8.5.2 Considerations in publishing data . 25
9 Post data usage considerations .26
9.1 General . 26
9.2 Establishing a process for post data usage . 26
9.3 Archiving data . . 26
9.3.1 Overview . 26
9.3.2 Storage media for data archival . 26
9.3.3 Policies and procedures for archival .27
9.4 Deleting data .27
9.5 Reactivating data .27
Bibliography .28

© ISO/IEC 2024 – All rights reserved
iv
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 32, Data management and interchange.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2024 – All rights reserved
v
Introduction
This document is a high level, principles-based advisory International Standard. It sets out a framework
of two elements with the relevant concepts, that can be referenced by organizations, persons and systems
that use data. The framework and concepts outlined in this standard should be read in conjunction with the
terms and definitions contained in ISO/IEC 5207.
Organizations of all types (including commercial enterprises, government agencies, not-for-profit
organizations), sizes and purposes depend on the use of data for day-to-day business operations and are
increasingly reliant on data dependent systems such as information technology management, cloud
computing, big data, Internet of Things, and artificial intelligence.
There are numerous approaches to data usage, from the most complex which includes highly sensitive,
personal or confidential information to the least sophisticated data capture systems. Within each data
usage scenario, there are different approaches to system integrity, data quality, data user capabilities, and
organizational governance.
This document has been prepared using a principles-based approach to encourage organizations to implement
data governance to manage risks at each stage of data use, exchange or sharing. This approach supports
organizations seeking greater value, knowledge and insights from data while providing a framework for
data users. As data are essential to a broad range of roles within an organization, it is imperative that all
users have a fundamental understanding of data use to ensure appropriate data management. There is a risk
that as the use of data is ubiquitous within organizations, users without appropriate knowledge, context and
expertise can inadvertently lead to incorrect data usage.
The sharing or exchange of data can involve multiple individuals, systems or organizations with different
processes and procedures. Furthermore, each entity involved in the sharing or exchange of data can
have different approaches to security, privacy, data sensitivity or legal considerations. While data usage
activities can be managed under different governance arrangements such as a formal contract or data
sharing agreement, there are many steps involved in data usage that may not be formalized. This document
uses a risk identification and management methodology which can be considered by any data user, be
they an individual or organization. There can be an advantage for organizations operating with existing
data or technology governance processes, such as those outlined in International Standards related to the
governance of information technology, such as ISO/IEC 38500 or ISO/IEC 38505-1.
In addition, organizations can consider the suitability of IT systems, security and storage requirements
to support governance capabilities which are addressed within ISO/IEC 27001, ISO/IEC 27701 and
ISO/IEC 27040.
© ISO/IEC 2024 – All rights reserved
vi
International Standard ISO/IEC 5212:2024(en)
Information technology — Data usage — Guidance for data usage
1 Scope
This document provides high-level guidance to data users, whether organizations or individuals, to assist in
realizing the benefits from data usage while managing risks.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 5207, Information technology — Data usage — Terminology and use cases
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 5207 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
4 Abbreviated terms
DLO data level objective
DQO data quality objective
DSA data sharing agreement
IoT internet of things
PII personally identifiable information
SLA service level agreement
SLO service level objective
5 Introduction to data usage
5.1 Overview
5.1.1 The context of data usage
Data usage is any activity involving data. This includes the use, sharing and exchange of data that can occur
across entities of all types, sizes, and purposes. The decision-making process around data usage requires
the identification of:
— the decision to use, exchange or share data;

© ISO/IEC 2024 – All rights reserved
— the purpose for data use, exchange or sharing;
— details about the data itself including its characteristics, quality, security, and privacy;
— pathways to use, share and exchange data and the alternatives;
— acceptable risks in using, sharing, or exchanging data;
— mitigation measures for risks;
— authorization steps required;
— the policies, processes, procedures, or instruments required to provide predictability and reliability
around data usage activities.
Identifying these characteristics can be complex particularly when data use is ubiquitous in an organization,
or when there are multiple parties, or informal data sharing arrangements. This document proposes two
perspectives to assist organizations to identify and mitigate data project risks and opportunities being:
a) the data process within the organization or between or among organizations or entities when sharing
or exchanging data, using the data lifecycle as a framework;
b) the data environment to assess the surroundings or conditions which can be consequential.
These two elements are the core components in developing a data usage framework which provides
the structure for organizations to understand the characteristics of any entity in possession of the data.
Each component within the data usage framework should be captured within the metadata description.
Understanding the data process, the data environment and developing a data usage framework can assist
organizations with benefits including:
— identifying risks to the data management process and opportunities for corrective actions;
— identifying opportunities to standardize identical data processes;
— increasing value capture from data through improved usage practices;
— ensuring that all entities have a common understanding of the data through well documented metadata.
5.1.2 Data process
The data process can be assessed using the data lifecycle as a framework to identify the steps involved in
data usage. This can assist organizations in better understanding their data processes and identify areas
of greater risk or opportunity. There are many iterations of the data lifecycle and organizations can find
it useful to develop a data lifecycle map for each data project to identify data usage activities and related
changes to the data characteristics. See Figure 1 as an example of a data lifecycle and the maturity of data at
each stage.
Figure 1 — Data lifecycle
For more information on data lifecycle frameworks for projects related to the development and use of AI
systems, see ISO/IEC 8183.
Organizations can apply a multi-layered data lifecycle where steps within the process occur within other
entities to recognize data movement beyond organizational boundaries. Data management policies
and procedures should consider how these apply to other entities to maintain a consistent and shared

© ISO/IEC 2024 – All rights reserved
understanding of data management processes and where these occur, as shown in the example in Figure 2.
For example, organizations that operate within a specified jurisdiction with data required to be retained,
stored and used within the same location. The addition of cloud computing in a different jurisdiction may
require specification within cloud service (or storage) agreements to address jurisdiction-based operational
expectations.
Figure 2 — Third parties and the data lifecycle
Each of the steps in the data life cycle can be considered as distinct elements however, this does not recognize
the interconnected nature of data, or the ability of data to persist in perpetuity. Therefore, decisions at
each stage of the data life cycle should consider the preceding and following stages, while risk mitigation
measures need to extend beyond the immediate stage to explore potential risks carried forward. This is
important for any action that changes the data including:
— expanding or refining the data set through the ongoing acquisition of data;
— data preparation including cleaning, decryption, transformation, data translation, representation, etc.;
— data analysis;
— exchange of data via other entities;
— sharing data;
— combining data.
The ubiquitous nature of data collection has resulted in large data sets and big data in parallel with
increasing levels of data complexity. Data subjects can be far removed from the data users, who themselves
can operate in disassociated and distinct parts of the data life cycle. Risk mitigation measures may require
ensuring that each data user is aware of the risks preceding and following their immediate area of data
use, in addition to understanding the overall data project objective including related privacy, security, and
sensitivity and other fitness-for-purpose considerations. These risks need to be managed effectively to
avoid high compliance costs, data breaches, non-compliance, or reputational damage. Without a framework
to consider these issues, organizations can avoid sharing or exchanging data, failing to realize the value
derived from data driven insights and knowledge. Preparing data users and systems appropriately is part of
managing the data environment.
5.1.3 Data environment
The data environment relates to the surroundings or conditions that can influence the data usage outcomes.
The data environment is important in considering the decision-making process related to data usage. The
data environment can include but is not limited to the components outlined in Figure 3.

© ISO/IEC 2024 – All rights reserved
Figure 3 — The data environment
Organizations should consider each of these in the context of whether each component is:
— competent;
— structured and resourced;
— defined, understood, and agreed among all parties;
— enabled with appropriate issues awareness and access to remediation avenues;
— appropriately considered with regards to responsible use, misuse, and corruption;
— documented under an appropriate governance framework.
For example, the people or data users operating in the data environment can affect the data quality, safety,
security or value of the data through their actions. Therefore, organizations should ensure that data users
are appropriately trained and have a common understanding of the data usage task.
Organizations who are sharing or exchanging data should consider the data environment related to each
entity and whether there are material differences that can affect the data project outcomes, risks or
opportunities. This can include documenting:
— the entities or organizations holding or using the data;
— the people, users, or systems within each entity;
— the data project including objective, outcomes and expectations;
— the data management and security processes;
— the data outputs.
Each of these components presents a decision-making situation for organizations which can warrant an
assessment of the risks and opportunities within each one. This can be important when entities, which
are fundamentally different, share data. Each entity should consider the comparability in each component

© ISO/IEC 2024 – All rights reserved
particularly with regards to risk appetite, governance processes, internal and external accountability and
data project expectations.
By considering both the data process and the data environment, organizations can identify where there are
potential vulnerabilities across all data usage activities.
To support responsible data usage, entities should consider the existing data environment including legacy
data, governance, competency and processes and undertake any necessary steps in preparing for data usage.
5.2 Preparing for data usage
Good data governance is important in data sharing, exchange and use. Organizations with good data
governance processes can have an advantage in data project management, enabling greater value capture
and effectively mitigating risks. Table 1 provides an overview of the data usage environment and the aspects
that organizations should consider prior to undertaking data use, sharing and exchange.
Table 1 — Preparing for data usage
Pre data use, sharing and ex- Data use, sharing and exchange Post data sharing,
change preparation exchange, and use
considerations
Organizational capability Recorded information about the data Archived data
— policies — data catalogue and metadata — security
— procedures
Defined data context for users Data transmission or receiving Deleted data
Data management system Data systems operation
Data user capability Data accessibility, security and privacy
Data acquisition Purpose of data use, sharing or exchange
— data capture — outcomes
— primary data — risks
— secondary data — sensitivities
— externally acquired data — privacy concerns
— compliance considerations
— data subjects and stakeholders
— data user processes
Data preparation including: Data use including:
— representation — access
— decryption — observation
— de-identification — interpretation
— cleaning — analysis
— normalizing — event detection
— transforming — event detection response
— labelling — consolidation, collation
— enrichment — recording
— integrity verification — creating data products
— updating metadata
© ISO/IEC 2024 – All rights reserved
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre data use, sharing and ex- Data use, sharing and exchange Post data sharing,
change preparation exchange, and use
considerations
Data storage Data exchange
— access platforms — storage
— safety and security — access
provisions
— transferring
— business continuity
— archiving
plans
Other data entities and parties Data sharing
— specific access
— group access
— public access
— open access, publication
Data use conclusion
— selective archiving, data removal
— deleting
— destroying
5.3 Applications for this document
This document provides a framework for organizations to support the development of data use systems,
tailored to their specific circumstances. It provides guidance for any data user undertaking their own risk
assessment using the data life cycle as a framework. This document involves both data management and
data governance for all data users. This can include data sharing or exchange between multiple platforms or
entities, or the sharing of data across public domains.
This document also provides guidance to those advising, informing or assisting governing bodies which can
include:
— public officers;
— board members and senior executives;
— members of data management teams within an organization;
— advisory boards;
— external business or technical specialists, retail or industrial associations or professional bodies;
— internal and external service providers (including consultants);
— auditors.
The guidance set out in this document is generic and intended to be applicable to all entities regardless of
type, size or nature. This document provides guidance to organizations and individuals who use, analyse, or
share data through a framework for data usage.
Organizations seeking additional guidance on data and information management systems can reference
ISO/IEC 38500 and ISO/IEC 38505-1.

© ISO/IEC 2024 – All rights reserved
6 Preparing the data environment for use, sharing and exchange of data
6.1 Overview
In preparing to use, share or exchange data, organizations should consider the data environment within the
organization. Organizations should prepare for data usage by developing the capability of people within the
organization as well as establishing documented and reliable data procedures which operate under a robust
data governance framework. This clause provides guidance for organizations to support a strong foundation
for proficient data use, sharing and exchange. The basis for both the data environment, procedures and
governance is to examine and prepare the organization’s competence in terms of people, systems and data
preparation.
6.2 Overview of organizational readiness and capability
6.2.1 General
Organizations increasingly require access to vast quantities of high-quality data to support digital
transformation activities, increase operational efficiency and develop enhanced knowledge and insights.
To support data related activities all entities should consider their organizational readiness, operational
and system capabilities, governance, and general data competency. All data users within an organization
should have a fundamental level of understanding of the data types, quality, use, and processes. Key to this
is operating under a sound governance framework that supports the appropriate competence and measures
regarding security, privacy and data sensitivity.
6.2.2 Understanding the organization and the data context
The organization should determine the intended use of data including:
a) the purposes for which data are used;
b) the parties involved in the data process including data subjects (stakeholders and beneficiaries);
c) data attributes such as data volume, data format, data categories, etc;
d) the alignment of interests and benefits arising from data usage
e) the sensitivity of data sets;
f) data privacy or security requirements that can be applicable to other entities, such as a different
department within the organization or entity, functional units (for example from accounting to legal), or
to external entities;
g) the property right of data such as data ownership;
h) the data users;
i) data systems including operating platforms, electronic data interchange (EDI), machine learning or
artificial intelligence systems;
j) the data stakeholders including, but not limited to data subjects;
k) policies and procedures relevant to data usage by the entity;
l) legal, regulatory, and contractual obligations that relate to the entity’s data usage.
6.2.3 Identifying uses of data
Data can be used in many ways by an entity. This document provides guidance to assist organizations in
understanding the full breadth of data usage, beyond what has been previously considered within specific
data processes. Data usage can include several data related activities that have not been subject to a risk-

© ISO/IEC 2024 – All rights reserved
based analysis to quantify the potential risk associated with each action. For example, the following are
examples of data usage:
— for analysis: tallying, visualising, describing, diagnosing, showing relationships, predicting or modelling;
— for event detection: monitoring, alerting;
— to trigger actions: based on thresholds or as a consequence of event detection;
— for historical record: observing, recording and archiving;
— storage: files for photos, videos, programs, other recordings, presentations or spreadsheets;
— to create data products: copies, aggregates, subsets, perturbed versions, insights or outputs in other
formats (e.g. printing of digital documents;)
— in transmission: broadcasting, transferring or connecting;
— deletion: destruction or rendering data inaccessible to the current entity.
Organizations should consider whether existing data practices and data sets are consistent with current
governance expectations. For example, data collected prior to relevant personal privacy protections cannot
be considered complaint, particularly if mass collection methods such as scraping have been used. These
legacy processes and systems can be problematic when data are used, shared and exchanged as, combined
with other data, data subjects can be identified. Organizations should consider whether reusing data
warrants additional risk management measures particularly if the insights from the data project are to be
published.
6.2.4 Data strategy within the organization
To effectively use, exchange and share data, organizations should develop a coherent and company wide
data usage strategy. Central to this is the development of data capability across the organization, beyond a
delegated role or area of responsibility such as a responsible data officer. The data strategy should encompass
protective capabilities to understand sensitivities and opportunistic capabilities to capture value.
6.2.5 Data policy
Entities that use data should establish a data usage policy that:
— is appropriate for the entity;
— references data usage processes and procedures;
— recognizes the relevant jurisdictional and other legal obligations applicable to the entity;
— encourages the effective, safe, and responsible use of data;
— considers the ethical aspects of data usage for stakeholders and particularly data subjects;
— recognizes the value of data;
— is accessible to all actual or potential data users.
6.2.6 Leadership and commitment
Data processes, procedures and opportunities should be documented and understood by all data users in the
organization. The effective, safe, and responsible use of data is a principle that should be upheld at all levels
of the organization, beginning with the board or group with external accountability for strategic oversight.
Data issues should be managed by leadership with relevant issues reported at board level or equivalent.

© ISO/IEC 2024 – All rights reserved
6.2.7 Organizational roles and responsibilities
The organization should ensure that all data user roles within the entity follow:
— the appropriate qualifications and experience level;
— the organization’s data usage policy;
— this document.
6.2.8 Competence
The organization should:
— determine the necessary competence of individuals acting as data users;
— ensure that the required competence is specified within terms of engagement such as contracts (including
but not limited to employment contracts);
— ensure competence requirements are included as appropriate in induction;
— implement a framework that identifies data sensitivity and security levels in association with the
relevant processes and users;
— ensure that data users who have access to all levels of data (for example IT personnel or data scientists)
are appropriately qualified, inducted and appraised of any relevant data sensitivity or security
considerations;
— undertake periodic assessments as required to ensure the appropriate level of competence is maintained;
— operate a system to maintain competency in response to changes in the data usage environment.
6.2.9 Awareness
The organization should ensure that individuals, either employees or third parties responsible for data, are
aware of and have the necessary skills and knowledge to action:
— the organization’s data policies and processes;
— the requirements, including competence, for data users;
— governance requirements related to data exchange and sharing;
— the implications of non-compliance with the organizations data policy.
6.2.10 Tools and resources
The organization should ensure the appropriate resources are made available for data usage including:
— platforms that enable data sharing and data exchange;
— data system security provisions as required by the data policy and jurisdictional or legislative
requirements.
The tools and resources used should be reliable with the appropriate means of continuity of service,
redundancy and back-up to ensure that they do not compromise the level of data integrity, completeness and
reliability.
© ISO/IEC 2024 – All rights reserved
6.2.11 Data sharing and exchange protocols
The organization should develop explicit protocols for data sharing and exchange with all sharing, and
exchange activities operating under a framework that provides clarity around:
— Operational authority for data users;
— Approved platforms and systems for data exchange;
— Data representation and quality expectations for each data sharing or exchange project;
— Approval frameworks for external data exchange or sharing entities.
6.2.12 Data documentation
The organization should develop a data documentation system to ensure the way data are catalogued
is consistent across the organization. A shared understanding of all data is vital to ensure data users
operate in a consistent and predicable manner. In most organizations this involves the development of a
data catalogue at the simplest level or a metadata registry to appropriately structure data about all data.
Metadata registries are vital to tracking all changes related to data and can be useful in the event of a data
breach or incident.
6.3 Data systems
The data systems applicable to a data project can be continuous or connected directly or indirectly.
Organizations should consider all systems involved in data exchange (access, transmission, storage and
archive) to ensure data integrity and provenance are not compromised, including where the data exchange
takes place beyond the organization. This can include systems that operate actively undertaking analysis or
exchanging data or passively by providing data storage and can include:
— cloud computing;
— electronic data interchange (EDI);
— third party processing.
Data systems should enable all data exchange to be recorded in a transaction log, data catalogue or metadata
registry.
6.4 Data modelling and data design
An important step in understanding data is to model the data and the relationships among individual data
elements. Such modelling also aids in the design of databases and other data stores used to store the data.
The corresponding metadata should be captured during this process. In many data processing systems, the
data modelling and data design processes precede the
...