Information technology — Cloud computing — Cloud services and devices: Data flow, data categories and data use

ISO/IEC 19944:2017 - extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services, - describes the various types of data flowing within the devices and cloud computing ecosystem, - describes the impact of connected devices on the data that flow within the cloud computing ecosystem, - describes flows of data between cloud services, cloud service customers and cloud service users, - provides foundational concepts, including a data taxonomy, and - identifies the categories of data that flow across the cloud service customer devices and cloud services. ISO/IEC 19944:2017 is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of data flows between devices and cloud services.

Technologies de l'information — Informatique en nuage — Services et dispositifs en nuage : Débits, catégories et utilisation des données

General Information

Status
Withdrawn
Publication Date
25-Sep-2017
Withdrawal Date
25-Sep-2017
Current Stage
9599 - Withdrawal of International Standard
Completion Date
26-Oct-2020
Ref Project

Relations

Buy Standard

Standard
ISO/IEC 19944:2017 - Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use
English language
42 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 19944
First edition
2017-09
Information technology — Cloud
computing — Cloud services and
devices: Data flow, data categories and
data use
Technologies de l'information — Informatique en nuage — Services
et dispositifs en nuage : Débits, catégories et utilisation des données
Reference number
ISO/IEC 19944:2017(E)
©
ISO/IEC 2017

---------------------- Page: 1 ----------------------
ISO/IEC 19944:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 19944:2017(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 4
5 Structure of this document . 5
6 Overview of devices and cloud services ecosystems . 5
6.1 Background and context — Impact of devices and personalized cloud services . 5
6.2 Ecosystem of devices and cloud services . 6
6.3 Devices and multiple user sub-roles . 7
6.3.1 General. 7
6.3.2 Bring your own device (BYOD) . 8
7 Extending the CCRA to the devices and cloud services ecosystem .9
7.1 Overview . 9
7.2 Personal and organizational environments . 9
7.3 Device impact on the CCRA: User view .10
7.3.1 Cloud service provider . .10
7.3.2 Cloud service customer .11
7.4 Device impact on the CCRA: Functional view .11
7.4.1 General.11
7.4.2 Functional components in the functional view .12
7.4.3 Functional view: Data flows .14
8 Data taxonomy .16
8.1 Overview .16
8.2 Data categories .16
8.2.1 General.16
8.2.2 Customer content data .17
8.2.3 Derived data .18
8.2.4 Cloud service provider data .21
8.2.5 Account data .21
8.3 Data identification qualifiers .21
8.3.1 General.21
8.3.2 Identified data .22
8.3.3 Pseudonymized data .22
8.3.4 Unlinked pseudonymized data .22
8.3.5 Anonymized data .22
8.3.6 Aggregated data .22
9 Data processing and use categories .22
9.1 Overview .22
9.2 Data processing categories .23
9.2.1 General.23
9.2.2 Data partitioning .23
9.2.3 Data integration .23
9.2.4 Data fusion .24
9.2.5 Data improvement .24
9.2.6 Encryption .24
9.2.7 Replication .24
9.2.8 Data Deletion . . .24
9.2.9 Re-identification .25
9.3 Data use categories .25
© ISO/IEC 2017 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 19944:2017(E)

9.3.1 General.25
9.3.2 Provide .26
9.3.3 Improve .26
9.3.4 Personalize .27
9.3.5 Offer upgrades or upsell .27
9.3.6 Market/advertise/promote .27
9.3.7 Share .28
9.4 Scopes: Boundaries of collection and use of data .29
9.4.1 Scope concepts .29
9.4.2 Scope types .29
10 Data use statements .31
10.1 Overview .31
10.2 Data use statement structure .32
10.2.1 Structure definition .32
10.2.2 Describing the scope of applications and cloud services that apply to
use statements .34
10.2.3 Assumptions about when data is collected and used .35
10.2.4 Defining promotion targets .35
10.2.5 Data types .35
10.2.6 Data qualifiers for data types .36
10.2.7 Examples of statements about data flow in the devices and cloud
services ecosystem . .37
10.2.8 Exceptional use statements .38
Annex A (informative) Diagrams of data categories and data identification qualifiers .41
Bibliography .42
iv © ISO/IEC 2017 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 19944:2017(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 38, Cloud computing and distributed platforms.
© ISO/IEC 2017 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 19944:2017(E)

Introduction
Objective and target audience
This document provides a description of the ecosystem of devices and cloud services and the related
flows of data between cloud services, cloud service customers, cloud service users and their devices.
These are necessary to provide guidance about how data is used on the devices in the context of the
cloud computing ecosystem and the associated location and identity issues that emerge from such use.
This document proposes a scheme for the structure of data use statements that can be used by cloud
service providers to help cloud service customers understand and protect the privacy and confidentiality
of their data and their users’ data through increased transparency of policies and practices.
This document can be used in several ways including, but not limited to, the following:
a) by cloud service providers and application developers to guide them in describing what they intend to
do with data in their designs, so as to simplify privacy and data use reviews and to communicate this
information to non-technical departments such as internal compliance, marketing and legal teams;
b) by organizations drawing up data use statements as part of drafting cloud service agreements
and application contracts, privacy statements, etc., which could apply to documents internal to an
organization, in addition to public or legal documents;
c) by government regulators and agencies to advise on suitable ways of describing data flow and use;
d) by those preparing information on data flow and data use for communication to the press and
the public.
This document is descriptive and not prescriptive. It cannot be used for compliance directly. Instead, it
provides a set of concepts and definitions, including a data taxonomy and data use statement structure,
that can be used for transparency about how data is used in an ecosystem of devices and cloud services.
Providing a clear description of data flows
This document aims to improve the understanding of the data flows that take place in an ecosystem
consisting of devices accessing cloud services. It does this through an extended cloud computing
reference architecture (CCRA) (based on the architecture described in ISO/IEC 17789) that describes
the impact of devices on cloud service ecosystems and the impact of cloud services on devices. It also
describes the data flows that take place within the extended reference architecture.
Providing transparency to all stakeholders
To maintain a relationship of trust between the stakeholders of the ecosystem of devices and cloud
services and also to meet the demands of laws and regulations, it is necessary for the device platform
providers and the cloud service providers to be transparent about how they make use of the various
data types that flow within the ecosystem.
There is a particular need to provide simple and clear statements to end users about what is done with
data that relates to them. The data may be personally identifiable information (PII) and may be sensitive,
in other words, this can be a privacy issue. Cloud service customers are likely to be concerned about how
their data is used, even when the customer is an organization rather than an individual. The cloud service
customer may be a data controller, holding personal data about their employees or their customers; in
such a role, the cloud service customer has obligations relating to the processing of that data.
To assist cloud service providers and device platform providers in being transparent about their use of
data, this document defines a simple language for making statements about data use, which can be used
to create clear notification to end users and other interested parties.
vi © ISO/IEC 2017 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19944:2017(E)
Information technology — Cloud computing — Cloud
services and devices: Data flow, data categories and data use
1 Scope
This document
— extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and
ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,
— describes the various types of data flowing within the devices and cloud computing ecosystem,
— describes the impact of connected devices on the data that flow within the cloud computing
ecosystem,
— describes flows of data between cloud services, cloud service customers and cloud service users,
— provides foundational concepts, including a data taxonomy, and
— identifies the categories of data that flow across the cloud service customer devices and cloud
services.
This document is applicable primarily to cloud service providers, cloud service customers and cloud
service users, but also to any person or organization involved in legal, policy, technical or other
implications of data flows between devices and cloud services.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
cloud service
one or more capabilities offered through cloud computing invoked using a defined interface
[SOURCE: ISO/IEC 17788:2014, 3.2.8]
3.2
cloud service customer
party which is in a business relationship for the purpose of using cloud services (3.1)
Note 1 to entry: A business relationship does not necessarily imply financial agreements.
[SOURCE: ISO/IEC 17788:2014, 3.2.11]
© ISO/IEC 2017 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 19944:2017(E)

3.3
cloud service partner
party which is engaged in support of, or auxiliary to, activities of either the cloud service provider (3.4)
or the cloud service customer (3.2), or both
[SOURCE: ISO/IEC 17788:2014, 3.2.14]
3.4
cloud service provider
party which makes cloud services (3.1) available
[SOURCE: ISO/IEC 17788:2014, 3.2.15]
3.5
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer (3.2) that uses
cloud services (3.1)
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 17788:2014, 3.2.17]
3.6
device
physical entity that communicates directly or indirectly with one or more cloud services (3.1)
3.7
account data
class of data specific to each CSC that is required to administer the cloud service (3.1)
Note 1 to entry: Account data is typically generated when a cloud service is purchased and is under the control of
the CSP.
Note 2 to entry: Account data consists of data elements provided by CSC, such as; name, address, telephone, etc.
3.8
cloud service customer data
class of data objects under the control of the cloud service customer (3.2) that were input to the cloud
service (3.1), or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud
service customer through the published interface of the cloud service
Note 1 to entry: An example of legal controls is copyright.
Note 2 to entry: It may be that the cloud service contains or operates on data that is not cloud service customer
data; this might be data made available by the cloud service providers, or obtained from another source, or it
might be publicly available data. However, any output data produced by the actions of the cloud service customer
using the capabilities of the cloud service on this data is likely to be cloud service customer data, following
the general principles of copyright, unless there are specific provisions in the cloud service agreement to the
contrary.
[SOURCE: ISO/IEC 17788:2014, 3.2.12]
3.9
cloud service derived data
class of data objects under cloud service provider (3.4) control that are derived as a result of interaction
with the cloud service (3.1) by the cloud service customer (3.2)
Note 1 to entry: Cloud service derived data includes log data containing records of who used the service, at what
times, which functions, types of data involved and so on. It can also include information about the numbers of
authorized users and their identities. It can also include any configuration or customization data, where the
cloud service has such configuration and customization capabilities.
[SOURCE: ISO/IEC 17788:2014, 3.2.13]
2 © ISO/IEC 2017 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 19944:2017(E)

3.10
cloud service provider data
class of data objects, specific to the operation of the cloud service (3.1), under the control of the cloud
service provider (3.4)
Note 1 to entry: Cloud service provider data includes but is not limited to resource configuration and utilization
information, cloud service specific virtual machine, storage and network resource allocations, overall data centre
configuration and utilization, physical and virtual resource failure rates, operational costs and so on.
[SOURCE: ISO/IEC 17788:2014, 3.2.16]
3.11
application marketplace
set of cloud services (3.1) providing a digital marketplace intended to offer applications and other digital
content for a particular device platform (3.13) allowing users to browse and download applications and
other content
Note 1 to entry: An application marketplace may be offered to the public, or to private groups such as a corporate
environment.
Note 2 to entry: A device (3.6) can use more than one application marketplace.
3.12
application cloud service
cloud service (3.1) that supports applications running on a given device (3.6), where the cloud service is
provided by a party other than the device platform provider (3.14)
3.13
device platform
operating system and related feature set that provide the core capabilities for a device (3.6)
Note 1 to entry: An application marketplace (3.11) is specific to a device platform.
3.14
device platform provider
device platform cloud service provider
cloud service provider (3.4) that provides cloud services (3.1) necessary to support a device platform
(3.13) including managing needed digital identities
Note 1 to entry: The cloud service provider that offers the application marketplace (3.11) is typically the same as
the device platform provider, but it is not required to be.
3.15
device platform cloud service
cloud service (3.1) offered by the device platform provider (3.14) to support the device platform (3.13)
Note 1 to entry: An application marketplace (3.11) can be an example of device platform cloud service.
3.16
personally identifiable information
PII
any information that a) can be used to identify the PII principal (3.18) to whom such information relates,
or b) is or might be directly or indirectly linked to a PII principal
[SOURCE: ISO/IEC 29100:2011, 2.9]
© ISO/IEC 2017 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 19944:2017(E)

3.17
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (PII) (3.16) other than natural persons who use data for personal
purposes
Note 1 to entry: A PII controller sometimes instructs others, e.g. PII processors (3.19) to process PII on its behalf
while the responsibility for the processing remains with the PII controller.
[SOURCE: ISO/IEC 29100:2011, 2.10]
3.18
PII principal
natural person to whom the personally identifiable information (PII) (3.16) relates
Note 1 to entry: Depending on the jurisdiction and the particular PII protection and privacy legislation, the
synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.19
PII processor
privacy stakeholder that processes personally identifiable information (PII) (3.16) on behalf of and in
accordance with the instructions of a PII controller (3.17)
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.20
end user identifiable information
EUII
derived data associated with a user that is captured or generated from the use of the service by that user
4 Abbreviated terms
BYOD Bring Your Own Device
CCRA Cloud Computing Reference Architecture
CSA Cloud Service Agreement
CSC Cloud Service Customer
CSN Cloud Service partner
CSP Cloud Service Provider
CSU Cloud Service User
EUII End User Identifiable Information
GPS Global Positioning System
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.