Your company is engineering an information system to support the new business of selling toys online in the United States. The marketing department proposed that the system shall retrieve the customer profile from social media when the customer is signing up to ease and accelerate the registration process. They decide to accept domestic orders only and reject orders from EU citizens to avoid legal and regulatory risk. As a security professional, you are aware that the privacy issue should be addressed. Which of the following will most concern you?
A. Principal’s Consent
B. Use, retention and disclosure limitation
C. Legal and regulatory requirements
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Legal and regulatory requirements.
ISO/IEC 29100:2011
ISO/IEC 29100:2011 provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.
For several decades the OECD has been playing an important role in promoting respect for privacy as a fundamental value and a condition for the free flow of personal data across borders. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data constitute the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles.
Source: OECD Privacy Guidelines
- Options A, B, and D are ISO/IEC 29100 privacy principles, which are guidance rather than mandatory or binding requirements.
- Legal and regulatory requirements, however, are binding on organizations, so they are the most pressing concern.