ISO/IEC INTERNATIONAL STANDARD 29187-1 First edition 2013-02-15 Information technology Identification of privacy protection requirements pertaining to learning, education and training (LET) — Part 1: Framework and reference model Technologies de I'information - ldentification des exigences de protection privee concernant I'apprentissage, I'éducation et la formation (AEF)- Partie 1: Cadre général et modele de réference Reference number ISO/IEC 29187-1:2013(E) IEC @ISO/IEC2013 ISO/IEC 29187-1:2013(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC2013 electronic or mechanical, including photocopying and microfilm, without permission in writing from either IsO at the address below or IsO's member body in the country of the requester. ISO copyright office Case postale 56 . CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland ii @ ISO/IEC 2013 - All rights reserved ISO/IEC 29187-1:2013(E) Contents Page Foreword vii 0 Introduction.... 0.1 Purpose and overview ... ix 0.2 Benefits of using a multipart ISO/lEC 29187 standard approach ix 0.3 Informed consent and learning transaction .... X 0.4 Use of "jurisdictional domain", jurisdiction, country .. xi 0.5 Use of "Person", “"individual", “"organization", “"public administration" and“person" in the context of a learning transaction ............ 0.6 Importance of definitions and terms xili 0.7 Standard based on rules and guidelines .. . xiv 0.8 Sizeofdocumentandroleof"Part1FrameworkandReferenceModel" xiv 0.9 Use of "identifier' (in a learning transaction) ... 0.10 transaction ... XV 0.11 Organization and description of document ... XV 1 Scope .. 1.1 Statement of scope - ISO/IEC 29187 multipart standard 1.2 Statement of scope - part 1: Framework and Reference Model 1.3 Exclusions.... 1.3.1 1.3.2 Overlap of and/or conflict among jurisdictional domains as sources of privacy protection requirements 1.3.3 Publicly available personal information.. 1.4 Aspects currently not addressed ..... 1.5 IT-systems environment neutrality... 6 2 Normative references... 2.1 ISO/IEC, ISO and ITU 2.2 Referenced specifications 3 Terms and definitions 4 Symbols and acronyms .. .39 5 Fundamental principles and assumptions governing privacy protection requirements in learning transactions involving individual learners (external constraints perspective) 5.1 Introduction and sources of requirements .. .41 5.2 Exceptions to the application of the privacy protection principles .. 5.3 Fundamental Privacy Protection Principles 44 5.3.1 Privacy Protection Principle 1: Preventing Harm 44 5.3.2 Privacy Protection Principle 2: Accountability . 44 5.3.3 Privacy Protection Principle 3: identifying Purposes.. 48 5.3.4 Privacy Protection Principle 4: Informed Consent ..... 48 5.3.5 Privacy Protection Principle 5: Limiting Collection ... 50 5.3.6 Privacy Protection Principle 6: Limiting Use, Disclosure and Retention .. 51 5.3.7 Privacy Principle 7.: Accuracy ......... 55 5.3.8 Privacy Protection Principle 8: Safeguards.... 56 5.3.9 Privacy Protection Principle 9: Openness ... 57 5.3.10 Principle 10: Individual Access.... 57 5.3.11 Privacy Protection Principle .1.: Challenging Compliance ........ 59 5.4 Requirement for tagging (or labelling) data elements in support of privacy protection requirements .... .60 6 Collaboration space and privacy protection .............. @ ISO/IEC 2013 - All rights reserved ili ISO/IEC 29187-1:2013(E) 6.1 Introduction ..... 6.2 Privacy collaboration space: Role of individual learner, LET provider and regulator ..63 6.3 Learning collaboration space (of a learning transaction) .65 7 Public policy requirements of jurisdictional domains .... 7.1 7.2 Jurisdictionaldomainsandpublicpolicyrequirements. .67 7.2.1 Privacy protection... ..68 7.2.2 Consumer protection .69 7.2.3 Individual accessibility.... 7.2.4 Human rights... ..71 7.2.5 Privacy as a right of an “"individual" and not right of an organization or public .72 7.2.6 Need to differen