BS ISO IEC 29100:2011 pdf download – Information technology – Security techniques – Privacy framework

02-26-2022

4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII principal for that PII set.
4.2.2 PII controllers
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.
4.4 Recognizing PII
To determine whether or not a natural person should be considered identifiable, several factors need to be taken into account. In particular, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person. ICT systems should support mechanisms that will make the PII principal aware of such PII and provide the natural person with appropriate controls over the sharing of that information. The following sub-clauses provide additional clarification on how to determine whether or not a PII principal should be considered identifiable.
Any attribute which takes on a value which uniquely identifies a PII principal is to be considered as a distinguishing characteristic. Note that whether or not a given characteristic distinguishes a natural person from other natural persons might change depending on the context of use. For instance, while the last name of a natural person might be insufficient to identify that natural person on a global scale, it will often be sufficient to distinguish a natural person on a company scale.
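The scope-dependence described above (a last name that singles out a person at company scale but not at city scale, and a combination of attributes that does the job where no single attribute can) can be checked mechanically on a record set. The following is an added illustration, not text or code from ISO/IEC 29100; it uses a small constructed set of HR-style records (the names, ZIP codes and birth years are invented) and counts how many records share each value tuple of a chosen attribute set. A value tuple held by exactly one record is a distinguishing characteristic in that scope; the smallest group size is the familiar k-anonymity figure, and the smallest attribute combination under which every record is unique shows which "combination of available attributes" identifies people indirectly.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not taken from the standard). The company's
# staff also appear in the wider city population, so the same record can be
# distinguishing in one scope and not in the other.
COMPANY = [
    {"last_name": "Smith",   "zip": "10001", "birth_year": 1980},
    {"last_name": "Garcia",  "zip": "10001", "birth_year": 1975},
    {"last_name": "Chen",    "zip": "10002", "birth_year": 1990},
    {"last_name": "Okafor",  "zip": "10002", "birth_year": 1980},
    {"last_name": "Ivanova", "zip": "10003", "birth_year": 1990},
]

# Wider scope: the company's people plus other residents of the same city.
CITY = COMPANY + [
    {"last_name": "Smith",   "zip": "10004", "birth_year": 1962},
    {"last_name": "Smith",   "zip": "10001", "birth_year": 1993},
    {"last_name": "Garcia",  "zip": "10006", "birth_year": 1975},
    {"last_name": "Chen",    "zip": "10007", "birth_year": 1990},
    {"last_name": "Okafor",  "zip": "10008", "birth_year": 1985},
    {"last_name": "Ivanova", "zip": "10003", "birth_year": 1971},
]


def group_sizes(records, attrs):
    """Count how many records share each value tuple of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def is_distinguishing(records, attrs, values):
    """True if exactly one record in this scope carries `values` for `attrs`,
    i.e. the value tuple is a distinguishing characteristic here."""
    return group_sizes(records, attrs)[tuple(values)] == 1


def k_anonymity(records, attrs):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(group_sizes(records, attrs).values())


def singled_out(records, attrs):
    """Records that are the only ones with their value tuple for `attrs`."""
    sizes = group_sizes(records, attrs)
    return [r for r in records if sizes[tuple(r[a] for a in attrs)] == 1]


def all_unique(records, attrs):
    """True if the attribute combination singles out every record."""
    return max(group_sizes(records, attrs).values()) == 1


def minimal_identifying_sets(records, candidate_attrs):
    """Smallest attribute combinations under which every record is unique.
    Returns every combination of that smallest size, or [] if even all the
    candidate attributes together leave some records indistinguishable."""
    for size in range(1, len(candidate_attrs) + 1):
        found = [c for c in combinations(candidate_attrs, size)
                 if all_unique(records, c)]
        if found:
            return found
    return []


if __name__ == "__main__":
    quasi = ("last_name", "zip", "birth_year")
    for label, scope in (("company", COMPANY), ("city", CITY)):
        print(f"{label}: 'Smith' distinguishing? "
              f"{is_distinguishing(scope, ('last_name',), ('Smith',))}")
        print(f"{label}: k for last_name = {k_anonymity(scope, ('last_name',))}")
        print(f"{label}: minimal identifying sets = "
              f"{minimal_identifying_sets(scope, quasi)}")
```

Run against the constructed data, the last name alone identifies everyone inside the company, while in the city scope no last name singles anyone out (k = 2) and only the pair (zip, birth_year) does. The practical reading is that an identifiability assessment has to be made per scope, against the records the holder, or any other party, could reasonably combine, rather than per attribute in isolation; an attribute that looks harmless in the data set at hand may still be a distinguishing characteristic once joined with a second source.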
