ISO IEC 22624:2020 pdf download – Information technology – Cloud computing – Taxonomy based data handling for cloud services
In order to define application specific data handling policies and practices, these elements need to be applied to the application domain at hand. This includes data classifications with regards to security or risk levels that apply to data, as well as technical and organisational qualifications of data. Hence, the approach described in this document requires the considerations of data categories as described in ISO/IEC 19944 as well as orthogonal information dependent on the concrete application under consideration. Examples which are used to explain this approach therefore employ a tabular representation format emphasizing the orthogonal character of generic data categorization (rows) and application specific elements (columns). Therefore, for a person who is concerned with the development of, for example, enterprise policies for data use by a set of cloud services, all relevant cases which need to be considered are visible.
Implicitly, ISO/IEC 19944 focuses on personal data and PII, and does not explicitly cover non-personal data, or mixed sets of data that contain both PII and non-personal data. Non-personal data is defined as any data that is not personal and is not covered under PII, e.g. scientific data, sales data. Mixed data sets contain both PII and non-personal data such as human resource data that contains both organizational structures and personal employee data. It is important to recognize these different sets as different policies and regulations could apply to each. For example, the EU GDPR [9] regulates aspects of PII and the free-flow of non-personal data regulation [10] sets policies concerning the geo-location and movement of non-personal data. In line with ISO/IEC 19944, this document focuses on PII and does not delve deeper into aspects explicitly related to non-personal or mixed sets of data.
6.1 General
This document uses the taxonomy and data use expression structure specified in ISO/IEC 19944. Any policy or practice that conforms to this document and uses the taxonomy or data use expression shall meet the requirements of ISO/IEC 19944 as appropriate. To handle key data management topics, Clause 6 describes a harmonized structure to express a desired policy for data management based on various data types, using data taxonomy in ISO/IEC 19944. The data management policies based on a common structure specified by this document can be expressed, compared and negotiated. It is important to point out that this document does not define one or more data policies, rather it offers a common structure and framework for others to use in order to express their policy of choice. Moreover, this document does not stipulate any specific format or syntax to be used to express policies and practices related to a categorization of data. Although tables are frequently employed throughout this document to illustrate the usage of the framework, the use of tabular formats is not normative or mandatory but serves for the presentation of examples only.