identity

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

  • ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
  • ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
  • ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
  • ISO 31000:2018, Risk management – Guidelines
  • ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

  • these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
  • there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018
EN – FR
5thInformation technology — Security techniques — Information security management systems — Overview and vocabularyISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011
EN – FR
1stInformation technology — Security techniques — Privacy frameworkISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014
EN
1stInformation technology — Cloud computing — Overview and vocabularyISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014
EN
1stInformation technology — Cloud computing — Reference architectureISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021
EN
1stInformation technology — Cloud computing — Part 1: VocabularyISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019
EN
1stInformation technology — Cloud computing — Guidance for policy developmentISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016
EN
1stInformation technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and conceptsISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018
EN
1stCloud computing — Service level agreement (SLA) framework — Part 2: Metric modelISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general modelISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional componentsISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008
EN – FR
3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance componentsISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019
EN – FR
2ndIT Security and Privacy — A framework for identity management — Part 1: Terminology and conceptsISO/IEC JTC 1/SC 27

Why it’s not appropriate to ask for a copy of the identity card by default and systematically before you respond to a #GDPR data access request?

The EDPB guidelines on the data subject’s rights of access contain 60 pages of very useful instructions. This article is not elaborating all of it, but only highlights the topics relative to the use of ID card photocopies, as there has been a recent case at the Belgian Data Protection Authority strongly referring to the data access request guidelines by the European Data Protection board (EDPB).

Background

In a recent publication of a case (DOS-2020-05314), the Belgian Data protection Authority decided to classify the complaint itself without any consequences, but they explicitly confirmed that the use of a photocopy of the ID card is a very bad idea in general.

A very clear reminder that you shall not systematically request a copy of the identity card

In the motivation of the case it sets a very clear reminder that it’s considered illegal to systematically request for a copy of an identity card as a condition to respond to a GDPR data access request, in accordance with the EDPB (European Data Protection Board) guidelines on the right to access.

Why is a copy of an ID card a bad idea?

The copy of the ID card contains a lot of sensitive data like your national number, that can be abused to harm you, by stealing your identity.
Using your identity data, people can open bank accounts and credits, steal your many, empty your existing bank account, … so the impact is very personal, very real and very high when your identity is stolen.

EDPB guidelines Guidelines 01/2022 on data subject rights – Right of access

The highlights

The EDPB explains in the executive overview of their guidelines that “The right of access of data subjects is enshrined in Arti. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

“There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject.”

“The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.”

Do not excessively demand for personal data when validation of access request

In the guidelines, the EDPB says:

“65. /../ In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.”

Copy of ID card should generally not be considered an appropriate way of authentication

EDPB guideline:

74. Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of
their clients’ ID card, it should generally not be considered an appropriate way of authentication
.

Alternatively, the controller may implement a quick and effective security measure to identify a data subject who has been previously authenticated by the controller, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes.”

Information on the ID that is not necessary for confirming the identity should be hidden

EDPB guidine 75:
In any case, information on the ID that is not necessary for confirming the identity of the data subject,
such as the access and serial-number, nationality, size, eye colour, photo and machine-readable zone,
may be blackened or hidden
by the data subject before submitting it to the controller, except where
national legislation requires a full unredacted copy of the identity card (see para. 77 below).

Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online
account are sufficient for the controller to verify the identity, always provided that the authenticity of
the copy and the relation to the applicant are ensured. Additional information such as the birth date
of the data subject may only be required in case the risk of mistaken identity persists, if the controller
is able to compare it with the information it already processes.

Inform about data minimization and apply it.

EDPB guideline 76.

“To follow the principle of data minimisation

the controller should inform the data subject about the information that is not needed and

about the possibility to blacken or hide those parts of the ID document.

In such a case, if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.”

Making the information available in a commonly used electronic form

Following EDPB guideline, paragraph 32, the controller must provide the answer in a commonly used electronic form.

the event of a request by electronic form means, information shall be provided by electronic means
where possible and unless otherwise requested by the data subject
(see Art. 12(3)). Art. 15(3), third
sentence, complements this requirement in the context of access requests by stating, that the
controller is in addition obliged to provide the answer in a commonly used electronic form, unless
otherwise requested by the data subject
. Art. 15(3) presupposes, that for controllers who are able to
receive electronic requests it will be possible to provide the reply to the request in a commonly used
electronic form (e.g. in PDF). This provision refers to all the information that needs to be provided in
accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by
electronic means, all information must be provided in a commonly used electronic form.”

Some practical data protection life hacks

Protecting your identity card

  • keep your ID card in your pocket or wallet as much as possible.
  • do NOT hand over your identity card to any party, unless it’s a legal authority (police, … )
  • Quickly showing your ID card for validation is fine, but resist to the requests to get a copy of your card.
  • prepare to have a masked paper copy of your ID card,
    • make sure to hide all the irrelevant, sensitive information yourself
    • keep a paper copy in your wallet
  • Prepare a masked digital photo copy of your ID card, yourself.
  • mask all all the irrelevant, sensitive information on your identity card, do it yourself
    • eg, use tippex to wipe out info, but you can simply scratch tippex when an official authority needs to validate your sensitive information)
    • ‘accidental’ copies will still mask your data, and you can detect if an unauthorized party scratches your ID card

From a corporate perspective

  • Do not request copies of identity cards by default, there are many more practical means to verify identity in a secure way
  • Only authenticate ID cards, when there are no other options.
  • use electronic authentication without disclosure of sensitive data
  • use an alternative means of authentication, there are many ways to do this securely
  • do not keep a copy of any identity card, there are virtually NO reasons to keep a copy, quick validation is mostly enough
  • delete any copy of identity cards as soon as possible…

Reference information: