The Standards Council of Canada (SCC) is seeking feedback from relevant stakeholders on the International Organization for Standardization’s (ISO) new work item proposal for the development of a new standard on Consumer protection: Privacy by design for consumer goods and services. All responses submitted to SCC will serve to generate a Canadian position on the proposal.
Purpose and justification for new field of activity
ISO's Committee on Consumer Policy (COPOLCO) is proposing that the British Standards Institution (BSI) lead a new ISO Project Committee on Consumer protection: Privacy by design for consumer goods and services. The main purpose of the new work item proposal is to provide a standard by which designers of products and providers of services can demonstrate how they protect consumers from fraud, ransom demands and other privacy-invading or privacy-breaking exploits that result from lost or stolen personal data and from hijacked consumer devices. Two examples of areas where technical design and technical solutions can lead to better consumer protection are described below.
The range of goods and services in the connected smart home is expanding rapidly, and much current security good practice recommends a unique, high-strength password for each device and service, leaving consumers to cope with many different complex passwords. That is impractical from the consumer's perspective, and there are technical good-practice solutions that could be adopted in its place.
Consumers can have difficulty keeping their security measures up to date for a number of reasons: updates may interfere with the ways of using equipment that consumers are familiar with, or the update process itself can be complicated. There are consumer needs and requirements that product design should meet in these areas, for example simplified user controls that require minimal human action to accept and install security software updates delivered online.
Scope of proposed technical activity
Specifying the design process will give consumers goods and services that meet their domestic data-processing privacy needs as well as the personal privacy requirements of data protection.
Because consumer privacy cannot be protected without security, the functional scope includes security. Preventing unauthorized access to data is fundamental to consumer privacy, as is giving consumers control over who may access their personal data and over the specific purposes for which its use is authorized.
The process is to be based on ISO 9001, Quality management systems – Requirements, and ISO 10377, Consumer product safety – Guidelines for suppliers, and is to incorporate ISO/IEC JTC 1 security and privacy good practices relevant to privacy by design, in a manner suitable for consumer goods and services.
Statement from proposer regarding new and existing work
Below is a listing of relevant existing documents at the international and national levels.
- ISO 9001, Quality management systems – Requirements
- ISO 10377, Consumer product safety – Guidelines for suppliers
- ISO/IEC JTC 1 security and privacy good practices, including:
  - ISO/IEC 29100, Information technology – Security techniques – Privacy framework
  - ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
  - ISO/IEC 29134, Information technology – Security techniques – Guidelines for privacy impact assessment
  - ISO/IEC 27005, Information technology – Security techniques – Information security risk management
- EN 16571, Information technology – RFID privacy impact assessment process
- Form 4: Consumer protection – Privacy by design for consumer goods and services (PDF)
- Outline description: Privacy by design (PDF)
- Privacy by design of consumer goods and services, first draft (PDF)
Stakeholders are invited to consider the following when formulating a response:
- Do you agree to the proposal?
- If yes, why, and do you wish to participate should a mirror committee be established?
- If no, why not?
Deadline for survey submission
SCC values your feedback on this proposal. Please fill out the stakeholder feedback form at https://scc.sondages-surveys.ca/s/privacy-by-design/ no later than November 23, 2017.
For more information, please contact Suzanna Ersoy, Program Manager, ISO, SCC.
SCC is a federal Crown corporation with the mandate to promote efficient and effective standardization in Canada, with the goal of enhancing Canada's economic competitiveness and social well-being. It also accredits standards development and conformity assessment organizations. For more information on SCC's programs, visit www.scc.ca.