Module 1: Cloud Privacy Foundations

PII Processing Principles

ISO 27018 is built on fundamental principles for handling Personally Identifiable Information in cloud environments. These principles guide all control implementation.

The Seven Core Principles

1. Consent and Choice

Principle: PII should only be processed with clear consent and purpose.

Requirements:

  • Obtain explicit consent before processing
  • Clearly state the purpose of processing
  • Allow individuals to withdraw consent
  • No processing beyond stated purposes

Cloud Context:

  • Cloud customer obtains consent from end users
  • CSP must not use PII for own purposes without consent
  • Sub-processors must be covered by consent chain

2. Purpose Legitimacy and Specification

Principle: Processing must have a legitimate, specific purpose.

Requirements:

  • Document the purpose for each PII processing activity
  • Ensure purpose is lawful and legitimate
  • No "purpose creep"—stick to stated purposes
  • Re-evaluate purposes when systems change

Examples:

  • ✓ Processing payment data to complete transactions
  • ✓ Storing email addresses to send service notifications
  • ✗ Selling customer lists to third parties
  • ✗ Using healthcare data for marketing

3. Collection Limitation

Principle: Collect only the PII necessary for the stated purpose.

Requirements:

  • Minimize data collection
  • Justify each data field collected
  • No "nice to have" data collection
  • Regular reviews of collection practices

Practical Application:

  • Do you really need date of birth, or just age?
  • Do you need full address, or just city/state?
  • Is social security number necessary?

4. Data Minimization

Principle: Process the minimum amount of PII needed.

Requirements:

  • Use anonymization when possible
  • Use pseudonymization where anonymization isn't feasible
  • Aggregate data when individual records aren't needed
  • Delete data when no longer needed

Techniques:

  • Tokenization
  • Data masking
  • Aggregation
  • Hashing

5. Use, Retention, and Disclosure Limitation

Principle: PII should only be used, retained, and disclosed as specified.

Use Limitation:

  • Use only for stated purposes
  • No secondary uses without consent
  • Access controls enforce usage limits

Retention Limitation:

  • Define retention periods for each PII type
  • Automatic deletion after retention period
  • Legal hold exceptions documented

Disclosure Limitation:

  • Disclose only as agreed
  • Sub-processors approved in advance
  • Log all disclosures
  • Notify customer of government requests (where legally possible)
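The retention and disclosure requirements above, turned into a small enforcement routine as an added example (not the course's own code): a retention period per PII type, automatic selection of expired records for deletion, a legal-hold register that overrides deletion and is reported rather than silently applied, and a disclosure function that refuses recipients outside the approved sub-processor list and logs every disclosure it permits. The retention periods, record dates, sub-processor names and the fixed "today" are all constructed values.

```python
# Added example, not part of the course material: retention enforcement with
# legal-hold exceptions plus a disclosure log, over constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Retention period per PII type, in days (constructed policy values).
RETENTION_DAYS = {
    "payment_card": 90,
    "support_ticket": 365,
    "marketing_email": 730,
}

# Sub-processors approved in advance (constructed names).
APPROVED_SUBPROCESSORS = {"sp-analytics-eu", "sp-mailer"}

# Every permitted disclosure is appended here; in practice this is an
# append-only audit log, not an in-memory list.
DISCLOSURE_LOG: List[dict] = []


@dataclass
class Record:
    record_id: str
    pii_type: str
    collected_on: date
    subject_id: str


@dataclass
class LegalHold:
    hold_id: str
    subject_ids: Set[str]  # subjects whose records must be preserved
    reason: str


def expiry_date(record: Record) -> date:
    """Retention limitation: a record with no defined period is a policy gap,
    not something to keep indefinitely by default."""
    if record.pii_type not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {record.pii_type}")
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.pii_type])


def records_to_delete(records: List[Record], holds: List[LegalHold],
                      today: date) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (ids to delete now, (id, hold_id) pairs kept under legal hold).
    Held records are reported so the exception is documented, as required."""
    delete, on_hold = [], []
    for r in records:
        if expiry_date(r) > today:
            continue  # still within its retention period
        hold: Optional[LegalHold] = next(
            (h for h in holds if r.subject_id in h.subject_ids), None)
        if hold is None:
            delete.append(r.record_id)
        else:
            on_hold.append((r.record_id, hold.hold_id))
    return delete, on_hold


def is_approved(recipient: str) -> bool:
    return recipient in APPROVED_SUBPROCESSORS


def disclose(record_id: str, recipient: str, purpose: str, today: date) -> dict:
    """Disclosure limitation: only pre-approved recipients, and every
    disclosure is logged with its purpose."""
    if not is_approved(recipient):
        raise PermissionError(f"{recipient} is not an approved sub-processor")
    entry = {"date": today.isoformat(), "record_id": record_id,
             "recipient": recipient, "purpose": purpose}
    DISCLOSURE_LOG.append(entry)
    return entry


# Constructed sample data. TODAY is fixed so the outcome is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "payment_card", date(2024, 1, 15), "s-1"),   # expired 2024-04-14
    Record("R2", "payment_card", date(2024, 5, 20), "s-2"),   # expires 2024-08-18
    Record("R3", "support_ticket", date(2023, 3, 1), "s-3"),  # expired, but on hold
    Record("R4", "marketing_email", date(2022, 1, 1), "s-1"), # expired 2024-01-01
]
HOLDS = [LegalHold("hold-1", {"s-3"}, "litigation preservation notice")]


if __name__ == "__main__":
    to_delete, held = records_to_delete(SAMPLE_RECORDS, HOLDS, TODAY)
    print("delete:", to_delete)
    print("retained under legal hold:", held)
    print(disclose("R2", "sp-mailer", "service notification", TODAY))
```

The deletion run is driven by the policy table rather than by ad hoc queries, so adding a new PII type without a retention period fails loudly instead of accumulating data silently.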

6. Accuracy and Quality

Principle: PII must be accurate, complete, and current.

Requirements:

  • Mechanisms to update PII
  • Validation at collection
  • Regular accuracy reviews
  • Correction processes

Cloud Responsibilities:

  • Cloud Customer: Ensures data accuracy before upload
  • CSP: Maintains data integrity, provides tools for updates

7. Openness, Transparency, and Notice

Principle: Processing practices must be transparent.

Requirements:

  • Clear privacy notices
  • Accessible privacy policies
  • Data processing registers
  • Transparency reports

What to Disclose:

  • What PII is collected
  • How it's used
  • Where it's stored
  • Who has access
  • Retention periods
  • Individual rights

Additional Cloud-Specific Principles

Accountability

  • CSP is accountable for PII protection
  • Cannot disclaim responsibility through contract
  • Must demonstrate compliance

Security

  • Appropriate technical and organizational measures
  • Risk-based security controls
  • Regular security assessments
  • Breach notification

Principle Application Matrix

Principle      | Cloud Customer             | Cloud Provider
---------------+----------------------------+---------------------------------
Consent        | Obtain from individuals    | Honor consent scope
Purpose        | Define purposes            | Process only per purposes
Collection     | Determine what to collect  | Collect only as instructed
Minimization   | Design minimal data flows  | Implement technical minimization
Use/Retention  | Set policies               | Enforce policies
Accuracy       | Provide accurate data      | Maintain integrity
Transparency   | Notice to individuals      | Notice to customers

Privacy by Design

ISO 27018 embodies privacy by design principles:

  • Privacy as the default
  • Privacy embedded in design
  • Full functionality (positive-sum, not zero-sum)
  • End-to-end security
  • Visibility and transparency
  • Respect for user privacy

Next Lesson: Cloud customer agreements and contractual requirements.
