ISO 29151 - Code of practice for personally identifiable information protection

    An international standard, developed by the International Organization for Standardization (ISO), that establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

    Last Updated: June 7, 2019


  • General

    The international standard 29151 further specifies the guidelines based on ISO/IEC 27002, focusing on controls related to the protection of personally identifiable information (PII).

    This standard is applicable to PII controllers and creates a code of practice to meet requirements identified by risk and impact assessments related to PII, complementing the framework created by ISO/IEC 29100 (Privacy Framework) and ISO/IEC 29134 (Privacy Impact Assessment).

    The specification mirrors ISO/IEC 27002, adding new controls tailored to the protection of PII or otherwise specifying when the ISO/IEC 27002 controls are sufficient, while also providing implementation guidelines.

    Following the framework of ISO/IEC 29100, the controls are divided into 12 categories:

    • consent and choice;
    • purpose, legitimacy and specification;
    • collection limitation;
    • data minimization;
    • use, retention and disclosure limitation;
    • accuracy and quality;
    • openness, transparency and notice;
    • individual participation and access;
    • accountability;
    • information security; and
    • privacy compliance.
