ISTPA Operational Analysis of International Privacy Requirements
The ISTPA Privacy Framework is an open, policy-configurable model consisting of 10 integrated privacy services, designed to facilitate an operational template for architecting and implementing privacy management solutions. Given the major changes in information privacy since the publication of the Framework in 2002, and because language and context differ across international privacy laws and directives, ISTPA initiated the Analysis of Privacy Principles: Making Privacy Operational as a structured review of a set of major privacy instruments to ensure that the ISTPA Framework Services can be used to support any set of common privacy “requirements.”
Using direct references extracted from each source law or directive, mapped against basic privacy principles, the Analysis compares and correlates the language in each instrument associated with these basic principles and identifies nine instances where a particular principle is composed of additional, definable components. For example, Notice, based on the requirements expressed in the referenced instruments, is more accurately understood as a set of five related but discrete requirements. As a consequence of this analysis and its findings, the study provides a set of composite, operational definitions for each principle. These operational definitions include the sub-components identified in the study. The Analysis also identified three additional privacy requirements expressed across these international privacy instruments: anonymity, data flow, and data sensitivity.
In summary, the Analysis is a practical first step in framing the huge variations in language and the differing placement of many principles/practices in international privacy law, regulations and directives. It enables ISTPA to test the ISTPA Privacy Framework’s completeness and to identify areas for possible revision based on the inherent complexity of data protection laws and directives as well as the evolution of privacy requirements and expectations since the Framework’s first publication in 2002. The Analysis will also be of use to external audiences: privacy officers, those persons responsible for creating privacy policies and controls in organizations, and standards bodies having an interest in privacy.
Keywords: Personal Information, Data Privacy, Privacy Requirement, Privacy Management, Core Privacy