ISO 27701, Clause 8.5 – PII Sharing, Transfer, and Disclosure

ISO 27701 clause 8.5 outlines an organisation’s objectives whenever PII is set to be transferred to or disclosed to other countries, organisations and subcontractors.

ISO 27701 Clause 8.5.1 – PII Sharing, Transfer, and Disclosure

Purpose of Clause 8.5.1

Whenever PII is to be transferred between jurisdictions, organisations need to inform the customer of the underlying need to do so, in a timely manner.

Guidance on Clause 8.5.1

PII transfer regulations can vary from region to region, depending on where the data is being transferred to and from.

Transfer destinations can include:

  • Suppliers.
  • Third-parties.
  • Different countries.
  • International organisations.

Organisations should give the customer adequate notice of any transfers, so that objections may be raised and, in certain circumstances, termination requests can be made.

Organisations don’t always need to inform customers of changes to their data transfer arrangements, but contracts should clearly outline the circumstances in which they do need to offer advance warning.

When transferring PII to another country, organisations should consider official mechanisms, such as:

  1. Model Contract Clauses.
  2. Binding Corporate Rules.
  3. Cross-Border Privacy Rules.

ISO 27701 Clause 8.5.2 – Countries and International Organizations to Which PII Can Be Transferred

Purpose of Clause 8.5.2

Organisations should keep an accurate, up-to-date list of every country and organisation to which PII could be transferred.

Guidance on Clause 8.5.2

Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 clause 8.5.1).

In certain circumstances, organisations will not be able to divulge in advance where a transfer request originated, particularly in cases involving criminal proceedings. This is unavoidable, and the organisation’s priority should be to uphold the integrity of the law enforcement operation (see ISO 27701 clauses 7.5.1, 8.5.4 and 8.5.5).

Relevant ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5

ISO 27701 Clause 8.5.3 – Records of PII Disclosure to Third Parties

Purpose of Clause 8.5.3

Organisations should meticulously record every instance in which they disclose PII to a third party.

Guidance on Clause 8.5.3

Whenever PII is disclosed – either as part of standard business routines or in special circumstances, such as an ongoing legal or regulatory process – organisations should record what’s been disclosed, the recipient, and the underlying reason for doing so.

ISO 27701 Clause 8.5.4 – Notification of PII Disclosure Requests

Purpose of Clause 8.5.4

Whenever a legally-binding request is made for the organisation to disclose PII, where allowed, the organisation should inform the PII principal of the request.

Guidance on Clause 8.5.4

Organisations should draft a procedure that governs how PII principals are notified of legally binding third-party requests for their information, including a reasonable timeframe and a contractual stipulation that outlines the entire process.

Above all, organisations need to comply with the requests of law enforcement agencies, who have the right to require that the customer is not notified of a request. Organisations must ensure they do not break any laws by accidentally or wilfully informing the customer of the situation.

ISO 27701 Clause 8.5.5 – Legally Binding PII Disclosures

Purpose of Clause 8.5.5

Organisations should immediately object to any PII disclosure request that contravenes prevailing data security laws or is in any way not legally binding.

PII principals should be consulted before the organisation discloses any PII-related information, and organisations should adhere to contractual terms that outline what disclosures are allowed, from the customer’s perspective.

Guidance on Clause 8.5.5

Contracts need to be specific about what they regard as a lawful request, in addition to any requests authorised by the customer, including those that originate from:

  • Courts.
  • Employment tribunals.
  • Labour disputes.
  • Regulatory/administrative authorities.

ISO 27701 Clause 8.5.6 – Disclosure of Subcontractors Used to Process PII

Purpose of Clause 8.5.6

Before engaging any subcontractor that is required to process PII, the organisation should disclose the details of the relationship to the customer, and only then allow the subcontractor to carry out its duties.

Guidance on Clause 8.5.6

All provisions for the use of subcontractors should be listed as such within the SLA/customer contract.

Information on subcontractors should include:

  1. The subcontractor’s name.
  2. Any countries to which the subcontractor is able to transfer data (see ISO 27701 clause 8.5.2), so that the customer is able to inform any PII principals.
  3. How the subcontractor is expected to meet the needs of the organisation (see ISO 27701 clause 8.5.7).

NDAs should be drafted to cover any disclosed information that would represent a heightened security risk if publicly exposed.

Relevant ISO 27701 Clauses

  • ISO 27701 8.5.2
  • ISO 27701 8.5.7

ISO 27701 Clause 8.5.7 – Engagement of a Subcontractor to Process PII

Purpose of Clause 8.5.7

The only time it is acceptable to subcontract PII processing activities is in accordance with the stipulations contained within a contractual agreement.

Guidance on Clause 8.5.7

Organisations need to obtain written approval from their customers prior to any PII being processed by a third-party organisation.

Subcontractors should be subject to a binding agreement (usually in the form of a written contract) which ensures that they understand their obligations towards implementing the controls listed in ISO 27701 Annex B.

Contracts should take into account various risk assessment processes (see ISO 27701 clause 5.4.1.2), and the entire scope of the organisation’s PII processing operation (see ISO 27701 clause 6.12). As above, all controls listed in Annex B should be adhered to, with any omissions listed, alongside the justifications for doing so.

Relevant ISO 27701 Clauses

  • ISO 27701 5.4.1.2
  • ISO 27701 6.12

ISO 27701 Clause 8.5.8 – Change of Subcontractor to Process PII

Purpose of Clause 8.5.8

Whenever the need arises to change the way that the organisation outsources any element of its PII processing operation, customers should be informed of the changes well in advance in order to give them time to question or object to said changes.

Guidance on Clause 8.5.8

Contracts should include clauses that require written authorisation from the customer to go ahead with the change before any PII is processed by the new subcontractor.

Organisations may also seek approval for changes within ad-hoc written agreements, outside of any contractual terms.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 8.5 are applicable within UK GDPR legislation. The table below lists the corresponding references.

ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles
8.5.1 | Basis for PII Transfer Between Jurisdictions | Articles 44, 46, 48, 49
8.5.2 | Countries and International Organisations to Which PII Can Be Transferred | Article 30
8.5.3 | Records of PII Disclosure to Third Parties | Article 30
8.5.4 | Notification of PII Disclosure Requests | Article 28
8.5.5 | Legally Binding PII Disclosures | Article 48
8.5.6 | Disclosure of Subcontractors Used to Process PII | Article 28
8.5.7 | Engagement of a Subcontractor to Process PII | Article 28
8.5.8 | Change of Subcontractor to Process PII | Article 28

How ISMS.online Helps

At ISMS.online, we make documenting your privacy information management system easier for your organisation. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its privacy processes and progress against the ISO 27701 / PIMS standard.

Our cloud-based platform allows you to access all your PIMS resources in one place.

You can use our easy-to-use platform to document everything you need to show that you meet the requirements of ISO 27701. Our Assured Results Method (ARM) demystifies the requirements of ISO 27701 and gives you confidence as you progress towards the attainment of certification.

We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 certification.

Find out more by booking a demo.