Privacy Information Management Systems (PIMS)
The term Privacy Information Management System (PIMS) refers to a specific type of management system designed to govern the collection, use, protection, and disposal of Personally Identifiable Information (PII) within an organization. It is typically implemented in compliance with the ISO/IEC 27701 standard.
A PIMS is a comprehensive, documented framework built upon existing information security controls (like ISO 27001) that specifies the policies, procedures, and controls necessary to effectively manage privacy risks and comply with privacy regulations, such as the General Data Protection Regulation (GDPR).
The concept of PIMS is closely associated with international standards that integrate privacy requirements into existing quality and security infrastructures.
ISO Standard Certification for PIMS
The management system used for PIMS is defined by the ISO 27701 standard:
ISO 27701 Certification: Organizations can pursue ISO 27701 Certification for Privacy Information Management.
Purpose: This standard is designed to help organizations address and implement critical controls necessary to protect PII (Personally Identifiable Information).
Training Availability: Training courses are available specifically for the ISO 27701 standard to help employees address and implement these critical controls.
Integration with Information Security and Data Regulation
PIMS, driven by ISO 27701, is part of a broader set of standards focused on data protection and security, ensuring privacy is managed systematically:
Relationship to ISO 27000 Series: ISO 27701 is an extension of the ISO 27001 Certification for Information Security. Other related standards in this series cover:
- ISO 27017 Certification for Cloud Data Protection.
- ISO 27018 Certification for PII Cloud Security.
GDPR Alignment: PIMS documentation and training are designed to align organizations with global regulations such as the General Data Protection Regulation (GDPR). Training is offered to provide the knowledge and tools necessary for organizations to navigate GDPR regulations and align with ISO standards.
Privacy Documentation: Organizations, including those in critical infrastructure, IT, telecommunications, banking/finance, government, and medical device sectors, utilize documentation toolkits that cover GDPR (privacy) requirements.
Protection of Confidentiality and Privacy in Regulatory Contexts
The need to protect sensitive personal and commercial data is a foundational principle across various regulatory environments, reflecting the core concern of PIMS:
Medical Device Reporting (MDR): The FDA mandates the deletion of certain information before public disclosure of adverse event reports, specifically:
- Personal privacy invasion: Any personal, medical, and similar information (including serial numbers of implanted devices) that would constitute an invasion of personal privacy is deleted.
- Unwarranted invasion of privacy: Similar deletions are required under § 20.63 for information that would constitute a clearly unwarranted invasion of personal privacy.
Premarket Notification (510(k)): When information from a 510(k) submission is made public, all patient identifiers and trade secret or confidential commercial information are excluded from disclosure.
Investigational Device Exemptions (IDE): In specific cases, like investigations involving exceptions from informed consent, the FDA may make certain information publicly available upon request, but it generally will not disclose information identifying individual patients. When the FDA inspects and copies records related to postmarket surveillance, it generally will redact information pertaining to individual subjects prior to copying those records.
Device Tracking: Manufacturers of tracked devices must maintain records including the patient's name, address, telephone number, and social security number (if available), unless the patient refuses to release this information for tracking purposes. However, information contained in these records that would identify patients or research subjects shall not be available for public disclosure, except as provided under Part 20.
Analogy for Understanding
A Privacy Information Management System (PIMS) is like implementing a digital vault layered on top of a security fence. The security fence is your basic Information Security Management System (ISO 27001), protecting all data. The digital vault (PIMS/ISO 27701) specifically addresses the highly sensitive, personally identifiable documents inside the fence, establishing rules for who can touch them, when they must be destroyed, and how their identity must be shielded, ensuring compliance with global privacy laws like GDPR before the information is even stored or processed.