3.1.22 personal information management system (PIMS)
part of the overall management framework that plans, establishes, implements and maintains the management of personal information
NOTE It is recognized that an organizational PIMS addresses the management of personal information that might be held across a wide range of operational units and information technology based applications systems.

3.1.23 policy
intentions and direction of an organization (3.1.17), as formally expressed by its top management (3.1.33)

3.1.24 procedure
documented set of actions which is the prescribed or accepted way of doing something

3.1.25 process
set of interrelated or interacting activities which transforms inputs into outputs

3.1.26 processing
operation or set of operations which is performed upon personal information or sets of personal information
NOTE This is irrespective of whether or not by automated means.
EXAMPLE Processing can include collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (from the GDPR [1], Article 4(2)).

3.1.27 profiling
form of automated processing of personal information consisting of the use of personal information to evaluate certain personal aspects relating to a natural person (3.1.14)
NOTE Profiling is often used to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

3.1.28 requirement
need or expectation that is stated, generally implied or obligatory
NOTE 1 “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 2 A specified requirement is one that is stated, for example in documented information.

3.1.29 risk
effect of uncertainty
NOTE 1 An effect is a deviation from the expected - positive or negative.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3 Risk is often characterized by reference to potential “events” (as defined in PD ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in PD ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.1.30 special categories of personal information
personal information (3.1.20) relating to the natural person’s (3.1.14):
a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs;
d) trade-union membership;
e) the processing of genetic information;
f) biometric information for the purpose of uniquely identifying a natural person;
g) information concerning health or information concerning a natural person's sex life or sexual orientation.
NOTE See Article 9 of the GDPR [1] for special conditions under which special category information can be processed.