Information security technology — Guidance for personal information security impact assessment
1 Scope
This standard gives the basic principle and implementation process of personal information security impact assessment.
This standard is applicable to the self-assessment of personal information security impact by various organizations and may also be used by competent regulatory authorities, third-party testing and assessment agencies, etc. as a reference for the supervision, inspection and assessment of personal information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20984 Information security technology — Risk assessment specification for information security
GB/T 25069-2010 Information security technology — Glossary
GB/T 35273-2020 Information security technology — Personal information security specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010, GB/T 35273-2020 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
[GB/T 35273-2020, 3.1]
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, may endanger personal and property safety and easily result in damage to personal reputation and physical and mental health, or result in discriminatory treatment
[GB/T 35273-2020, 3.2]
3.3
personal information subject
natural person identified by or connected to personal information
[GB/T 35273-2020, 3.3]
3.4
personal information security impact assessment
process of inspecting the extent to which personal information processing activities are lawful and compliant, of determining the various risks of such activities that cause damage to the legitimate rights and interests of the personal information subject, and of assessing the effectiveness of the various measures used to protect the personal information subject
4 Assessment principle
4.1 General
The purpose of personal information security impact assessment is to discover, dispose of and continuously monitor the risks that adversely affect the legitimate rights and interests of the personal information subject during the personal information processing.
4.2 Assessment value
The implementation of personal information security impact assessment can effectively strengthen the protection of the rights and interests of the personal information subject, help an organization to show its efforts to protect personal information security, enhance transparency and enhance the trust of the personal information subject. The assessment value includes the following aspects:
a) Before personal information processing, the organization may identify the risks that may damage the rights and interests of the personal information subject through impact assessment, and adopt appropriate personal information security control measures accordingly.
b) During personal information processing, the organization may continuously revise the personal information security control measures already taken by considering the changes of internal and external factors through impact assessment, so as to ensure that the risk of adverse impact on the legitimate rights and interests of individuals is generally controllable.
c) Personal information security impact assessment and its record documents may help the organization to prove its compliance with the laws, regulations and standards on personal information protection and data security in the investigation, law enforcement and compliance audit of the government, relevant institutions or business partners.
d) In case of a personal information security incident, the personal information security impact assessment and its record documents may be used to prove that the organization has actively assessed risks and taken certain security protection measures, which helps to reduce or even avoid the related liabilities and reputation losses of the organization.
e) The organization may strengthen the personal information security education for employees through personal information security impact assessment. During the assessment, employees may become familiar with various personal information security risks and improve their capacity of risk disposal.
f) For partners, the organization shows that it takes personal information security protection seriously by practical assessment, and guides them to take appropriate security control measures to achieve the same or similar level of security protection.
4.3 Purposes of assessment report
The contents of the personal information security impact assessment report mainly include: the business scenarios covered by the assessment, the specific personal information processing activities involved in the business scenarios, the responsible departments and personnel involved, the identified risks, the list of adopted and proposed security control measures, and the remaining risks, etc.
Therefore, the purposes of the personal information security impact assessment report include but are not limited to:
a) For the personal information subject, the assessment report may ensure that the subject knows how his or her personal information is handled and protected, and enable him or her to judge whether there is any residual risk that has not been disposed of.
b) For the organization conducting impact assessment, the purposes of the assessment report may include:
1) In the planning stage of products, services or projects, the assessment report is used to ensure that the protection requirements of personal information are fully considered and realized in the design of products or services (e.g., the realizability, feasibility and traceability of the security mechanism);
2) During the operation of products, services or projects, it is used to judge whether the internal and external factors of the operation (e.g., the change of the operation team, the Internet security environment, the third-party security control ability of information sharing), laws and regulations have undergone substantial changes, and whether the impact assessment results need to be reviewed and revised;
3) It is used to establish a responsibility system to supervise whether security protection measures have been taken for personal information processing activities that carry security risks, so as to mitigate or eliminate the identified risks;
4) It is used to enhance the personal information security awareness of internal employees.
c) For the competent regulatory authorities, requiring an organization to provide the personal information security impact assessment report may urge the organization to carry out the assessment and take effective security control measures. When dealing with personal information security-related complaints and investigating personal information security incidents, the competent regulatory authorities may know about the relevant situation through the impact assessment report, or use the report as relevant evidence.
d) For the partners of the organization carrying out the impact assessment, the assessment report is used to understand their roles and functions in the business scenarios as a whole, as well as their specific personal information protection work and responsibilities.
4.4 Responsible subject of assessment
The organization designates the department or personnel responsible for the establishment, implementation and improvement of the work process of personal information security impact assessment and for the quality of the work results of personal information security impact assessment. The responsible department or personnel is independent and not affected by the assessed party. Usually, the department leading the implementation of personal information security impact assessment in an organization is the legal service department, compliance department or information security department.
The responsible department in the organization may choose to carry out the personal information security impact assessment by itself or hire an external independent third party to undertake the specific personal information security impact assessment according to the specific capacity of the department.
For a specific product, service or project, the person in charge of the corresponding product, service or project shall ensure the development and smooth progress of the personal information security impact assessment activities, and give corresponding support.
When the organization conducts its own personal information security impact assessment, the competent regulatory authorities and customers may require independent audits to verify the rationality and completeness of the impact assessment activities. At the same time, the organization allows the competent regulatory authorities to obtain evidence of the impact assessment process and related information systems or procedures.
4.5 Basic assessment principle
The basic principle of personal information security impact assessment is shown in Figure 1.
Figure 1 Schematic diagram for assessment principle
Before assessment, it is necessary to conduct a comprehensive investigation of the object to be assessed (which may be a certain product, a certain business, a specific cooperation, etc.), form clear data lists and data flow charts, and sort out the specific personal information processing activities to be assessed. When carrying out the assessment, analyze the possible impact of the personal information processing activities on the rights and interests of personal information subjects and its degree, and separately analyze the effectiveness of the security measures and the likelihood of security incidents; then combine the two results to obtain the security risks and risk level of the personal information processing activities, and put forward corresponding improvement suggestions to form an assessment report.
4.6 Factors to be considered in assessment implementation
4.6.1 Assessment scale
The scale of a personal information security impact assessment often depends on the scope and number of impacted personal information subjects and the degree of impact. Usually, when an organization carries out this kind of assessment, the type, sensitivity and amount of personal information, the scope and number of personal information subjects involved, and the scope of people who can access the personal information are all important factors in the assessment scale.
4.6.2 Assessment methods
The basic assessment methods used in the assessment implementation process include but are not limited to the following three:
a) Interview: the process in which an assessor talks with relevant personnel to know about, analyze and obtain evidence about the processing of personal information, and the design and implementation of protection measures in the information system. Interviewees include product managers, R&D engineers, persons in charge of personal information protection, persons in charge of legal affairs, system architects, security administrators, operation and maintenance personnel, human resources personnel and system users.
b) Inspection: the process in which an assessor observes, inspects and analyzes the management system, security policies and mechanisms, contracts and agreements, security configuration and design documents, operation records, etc. in order to know about, analyze or obtain evidence. The inspection objects are specifications, mechanisms and activities, such as personal information protection policy planning and procedures, system design documents and interface specifications, emergency planning drill results, incident response activities, technical manuals and user/administrator guides, and the operation of information technology mechanisms in information system hardware/software, etc.
c) Testing: the process in which an assessor conducts technical testing through manual or automated security testing tools, obtains relevant information, and conducts analysis to obtain evidence. The testing objects are security control mechanisms, such as access control, identity recognition and verification, the security audit mechanism, transmission link and storage encryption mechanisms, continuous monitoring of important events, and testing of incident response capability and emergency planning drill capability, etc.
4.6.3 Assessment forms
According to the implementing subject, personal information security impact assessment is classified into self-assessment and inspection assessment.
Self-assessment refers to the organization's self-initiated assessment of its personal information processing behavior. Self-assessment may be carried out by the post or role designated by the organization to be responsible for assessment and audit, or an external professional organization may be entrusted to carry out assessment.
Inspection assessment refers to the personal information security impact assessment initiated by the organization's superior organization, which directly leads the organization or is responsible for supervising and managing the organization. An external professional organization may also be entrusted to carry out inspection assessment.
After determining the scale of assessment and selecting assessment methods and forms, the specific process of assessment implementation may refer to Clause 5.
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.1.1 General
Personal information security impact assessment may be used for compliance gap analysis, as well as for further improving the organization's own security risk management ability and security level. Therefore, the necessity of personal information security impact assessment depends on the organization's personal information security goal, and the organization may select the business scenarios for which assessment is to be initiated according to its actual needs.
5.1.2 Compliance gap assessment
5.1.2.1 General
When the personal information security goal defined by the organization is to meet the baseline requirements of relevant laws, regulations or standards, the main purpose of personal information security impact assessment is to identify the gap between the security control measures taken for the specific personal information processing activities to be assessed and the specific requirements of relevant laws, regulations or standards, such as whether the express consent of the personal information subject has been obtained when sharing personal information with a third party in a business scenario.
5.1.2.2 Overall compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between all personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) annual overall assessment of products or services;
b) design stage assessment of new products or services (whose technology platform is not limited);
c) initial release assessment of new products or services (whose technology platform is not limited);
d) re-assessment when there are major changes in laws, regulations, policies and standards, etc.;
e) re-assessment when there are major changes in business model, Internet security environment and external environment, etc.;
f) re-assessment after a major personal information security incident;
g) assessment in case of acquisition, merger, reorganization, etc.
5.1.2.3 Partial compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between partial personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) assessment when new types of personal information need to be collected for new functions;
b) assessment when there are partial changes in laws, regulations, policies and standards, etc.;
c) assessment when there are changes in the business model, information system and operating environment.
5.1.2.4 Analysis of assessment compliance requirements
Some laws, regulations and standards related to the personal information protection put forward the assessment compliance requirements. Such requirements do not put forward clear and specific security control measures for specific personal information processing activities, but require organizations to carry out risk assessment for specific personal information processing activities, and take security control measures commensurate with the degree of risk, so as to reduce the risk of adverse impact on the legitimate rights and interests of personal information subjects to an acceptable level, in order to meet the requirements.
Assessment compliance requirements are often aimed at personal information processing activities that have a significant impact on personal rights and interests, such as processing sensitive personal information, processing personal information with automated decision-making methods, entrusting personal information processing, transferring or sharing personal information to third parties, publicly disclosing personal information, and transferring personal information abroad.
In view of such requirements, the organization may use the personal information security impact assessment method provided in this guidance to ensure that the security risks of personal information processing activities are controllable to meet the requirements of corresponding laws, regulations and standards.
Note: Please refer to Annex A for analysis examples of assessment compliance requirements and specific assessment points.
5.1.3 Due diligence risk assessment
For the purposes of prudent operation, reputation maintenance, branding, etc., organizations often select personal information processing activities that may have high risks in the legitimate rights and interests of individuals, and carry out due diligence risk assessment for them. The goal of this risk assessment is to minimize the adverse impact on the legitimate rights and interests of the personal information subjects on the basis of meeting the baseline requirements of relevant laws, regulations and standards.
Note: Please refer to Annex B for examples of high-risk personal information processing activities.
The organization may use the personal information security impact assessment methods provided in this standard to assess high-risk personal information processing activities, and further reduce the security risks of personal information processing activities.
5.2 Assessment preparation
5.2.1 Establishment of assessment team
The organization confirms and appoints personnel (assessor) responsible for personal information security impact assessment. In addition, the organization shall designate personnel to sign the assessment report.
The assessor clearly specifies the recipient to whom the personal information security impact assessment report is submitted, the time period for the assessment, and whether the assessment report or its abstract is to be published.
If necessary, the assessor needs to request team support, such as a team composed of representatives from technical department, relevant business department and legal service department. The internal personal information security impact assessment needs long-term support from the organization management.
The management shall allocate necessary resources for the personal information security impact assessment team.
5.2.2 Development of assessment plan
The plan shall clearly define the work needed to complete the personal information security impact assessment report, the division of assessment tasks and the assessment schedule. In the plan, considerations shall also be given to the suspension or cancellation of the scenario to be assessed. The following aspects shall be considered during the specific operation:
a) personnel, skills, experience and capacity;
b) the time required to perform various tasks;
c) resources required for each procedure of assessment, such as automated assessment tools.
Note: It is recommended to update and iterate the original plan when the scenario involved is complex and consumes a lot of resources. For routine assessment activities or less complex scenarios to be assessed, the original plan may be used or the procedure may be simplified.
If consultation with relevant parties is involved, the plan shall explain under what circumstances the relevant parties need to be consulted, who will be consulted and the specific consultation methods (e.g., through public opinion surveys, seminars, focus groups, public hearings, online experiences).
5.2.3 Determination of the assessment object and scope
Describe the assessment object and scope from the following three aspects:
a) description of basic system information, including but not limited to:
1) purpose and type of personal information processing;
2) description of information systems supporting current or future business processes;
3) departments or related personnel performing information system management duties, and their duties or performance levels;
4) description of personal information processing methods, processing scope, and the roles authorized to access personal information;
5) if it is expected to entrust a third party to handle the personal information, or to share or transfer it with a third party, explanation of the identity of the third party and the access of the third party to the information system.
b) description of system design information, including but not limited to:
1) overview of functional (or logical) structure;
2) overview of physical structure;
3) list and structure of information system databases, tables and fields containing personal information;
4) chart of data flow divided by components and interfaces;
5) chart of data flow of personal information life cycle, such as collection, storage, use and sharing of personal information;
6) description of the time node for informing the personal information subject, and the time node for obtaining the consent of the personal information subject, and the work flow chart;
7) list of interfaces available to transmit personal information externally;
8) security measures during personal information processing.
c) description of the processing flow and plan information, including but not limited to:
1) the concept of identity and user management of information system;
2) operation concept, including the way that information systems or some of their structures adopt field operation, external hosting, or cloud outsourcing;
3) support concept, including listing the scope of third parties who have authority to access personal information, their personal information access authority and access location;
4) record concept, including the retention plan for log information;
5) backup and recovery plan;
6) protection and management of metadata;
7) data saving and deletion plan and storage medium disposal.
5.2.4 Development of the relevant party consultation plan
Relevant parties include but are not limited to:
——employees, such as personnel related to human resources, law, information security, finance, business operation functions, communication and internal audit (especially in the regulatory environment);
——personal information subjects and consumer representatives;
——subcontractors and business partners;
——system development personnel and operation and maintenance personnel;
——other personnel in the organization who have corresponding concerns about the assessment.
In order to make assessment process transparent and achieve the goal of security risk reduction, the assessor shall confirm in detail the internal or external relevant parties involved in the assessment process. Relevant parties have a direct interest relationship with the personal information processing activities to be assessed, and relevant parties may be any organizations or individuals who have or may obtain access permission for personal information.
The assessor needs to confirm the classification of relevant parties, and then specifically confirm the specific organizations or individuals in various relevant parties. If the relevant party is an individual, the individual should be as representative as possible.
The scope and scale of personal information, as well as business importance, cost and benefit, etc., are very important for determining the appropriate relevant parties. If large-scale personal information processing activities are to be assessed, there may be more relevant parties. In this case, social organizations (such as consumer rights and interests protection organizations) may be recognized as relevant parties. On the contrary, some small assessments may not need to confirm a broad list of relevant parties.
When making the consultation plan, it is necessary to clarify the impacts and consequences (if known) suffered by different relevant parties, as well as the security control measures taken to reduce the adverse effects and other related issues. The consultation scope and schedule are also included in the plan.
The objectives of the consultation plan include but are not limited to:
a) determination of the number and scope of relevant parties;
b) specific ways for relevant parties to participate in identification and assessment of the impact on personal rights and interests and the security risks;
Note: Although issues raised in feedback from relevant parties may be related to subjective risk awareness, rather than objective actual risks, these opinions are not negligible. Organizations may deal with these opinions in a wider range of management issues of relevant parties to provide assistance for communication activities.
c) consulting the relevant parties on the assessment report to confirm whether the report fully reflects their concerns about relevant issues.
During personal information security impact assessment, the organization may urge appropriate relevant parties (mainly including subcontractors and business partners) to carry out personal information security impact assessment. Appropriate relevant parties have the obligation to carry out personal information security impact assessment, or cooperate with the organization to carry out personal information security impact assessment, and the organization may quote the personal information security impact assessment report of relevant parties as the consultation result.
5.3 Data flow analysis
After conducting a comprehensive investigation on the personal information processing process, the organization forms a clear data list and data flow chart.
The data flow analysis stage needs to be combined with the specific scenarios of personal information processing. The investigation contents include the personal information types, processing purposes and specific implementation methods involved in personal information collection, storage, usage, transfer, sharing and deletion, as well as the resources (such as internal information systems) and relevant parties (such as third parties like personal information processors, platform operators, external service providers, cloud service providers, etc.) involved in personal information processing. During the investigation, consider offline systems, system data consolidation, enterprise acquisitions, mergers and acquisitions, and global expansion, where possible.
When sorting out the results of data flow analysis, the personal information processing activities are classified according to the types, sensitivity, collection scenarios, processing methods and relevant parties of personal information, as well as describing the specific situations of each type of personal information processing activities, for later impact analysis and risk assessment by classification.
Note: For data flow analysis, refer to Table C.1 and Table C.2 in Annex C.
5.4 Risk source identification
The purpose of risk source identification is to analyze the threats faced in personal information processing activities, and whether the activities lack adequate security measures, leading to vulnerabilities and security incidents. Many factors determine the occurrence of personal information security incidents. Threat sources include internal threats and external threats, as well as data theft by malicious personnel and data leakage caused unconsciously by non-malicious personnel. Vulnerabilities include data damage caused by the physical environment, data leakage, tampering and loss caused by technical factors, and abuse caused by improper management.
The threat identification and vulnerability identification methods described in GB/T 20984 may be used in the analysis process of personal information security incidents. In order to further simplify the analysis process of the possibility of personal information security incidents, the factors related to the possibility of personal information security incidents are summarized into the following four aspects:
a) network environment and technical measures. Factors in assessment shall include but are not limited to the following aspects:
1) Whether the network environment of the information system processing personal information is the internal network or the Internet, different network environments face different threat sources, and the information system connected with the Internet faces higher risks;
2) The interaction mode between the information system processing personal information and other systems, such as whether network interfaces are used for data interaction, whether third-party code and plug-ins that may collect personal information are embedded, etc. Generally, the more data interaction there is, the more comprehensive the security measures that must be taken to prevent risks such as information leakage and theft;
3) Whether strict measures such as identity authentication and access control are implemented during personal information processing;
4) Whether boundary protection equipment is deployed, strict boundary protection strategy is configured, and technical measures for data leakage prevention are implemented at the network boundary;
5) Whether the running status of the network is monitored and recorded, and whether the status of personal information is marked and analyzed, both internally and when interacting with a third party, so as to find abnormal traffic and illegal use in time;
6) Whether technical measures are taken to prevent network intrusion such as virus and Trojan backdoor attacks, port scanning, and denial of service attacks;
7) Whether to use encrypted transmission, encrypted storage and other measures to provide extra protection to personal sensitive information;
8) Whether to audit the personal information processing activities at stages of personal information collection, storage, transmission, usage and sharing, and warn for abnormal operation;
9) Whether a complete network security incident warning, emergency response and reporting mechanism has been established;
10) Whether the information systems are subjected to regular security inspection, assessment and penetration testing, as well as timely patch updates and security hardening;
11) Whether to strengthen the security management of data storage media, and whether to have the ability to back up and restore data;
12) Other necessary technical support measures for network security.
Note 1: If an organization establishes a mature security protection system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
b) Personal information processing procedure. Factors in assessment shall include but not be limited to the following aspects:
1) Whether the judgment of what constitutes personal sensitive information is accurate;
2) Whether the purpose of personal information collection is legitimate and legal;
3) Whether data obtained from third parties is formally authorized for processing;
4) Whether the method and content of notification are user-friendly and accessible, and whether all processing activities have been consented to by users;
5) Whether the minimum set of personal information elements is defined, and whether personal information is collected beyond that scope;
6) Whether changing the purpose of using personal information has an impact on the personal information subject;
7) Whether convenient and effective mechanisms for individual participation are provided, including inquiry, correction, deletion, withdrawal of consent, account cancellation, etc.;
8) Whether the third party receiving personal information will change the purpose for which the personal information is used;
9) Whether the retention period of personal information is minimized, and whether mechanisms such as deletion upon expiry are reasonable;
10) Whether the user profiling mechanism is restricted to avoid precisely targeting specific individuals;
11) Whether users are provided with a mechanism to control, opt out of or turn off personalized display;
12) Whether the anonymization mechanism is effective, and whether de-identified personal information can be correlated and analyzed, etc., resulting in re-identification of the personal information subject;
13) Whether timely and effective security incident notification and emergency response mechanisms are provided;
14) Whether effective channels for complaints and protection of rights are provided;
15) Whether personal information is shared with or transferred to third parties without the user's consent;
16) Whether inaccurate or incomplete and misleading data is disseminated;
17) Whether individuals are induced or forced to provide excessive personal information;
18) Whether personal behavior is excessively tracked or monitored;
19) Whether individuals are unreasonably restricted from controlling their personal information, etc.;
20) Whether other personal information processing procedures comply with applicable norms.
Note 2: The normative analysis of personal information processing flow may refer to the corresponding contents of GB/T 35273-2020.
c) Participants and third parties. Factors in assessment shall include but not be limited to the following aspects:
1) Whether a responsible person and a working body for personal information protection are appointed, and whether the responsible person has relevant management experience and professional knowledge of personal information protection;
2) Whether personal information security management policies and strategies are developed and implemented according to business security requirements;
3) Whether a security management system covering all aspects of personal information processing is developed, with specific security management requirements set out;
4) Whether confidentiality agreements are signed with relevant personnel engaged in personal information processing, and background checks conducted on those who have access to large quantities of personal sensitive information;
5) Whether the security duties of the different internal posts involved in personal information processing are specified, and a penalty and accountability system for security incidents established;
6) Whether professional training and examination on personal information security are provided to relevant personnel engaged in personal information processing, so as to ensure that they are proficient in the privacy policy and related procedures;
7) Whether the personal information security requirements that external service personnel who may access personal information must comply with are specified, and supervision implemented;
8) Whether binding contracts and other documents are signed with third parties, stipulating the processing purpose, processing method, data retention period and method of processing upon expiry, after personal information is transmitted to the third party;
9) Whether the third party's handling of personal information is regularly inspected and audited to ensure that it strictly implements the contract and other agreements;
10) Other necessary measures.
Note 3: If an organization establishes a mature security management system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
d) Business characteristics, scale and security situation. Factors in assessment shall include but not be limited to the following aspects:
1) Dependence of the business on personal information processing;
2) The quantity, frequency, user scale and peak values of personal information that the business processes or may process;
3) Whether there have been incidents such as leakage, tampering, damage or loss of personal information;
4) Law enforcement and supervision trends related to personal information protection;
5) Cyber-attacks or security incidents suffered recently;
6) Security-related warning information recently received or publicly released.
After fully understanding the corresponding contents of the above dimensions, the organization identifies the measures taken and the current status by means of investigation and interview, consulting supporting documents, functional inspection and technical testing. In line with the different dimensions of the analysis of personal rights and interests in 5.5, the possibility level of security incidents is comprehensively assessed from the above four aspects.
Note 4: Refer to D.1 in Annex D for the assessment of the security incident possibility level.
5.5 Analysis of the impact of personal rights and interests
5.5.1 Dimension of personal rights and interests
Personal rights and interests impact analysis refers to analyzing whether specific personal information processing activities will have an impact on the legitimate rights and interests of the personal information subject, and what kind of impact they may have. The impact on personal rights and interests may be summarized into four dimensions: "limiting individual autonomy", "causing differential treatment", "personal reputation damage or mental stress" and "personal property damage":
a) Limiting individual autonomy, such as being forced to perform unwanted operations, lacking the knowledge or channels to correct personal information, being unable to refuse the push of personalized advertisements, and being deliberately pushed information that affects the judgment of personal values;
b) Causing differential treatment, such as discrimination against individuals caused by the leakage of information on illness, marital history, student status, etc., and damage to individuals' right to fair trade caused by abuse of information such as personal consumption habits;
c) Personal reputation damage or mental stress, such as one's identity being fraudulently used by others, exposure of habits and experiences one does not wish to be known, and being frequently harassed, monitored and tracked;
d) Personal property damage, such as personal injury, theft from capital accounts, fraud, extortion, etc.
5.5.2 Analysis process of personal rights and interests impact
According to the results of data flow analysis and the personal information processing activities that need to be assessed, combined with the requirements of relevant laws, regulations and standards or the personal information security objectives defined by the organization, the organization may analyze the possible impact of the whole life cycle of personal information processing activities or specific processing behaviors on personal rights and interests, as well as the possible impact of personal information disclosure, damage, loss and abuse on personal rights and interests, so as to examine whether there is any risk of infringing the rights and interests of personal information subjects.
The process of personal rights and interests impact analysis generally includes four stages: sensitivity analysis of personal information, analysis of the characteristics of personal information processing activities, analysis of problems in personal information processing activities, and analysis of the degree of impact:
a) In the stage of analyzing personal information sensitivity, the organization may refer to the relevant national laws, regulations and standards and, according to the data flow analysis results, analyze the possible impact of the sensitivity of the personal information on personal rights and interests. For example, the disclosure and abuse of health and physiological information may have a serious impact on an individual's physical and mental health;
b) In the stage of analyzing the characteristics of personal information processing activities, the organization may refer to the relevant national laws, regulations and standards and analyze whether the personal information processing activities involve limiting individual autonomy, causing differential treatment, personal reputation damage or mental stress, personal property damage, etc. For example, public disclosure of personal experiences may have an impact on personal reputation;
c) In the stage of analyzing problems in personal information processing activities, the organization may analyze the possible weaknesses, gaps and problems of the personal information processing activities according to the data flow analysis results, with reference to the relevant national laws, regulations and standards. The normative analysis results of the personal information processing procedure in 5.4 b) may support the analysis in this stage, and analyzing the severity of the problems helps to analyze the degree of impact on personal rights and interests;
d) In the stage of analyzing the degree of impact on personal rights and interests, the organization may comprehensively analyze the possible impact of the personal information processing activities on personal rights and interests, and its severity, by combining the analysis results of the previous stages.
Note: Refer to D.2 for the assessment of the impact on personal rights and interests.
5.6 Comprehensive analysis of security risks
When conducting a comprehensive analysis of security risks, the following steps may be taken with reference to the basic principles in 4.5:
a) With reference to 5.4, analyze the implemented security measures, relevant parties, processing scale and other factors, and assess the possibility level of security incidents;
b) With reference to 5.5, analyze the impact of possible security incidents on personal rights and interests, and assess the degree of impact on personal rights and interests;
c) Considering both the possibility of security incidents and the degree of impact on personal rights and interests, obtain the security risk level of the personal information processing activities through comprehensive analysis.
Note: Refer to D.3 for the specific process of security risk analysis and the judgment of risk level, and to Table C.3, Table C.4 and Table C.5 in Annex C for the tables used in that process.
After completing the impact assessment of specific personal information processing activities, the organization may synthesize the assessment results of all relevant personal information processing activities to form the risk level of the whole assessment object (such as business department, specific project, specific cooperation, etc.).
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment principle
4.1 General
4.2 Assessment value
4.3 Purposes of assessment report
4.4 Responsible subject of assessment
4.5 Basic assessment principle
4.6 Factors to be considered in assessment implementation
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.2 Assessment preparation
5.3 Data flow analysis
5.4 Risk source identification
5.5 Analysis of the impact of personal rights and interests
5.6 Comprehensive analysis of security risks
5.7 Assessment report
5.8 Risk disposal and continuous improvement
5.9 Report release strategy development
Annex A (Informative) Examples of assessment compliance and key points of assessment
Annex B (Informative) Examples of high-risk personal information processing activities
Annex C (Informative) Commonly used tool tables for personal information security impact assessment
Annex D (Informative) Personal information security impact assessment reference method
Bibliography
4 Assessment principle
4.1 General
Personal information security impact assessment aims to discover, dispose of and continuously monitor the risks, in the course of personal information processing, of adverse impact on the legitimate rights and interests of personal information subjects.
4.2 Assessment value
Implementing personal information security impact assessment can effectively strengthen the protection of the rights and interests of personal information subjects, helps the organization demonstrate externally its efforts to protect personal information security, improves transparency and enhances the trust of personal information subjects in the organization. This includes:
a) Before carrying out personal information processing, the organization may, through impact assessment, identify risks that may cause damage to the rights and interests of personal information subjects and accordingly adopt appropriate personal information security control measures.
b) For personal information processing that is under way, the organization may, through impact assessment, comprehensively consider changes in internal and external factors and continuously revise the personal information security control measures already adopted, so as to ensure that the risk of adverse impact on individuals' legitimate rights and interests remains generally under control.
c) The personal information security impact assessment and the records and documents it produces may help the organization to prove, in investigations, law enforcement, compliance audits, etc. by governments, relevant institutions or business partners, that it has complied with the requirements of laws, regulations and standards on personal information protection and data security.
d) When a personal information security incident occurs, the personal information security impact assessment and the records and documents it produces may be used to prove that the organization has proactively assessed risks and taken certain security protection measures, which helps to mitigate or even exempt the organization from related liability and reputational loss.
e) The organization may, through personal information security impact assessment, strengthen the personal information security education of its employees. By participating in the assessment, employees become familiar with various personal information security risks and enhance their ability to handle them.
f) Towards partners, the organization demonstrates through the concrete action of assessment that it takes personal information security protection seriously, and guides them to adopt appropriate security control measures so as to reach an equivalent or similar level of security protection.
4.3 Purposes of assessment report
The content of a personal information security impact assessment report mainly includes: the business scenarios covered by the assessment, the specific personal information processing activities involved in those business scenarios, the departments and personnel responsible and participating, the risks identified, the list of security control measures adopted and to be adopted, the residual risks, etc.
Therefore, the purposes of the personal information security impact assessment report include but are not limited to:
a) For personal information subjects, the assessment report can ensure that they understand how their personal information is processed and protected, and enable them to judge whether any residual risk has not yet been disposed of.
b) For the organization carrying out the impact assessment, the purposes of the assessment report may include:
1) In the planning stage of a product, service or project, to ensure that personal information protection requirements are fully considered and realized in the design of the product or service (for example, the realizability, feasibility and traceability of security mechanisms);
2) During the operation of a product, service or project, to judge whether the internal and external factors of operation (for example, changes in the operations team, the Internet security environment, the security control capability of third parties with which information is shared, etc.) or laws and regulations have substantively changed, and whether the impact assessment results need to be reviewed and revised;
3) To establish an accountability system, and to supervise whether security protection measures have been taken for personal information processing activities found to carry security risks, so as to improve or eliminate the identified risks;
4) To raise the personal information security awareness of internal employees.
c) For competent regulatory authorities, requiring organizations to provide personal information security impact assessment reports can urge organizations to carry out assessment and take effective security control measures. When handling complaints related to personal information security, investigating personal information security incidents, etc., competent regulatory authorities may learn about the relevant situation through the impact assessment report or use the report as evidence.
d) For the partners of the organization carrying out the impact assessment, to understand as a whole their role and function in the business scenario, and the specific personal information protection work and responsibilities they are to assume.
4.4 Responsible subject of assessment
The organization designates the department or personnel responsible for personal information security impact assessment, who are responsible for formulating, implementing and improving the workflow of personal information security impact assessment and are accountable for the quality of the assessment results. This responsible department or personnel shall be independent and not be influenced by the party being assessed. Typically, the department taking the lead in performing personal information security impact assessment within an organization is the legal department, the compliance department or the information security department.
The responsible department within the organization may, according to its specific capabilities and staffing, choose to carry out the personal information security impact assessment itself or engage an external independent third party to undertake the specific assessment work.
For a specific product, service or project, the corresponding product, service or project owner ensures that the personal information security impact assessment activities are carried out and proceed smoothly, and provides the corresponding support.
When the organization carries out the personal information security impact assessment itself, competent regulatory authorities and customers may require an independent audit to verify the reasonableness and completeness of the impact assessment activities. At the same time, the organization allows competent regulatory authorities to collect evidence on the impact assessment process and the relevant information systems or programs.
4.5 Basic assessment principle
The basic principle of personal information security impact assessment is shown in Figure 1.
Figure 1 Schematic diagram of assessment principle (diagram not reproduced; its elements are: data flow analysis; personal information processing activities to be assessed; personal rights and interests impact analysis; degree of impact on personal rights and interests; security protection measure effectiveness analysis; security incident possibility degree; risk level)
Before carrying out the assessment, a comprehensive investigation of the object to be assessed (which may be a product, a type of business, a specific cooperation, etc.) needs to be conducted to form a clear data inventory and data flow charts, and to sort out the specific personal information processing activities to be assessed. When carrying out the assessment, the impact that the personal information processing activities may have on the rights and interests of personal information subjects and its degree are analyzed, together with whether the security measures are effective, whether they may lead to security incidents and how likely this is; the results of the two aspects are combined to obtain the security risk and risk level of the personal information processing activities, corresponding improvement suggestions are put forward, and an assessment report is formed.
4.6 Factors to be considered in assessment implementation
4.6.1 Assessment scale
The scale of a personal information security impact assessment often depends on the scope and number of personal information subjects affected and the degree to which they are affected. Typically, when an organization implements such an assessment, the type, sensitivity and quantity of personal information, the scope and number of personal information subjects involved, and the scope of personnel who can access the personal information are all important factors influencing the scale of the assessment.
4.6.2 Assessment methods
The basic assessment methods adopted during assessment implementation include but are not limited to the following three:
a) Interview: the process in which assessors talk with relevant personnel in order to understand, analyze and obtain evidence on the processing of personal information in the information system and on the design and implementation of protection measures. Interviewees include product managers, development engineers, the person responsible for personal information protection, legal personnel, system architects, security administrators, operations and maintenance personnel, human resources personnel, system users, etc.
b) Inspection: the process in which assessors observe, examine and analyze management systems, security policies and mechanisms, contracts and agreements, security configuration and design documents, operation records, etc. in order to understand, analyze or obtain evidence. The objects of inspection are specifications, mechanisms and activities, such as personal information protection policy plans and procedures, system design documents and interface specifications, results of contingency planning drills, incident response activities, technical manuals and user/administrator guides, and the operation of information technology mechanisms in the hardware/software of information systems.
c) Testing: the process in which assessors conduct technical testing with manual or automated security testing tools, obtain relevant information and analyze it in order to obtain evidence. The objects of testing are security control mechanisms, such as access control, identification and authentication, security audit mechanisms, encryption mechanisms for transmission links and storage, continuous monitoring of important events, and testing of incident response capability and contingency planning drill capability.
4.6.3 Forms of assessment work
By implementing subject, personal information security impact assessment is divided into two forms: self-assessment and inspection assessment.
Self-assessment refers to an assessment of its own personal information processing behavior initiated by the organization itself; it may be carried out by a post or role within the organization specifically responsible for assessment and audit, or entrusted to an external professional organization.
Inspection assessment refers to a personal information security impact assessment initiated by the organization's superior organization. A superior organization is one that has a direct leadership relationship with the organization or bears supervisory and management responsibility for it. Inspection assessment may also be entrusted to an external professional organization.
After determining the assessment scale and selecting the assessment methods and the form of assessment work, the specific process of assessment implementation may refer to Clause 5.
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.1.1 General
Personal information security impact assessment may be used for compliance gap analysis, and may also be used, beyond compliance, for the purpose of further improving the organization's own security risk management capability and security level. Therefore, the necessity of initiating a personal information security impact assessment depends on the organization's personal information security objectives, and the organization may select the business scenarios for which assessment needs to be initiated according to its actual needs.
5.1.2 Compliance gap assessment
5.1.2.1 General
When the personal information security objective defined by the organization is to meet the baseline requirements of relevant laws, regulations or standards, the main purpose of the personal information security impact assessment is to identify the gap between the security control measures already taken for the specific personal information processing activities to be assessed and the specific requirements of the relevant laws, regulations or standards; for example, whether the explicit consent of the personal information subject has been obtained when sharing personal information with a third party in a certain business scenario.
5.1.2.2 Overall compliance analysis
According to the applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between all personal information processing activities involved in a specific product or service and the applicable rules. Application scenarios of this assessment approach include but are not limited to the following:
a) Annual overall assessment of a product or service;
b) Design-stage assessment of a new product or service (regardless of technical platform);
c) Initial assessment at the launch of a new product or service (regardless of technical platform);
d) Reassessment when major changes occur in laws, regulations, policies, standards, etc.;
e) Reassessment when major changes occur in the business model, the Internet security environment, the external environment, etc.;
f) Reassessment after a major personal information security incident;
g) Assessment in the event of acquisition, merger, restructuring, etc.
5.1.2.3 Partial compliance analysis
According to the applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between some of the personal information processing activities involved in a specific product or service and the applicable rules. Application scenarios of this assessment approach include but are not limited to the following:
a) Assessment when a new function needs to collect new types of personal information;
b) Assessment when partial changes occur in laws, regulations, policies or standards;
c) Assessment when changes occur in the business model, information systems, operating environment, etc.
5.1.2.4 Analysis of assessment-based compliance requirements
Some provisions of laws, regulations and standards related to personal information protection set out assessment-based compliance requirements. Such provisions do not specify explicit, concrete security control measures for particular personal information processing activities; instead, they require the organization to specifically carry out a risk assessment for the particular personal information processing activities and to take security control measures commensurate with the degree of risk, reducing the risk of adverse impact on the legitimate rights and interests of personal information subjects to an acceptable level, in order to comply with the provisions.
Assessment-based compliance requirements often target personal information processing activities that have a major impact on personal rights and interests, for example, processing personal sensitive information, processing personal information by means of automated decision-making, entrusting the processing of personal information, transferring or sharing personal information with third parties, publicly disclosing personal information, transferring personal information abroad, etc.
For such provisions, the organization may use the personal information security impact assessment method provided in this guide to carry out assessment, ensuring that the security risks of personal information processing activities are under control so as to meet the requirements of the corresponding laws, regulations and standards.
Note: For examples of analysis of assessment-based compliance requirements and specific key points of assessment, refer to Annex A.
5.1.3 Due-diligence risk assessment
For purposes such as prudent operation, reputation maintenance and brand building, organizations often select personal information processing activities that may pose high risks to individuals' legitimate rights and interests and carry out due-diligence risk assessment. The goal of such risk assessment is to reduce, as far as possible, the adverse impact on the legitimate rights and interests of personal information subjects, above and beyond the baseline requirements of relevant laws, regulations and standards.
Note: For examples of high-risk personal information processing activities, refer to Annex B.
The organization may use the personal information security impact assessment method provided in this standard to assess high-risk personal information processing activities and further reduce their security risks.
5.2 Assessment preparation
5.2.1 Forming the assessment team
The organization confirms and appoints the personnel responsible for conducting the personal information security impact assessment (the assessors). In addition, the organization also designates personnel responsible for signing the assessment report.
The assessors clearly specify to whom the personal information security impact assessment report is to be submitted, the time period of the personal information security impact assessment, and whether the assessment report or its summary will be published.
If necessary, the assessors need to request team support, for example a team composed of representatives of the technical department, the relevant business departments and the legal department. Personal information security impact assessment within an organization requires the long-term support of the organization's management.
Management needs to allocate the necessary resources to the personal information security impact assessment team.
5.2.2 Formulating the assessment plan
The plan needs to clearly specify the work to be performed to complete the personal information security impact assessment report, the division of assessment tasks and the assessment schedule. In addition, the plan also needs to take into account the suspension or withdrawal of the scenario to be assessed. In practice, the following aspects are considered:
a) Personnel, skills, experience and capability;
b) The time required to perform each task;
c) The resources required for each step of the assessment, such as automated assessment tools.
Note: When the scenarios involved are complex and consume many resources, it is recommended to update and iterate the original plan; for routine assessment activities or when the scenario to be assessed is of low complexity, the original plan may be reused or this step simplified.
If consultation of relevant parties is involved, the plan needs to state under what circumstances relevant parties need to be consulted, which personnel will be consulted and the specific method of consultation (for example, public opinion surveys, seminars, focus groups, public hearings, online experience, etc.).
5.2.3 Determining the assessment object and scope
The assessment object and scope are described from the following three aspects:
a) Description of basic system information, including but not limited to:
1) The purposes and types of personal information processing;
2) A description of the information systems supporting current or future business processes;
3) The departments or relevant personnel performing information system management duties, and their duties or level of performance;
4) A description of the processing methods and processing scope of personal information, the roles with the right to access personal information, etc.;
5) If it is expected that a third party will be entrusted with processing, or that personal information in the information system will be shared with or transferred to a third party, a statement of the identity of that third party, the third party's access to the information system, etc.
b) Description of system design information, including but not limited to:
1) Overview of the functional (or logical) structure;
2) Overview of the physical structure;
3) Inventory and structure of the information system databases, tables and fields containing personal information;
4) Data flow diagram by component and interface;
5) Data flow diagram of the personal information life cycle, for example the collection, storage, use and sharing of personal information;
6) Description of the points in time at which personal information subjects are notified and at which their consent is obtained, and the corresponding workflow diagram;
7) Inventory of interfaces through which personal information may be transmitted externally;
8) Security measures in the course of personal information processing.
c) Description of processing flow and procedure information, including but not limited to:
1) The identity and user management concept of the information system;
2) The operation concept, including whether the information system or parts of it are run on-premises, hosted externally or outsourced to the cloud;
3) The support concept, including a list of the third parties who can access personal information, the personal information access rights they hold, the locations from which they can access personal information, etc.;
4) The logging concept, including the retention plan for the information logged;
5) Backup and recovery plan;
6) Protection and management of metadata;
7) Data retention and deletion plan and the disposal of storage media.
5.2.4 Formulating the relevant-party consultation plan
Relevant parties include but are not limited to:
——employees, for example personnel in human resources, legal, information security, finance, business operation functions, communications and internal audit (especially in a regulated environment);
——personal information subjects and consumer representatives;
——subcontractors and business partners;
——system development and operations and maintenance personnel;
——other personnel of the organization who have corresponding concerns about the assessment.
To ensure the transparency of the assessment process and achieve the goal of reducing security risks, the assessors need to identify in detail the internal or external relevant parties entering the assessment procedure. Relevant parties have a direct interest in the personal information processing activities to be assessed; a relevant party may be an organization or individual that has or may obtain access to personal information.
The assessors need to confirm the categories of relevant parties, and then specifically identify the particular organizations or individuals within each category. If a relevant party is an individual, that individual should be as representative as possible.
The scope and scale of the personal information, as well as factors such as business importance and cost-benefit, are very important for determining the appropriate relevant parties. If a large-scale personal information processing activity is assessed, there may be many relevant parties. In such a case, social groups (such as consumer rights protection organizations) may be identified as relevant parties. Conversely, some small assessments may not need to identify a broad list of relevant parties.
Formulating the consultation plan requires clarifying the impact suffered by the different relevant parties, the consequences (if known), the security control measures taken to reduce adverse impact, and other related issues. The plan also includes the scope and schedule of consultation.
The goals of the consultation plan include but are not limited to:
a) Determining the number and scope of relevant parties;
b) The specific ways in which relevant parties participate in identifying and assessing the impact on personal rights and interests and the security risks;
Note: The issues raised in feedback from relevant parties may relate to subjective perceptions of risk rather than objective actual risk, but these opinions shall not be ignored; the organization may handle them within the broader issue of relevant-party management, which helps with communication activities.
c) Consulting relevant parties on the assessment report to confirm whether the report adequately reflects their concerns about the relevant issues.
When carrying out a personal information security impact assessment, the organization may urge appropriate relevant parties (mainly subcontractors and business partners) to carry out their own personal information security impact assessments. Appropriate relevant parties are obliged to carry out personal information security impact assessment or to cooperate with the organization in carrying it out, and the organization may cite the relevant party's personal information security impact assessment report as a consultation result.
5.3 Data flow analysis
After conducting a comprehensive investigation of the personal information processing process, the organization forms a clear data inventory and data flow charts.
The data flow analysis stage needs to be combined with the specific scenarios of personal information processing. The investigation covers the types of personal information, processing purposes and specific implementation methods involved in the collection, storage, use, transfer, sharing, deletion and other stages of personal information processing, as well as the resources (such as internal information systems) and relevant parties (such as personal information processors, platform operators, external service providers, cloud service providers and other third parties) involved in the processing. During the investigation, situations such as decommissioned systems, consolidation of system data, corporate acquisitions, mergers and global expansion are considered as far as possible.
When sorting out the results of the data flow analysis, personal information processing activities are classified according to factors such as the type and sensitivity of the personal information, the collection scenario, the processing method and the relevant parties involved, and the specific circumstances of each category of personal information processing activities are described, to facilitate subsequent impact analysis and risk evaluation by category.
Note: For carrying out data flow analysis, refer to Table C.1 and Table C.2 in Annex C.