The new regulations on personal information security norms are officially launched, worthy of your attention!

In March, Facebook's massive data breach reignited global attention to the abuse of personal privacy.

On May 1, the "Information Security Technology Personal Information Security Specification" (hereinafter referred to as the "Specification") was officially launched. The norm provides detailed provisions on personal information processing activities such as collection, storage, use, sharing, transfer, and public disclosure.

Although this norm is not a mandatory regulation, it is still a big improvement in the protection of personal information rights and interests. Below, Brother Xi extracts some of the more important chapters and shares them with you.

1. The standard defines "personal information" and "personal sensitive information" for the first time

In daily life, users' concept of privacy is more of a general concept, and the concept of personal information is relatively vague. In terms and definitions, the specification makes a distinction between personal information and personal sensitive information for the first time.

1. Personal information

Various information recorded by electronic or other means that can identify the identity of a specific person or reflect the activities of a specific person, alone or in combination with other information.

Personal information includes name, date of birth, identity document number, personal biometric information, address, communication contact information, communication records and content, account password, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information, etc.

2. Personal sensitive information

Personal information that, once leaked, illegally provided or abused, may endanger personal and property safety, or easily lead to damage to personal reputation or physical and mental health, or to discriminatory treatment.

Personal sensitive information includes identity document number, personal biometric information, bank account number, communication records and content, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information, personal information of children aged 14 or under (inclusive), etc.

In the appendix, the specification enumerates the scope and types of personal information and personal sensitive information. Examples of personal information: user operation records, IMEI information, device MAC address, etc. Examples of personal sensitive information: fingerprints, sexual orientation, undisclosed criminal records, web browsing records and precise positioning information.

2. Basic principles of personal information security

Personal information controllers (organizations or individuals who have the right to decide the purpose and method of personal information processing) should follow these basic principles when carrying out personal information processing activities:

1. The principle of the consistency of rights and responsibilities - assume responsibility for the damage to the legitimate rights and interests of personal information subjects caused by their personal information processing activities.

2. The principle of clear purpose - have a legal, legitimate, necessary and clear purpose for personal information processing.

3. The principle of choice and consent - state the purpose, method, scope, rules, etc. of personal information processing to the personal information subject, and seek their authorization and consent.

4. The principle of minimum sufficiency - unless otherwise agreed with the personal information subject, only the minimum types and quantity of personal information required to meet the purpose authorized and consented to by the personal information subject shall be processed. After the purpose is achieved, personal information should be deleted in a timely manner according to the agreement.

5. The principle of openness and transparency - disclose the scope, purpose, rules, etc. of personal information processing in a clear, understandable and reasonable manner, and accept external supervision.

6. The principle of ensuring security - have security capabilities commensurate with the security risks faced, and take adequate management measures and technical means to protect the confidentiality, integrity and availability of personal information.

7. The principle of subject participation - provide personal information subjects with methods to access, correct and delete their personal information, withdraw consent, cancel accounts, etc.

3. Collection and use of personal sensitive information

Requirements for information collection by personal information controllers:

1. When collecting personal sensitive information, the express consent of the personal information subject shall be obtained. It should be ensured that the express consent of the personal information subject is a voluntary, specific, clear and unambiguous expression of intent given on a fully informed basis;

2. Before collecting personal sensitive information through active provision or automatic collection, the following should be done:

1) Inform the personal information subject of the core business functions of the products or services provided and the personal sensitive information that must be collected, and clearly inform them of the impact of refusing to provide it or refusing consent. The personal information subject should be allowed to choose whether to provide it or agree to automatic collection;

2) If the product or service provides other additional functions that require the collection of personal sensitive information, explain to the personal information subject, one by one before collection, what the personal sensitive information is required for, and allow the personal information subject to choose, item by item, whether to provide it or agree to its automatic collection. When the personal information subject refuses, the corresponding additional functions may be withheld, but the provision of core business functions should not be stopped for this reason, and the corresponding service quality should be guaranteed.

This article emphasizes that express consent is voluntary consent given by the personal information subject on a fully informed basis, and requires that the provision of core business functions not be stopped because the user refuses consent, and that the corresponding service quality be guaranteed.

Given the current practice of many apps whose functions cannot be used without agreeing to authorization, this article still has a certain value.

2. Restrictions on the use of personal information:

1. Except as necessary for the purpose, when using personal information, clear identity orientation should be eliminated to avoid pinpointing specific individuals. For example, in order to accurately evaluate personal credit status, direct user portraits can be used, while for the purpose of pushing commercial advertisements, indirect user portraits should be used;

2. If the information generated by processing the collected personal information can identify the personal identity of the natural person alone or in combination with other information, or reflect the personal activities of the natural person, it shall be recognized as personal information. Its processing should follow the scope of authorization and consent obtained when personal information was collected;

Note: If the personal information generated by processing is personal sensitive information, its processing shall meet the requirements of this standard for personal sensitive information.

3. When using personal information, it shall not exceed the scope that is directly or reasonably related to the purpose stated when the personal information was collected. If it is necessary to use personal information beyond the above-mentioned scope due to business needs, the express consent of the personal information subject shall be obtained again.

Note: The use of collected personal information for academic research, or to obtain a description of the general state of natural, scientific, social, economic and other phenomena, falls within the scope that is reasonably related to the purpose of collection. However, when the results of academic research or description are provided externally, the personal information contained in the results shall be de-identified.

4. Entrusted processing, sharing and transfer of personal information

Entrusted processing:

When entrusting the processing of personal information, the following requirements shall be observed:

a) When the personal information controller entrusts processing, it shall not exceed the scope of authorization and consent obtained from the personal information subject, or shall comply with the conditions stipulated in 5.4 of this standard;

b) The personal information controller shall conduct a personal information security impact assessment of the entrustment, to ensure that the entrusted person has sufficient data security capabilities and provides a sufficient level of security protection;

c) The entrusted person should:

1) Process personal information in strict accordance with the requirements of the personal information controller. If the entrusted person fails to process personal information in accordance with the requirements of the personal information controller due to special reasons, it shall promptly report this to the personal information controller;

2) If the entrusted person really needs to entrust the processing again, obtain the authorization of the personal information controller in advance;

3) Assist the personal information controller in responding to requests made by the personal information subject based on this standard;

4) If the entrusted person cannot provide a sufficient level of security protection in the process of processing personal information, or a security incident occurs, promptly report this to the personal information controller;

5) No longer retain personal information when the entrustment relationship is terminated.

d) The personal information controller shall supervise the entrusted persons, including but not limited to:

1) stipulating the responsibilities and obligations of the entrusted persons through contracts and other means;

2) auditing the entrusted persons.

e) The personal information controller shall accurately record and preserve the details of the entrusted processing of personal information.

Sharing and Transfer of Personal Information:

In principle, personal information shall not be shared or transferred. When personal information controllers really need to share or transfer it, they should pay full attention to the risks. Sharing and transferring personal information, other than as a result of acquisition, merger or reorganization, shall comply with the following requirements:

a) Conduct a personal information security impact assessment in advance, and take effective measures to protect the personal information subject according to the assessment results;

b) Inform the personal information subject of the purpose of sharing or transferring the personal information and the type of data recipient, and obtain the authorization and consent of the personal information subject in advance. This does not apply to sharing or transferring de-identified personal information where it is ensured that the data recipient cannot re-identify the personal information subject;

c) Before sharing or transferring personal sensitive information, in addition to the content notified in b), inform the personal information subject of the type of personal sensitive information involved, the identity of the data recipient and its data security capability, and obtain the express consent of the personal information subject in advance;

d) Accurately record and save the details of the sharing and transfer of personal information, including the date, scale and purpose of the sharing or transfer, and basic information about the data recipient, etc.;

e) Bear the corresponding responsibility for damage to the legitimate rights and interests of the personal information subject caused by the sharing and transfer of personal information;

f) Help the personal information subject understand the data recipient's storage, use, etc. of the personal information, and the rights of the personal information subject, such as access, correction, deletion, account cancellation, etc.

Transfer of personal information during acquisition, merger, and reorganization:

When the personal information controller is subject to acquisition, merger, reorganization, etc., the personal information controller should:

a) inform the personal information subject of the relevant situation;

b) the personal information controller after the change shall continue to perform the responsibilities and obligations of the original personal information controller. If the purpose of using personal information is changed, the express consent of the personal information subject shall be obtained again.


In the current era of big data, artificial intelligence, and blockchain, the value of data as a basic means of production is self-evident. Ensuring the safety of this basic means of production means ensuring the safety of people's basic production and the security of the future digital economy.

The "Information Security Technology Personal Information Security Specification" is very rich in content. The above are just the points that Brother Xi thinks are important. If you want to know more, Brother Xi recommends that you study the original text carefully; you will gain a lot from it.
