近期,全国信息安全标准化技术委员会发布了《信息安全技术个人信息安全影响评估指南》(征求意见稿,下称“《评估指南》”),作为2018年5月生效的《个人信息安全规范》(GB/T 35273—2017,下称“《安全规范》”)之配套规范及重要补充。
本文将从实务角度出发,对《评估指南》的内容进行介绍,并对《评估指南》所反映出的个人信息保护价值取向进行初步解读。
1《评估指南》下评估的功能
从内容上来看,《安全规范》从个人信息的收集、保存、使用到委托处理、共享、转让、公开披露及相关安全事件处置等方面,针对个人信息提出了一套几乎完整涵盖信息整个生命周期的良好实践体系。
现阶段,符合该体系的组织或企业,可向中国网络安全审查技术与认证中心(原中国信息安全认证中心)申请个人信息安全管理体系认证,获得相应的认证证书,从而提高组织的个人信息安全管理能力和合规性,进而提升组织的社会信誉。从这个角度而言,《安全规范》是一份以认证为导向的国家推荐标准。
与此相对,本次发布的《评估指南》引言部分即明确,该指南“将针对机构、企业提出个人信息安全影响评估的基本框架、方法和流程,供其自我评估使用”。由个人信息安全影响评估(下称“评估”)形成的报告(下称“评估报告”)更像是一份针对个人信息控制者处理个人信息的尽职调查报告,它不仅可以作为一种发现安全风险的预警机制,也可以证明个人信息控制者在相关活动中已遵守了相关法律、法规和标准的要求。
2评估的步骤与分析维度
具体而言,个人信息控制者或国家职能部门可按以下步骤,自行或委托第三方编制评估报告:
评估原理示意图
01数据映射分析
针对个人信息控制者的个人信息处理过程进行全面调研,形成数据清单及数据映射图表,确定个人信息处理的各环节设计的目的和具体实现方式及涉及的相关方,并初步判定所处理的个人信息是否属于个人敏感信息;
02个人权益影响分析
根据不同的个人信息处理活动,分析其是否会对个人信息主体权益产生影响,具体包括以下四个维度:
a)影响个人自主决定权,比如被强迫执行不愿执行的操作、无法更正错误上传的个人信息、无法选择推送广告的种类、被蓄意推送影响个人价值观判断的资讯;
b)引发差别性待遇,比如隐私信息(疾病、婚史、种族等)泄露造成的歧视、故意设置个人福利、资格、权利的差别等;
c)个人名誉受损或遭受精神压力,比如公开不愿为人知的事实(生活习惯、以往经历等),被频繁骚扰、监视追踪等;
d)个人财产受损或遭受人身伤害,比如账户被盗、遭受诈骗、被勒索恐吓、限制自由等。
03安全事件可能性分析
从网络环境和技术措施、处理流程规范性、参与人员与第三方情况及安全态势和处理规模四个维度,结合上述个人权益影响分析的不同维度,分析安全事件发生的可能性进行综合评价;
04综合评估
综合分析个人权益影响程度和安全事件可能性两个要素后,可根据《评估指南》得出个人信息安全风险的综合风险等级,并给出相应的改进建议,最终形成评估报告。
评估报告的内容通常包括:个人信息保护专员的审批页面、评估报告适用范围、实施评估及撰写报告的人员信息、参考的法律、法规和标准、个人信息影响评估对象(应明确涉及的个人敏感信息)、评估内容、涉及的相关方等,以及个人权益影响分析结果,安全保护措施分析结果、安全事件发生的可能性分析结果、风险判定的准则、合规性分析结果、风险分析过程及结果,风险处置建议等。
3评估报告对风险控制的作用
根据评估报告的结果,个人信息控制者可选取并实施相应的安全控制措施进行风险处置,持续跟踪风险处置的落实情况,评估剩余风险,将风险控制在可接受的范围内。如有必要,个人信息控制者还可节选发布评估报告的核心内容,以此促进自合规、配合监管并增加客户信任。
4个人信息保护的展望
我们认为,与体系化的《安全规范》认证相比,《评估指南》下的评估报告对企业的个人信息合规工作而言成本更低,操作更加灵活,且在发生相关安全风险时,评估报告的效力同样可以被监管机构认可,这一点对于随着“个人信息”定义从《网安法》到《安全规范》不断扩大,主动或被动成为“个人信息控制者”的诸多企业而言,显得尤为可贵。
此外,特别值得注意的是,《评估指南》首次在正文中提及了主导整个评估流程的“个人信息保护专员”,而这一表述也曾出现在《安全规范》附录D的隐私政策模板中,可以看作是中国网安法体系对欧盟GDPR要求设立的数据保护官(Data Protection Officer, DPO)有效借鉴。
我们认为,我国网安法体系将会逐步吸收GDPR的一些优秀实践,通过法规、规范甚至国标等方式,在事实上确立“个人信息保护专员”制度,作为《网安法》对个人信息保护的实践进路。因此,可以预见的是,今后我们将会在更多与个人信息有关的规范性文件中看到“个人信息保护专员”的相关规定,这也可能成为律师事务所在网络安全合规方面开展业务的新领域。
Security Impact Assessment Guide of Personal Informationis Seeking Public Comments
Recently, National Information Security Standardization Technical Committee announced a draft Information Security Technology-Security Impact Assessment Guide of Personal Information (the “Assessment Guide”) for public comments.
Assessment Guide is an important supplementary standard to the Personal Information Security Specification(GB/T 36273-2017, the “Security Specification”)effective upon May 2018.
I. Function of Assessment under the Assessment Guide
The existing Security Specification proposes a system of good practice covering almost the whole life cycle of personal information, ranging from its collection, storage, use to its entrusted processing, sharing, transfer, disclosure and disposal of relevant cybersecurity threats.Currently, any organization or enterprise conforming to such system can apply to China Cybersecurity Examination and Certification Center (formerly known as China Information Security Certification Center) for a Certification on Personal Information Security Management so as to improve its ability and compliance to a security management of personal information. Such certification can also be helpful to the good reputation of such organization or enterprise. In this regard, Security Specification is a certification-orientated recommended national standard.
In contrast, it is clearly stated in the introduction to the newly announced Assessment Guide that, the Guide “provides the basic frame, methodology and procedure for organizations’ and enterprises’ self-conducted impact assessment of personal information security”. The report compiled from the personal information security assessment (respectively as the “Assessment” and the “Assessment Report”) is similar to a due diligence report on personal data controller’s processing of personal information. It serves not only for the security risk early warning, but also for the proof of personal data controller’s compliance with relevant laws, regulations and standards during its business activities.
II. Procedures and Perspectives of the Assessment
Personal data controllers or governmental authorities may compile the Assessment Report, by themselves or through entrusted third party, following the steps listed below:
1、Data Mapping Analysis:
a comprehensive analysis of personal data controller’s processing of personal information shall be conducted to a) generate a data list and data mapping table, b) determine every step in personal information processing and their respective purposes, methods and subjects, and c) preliminarily determine whether the involved personal information shall be classified as personal sensitive information.
2、Personal Interests Impact Analysis:
the analysis of potential impact on personal information shall be conducted from the following four perspectives, subject to the specific processing method of personal information:
a) Autonomic decision: for example, the data subject is forced to carry out operations unwillingly, is unable to correct wrongly uploaded personal information, has no chance to choose types of push ads, or is purposely pushed to information that influences individual’s personal value;
b) Differential treatment: such as discriminatory treatment resulting from disclosure of privacy information (medical or marital history, race, etc.); willful offer of differential personal welfares, qualifications and rights;
c) Personal reputation or mental stress: for example, personal habit, history and other facts that data subject is not willing to disclose are disclosed, data subject is harassed, observed or traced frequently;
d) Monetary loss or personal injury, such as steal of account, fraud, threat, restriction on freedom, etc.
3、Probability of Cybersecurity Threats:
probability of cybersecurity threats shall be assessed, combined with the above four perspectives of personal interests impact analysis, based on the following for key factors: a) network environment and technical measures, b) standardized processing procedure, c) situation of involved personnel and third party, and d) general security situation and scale of processing.
4、Synthetic Assessment:
pursuant to the Assessment Guide, the comprehensive analysis of the personal interests impact and probability of cybersecurity threats will eventually lead to the evaluation of general risk level for personal information security, based on which the improvement actions shall be proposed and Assessment Report compiled.
The Assessment Report usually includes following sections: approval page for personal data protection officer, scope of the report, information page for appraiser(s) and drafter(s), laws, regulations and standards referred, object (with personal sensitive information clearly marked), contents of Assessment, involved parties, and results of personal interests impact analysis, security protection methods analysis, probability of cybersecurity threats analysis, criteria for risk evaluation, compliance analysis result, risk analysis process, result and solutions, etc.
III.Risk Control of Personal Information Protection based on the Assessment Report
Personal data controller may, based on the Assessment Report, choose suitable measures to dispose of the risks, monitor the progress and evaluate the remaining threats, so that the risks would be limited within an acceptable scale. If necessary, personal data controller may also publish a selected version of the Assessment Report with core contents for its better self-compliance and reputation among clients.
IV. Prospect: Personal Data Protection Officer
We are of the opinion that, compared with the systematic certification under the Security Specification, the Assessment Report under the Assessment Guide is a more economical and flexible solution to a company’s personal information protection compliance,especially taking the fact into account, that such Assessment Report can also be acknowledged by competent authorities in case of cybersecurity threats. For many companies recognized as “personal data controller”, either voluntarily or involuntarily as a result of the expanding definition of “personal information” from Cybersecurity Law to the Security Specification, such self-conducted assessment is quite a good alternative.
Furthermore, personal data protection officer is mentioned for the first time in the main text of the Assessment Guide, which is first introduced in Appendix D (Sample Privacy Policy) of the Security Specification as a counterpart of data protection officer (DPO) under GDPR.
We believe that China’s cybersecurity law system is trying to absorb some good practices from GDPR by means of regulations, specifications or even national standards. Personal data protection officer might be established as a de facto practice approach to
personal information protection under China Cybersecurity Law in the future.
It is also foreseeable that more rules on personal data protection officer will be stipulated in coming regulatory documents pertaining to personal information. For law firms practicing in the field of compliance, personal data protection officer might be a new business area worthy of further exploration.
关于隐私影响评估(PIA),企业你准备好了吗?
作者:潘冰峰来源:君悦律师事务所

近期,全国信息安全标准化技术委员会发布了《信息安全技术个人信息安全影响评估指南》(征求意见稿,下称“《评估指南》”),作为2018年5月生效的《个人信息安全规范》(GB/T 35273—2017,下称