GB/T 41817-2022 Information security technology—Guidelines for personal information security engineering (English Version)
Standard No.: GB/T 41817-2022
English Name: Information security technology—Guidelines for personal information security engineering
Chinese Name: 信息安全技术 个人信息安全工程指南
Chinese Classification: L80 Data encryption
Professional Classification: GB    National Standard
Source Content Issued by: SAMR; SAC
Issued on: 2022-10-12
Implemented on: 2023-5-1
Status: valid
Target Language: English
File Format: PDF
Word Count: 10500 words
Translation Price(USD): 315.0
Delivery: via email in 1~3 business days
GB/T 41817:2022 Information security technology - Guidelines for personal information security engineering

1 Scope

This document sets forth the principles, objectives, stages and preparations of personal information security engineering, and provides engineering guidelines for implementing personal information security requirements in the requirements, design, development, testing and release stages of network products and services.

This document is applicable to network products and services (including information systems) that involve the processing of personal information, providing guidelines for their synchronous planning and construction of personal information security measures, and may also be referenced by organizations when carrying out privacy engineering in the software development lifecycle.

Note: In case of no confusion, the term "network products and services" is referred to as "products and services" herein.

2 Normative references

The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 25069-2022 Information security techniques - Terminology
GB/T 35273-2020 Information security technology - Personal information security specification
GB/T 39335-2020 Information security technology - Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology - Basic requirements for collecting personal information in mobile internet applications

3 Terms and definitions

For the purposes of this document, the terms and definitions given in GB/T 25069-2022 and the following apply.

3.1 personal information security engineering
an engineering process of integrating personal information security principles and requirements into each stage of product and service planning and construction, so that personal information security requirements can be effectively implemented in products and services
Note: It is also known as "privacy engineering".

3.2 personal information protection impact assessment
process of, for the personal information processing, inspecting whether the purpose and method of personal information processing are legal, legitimate and necessary, judging the impact on the legitimate rights and interests of individuals and the security risks, and assessing the effectiveness of personal information protection measures taken
Note: It is also known as "personal information security impact assessment".

3.3 personal information processing
collection, storage, use, processing, transmission, provision, disclosure, deletion and other acts of personal information

3.4 automated decision-making
activity of automatically analyzing and assessing an individual's behavioral habits, interests, or economic, health, or credit status through a computer program, and thus making decisions
Note: It includes personalized recommendation, personalized display and precision marketing.

3.5 third-party components
applications such as software development kits, codes, plug-ins and programs provided by organizations or individuals other than product and service providers
Note 1: They include commercial applications and open source applications.
Note 2: They include SDKs, codes and plug-ins (referred to as "third-party components") embedded in products and services, as well as mobile Internet applications (referred to as "mobile applications"), applets and application systems (referred to as "third-party products or services") accessing products and services.

4 Abbreviations

For the purposes of this document, the following abbreviations apply.

API: application programming interface
ICT: information communication technology
SDK: software development kit
SDL: security development lifecycle
Contents of GB/T 41817-2022

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
5.1 Principles of personal information security engineering
5.2 Objectives of personal information security engineering
5.3 Stages of personal information security engineering
5.4 Preparations for personal information security engineering
6 Requirements stage of personal information security engineering
6.1 Description
6.2 Inputs
6.3 Roles and responsibilities
6.4 Main activities
6.5 Outputs
7 Design stage of personal information security engineering
7.1 Description
7.2 Inputs
7.3 Roles and responsibilities
7.4 Main activities
7.5 Outputs
8 Development stage of personal information security engineering
8.1 Description
8.2 Inputs
8.3 Roles and responsibilities
8.4 Main activities
8.5 Outputs
9 Testing stage of personal information security engineering
9.1 Description
9.2 Inputs
9.3 Roles and responsibilities
9.4 Main activities
9.5 Outputs
10 Release stage of personal information security engineering
10.1 Description
10.2 Inputs
10.3 Roles and responsibilities
10.4 Main activities
10.5 Outputs
Annex A (Informative) Common personal information security design reference points
Annex B (Informative) Common personal information security default configuration reference points
Bibliography
Referred in GB/T 41817-2022:
* GB/T 25069-2022 Information security techniques—Terminology
* GB/T 35273-2020 Information security technology—Personal information security specification
* GB/T 39335-2020 Information security technology—Guidance for personal information security impact assessment
* GB/T 41391-2022 Information security technology—Basic requirements for collecting personal information in mobile internet applications