Information security technology — Guidance for personal information security impact assessment
1 Scope
This standard gives the basic principle and implementation process of personal information security impact assessment.
This standard is applicable to the self-assessment of personal information security impact by various organizations and may also be used by competent regulatory authorities, third-party testing and assessment agencies, etc. as a reference for the supervision, inspection and assessment of personal information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20984 Information security technology — Risk assessment specification for information security
GB/T 25069-2010 Information security technology — Glossary
GB/T 35273-2020 Information security technology — Personal information security specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010, GB/T 35273-2020 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
[GB/T 35273-2020, 3.1]
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damages to personal reputation and physical and mental health or result in discriminatory treatment
[GB/T 35273-2020, 3.2]
3.3
personal information subject
natural person identified by or connected to personal information
[GB/T 35273-2020, 3.3]
3.4
personal information security impact assessment
process of inspecting the extent to which the personal information processing activities are lawful and compliant, of determining the various risks of such activities that cause damage to legitimate rights and interests of personal information subject and of assessing the effectiveness of various measures used to protect personal information subject
4 Assessment principle
4.1 General
The purpose of personal information security impact assessment is to discover, dispose of and continuously monitor the risks that adversely affect the legitimate rights and interests of the personal information subject during the personal information processing.
4.2 Assessment value
The implementation of personal information security impact assessment can effectively strengthen the protection of the rights and interests of the personal information subject, help an organization to show its efforts to protect personal information security, enhance transparency and enhance the trust of the personal information subject. The assessment value includes the following aspects:
a) Before personal information processing, the organization may identify the risks that may damage the rights and interests of the personal information subject through impact assessment, and adopt appropriate personal information security control measures accordingly.
b) During personal information processing, the organization may continuously revise the personal information security control measures already taken by considering the changes of internal and external factors through impact assessment, so as to ensure that the risk of adverse impact on the legitimate rights and interests of individuals is generally controllable.
c) Personal information security impact assessment and its record documents may help the organization to prove its compliance with the laws, regulations and standards on personal information protection and data security in the investigation, law enforcement and compliance audit of the government, relevant institutions or business partners.
d) In case of personal information security incident, the personal information security impact assessment and its record documents may be used to prove that the organization has actively assessed risks and taken certain security protection measures, which is helpful to reduce or even avoid the related responsibilities and reputation losses of the organization.
e) The organization may strengthen the personal information security education for employees through personal information security impact assessment. During the assessment, employees may become familiar with various personal information security risks and improve their capacity of risk disposal.
f) For partners, the organization shows that it takes personal information security protection seriously by practical assessment, and guides them to take appropriate security control measures to achieve the same or similar level of security protection.
4.3 Purposes of assessment report
The contents of a personal information security impact assessment report mainly include: the business scenarios covered by the assessment, the specific personal information processing activities involved in those business scenarios, the responsible departments and personnel involved, the identified risks, the list of adopted and proposed security control measures, and the remaining risks, etc.
Therefore, the purposes of the personal information security impact assessment report include but are not limited to:
a) For the personal information subject, the assessment report may ensure that the subject knows how his or her personal information is handled and protected, and enable him or her to judge whether there is any residual risk that has not been disposed of.
b) For the organization conducting impact assessment, the purposes of the assessment report may include:
1) In the planning stage of products, services or projects, the assessment report is used to ensure that the protection requirements of personal information are fully considered and realized in the design of products or services (e.g., the realizability, feasibility and traceability of the security mechanism);
2) During the operation of products, services or projects, it is used to judge whether the internal and external factors of the operation (e.g., changes in the operation team, the Internet security environment, the security control ability of third parties with whom information is shared) or laws and regulations have undergone substantial changes, and whether the impact assessment results need to be reviewed and revised;
3) It is used to establish a responsibility system to supervise whether security protection measures have been taken for the personal information processing activities that carry security risks, in order to mitigate or eliminate the identified risks;
4) It is used to enhance the personal information security awareness of internal employees.
c) For the competent regulatory authorities, requiring an organization to provide the personal information security impact assessment report may urge the organization to carry out the assessment and take effective security control measures. When dealing with personal information security-related complaints and investigating personal information security incidents, the competent regulatory authorities may know about the relevant situation through the impact assessment report, or use the report as relevant evidence.
d) For the partners of the organization carrying out the impact assessment, the assessment report is used to understand their roles and functions in the business scenarios as a whole, as well as their specific personal information protection work and responsibilities.
4.4 Responsible subject of assessment
The organization designates the department or personnel responsible for the establishment, implementation and improvement of the work process of personal information security impact assessment and for the quality of the work results of personal information security impact assessment. The responsible department or personnel is independent and not affected by the assessed party. Usually, the department leading the implementation of personal information security impact assessment in an organization is the legal service department, compliance department or information security department.
The responsible department in the organization may choose to carry out the personal information security impact assessment by itself or hire an external independent third party to undertake the specific personal information security impact assessment according to the specific capacity of the department.
For a specific product, service or project, the person in charge of the corresponding product, service or project shall ensure the development and smooth progress of the personal information security impact assessment activities, and give corresponding support.
When the organization conducts its own personal information security impact assessment, the competent regulatory authorities and customers may require independent audits to verify the rationality and completeness of the impact assessment activities. At the same time, the organization allows the competent regulatory authorities to obtain evidence of the impact assessment process and of the related information systems or procedures.
4.5 Basic assessment principle
The basic principle of personal information security impact assessment is shown in Figure 1.
Figure 1 Schematic diagram for assessment principle
Before assessment, it is necessary to conduct a comprehensive investigation of the object to be assessed (which may be a certain product, a certain business, a specific cooperation, etc.), form clear data lists and data flow charts, and sort out the specific personal information processing activities to be assessed. When carrying out the assessment, analyze the possible impact of the personal information processing activities on the rights and interests of personal information subjects and its degree, and separately analyze the effectiveness of the security measures and the likelihood of security incidents; combine the two results to obtain the security risks and risk level of the personal information processing activities, and put forward corresponding improvement suggestions to form an assessment report.
4.6 Factors to be considered in assessment implementation
4.6.1 Assessment scale
The scale of personal information security impact assessment often depends on the scope and number of impacted personal information subjects and the impact degree. Usually, when an organization carries out this kind of personal information security impact assessment, the type, sensitivity and number of personal information, the scope and number of subjects involved in personal information, and the scope of people who can access personal information will all become important factors of assessment scale.
4.6.2 Assessment methods
The basic assessment methods used in the assessment implementation process include but are not limited to the following three:
a) Interview: the process in which an assessor talks with relevant personnel to know about, analyze and obtain evidence about the processing of personal information, and about the design and implementation of protection measures in the information system. Interviewees include product managers, R&D engineers, persons in charge of personal information protection, persons in charge of legal affairs, system architects, security administrators, operation and maintenance personnel, human resources personnel and system users.
b) Inspection: the process in which an assessor observes, inspects and analyzes the management system, security policies and mechanisms, contracts and agreements, security configuration and design documents, operation records, etc. in order to know about, analyze or obtain evidence. The inspection objects are specifications, mechanisms and activities, such as personal information protection policy planning and procedures, system design documents and interface specifications, emergency planning drill results, incident response activities, technical manuals and user/administrator guides, and the operation of information technology mechanisms in information system hardware/software, etc.
c) Testing: the process in which an assessor conducts technical testing through manual or automated security testing tools, obtains relevant information, and conducts analysis to obtain evidence. The testing objects are security control mechanisms, such as access control, identity recognition and verification, security audit mechanisms, transmission link and storage encryption mechanisms, continuous monitoring of important events, and the testing of incident response capability and emergency planning drill capability, etc.
4.6.3 Assessment forms
According to the implementing subject, personal information security impact assessment is classified into self-assessment and inspection assessment.
Self-assessment refers to the organization's self-initiated assessment of its personal information processing behavior. Self-assessment may be carried out by the post or role designated by the organization to be responsible for assessment and audit, or an external professional organization may be entrusted to carry out assessment.
Inspection assessment refers to the personal information security impact assessment initiated by the organization's superior organization, which directly leads the organization or is responsible for supervising and managing the organization. An external professional organization may also be entrusted to carry out inspection assessment.
After determining the scale of assessment and selecting assessment methods and forms, the specific process of assessment implementation may refer to Clause 5.
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.1.1 General
Personal information security impact assessment may be used for compliance gap analysis, as well as for further improving the organization's own security risk management ability and security level. Therefore, the necessity of personal information security impact assessment depends on the organization's personal information security goal, and the organization may select the business scenarios for which to initiate assessment according to its actual needs.
5.1.2 Compliance gap assessment
5.1.2.1 General
When the personal information security goal defined by the organization is to meet the baseline requirements of relevant laws, regulations or standards, the main purpose of personal information security impact assessment is to identify the gap between the security control measures taken for the specific personal information processing activities to be assessed and the specific requirements of relevant laws, regulations or standards, such as whether the express consent of the personal information subject is obtained when sharing personal information with a third party in a business scenario.
5.1.2.2 Overall compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between all personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) annual overall assessment of products or services;
b) design stage assessment of new products or services (whose technology platform is not limited);
c) initial release assessment of new products or services (whose technology platform is not limited);
d) re-assessment when there are major changes in laws, regulations, policies and standards, etc.;
e) re-assessment when there are major changes in business model, Internet security environment and external environment, etc.;
f) re-assessment after a major personal information security incident;
g) assessment in case of acquisition, merger, reorganization, etc.
5.1.2.3 Partial compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between partial personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) assessment when new personal information types are needed to be collected for new functions;
b) assessment when there are partial changes in laws, regulations, policies and standards, etc.;
c) assessment when there are changes in the business model, information system and operating environment.
5.1.2.4 Analysis of assessment compliance requirements
Some laws, regulations and standards related to personal information protection put forward assessment compliance requirements. Such requirements do not specify clear and specific security control measures for particular personal information processing activities, but require organizations to carry out risk assessment for those activities and take security control measures commensurate with the degree of risk, so as to reduce the risk of adverse impact on the legitimate rights and interests of personal information subjects to an acceptable level.
Assessment compliance requirements are often aimed at personal information processing activities that have a significant impact on personal rights and interests, such as processing sensitive personal information, processing personal information with automated decision-making methods, entrusting personal information processing, transferring or sharing personal information to third parties, publicly disclosing personal information, and transferring personal information abroad.
In view of such requirements, the organization may use the personal information security impact assessment method provided in this guidance to ensure that the security risks of personal information processing activities are controllable to meet the requirements of corresponding laws, regulations and standards.
Note: Please refer to Annex A for analysis examples of assessment compliance requirements and specific assessment points.
5.1.3 Due diligence risk assessment
For the purposes of prudent operation, reputation maintenance, branding, etc., organizations often select personal information processing activities that may have high risks in the legitimate rights and interests of individuals, and carry out due diligence risk assessment for them. The goal of this risk assessment is to minimize the adverse impact on the legitimate rights and interests of the personal information subjects on the basis of meeting the baseline requirements of relevant laws, regulations and standards.
Note: Please refer to Annex B for examples of high-risk personal information processing activities.
The organization may use the personal information security impact assessment methods provided in this standard to assess high-risk personal information processing activities, and further reduce the security risks of personal information processing activities.
5.2 Assessment preparation
5.2.1 Establishment of assessment team
The organization confirms and appoints personnel (assessor) responsible for personal information security impact assessment. In addition, the organization shall designate personnel to sign the assessment report.
The assessor clearly specifies to whom the personal information security impact assessment report is to be submitted, the time period for the assessment, and whether the assessment report or its abstract is to be published.
If necessary, the assessor needs to request team support, such as a team composed of representatives from technical department, relevant business department and legal service department. The internal personal information security impact assessment needs long-term support from the organization management.
The management shall allocate necessary resources for the personal information security impact assessment team.
5.2.2 Development of assessment plan
The plan shall clearly define the work needed to complete the personal information security impact assessment report, the division of assessment tasks and the assessment schedule. In the plan, considerations shall also be given to the suspension or cancellation of the scenario to be assessed. The following aspects shall be considered during the specific operation:
a) personnel, skills, experience and capacity;
b) the time required to perform various tasks;
c) resources required for each procedure of assessment, such as automated assessment tools.
Note: It is recommended to update and iterate the original plan when the scenario involved is complex and consumes a lot of resources. For routine assessment activities or situations involving less complex scenarios to be assessed, the original plan may be used or the procedure may be simplified.
If consultation with relevant parties is involved, the plan shall explain under what circumstances the relevant parties need to be consulted, who will be consulted and the specific consultation methods (e.g., through public opinion surveys, seminars, focus groups, public hearings, online experiences).
5.2.3 Determination of the assessment object and scope
Describe the assessment object and scope from the following three aspects:
a) description of basic system information, including but not limited to:
1) purpose and type of personal information processing;
2) description of information systems supporting current or future business processes;
3) departments or related personnel performing information system management duties, and their duties or performance levels;
4) description of personal information processing methods, processing scope, and the roles with authority to access personal information;
5) if it is expected that a third party will be entrusted with processing the personal information, or that it will be shared with or transferred to a third party, an explanation of the identity of the third party and its access to the information system.
b) description of system design information, including but not limited to:
1) overview of functional (or logical) structure;
2) overview of physical structure;
3) list and structure of information system databases, tables and fields containing personal information;
4) chart of data flow divided by components and interfaces;
5) chart of data flow of personal information life cycle, such as collection, storage, use and sharing of personal information;
6) description of the time node for informing the personal information subject, and the time node for obtaining the consent of the personal information subject, and the work flow chart;
7) list of interfaces available to transmit personal information externally;
8) security measures during personal information processing.
c) description of the processing flow and plan information, including but not limited to:
1) the concept of identity and user management of information system;
2) operation concept, including whether information systems or parts of their structure are operated on site, hosted externally, or outsourced to the cloud;
3) support concept, including a list of the third parties who have authority to access personal information, their personal information access authority and access location;
4) record concept, including the retention plan for logged information;
5) backup and recovery plan;
6) protection and management of metadata;
7) data saving and deletion plan and storage medium disposal.
5.2.4 Development of the relevant party consultation plan
Relevant parties include but are not limited to:
——employees, such as personnel related to human resources, law, information security, finance, business operation functions, communication and internal audit (especially in the regulatory environment);
——personal information subjects and consumer representatives;
——subcontractors and business partners;
——system development personnel and operation and maintenance personnel;
——other personnel in the organization who have corresponding concerns about the assessment.
In order to make the assessment process transparent and achieve the goal of security risk reduction, the assessor shall confirm in detail the internal or external relevant parties involved in the assessment process. Relevant parties have a direct interest in the personal information processing activities to be assessed, and may be any organizations or individuals who have or may obtain access permission for personal information.
The assessor needs to confirm the classification of relevant parties, and then specifically confirm the specific organizations or individuals in various relevant parties. If the relevant party is an individual, the individual should be as representative as possible.
The scope and scale of personal information, as well as business importance, cost and benefit, etc., are very important for determining the appropriate relevant parties. If large-scale personal information processing activities are to be assessed, there may be more relevant parties. In this case, social organizations (such as consumer rights and interests protection organizations) may be recognized as relevant parties. On the contrary, some small assessments may not need to confirm a broad list of relevant parties.
When making the consultation plan, it is necessary to clarify the impacts and consequences (if known) suffered by different relevant parties, as well as the security control measures taken to reduce the adverse effects and other related issues. The consultation scope and schedule are also included in the plan.
The objectives of the consultation plan include but are not limited to:
a) determination of the number and scope of relevant parties;
b) specific ways for relevant parties to participate in identification and assessment of the impact on personal rights and interests and the security risks;
Note: Although issues raised in feedback from relevant parties may be related to subjective risk awareness, rather than objective actual risks, these opinions are not negligible. Organizations may deal with these opinions in a wider range of management issues of relevant parties to provide assistance for communication activities.
c) consulting the relevant parties on the assessment report to confirm whether the report fully reflects their concerns about relevant issues.
During personal information security impact assessment, the organization may urge appropriate relevant parties (mainly including subcontractors and business partners) to carry out personal information security impact assessment. Appropriate relevant parties have the obligation to carry out personal information security impact assessment, or cooperate with the organization to carry out personal information security impact assessment, and the organization may quote the personal information security impact assessment report of relevant parties as the consultation result.
5.3 Data flow analysis
After conducting a comprehensive investigation on the personal information processing process, the organization forms a clear data list and data flow chart.
The data flow analysis stage needs to be combined with the specific scenarios of personal information processing. The investigation contents include the personal information types, processing purposes and specific implementation methods involved in personal information collection, storage, usage, transfer, sharing and deletion, as well as the resources (such as internal information systems) and relevant parties (such as third parties like personal information processors, platform operators, external service providers, cloud service providers, etc.) involved in personal information processing. During the investigation, consider, where possible, off-line systems, system data consolidation, enterprise acquisitions, mergers and acquisitions, and global expansion.
When sorting out the results of data flow analysis, the personal information processing activities are classified according to the types, sensitivity, collection scenarios, processing methods and relevant parties of the personal information, and the specific situation of each type of personal information processing activity is described, for later impact analysis and risk assessment by classification.
Note: Data flow analysis may refer to Table C.1 and Table C.2 in Annex C.
5.4 Risk source identification
The purpose of risk source identification is to analyze the threats faced in personal information processing activities, and whether the activities lack adequate security measures, leading to vulnerabilities and security incidents. There are many factors that determine the occurrence of personal information security incidents. Threat sources include internal threats and external threats, as well as data theft caused by malicious personnel and data leakage caused unconsciously by non-malicious personnel. Vulnerabilities include data damage caused by the physical environment, data leakage, tampering and loss caused by technical factors, and abuse caused by improper management.
The threat identification and vulnerability identification methods described in GB/T 20984 may be used in the analysis process of personal information security incidents. In order to further simplify the analysis process of the possibility of personal information security incidents, the factors related to the possibility of personal information security incidents are summarized into the following four aspects:
a) network environment and technical measures. Factors in the assessment shall include but are not limited to the following aspects:
1) Whether the network environment of the information system processing personal information is the internal network or the Internet; different network environments face different threat sources, and an information system connected to the Internet faces higher risks;
2) The interaction mode between the information system processing personal information and other systems, such as whether network interfaces are used for data interaction, whether third-party code and plug-ins that may collect personal information are embedded, etc. Generally, the more data interaction there is, the more comprehensive the security measures that need to be taken to prevent risks such as information leakage and theft;
3) Whether strict measures such as identity authentication and access control are implemented during personal information processing;
4) Whether boundary protection equipment is deployed, strict boundary protection strategy is configured, and technical measures for data leakage prevention are implemented at the network boundary;
5) Whether to monitor and record the running status of the network, whether to mark and analyze the status of personal information internally or interacting with a third party, to find abnormal traffic and illegal use in time;
6) Whether technical measures are taken to prevent network intrusion such as virus and Trojan backdoor attacks, port scanning, and denial of service attacks;
7) Whether to use encrypted transmission, encrypted storage and other measures to provide extra protection to personal sensitive information;
8) Whether to audit the personal information processing activities at stages of personal information collection, storage, transmission, usage and sharing, and warn for abnormal operation;
9) Whether a complete network security incident warning, emergency response and reporting mechanism has been established;
10) Whether the information systems are subjected to regular security inspection, assessment and penetration testing, as well as timely patch updates and security reinforcement;
11) Whether to strengthen the security management of data storage media, and whether to have the ability to back up and restore data;
12) Other necessary technical support measures for network security.
Note 1: If an organization establishes a mature security protection system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
b) personal information processing procedure. Factors in assessment shall include but not be limited to the following aspects:
1) Whether the judgment of what constitutes personal sensitive information is accurate;
2) Whether the purpose of personal information collection is legitimate and lawful;
3) Whether data obtained from third parties is duly authorized for processing;
4) Whether the notification method and content are user-friendly and accessible, and whether all processing activities have been approved by users;
5) Whether the minimum set of personal information elements is defined, and whether personal information is collected beyond that scope;
6) Whether changing the purpose of using personal information has an impact on the personal information subject;
7) Whether a convenient and effective mechanism for individual participation is provided, including inquiry, correction, deletion, withdrawal of consent, account cancellation, etc.;
8) Whether a third party receiving personal information will change the purpose for which it is used;
9) Whether the retention period of personal information is minimized, and whether mechanisms such as deletion once the retention period expires are reasonable;
10) Whether the user profiling mechanism is restricted so as to avoid precisely targeting specific individuals;
11) Whether a mechanism is provided that lets users control, opt out of or turn off personalized display;
12) Whether the anonymization mechanism is effective, and whether de-identified personal information can be correlated and analyzed in a way that re-identifies the personal information subject;
13) Whether timely and effective security incident notification and emergency response mechanisms are provided;
14) Whether effective channels for complaints and rights protection are provided;
15) Whether personal information is shared with or transferred to a third party without user consent;
16) Whether inaccurate, incomplete or misleading data is disseminated;
17) Whether individuals are induced or forced to provide excessive personal information;
18) Whether personal behavior is tracked or monitored excessively;
19) Whether individuals are unreasonably restricted from controlling their personal information, etc.;
20) Normative compliance of other personal information processing procedures.
Note 2: The normative analysis of personal information processing flow may refer to the corresponding contents of GB/T 35273-2020.
c) participants and third parties. Factors in assessment shall include but not be limited to the following aspects:
1) Whether a person responsible for personal information protection and a working body have been appointed, and whether that person has relevant management experience and professional knowledge of personal information protection;
2) Whether personal information security management policies and strategies are developed and implemented according to business security requirements;
3) Whether a security management system covering all aspects of personal information processing has been developed, with specific security management requirements set out;
4) Whether confidentiality agreements are signed with personnel engaged in personal information processing, and background investigations conducted on those with access to large quantities of personal sensitive information;
5) Whether the security duties of the internal posts involved in personal information processing are specified, and a penalty and accountability system for security incidents established;
6) Whether professional training and assessment on personal information security are provided to personnel engaged in personal information processing, so that they are proficient in the privacy policy and related procedures;
7) Whether the personal information security requirements that external service personnel with access to personal information must comply with are specified, and whether supervision is implemented;
8) Whether binding contracts or other documents are signed with a third party, stipulating the processing purpose and method, the data retention period and the handling method once that period expires, for personal information after it is transmitted to the third party;
9) Whether the third party's handling of personal information is regularly inspected and audited to ensure that it strictly implements the contract and other agreements;
10) Other necessary measures.
Note 3: If an organization establishes a mature security management system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
d) business characteristics, scale and security situation. Factors in assessment shall include but not be limited to the following aspects:
1) The degree to which the business depends on personal information processing;
2) The volume, frequency, user scale and peak value of personal information that the business processes or may process;
3) Whether there have been incidents such as leakage, tampering, damage or loss of personal information;
4) Law enforcement and supervision trends related to personal information protection;
5) Cyber-attacks or security incidents suffered recently;
6) Recently received or publicly released security-related warning information.
Having fully understood the contents of the above dimensions, the organization identifies the measures taken and their current status by means of investigation and interviews, review of supporting documents, functional inspection and technical testing. For each of the dimensions of the personal rights and interests analysis in 5.5, the possibility level of a security incident is then comprehensively assessed from the above four aspects.
Note 4: Please refer to D.1 in Annex D for the assessment of the security incident possibility level.
5.5 Analysis of the impact of personal rights and interests
5.5.1 Dimension of personal rights and interests
Personal rights and interests impact analysis refers to analyzing whether specific personal information processing activities will have an impact on the legitimate rights and interests of the personal information subject, and what kind of impact it may have. The impact of personal rights and interests may be summarized into four dimensions: "limiting individual autonomy", "causing differential treatment", "personal reputation damage or mental stress" and "personal property damage":
a) Limiting individual autonomy, such as being forced to perform operations against one's will, lacking the knowledge or channels needed to correct personal information, being unable to refuse pushed personalized advertisements, and being deliberately pushed information that affects personal value judgments;
b) Causing differential treatment, such as discrimination resulting from the leakage of information such as illness, marital history and student status, and damage to an individual's right to fair trading resulting from the abuse of information such as personal consumption habits;
c) Personal reputation damage or mental stress, such as having one's identity fraudulently used by others, having habits and experiences one does not wish to be known revealed, being frequently harassed, monitored or tracked, etc.;
d) Personal property damage, such as personal injury, theft of funds from accounts, fraud, extortion, etc.
5.5.2 Analysis process of personal rights and interests impact
According to the results of data flow analysis and the personal information processing activities that need to be assessed, combined with the requirements of relevant laws, regulations and standards or the personal information security objectives defined by the organization, the organization may analyze the possible impact of the whole life cycle of personal information processing activities or specific processing behaviors on personal rights and interests, as well as the possible impact of personal information disclosure, damage, loss and abuse on personal rights and interests, so as to examine whether there is any risk of infringing the rights and interests of personal information subjects.
The process of personal rights and interests impact analysis generally includes four stages: sensitivity analysis of personal information, analysis of the characteristics of personal information processing activities, analysis of the problems of personal information processing activities, and impact analysis:
a) In the personal information sensitivity analysis stage, the organization may refer to relevant national laws, regulations and standards and analyze the possible impact of personal information sensitivity on personal rights and interests according to the data flow analysis results. For example, the disclosure and abuse of health and physiological information may have a serious impact on an individual's physical and mental health;
b) In the stage of analyzing the characteristics of personal information processing activities, the organization may refer to relevant national laws, regulations and standards and analyze whether the personal information processing activities involve limiting individual autonomy, causing differential treatment, personal reputation damage or mental stress, personal property damage, etc. For example, public disclosure of personal experiences may have an impact on personal reputation;
c) In the problem analysis stage of personal information processing activities, the organization may analyze the possible weaknesses, gaps and problems of personal information processing activities according to the data flow analysis results, with reference to relevant national laws, regulations and standards. The normative analysis results for the personal information processing procedure in 5.4 b) may support the analysis in this stage, and analysis of the severity of the problems helps to determine the degree of impact on personal rights and interests;
d) In the analysis stage of the degree of impact on personal rights and interests, the organization may comprehensively analyze the possible impact of personal information processing activities on personal rights and interests and its severity by combining the analysis results of the previous stages.
Note: Refer to D.2 for the assessment of the impact on personal rights and interests.
5.6 Comprehensive analysis of security risks
When conducting comprehensive analysis of security risks, the following steps may be taken with reference to the basic principles in 4.5:
a) With reference to 5.4, analyze the implemented security measures, relevant parties, processing scale and other factors, and assess the possibility level of security incidents;
b) With reference to 5.5, analyze the impact of possible security incidents on personal rights and interests, and assess the degree of impact on personal rights and interests;
c) Considering the possibility of security incidents and the degree of impact on personal rights and interests, obtain the security risk level of the personal information processing activities through comprehensive analysis.
Note: Please refer to D.3 for the specific process of security risk analysis and the judgment of risk level, and to Table C.3, Table C.4 and Table C.5 for the corresponding tables.
After completing the impact assessment of specific personal information processing activities, the organization may synthesize the assessment results of all relevant personal information processing activities to form the risk level of the whole assessment object (such as business department, specific project, specific cooperation, etc.).
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment principle
4.1 General
4.2 Assessment value
4.3 Purposes of assessment report
4.4 Responsible subject of assessment
4.5 Basic assessment principle
4.6 Factors to be considered in assessment implementation
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.2 Assessment preparation
5.3 Data flow analysis
5.4 Risk source identification
5.5 Analysis of the impact of personal rights and interests
5.6 Comprehensive analysis of security risks
5.7 Assessment report
5.8 Risk disposal and continuous improvement
5.9 Report release strategy development
Annex A (Informative) Examples of assessment compliance and key points of assessment
Annex B (Informative) Examples of high-risk personal information processing activities
Annex C (Informative) Commonly used tool tables for personal information security impact assessment
Annex D (Informative) Personal information security impact assessment reference method
Bibliography
4 Assessment principle
4.1 General
The purpose of personal information security impact assessment is to discover, dispose of and continuously monitor the risks that adversely affect the legitimate rights and interests of the personal information subject during the personal information processing.
4.2 Assessment value
The implementation of personal information security impact assessment can effectively strengthen the protection of the rights and interests of the personal information subject, help an organization to show its efforts to protect personal information security, and enhance transparency and the trust of the personal information subject. The assessment value includes the following aspects:
a) Before personal information processing, the organization may identify the risks that may damage the rights and interests of the personal information subject through impact assessment, and adopt appropriate personal information security control measures accordingly.
b) During personal information processing, the organization may continuously revise the personal information security control measures already taken by considering the changes of internal and external factors through impact assessment, so as to ensure that the risk of adverse impact on the legitimate rights and interests of individuals is generally controllable.
c) Personal information security impact assessment and its record documents may help the organization to prove its compliance with the laws, regulations and standards on personal information protection and data security in the investigation, law enforcement and compliance audit of the government, relevant institutions or business partners.
d) In case of personal information security incident, the personal information security impact assessment and its record documents may be used to prove that the organization has actively assessed risks and taken certain security protection measures, which is helpful to reduce or even avoid the related responsibilities and reputation losses of the organization.
e) The organization may strengthen the personal information security education for employees through personal information security impact assessment. During the assessment, employees may become familiar with various personal information security risks and improve their capacity of risk disposal.
f) For partners, the organization shows that it takes personal information security protection seriously by practical assessment, and guides them to take appropriate security control measures to achieve the same or similar level of security protection.
4.3 Purposes of assessment report
The contents of the personal information security impact assessment report mainly include: the business scenarios covered by the assessment, the specific personal information processing activities involved in the business scenarios, the responsible departments and personnel involved, the identified risks, the list of adopted and proposed security control measures, and the remaining risks, etc.
Therefore, the purposes of the personal information security impact assessment report include but are not limited to:
a) For the personal information subject, the assessment report may ensure that the subject knows how his or her personal information is handled and protected, and enable him or her to judge whether there is any residual risk that has not been disposed of.
b) For the organization conducting impact assessment, the purposes of the assessment report may include:
1) In the planning stage of products, services or projects, the assessment report is used to ensure that the protection requirements of personal information are fully considered and realized in the design of products or services (e.g., the realizability, feasibility and traceability of the security mechanism);
2) During the operation of products, services or projects, it is used to judge whether the internal and external factors of the operation (e.g., changes in the operation team, the Internet security environment, the third-party security control capability for information sharing) or laws and regulations have undergone substantial changes, and whether the impact assessment results need to be reviewed and revised;
3) It is used to establish a responsibility system that supervises whether security protection measures have been taken for personal information processing activities that carry security risks, so as to reduce or eliminate the identified risks;
4) It is used to enhance the personal information security awareness of internal employees.
c) For the competent regulatory authorities, requiring an organization to provide the personal information security impact assessment report may urge the organization to carry out the assessment and take effective security control measures. When dealing with personal information security-related complaints and investigating personal information security incidents, the competent regulatory authorities may know about the relevant situation through the impact assessment report, or use the report as relevant evidence.
d) For the partners of the organization carrying out the impact assessment, the assessment report is used to understand their roles and functions in the business scenarios as a whole, as well as their specific personal information protection work and responsibilities.
4.4 Responsible subject of assessment
The organization designates the department or personnel responsible for the establishment, implementation and improvement of the work process of personal information security impact assessment and for the quality of the work results of personal information security impact assessment. The responsible department or personnel is independent and not affected by the assessed party. Usually, the department leading the implementation of personal information security impact assessment in an organization is the legal service department, compliance department or information security department.
The responsible department in the organization may choose to carry out the personal information security impact assessment by itself or hire an external independent third party to undertake the specific personal information security impact assessment according to the specific capacity of the department.
For a specific product, service or project, the person in charge of the corresponding product, service or project shall ensure the development and smooth progress of the personal information security impact assessment activities, and give corresponding support.
When the organization conducts its own personal information security impact assessment, the competent regulatory authorities and customers may require independent audits to verify the rationality and completeness of the impact assessment activities. At the same time, the organization allows the competent regulatory authorities to obtain evidence of the impact assessment process and related information systems or procedures.
4.5 Basic assessment principle
The basic principle of personal information security impact assessment is shown in Figure 1.
Figure 1 Schematic diagram for assessment principle
Before assessment, it is necessary to conduct a comprehensive investigation of the object to be assessed (which may be a certain product, a certain business, a specific cooperation, etc.), form clear data lists and data flow charts, and sort out the specific personal information processing activities to be assessed. When carrying out the assessment, analyze the possible impact of personal information processing activities on the rights and interests of personal information subjects and its degree, and analyze the effectiveness of security measures and the possibility of security incidents; combining the two results, obtain the security risks and risk level of the personal information processing activities, and put forward corresponding improvement suggestions to form an assessment report.
4.6 Factors to be considered in assessment implementation
4.6.1 Assessment scale
The scale of personal information security impact assessment often depends on the scope and number of impacted personal information subjects and the impact degree. Usually, when an organization carries out this kind of personal information security impact assessment, the type, sensitivity and number of personal information, the scope and number of subjects involved in personal information, and the scope of people who can access personal information will all become important factors of assessment scale.
4.6.2 Assessment methods
The basic assessment methods used in the assessment implementation process include but are not limited to the following three:
a) Interview: the process in which an assessor talks with relevant personnel to know about, analyze and obtain evidence about the processing of personal information and the design and implementation of protection measures in the information system. Interviewees include product managers, R&D engineers, persons in charge of personal information protection, persons in charge of legal affairs, system architects, security administrators, operation and maintenance personnel, human resources personnel and system users.
b) Inspection: the process in which an assessor observes, inspects and analyzes the management system, security policies and mechanisms, contracts and agreements, security configuration and design documents, operation records, etc. in order to know about, analyze or obtain evidence. The inspection objects are specifications, mechanisms and activities, such as personal information protection policy planning and procedures, system design documents and interface specifications, emergency planning drill results, incident response activities, technical manuals and user/administrator guides, and the operation of information technology mechanisms in information system hardware/software, etc.
c) Testing: the process in which an assessor conducts technical testing with manual or automated security testing tools, obtains relevant information and analyzes it to obtain evidence. The testing objects are security control mechanisms, such as access control, identity recognition and verification, the security audit mechanism, encryption mechanisms for transmission links and storage, continuous monitoring of important events, and testing of incident response capability and emergency planning drill capability, etc.
4.6.3 Assessment forms
From the implementation subject, personal information security impact assessment is classified into self-assessment and inspection assessment.
Self-assessment refers to the organization's self-initiated assessment of its personal information processing behavior. Self-assessment may be carried out by the post or role designated by the organization to be responsible for assessment and audit, or an external professional organization may be entrusted to carry out assessment.
Inspection assessment refers to the personal information security impact assessment initiated by the organization's superior organization, which directly leads the organization or is responsible for supervising and managing the organization. An external professional organization may also be entrusted to carry out inspection assessment.
After determining the scale of assessment and selecting assessment methods and forms, the specific process of assessment implementation may refer to Clause 5.
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.1.1 General
Personal information security impact assessment may be used for compliance gap analysis, as well as further improving one's own security risk management ability and security level. Therefore, the necessity of personal information security impact assessment depends on the organization's personal information security goal, and the organization may select the business scenarios to be initiated according to the actual needs.
5.1.2 Compliance gap assessment
5.1.2.1 General
When the personal information security goal defined by the organization is to meet the baseline requirements of relevant laws, regulations or standards, the main purpose of personal information security impact assessment is to identify the gap between the security control measures taken for the specific personal information processing activities to be assessed and the specific requirements of relevant laws, regulations or standards, such as whether, when personal information is shared with a third party in a business scenario, the express consent of the personal information subject is obtained.
5.1.2.2 Overall compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between all personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) annual overall assessment of products or services;
b) design stage assessment of new products or services (whose technology platform is not limited);
c) initial release assessment of new products or services (whose technology platform is not limited);
d) re-assessment when there are major changes in laws, regulations, policies and standards, etc.;
e) re-assessment when there are major changes in business model, Internet security environment and external environment, etc.;
f) re-assessment after a major personal information security incident;
g) assessment in case of acquisition, merger, reorganization, etc.
5.1.2.3 Partial compliance analysis
According to applicable laws, regulations, policies and standards related to personal information protection, the organization may analyze the gap between partial personal information processing activities related to specific products or services and applicable laws, regulations, policies and standards. The application scenarios of this assessment method include but are not limited to the following situations:
a) assessment when new personal information types are needed to be collected for new functions;
b) assessment when there are partial changes in laws, regulations, policies and standards, etc.;
c) assessment when there are changes in the business model, information system and operating environment.
5.1.2.4 Analysis of assessment compliance requirements
Some laws, regulations and standards related to the personal information protection put forward the assessment compliance requirements. Such requirements do not put forward clear and specific security control measures for specific personal information processing activities, but require organizations to carry out risk assessment for specific personal information processing activities, and take security control measures commensurate with the degree of risk, so as to reduce the risk of adverse impact on the legitimate rights and interests of personal information subjects to an acceptable level, in order to meet the requirements.
Assessment compliance requirements are often aimed at personal information processing activities that have a significant impact on personal rights and interests, such as processing sensitive personal information, processing personal information with automated decision-making methods, entrusting personal information processing, transferring or sharing personal information to third parties, publicly disclosing personal information, and transferring personal information abroad.
In view of such requirements, the organization may use the personal information security impact assessment method provided in this guidance to ensure that the security risks of personal information processing activities are controllable to meet the requirements of corresponding laws, regulations and standards.
Note: Please refer to Annex A for analysis examples of assessment compliance requirements and specific assessment points.
5.1.3 Due diligence risk assessment
For the purposes of prudent operation, reputation maintenance, branding, etc., organizations often select personal information processing activities that may have high risks in the legitimate rights and interests of individuals, and carry out due diligence risk assessment for them. The goal of this risk assessment is to minimize the adverse impact on the legitimate rights and interests of the personal information subjects on the basis of meeting the baseline requirements of relevant laws, regulations and standards.
Note: Please refer to Annex B for examples of high-risk personal information processing activities.
The organization may use the personal information security impact assessment methods provided in this standard to assess high-risk personal information processing activities, and further reduce the security risks of personal information processing activities.
5.2 Assessment preparation
5.2.1 Establishment of assessment team
The organization confirms and appoints personnel (assessor) responsible for personal information security impact assessment. In addition, the organization shall designate personnel to sign the assessment report.
The assessor clearly specifies to whom the personal information security impact assessment report is to be submitted, the time period for the assessment, and whether the assessment report or its abstract is to be published.
If necessary, the assessor needs to request team support, such as a team composed of representatives from technical department, relevant business department and legal service department. The internal personal information security impact assessment needs long-term support from the organization management.
The management shall allocate necessary resources for the personal information security impact assessment team.
5.2.2 Development of assessment plan
The plan shall clearly define the work needed to complete the personal information security impact assessment report, the division of assessment tasks and the assessment schedule. In the plan, consideration shall also be given to the suspension or cancellation of the scenario to be assessed. The following aspects shall be considered during the specific operation:
a) personnel, skills, experience and capacity;
b) the time required to perform various tasks;
c) resources required for each procedure of assessment, such as automated assessment tools.
Note: It is recommended to update and iterate the original plan when the scenario involved is complex and consumes a lot of resources. For routine assessment activities or situations involving less complex scenarios to be assessed, the original plan may be used or the procedure may be simplified.
If consultation with relevant parties is involved, the plan shall explain under what circumstances the relevant parties need to be consulted, who will be consulted and the specific consultation methods (e.g., through public opinion surveys, seminars, focus groups, public hearings, online experiences).
5.2.3 Determination of the assessment object and scope
Describe the assessment object and scope from the following three aspects:
a) description of basic system information, including but not limited to:
1) purpose and type of personal information processing;
2) description of information systems supporting current or future business processes;
3) departments or related personnel performing information system management duties, and their duties or performance levels;
4) description of personal information processing methods, processing scope, and the roles that have authority to access personal information;
5) if a third party is expected to be entrusted to process the personal information, or the personal information is to be shared with or transferred to a third party, an explanation of the identity of the third party and of the third party's access to the information system.
b) description of system design information, including but not limited to:
1) overview of functional (or logical) structure;
2) overview of physical structure;
3) list and structure of information system databases, tables and fields containing personal information;
4) chart of data flow divided by components and interfaces;
5) chart of data flow of personal information life cycle, such as collection, storage, use and sharing of personal information;
6) description of the time node for informing the personal information subject, and the time node for obtaining the consent of the personal information subject, and the work flow chart;
7) list of interfaces available to transmit personal information externally;
8) security measures during personal information processing.
c) description of the processing flow and plan information, including but not limited to:
1) the concept of identity and user management of information system;
2) operation concept, including the way that information systems or some of their structures adopt field operation, external hosting, or cloud outsourcing;
3) support concept, including a list of the third parties who have authority to access personal information, their personal information access authority and their access locations;
4) record concept, including the retention plan for log information;
5) backup and recovery plan;
6) protection and management of metadata;
7) data saving and deletion plan and storage medium disposal.
5.2.4 Development of the relevant party consultation plan
Relevant parties include but are not limited to:
——employees, such as personnel related to human resources, law, information security, finance, business operation functions, communication and internal audit (especially in the regulatory environment);
——personal information subjects and consumer representatives;
——subcontractors and business partners;
——system development personnel and operation and maintenance personnel;
——other personnel in the organization who have corresponding concerns about the assessment.
In order to make assessment process transparent and achieve the goal of security risk reduction, the assessor shall confirm in detail the internal or external relevant parties involved in the assessment process. Relevant parties have a direct interest relationship with the personal information processing activities to be assessed, and relevant parties may be any organizations or individuals who have or may obtain access permission for personal information.
The assessor needs to confirm the classification of relevant parties, and then specifically confirm the specific organizations or individuals in various relevant parties. If the relevant party is an individual, the individual should be as representative as possible.
The scope and scale of personal information, as well as business importance, cost and benefit, etc., are very important for determining the appropriate relevant parties. If large-scale personal information processing activities are to be assessed, there may be more relevant parties. In this case, social organizations (such as consumer rights and interests protection organizations) may be recognized as relevant parties. On the contrary, some small assessments may not need to confirm a broad list of relevant parties.
When making the consultation plan, it is necessary to clarify the impacts and consequences (if known) suffered by different relevant parties, as well as the security control measures taken to reduce the adverse effects and other related issues. The consultation scope and schedule are also included in the plan.
The objectives of the consultation plan include but are not limited to:
a) determination of the number and scope of relevant parties;
b) specific ways for relevant parties to participate in identification and assessment of the impact on personal rights and interests and the security risks;
Note: Although issues raised in feedback from relevant parties may be related to subjective risk awareness, rather than objective actual risks, these opinions are not negligible. Organizations may deal with these opinions in a wider range of management issues of relevant parties to provide assistance for communication activities.
c) consulting the relevant parties on the assessment report to confirm whether the report fully reflects their concerns about relevant issues.
During personal information security impact assessment, the organization may urge appropriate relevant parties (mainly including subcontractors and business partners) to carry out personal information security impact assessment. Appropriate relevant parties have the obligation to carry out personal information security impact assessment, or cooperate with the organization to carry out personal information security impact assessment, and the organization may quote the personal information security impact assessment report of relevant parties as the consultation result.
5.3 Data flow analysis
After conducting a comprehensive investigation on the personal information processing process, the organization forms a clear data list and data flow chart.
The data flow analysis stage needs to be combined with the specific scenarios of personal information processing. The investigation contents include personal information types, processing purposes and specific implementation methods involved in personal information collection, storage, usage, transfer, sharing and deletion, as well as resources (such as internal information systems) and relevant parties (such as third parties like personal information processors, platform operators, external service providers, cloud service providers, etc.) involved in personal information processing. During the investigation, off-line systems, system data consolidation, enterprise acquisitions, mergers and acquisitions, and global expansion shall be considered where possible.
When sorting out the results of data flow analysis, the personal information processing activities are classified according to the types, sensitivity, collection scenarios, processing methods and relevant parties of personal information, as well as describing the specific situations of each type of personal information processing activities, for later impact analysis and risk assessment by classification.
Note: For data flow analysis, refer to Table C.1 and Table C.2 in Annex C.
5.4 Risk source identification
The purpose of risk source identification is to analyze the threats faced in personal information processing activities, and whether the activities lack adequate security measures, leading to vulnerabilities and security incidents. There are many factors that determine the occurrence of personal information security incidents. Threat sources include internal threats and external threats, data theft caused by malicious personnel, and data leakage caused unconsciously by non-malicious personnel. Vulnerabilities include data damage caused by the physical environment, data leakage, tampering and loss caused by technical factors, and abuse caused by improper management.
The threat identification and vulnerability identification methods described in GB/T 20984 may be used in the analysis process of personal information security incidents. In order to further simplify the analysis process of the possibility of personal information security incidents, the factors related to the possibility of personal information security incidents are summarized into the following four aspects:
a) network environment and technical measures. Factors in assessment shall include but not be limited to the following aspects:
1) Whether the network environment of the information system processing personal information is an internal network or the Internet; different network environments face different threat sources, and information systems connected to the Internet face higher risks;
2) The interaction mode between the information system processing personal information and other systems, for example, whether network interfaces are used for data interaction, and whether third-party code and plug-ins that may collect personal information are embedded. Generally, the more data interaction there is, the more comprehensive the security measures that must be taken to prevent risks such as information leakage and theft;
3) Whether strict measures such as identity authentication and access control are implemented during personal information processing;
4) Whether boundary protection equipment is deployed, strict boundary protection strategy is configured, and technical measures for data leakage prevention are implemented at the network boundary;
5) Whether the running status of the network is monitored and recorded, and whether the status of personal information used internally or exchanged with third parties is tagged and analyzed, so as to detect abnormal traffic and illegal use in time;
6) Whether technical measures are taken to prevent network intrusion such as virus and Trojan backdoor attacks, port scanning, and denial of service attacks;
7) Whether to use encrypted transmission, encrypted storage and other measures to provide extra protection to personal sensitive information;
8) Whether to audit the personal information processing activities at stages of personal information collection, storage, transmission, usage and sharing, and warn for abnormal operation;
9) Whether a complete network security incident warning, emergency response and reporting mechanism has been established;
10) Whether the information systems are subjected to regular security inspection, assessment and penetration testing, as well as timely patch updates and security reinforcement;
11) Whether to strengthen the security management of data storage media, and whether to have the ability to back up and restore data;
12) Other necessary technical support measures for network security.
Note 1: If an organization establishes a mature security protection system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
b) personal information processing procedure. Factors in assessment shall include but not be limited to the following aspects:
1) Whether personal sensitive information is accurately identified;
2) Whether the purpose of personal information collection is legitimate and legal;
3) Whether data obtained from third parties has been duly authorized for processing;
4) Whether the notification method and content are user-friendly and accessible, and whether all processing activities have been approved by users;
5) Whether the minimum element set of personal information is defined, whether personal information is collected beyond the scope;
6) Whether changing the purpose of using personal information has an impact on the personal information subject;
7) Whether to provide a convenient and effective mechanism for individual participation, including inquiry, correction, deletion, withdrawal consent, account cancellation, etc.;
8) Whether the third party receiving personal information will change the purpose for which the personal information is used;
9) Whether the retention time of personal information is minimized, whether the mechanism such as deleting beyond the time limit is reasonable;
10) Whether the user profiling mechanism is restricted to avoid precisely targeting specific individuals;
11) Whether a mechanism is provided that allows users to control, exit or close personalized display;
12) Whether the anonymization mechanism is effective, and whether de-identified personal information can be correlated and analyzed, etc., resulting in re-identification of the personal information subject;
13) Whether to provide timely and effective security incident notification mechanism and emergency response mechanism;
14) Whether to provide effective complaints and rights protection channels;
15) Whether to share or transfer personal information to a third party without the consent of the user;
16) Whether inaccurate data or incomplete misleading data are disseminated;
17) Whether to induce or force individuals to provide too much personal information;
18) Whether to track or monitor personal behavior too much;
19) Whether to unreasonably restrict individuals from controlling their personal information, etc.;
20) Normalization of other personal information processing procedures.
Note 2: The normative analysis of personal information processing flow may refer to the corresponding contents of GB/T 35273-2020.
c) participants and third parties. Factors in assessment shall include but not be limited to the following aspects:
1) Whether a responsible person and a working agency for personal information protection are appointed, and whether the responsible person for personal information protection has relevant management experience and professional knowledge of personal information protection;
2) Whether to develop and implement personal information security management policies and strategies according to business security requirements;
3) Whether to develop security management system involving all aspects of personal information processing and put forward specific security management requirements;
4) Whether to sign confidentiality agreement with relevant personnel engaged in personal information processing and conduct background investigation on those who have access to large quantities of personal sensitive information;
5) Whether to specify security duties of different internal posts involving personal information processing, as well as establish a penalty and accountability system for security incidents;
6) Whether professional training and assessment on personal information security are provided for relevant personnel engaged in personal information processing, so as to ensure that they are proficient in the privacy policy and related procedures;
7) Whether the personal information security requirements that external service personnel who may access personal information must comply with are specified, and whether supervision is implemented;
8) Whether to sign binding contracts and other documents with a third party, and stipulate the processing purpose, method, data retention time and processing method if overdue, after the personal information is transmitted to the third party;
9) Whether the third party's handling of personal information is regularly inspected and audited to ensure that it strictly implements the contract and other agreements;
10) Other necessary measures.
Note 3: If an organization establishes a mature security management system with reference to other national standards related to network security and data security, it may conduct analysis and assessment based on its existing foundation.
d) business characteristics, scale and security situation. Factors in assessment shall include but not be limited to the following aspects:
1) Business dependence on personal information processing;
2) The number, frequency, user scale and peak value of personal information that the business processes or may process;
3) Whether there have been incidents such as leakage, tampering, damage or loss of personal information;
4) Law enforcement supervision trends related to personal information protection;
5) Cyber-attacks or security incidents suffered recently;
6) Recently received or publicly released security-related warning information.
After fully understanding the corresponding contents of the above dimensions, the organization identifies the measures taken and the current status by means of investigation and interview, consulting supporting documents, functional inspection and technical test. According to the different dimensions of the analysis of personal rights and interests in 5.5, the possibility level of security incidents is comprehensively assessed from the above four aspects.
Note 4: Please refer to D.1 in Annex D for the assessment of the security incident possibility level.
5.5 Analysis of the impact of personal rights and interests
5.5.1 Dimension of personal rights and interests
Personal rights and interests impact analysis refers to analyzing whether specific personal information processing activities will have an impact on the legitimate rights and interests of the personal information subject, and what kind of impact it may have. The impact of personal rights and interests may be summarized into four dimensions: "limiting individual autonomy", "causing differential treatment", "personal reputation damage or mental stress" and "personal property damage":
a) Limiting the individual's autonomy, such as being forced to perform unwilling operations, lacking relevant knowledge or relevant channels to correct personal information, unable to choose to refuse the push of personalized advertisements, and being deliberately pushed with information that affects the judgment of personal values;
b) Causing differential treatment, such as discrimination against individual rights caused by information leakage such as illness, marriage history and student status, and damage to individual fair trade rights caused by abuse of information such as personal consumption habits;
c) Personal reputation damage or mental stress, such as being fraudulently used by others, revealing habits and experiences that are unwilling to be known, being frequently harassed, monitored and tracked, etc.;
d) Personal property damage, such as personal injury, theft of capital account, fraud, extortion, etc.
5.5.2 Analysis process of personal rights and interests impact
According to the results of data flow analysis and the personal information processing activities that need to be assessed, combined with the requirements of relevant laws, regulations and standards or the personal information security objectives defined by the organization, the organization may analyze the possible impact of the whole life cycle of personal information processing activities or specific processing behaviors on personal rights and interests, as well as the possible impact of personal information disclosure, damage, loss and abuse on personal rights and interests, so as to examine whether there is any risk of infringing the rights and interests of personal information subjects.
The process of personal rights and interests impact analysis generally includes four stages: sensitivity analysis of personal information, characteristics analysis of personal information processing activities, problems analysis of personal information processing activities and impact analysis:
a) In the analysis stage of personal information sensitivity, the organization may refer to the relevant national laws, regulations and standards and analyze the possible impact of personal information sensitivity on personal rights and interests according to the data flow analysis results. For example, the disclosure and abuse of health and physiological information may have a serious impact on personal physiology and psychology;
b) In the stage of analyzing the characteristics of personal information processing activities, the organization may refer to the relevant national laws, regulations and standards and analyze whether the personal information processing activities involve restricting personal autonomy, causing differential treatment, personal reputation damage or mental stress, personal property damage, etc. For example, public disclosure of personal experiences may have an impact on personal reputation;
c) In the stage of analyzing the problems of personal information processing activities, the organization may analyze the possible weaknesses, gaps and problems of personal information processing activities according to the data flow analysis results, with reference to the relevant national laws, regulations and standards. The normative analysis results of the personal information processing procedure in 5.4 b) may support the analysis process in this stage, and the analysis of the severity of the problems is helpful for analyzing the impact degree on personal rights and interests;
d) In the analysis stage of personal rights and interests impact degree, the organization may comprehensively analyze the possible impact of personal information processing activities on personal rights and interests and its severity by combining the analysis results of previous stages.
Note: Refer to D.2 for the assessment of personal rights and interests.
5.6 Comprehensive analysis of security risks
When conducting comprehensive analysis of security risks, the following steps may be taken with reference to the basic principles in 4.5:
a) With reference to 5.4, analyze the implemented security measures, relevant parties, treatment scale and other factors, and assess the possibility level of security incidents;
b) With reference to 5.5, analyze the impact of possible security incidents on personal rights and interests, and assess the degree of impact on personal rights and interests;
c) Considering the possibility of security incidents and the impact degree on personal rights and interests, obtain the security risk level of personal information processing activities through comprehensive analysis.
Note: Please refer to D.3 for the specific process of security risk analysis and the judgment of risk level, and to Table C.3, Table C.4 and Table C.5 for the corresponding tool tables.
After completing the impact assessment of specific personal information processing activities, the organization may synthesize the assessment results of all relevant personal information processing activities to form the risk level of the whole assessment object (such as business department, specific project, specific cooperation, etc.).
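As an added worked example (not part of GB/T 39335-2020), the following script groups processing activities by the classification criteria of 5.3 and then combines the possibility level from 5.4 with the impact degree from 5.5 into a risk level per activity and per assessment object, as 5.6 describes. The three-level scale, the risk matrix and the "highest level wins" aggregation are assumptions standing in for Annex D.3, which is not reproduced here; the activities are constructed sample data.

```python
"""Risk level combination and aggregation per 5.3 and 5.6 (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass

# ASSUMED ordinal scale; the standard's own levels are defined in Annex D.
LEVELS = ("low", "medium", "high")

# ASSUMED risk matrix, indexed RISK_MATRIX[possibility][impact].
# It is NOT the matrix of D.3, which this page does not reproduce.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass(frozen=True)
class ProcessingActivity:
    """One personal information processing activity from the data flow list."""
    name: str
    info_type: str       # type of personal information
    sensitive: bool      # personal sensitive information (3.2)?
    scenario: str        # collection scenario
    method: str          # processing method
    parties: tuple       # relevant parties involved
    possibility: str     # security incident possibility level (5.4)
    impact: str          # impact degree on personal rights and interests (5.5)

    def classification_key(self):
        """Grouping key built from the five classification criteria in 5.3."""
        return (self.info_type, self.sensitive, self.scenario,
                self.method, self.parties)


def classify(activities):
    """Group activities by the 5.3 criteria so each class can be analyzed once."""
    groups = defaultdict(list)
    for activity in activities:
        groups[activity.classification_key()].append(activity.name)
    return dict(groups)


def risk_level(possibility, impact):
    """Step c) of 5.6: combine possibility and impact into a risk level."""
    if possibility not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {possibility!r}/{impact!r}")
    return RISK_MATRIX[possibility][impact]


def assess(activities):
    """Risk level of each individual processing activity."""
    return {a.name: risk_level(a.possibility, a.impact) for a in activities}


def object_risk(activities):
    """Risk level of the whole assessment object (last paragraph of 5.6).

    Assumed aggregation rule: the object inherits the highest level found
    among its activities, so one high-risk activity is never averaged away.
    """
    per_activity = assess(activities)
    return max(per_activity.values(), key=LEVELS.index)


# Constructed sample activities (not from any real assessment).
SAMPLE_ACTIVITIES = [
    ProcessingActivity("account registration", "contact", False,
                       "registration", "manual entry", ("operator",),
                       "low", "low"),
    ProcessingActivity("health survey sharing", "health", True,
                       "in-app survey", "share with third party",
                       ("operator", "partner"), "medium", "high"),
    ProcessingActivity("credit scoring", "financial", True,
                       "loan application", "automated decision",
                       ("operator",), "low", "high"),
]

if __name__ == "__main__":
    for key, names in classify(SAMPLE_ACTIVITIES).items():
        print(key, "->", names)
    for name, level in assess(SAMPLE_ACTIVITIES).items():
        print(f"{name}: {level}")
    print("assessment object:", object_risk(SAMPLE_ACTIVITIES))
```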
Contents of GB/T 39335-2020
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment principle
4.1 General
4.2 Assessment value
4.3 Purposes of assessment report
4.4 Responsible subject of assessment
4.5 Basic assessment principle
4.6 Factors to be considered in assessment implementation
5 Implementation process of assessment
5.1 Necessity analysis of assessment
5.2 Assessment preparation
5.3 Data flow analysis
5.4 Risk source identification
5.5 Analysis of the impact of personal rights and interests
5.6 Comprehensive analysis of security risks
5.7 Assessment report
5.8 Risk disposal and continuous improvement
5.9 Report release strategy development
Annex A (Informative) Examples of assessment compliance and key points of assessment
Annex B (Informative) Examples of high-risk personal information processing activities
Annex C (Informative) Commonly used tool tables for personal information security impact assessment
Annex D (Informative) Personal information security impact assessment reference method
Bibliography