Guidelines for the Security Protection of Personal Information on the Internet

Dojammer 2022-06-27

With the rapid development of cloud computing, big data, mobile applications and other technologies and the orderly advancement of the "Internet +" action plan, the value of information has been fully tapped, and its security issues have received widespread attention. Driven by economic interests, the phenomenon of violating citizens' personal privacy is increasing day by day, and related crimes have even formed a complete chain of interests, causing great trouble to people's daily life, even causing property damage and endangering personal safety. How to ensure the security of users' personal information has become an important part of network information security.

Recently, the Cyber Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institute of the Ministry of Public Security jointly researched and formulated the "Guidelines for the Security Protection of Personal Information on the Internet" (hereinafter the "Guidelines"), which stipulate the technical measures and business processes for protecting personal information. To sum up, the publication of the Guidelines has the following practical significance.

1. It has strong guiding significance for establishing network security compliance of personal information holders

The Guidelines clarify that their applicable objects are "personal information holders", that is, organizations or individuals who control and process personal information.
The Guidelines state that they are "applicable as a reference for personal information holders carrying out security protection work during the life-cycle processing of personal information; they apply to enterprises that provide services through the Internet, and also to organizations or individuals that use private networks or non-networked environments to control and process personal information". It can be seen that as long as the control and processing of personal information is involved, the activity falls within the scope of application of the Guidelines.

On the basis of identifying the regulated parties, the Guidelines propose specific personal information protection measures in the areas of management mechanism, technical measures, business process and emergency response. In particular, they give clear guidance and suggestions on management systems, management institutions and managers, and propose full-process management of personal information collection, preservation, application, deletion, third-party entrusted processing, sharing and transfer, and public disclosure. This relatively complete overall structure enables all relevant departments and units to establish their own user information protection systems based on the Guidelines.


2. Provided clear guidance and suggestions for personal information holders in the construction of management mechanisms

If personal information holders want to improve the level of information protection, they must strengthen the construction of internal control mechanisms, establish corresponding management systems, set up management institutions, and allocate management personnel, so as to improve the ability to protect personal information and implement protection responsibilities.

In terms of the management system, the Guidelines put forward requirements on its content, formulation and release, implementation, and review and improvement. For example, regarding content, it is recommended to formulate rules, regulations and documents such as the overall personal information protection policy and security strategy, formulate operating procedures for staff's daily handling of personal information, establish a personal information management system, and formulate an emergency response plan for personal information security incidents.

In terms of management institutions, the Guidelines set forth requirements for both management institutions and managers. For example, in terms of management agencies, the "Guide" proposes that a working agency to guide and manage personal information protection should be set up, and the responsibilities of the agency should be clearly defined; the top management or authorized personnel should be responsible for personal information protection work; and so on.

In terms of management personnel, the Guidelines require strengthening the management of personal information management personnel in recruitment, departure, assessment, and education and training, and stipulate specific management measures. It is worth mentioning that, for the first time, the document requires that management personnel be regularly assessed on their understanding of the basic knowledge, safety responsibilities, disciplinary measures, and laws and regulations relevant to their work, and that the assessment records be kept and archived.

3. Refinement of the mechanism for dynamic adjustment of personal information throughout the life cycle

In view of the current insufficient protection of personal information throughout its life cycle in China, the Guidelines propose operational procedures for personal information holders covering the collection, preservation, application, entrusted processing, sharing, transfer and public disclosure, and deletion of personal information. This fills the gap at the operational level, providing new business references and behavioral guidelines for enhancing citizens' awareness of life-cycle protection of personal information and for corporate compliance.

The provisions of the Guidelines place different emphasis on each link of the personal information life cycle.

1. Collection link: Before personal information is collected, the rules of collection and use should be disclosed to the personal information subject in accordance with the principles of legality, legitimacy and necessity, clearly stating the purpose, method and scope of collection and use; the consent and authorization of the personal information subject shall be obtained before collection; personal information irrelevant to the services provided shall not be collected, and collection shall not be compelled by bundling the various business functions of products or services; collection shall follow the agreements signed before collection and shall not exceed their scope.

2. Preservation link: Collected personal information shall be protected with corresponding security measures such as secure encrypted storage; a storage time limit shall be set according to the collection, the purpose of use and the authorization of the personal information subject; and the information shall be deleted once the set time limit is exceeded.

3. Application link: The application of personal information should comply with the relevant agreements and regulations signed with the personal information subject, and personal information should not be used beyond that scope; the personal information subject should have the authority to control his or her own information; value-added applications that rely entirely on automated processing with user-profiling technology, such as precision marketing, search result ranking, personalized news push and targeted advertising, may be used without the user's explicit prior authorization, but the user must be guaranteed the right to object or refuse.

4. Deletion link: Personal information should be deleted after the storage time limit has expired, except for information that, after processing, cannot identify a specific individual and cannot be recovered; where the personal information holder has collected or used personal information in violation of laws, administrative regulations or the agreement between the two parties, and the personal information subject requests deletion of his or her personal information, measures shall be taken to delete it.

5. Third-party entrusted processing link: When entrusting the processing of personal information, the scope of the information subject's authorization and consent should not be exceeded; a personal information security impact assessment of the entrusted activity should be carried out; relevant agreements should be signed requiring the entrusted party to comply with this document; and the entrusted party's use of and access to personal information data should be subject to authorization.

6. Sharing and transfer link: In principle, personal information shall not be shared or transferred.

7. Public disclosure link: In principle, personal information shall not be disclosed publicly. Where public disclosure is authorized by law or there are reasonable grounds for it, full attention should be paid to the risks.
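The preservation and deletion links above describe a control that can be enforced mechanically: every record carries a storage time limit derived from its collection purpose and the subject's authorization, expired records are deleted, records that can no longer identify an individual are exempt, and a subject's deletion request is honoured. The following Python sketch is an added example illustrating that control; it is not text or code from the Guidelines or from any system they reference. The purpose names, retention periods, record layout and sample records are all constructed assumptions, and encryption at rest is assumed to be provided by the storage layer rather than shown here.

```python
"""Retention-limit enforcement for stored personal information.

Added example (not from the Guidelines). All purpose names, retention
periods, record fields and sample records are constructed assumptions.
Encryption at rest is assumed to be handled by the storage layer.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention period per declared collection purpose (constructed values).
# A record's limit is the shorter of its purpose's period and any limit
# stated in the subject's authorization, so consent can only tighten it.
RETENTION_BY_PURPOSE: Dict[str, timedelta] = {
    "account_service": timedelta(days=365),
    "order_fulfilment": timedelta(days=180),
    "marketing": timedelta(days=90),
}


@dataclass
class Record:
    record_id: str
    subject_id: Optional[str]          # None: record cannot identify an individual
    purpose: str
    collected_at: datetime
    payload: dict
    consent_limit: Optional[timedelta] = None  # limit stated in the authorization
    anonymized: bool = False            # irreversibly processed; exempt from expiry

    def expires_at(self) -> datetime:
        """Storage time limit: purpose period, shortened by consent if given."""
        period = RETENTION_BY_PURPOSE[self.purpose]
        if self.consent_limit is not None:
            period = min(period, self.consent_limit)
        return self.collected_at + period


@dataclass
class PersonalInfoStore:
    records: Dict[str, Record] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)  # deletions must be traceable

    def add(self, rec: Record) -> None:
        # Refuse to store anything whose purpose has no defined time limit.
        if rec.purpose not in RETENTION_BY_PURPOSE:
            raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
        self.records[rec.record_id] = rec
        self.audit_log.append(
            f"stored {rec.record_id} purpose={rec.purpose} expires={rec.expires_at().isoformat()}")

    def sweep_expired(self, now: datetime) -> List[str]:
        """Delete records past their time limit; anonymized/non-identifying ones are exempt."""
        deleted: List[str] = []
        for rid, rec in list(self.records.items()):
            if rec.anonymized or rec.subject_id is None:
                continue
            if now >= rec.expires_at():
                del self.records[rid]
                deleted.append(rid)
                self.audit_log.append(f"deleted {rid} reason=retention_expired at={now.isoformat()}")
        return deleted

    def delete_for_subject(self, subject_id: str, reason: str, now: datetime) -> List[str]:
        """Honour a subject's deletion request (e.g. collection outside the agreed scope)."""
        deleted: List[str] = []
        for rid, rec in list(self.records.items()):
            if rec.subject_id == subject_id and not rec.anonymized:
                del self.records[rid]
                deleted.append(rid)
                self.audit_log.append(f"deleted {rid} reason={reason} at={now.isoformat()}")
        return deleted


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the control over constructed sample records; returns what was deleted and what remains."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    store = PersonalInfoStore()
    store.add(Record("r1", "user-1", "account_service", t0, {"email": "a@example.test"}))
    store.add(Record("r2", "user-1", "marketing", t0, {"segment": "constructed"}))
    store.add(Record("r3", "user-2", "order_fulfilment", t0, {"addr": "constructed"},
                     consent_limit=timedelta(days=30)))   # consent shortens 180d to 30d
    store.add(Record("r4", None, "marketing", t0, {"count": 42}, anonymized=True))
    # Day 100: r2 (90d) and r3 (30d by consent) expire; r1 (365d) stays; r4 is exempt.
    expired = store.sweep_expired(t0 + timedelta(days=100))
    # user-1 requests deletion because data was used outside the agreed scope.
    on_request = store.delete_for_subject("user-1", "out_of_scope_use", t0 + timedelta(days=101))
    return expired, on_request, sorted(store.records)


if __name__ == "__main__":
    print(demo())
```

The design point is that the time limit is computed from the purpose and the authorization at storage time and recorded in the audit log, so a later sweep cannot silently extend retention, and anonymized aggregates are the only records the sweep leaves in place.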

4. Technical measures adopted so that security management and technology drive protection together

The Guidelines intend to build a layered defense-in-depth security protection system that, by implementing multiple security assurance methods, consolidates the security protection of network infrastructure and provides a safe and reliable carrier for the collection, storage, transmission and use of users' personal information.

In terms of technical measures, the Guidelines first stipulate the basic requirements, proposing that the security technical measures of the personal information processing system should meet the requirements of the corresponding level of GB/T 22239, so that the system is free from interference, destruction or unauthorized access, and network data is prevented from being leaked, stolen or tampered with. It should be noted that the Guidelines do not require all personal information holders across the board to implement security protection measures at the highest level, but rather to implement protection at the level corresponding to the specific situation of the enterprise itself.

In addition, the Guidelines specify general requirements and extended requirements respectively. The general requirements cover communication network security, regional boundary security, computing environment security, and application and data security. The extended requirements cover cloud computing security and IoT security.

5. Emphasis on establishing an emergency response mechanism for personal information security incidents

On the basis of traditional network security incident monitoring and emergency response, the Guidelines further strengthen the monitoring and emergency response mechanism for users' personal information security incidents, so that when such an incident occurs, emergency response can be carried out in a timely, efficient, smooth and standardized way.

The Guidelines require that relevant departments and units establish and improve network security risk assessment and emergency working mechanisms, with a mechanism for reporting to the relevant competent authorities when an emergency occurs in the course of personal information processing; formulate emergency plans for personal information security incidents; regularly (at least once every six months) organize relevant internal personnel to conduct emergency response training and drills so that they master their job responsibilities and the emergency response strategies and procedures, and keep records of the training and drills; carry out rectification to eliminate hidden dangers; and so on.

All in all, although the Guidelines are not mandatory and serve only as a reference for individuals and enterprises carrying out security protection work in the life-cycle processing of personal information, given the current lack of personal information protection legislation in China, Chapter 4 (management mechanism), Chapter 5 (technical measures), Chapter 6 (business process) and Chapter 7 (emergency response) of the Guidelines are aligned in their requirements with the two national standards "Basic Requirements for Classified Protection of Network Security" ("Basic Requirements for Classified Protection of Information System Security") and "Information Security Technology Personal Information Security". Therefore, the release of the Guidelines can be said to fill, in a timely manner, the normative gaps in many practical areas of personal information protection, and will greatly promote the security and reliability of the network environment.
