
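GB/T 41817-2022 English version / foreign-language version: Information security technology - Guidelines for personal information security engineering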

2023-09-18 14:03 Author: 標準翻譯網bzfyw

GB/T 41817-2022 English version / foreign-language version (bzfyw.com): Information security technology - Guidelines for personal information security engineering

Foreword

This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.

This document was proposed by and is under the jurisdiction of SAC/TC 260 National Information Security Standardization Technical Committee.

Introduction

The industry has successively put forward the concept of synchronizing the planning, construction and use of personal information security measures with products and services with a view to standardizing the personal information processing of network products and services and protecting users' personal information rights and interests to the greatest extent. For example, the European Union's General Data Protection Regulation stipulates that personal information protection requirements should be taken into account in the product design stage, and that the default settings of products should also protect users' personal information to the greatest extent. This not only helps to proactively prevent personal information security risks, but also facilitates the prevention of infringement upon users' personal information rights and interests.

According to the requirements of personal information protection laws, regulations, policies and standards, and combined with the practical experience in privacy engineering at home and abroad, this document gives guidelines for the implementation of personal information security engineering in the planning and construction stages of network products and services with the function of processing personal information, and provides engineering guidelines to help network products and services improve their personal information protection capabilities.

Information security technology - Guidelines for personal information security engineering

1 Scope

This document sets forth the principles, objectives, stages and preparations of personal information security engineering, and provides engineering guidelines for implementing personal information security requirements in the requirements, design, development, testing and release stages of network products and services.

This document is applicable to network products and services (including information systems) that involve the processing of personal information, providing guidelines for their synchronous planning and construction of personal information security measures, and may also be referred to by organizations when carrying out privacy engineering in the software development lifecycle.

Note: In case of no confusion, the term "network products and services" is referred to as "products and services" herein.

2 Normative references

The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 25069-2022 Information security techniques - Terminology

GB/T 35273-2020 Information security technology - Personal information security specification

GB/T 39335-2020 Information security technology - Guidance for personal information security impact assessment

GB/T 41391-2022 Information security technology - Basic requirements for collecting personal information in mobile internet applications

3 Terms and definitions

For the purposes of this document, the terms and definitions given in GB/T 25069-2022 and the following apply.

3.1

personal information security engineering

an engineering process of integrating personal information security principles and requirements into each stage of product and service planning and construction, so that personal information security requirements can be effectively implemented in products and services

Note: It is also known as "privacy engineering".

3.2

personal information protection impact assessment

process of examining, for personal information processing, whether the purpose and method of processing are legal, legitimate and necessary, judging the impact on the legitimate rights and interests of individuals and the security risks, and assessing the effectiveness of the personal information protection measures taken

Note: It is also known as "personal information security impact assessment".

3.3

personal information processing

acts performed on personal information, such as collection, storage, use, processing, transmission, provision, disclosure and deletion

3.4

automated decision-making

activity of automatically analyzing and assessing an individual's behavioral habits, interests, or economic, health, or credit status through a computer program, and thus making decisions

Note: It includes personalized recommendation, personalized display and precision marketing.

3.5

third-party components

applications such as software development kits, codes, plug-ins and programs provided by organizations or individuals other than product and service providers

Note 1: They include commercial applications and open source applications.

Note 2: They include SDKs, codes and plug-ins (referred to as "third-party components") embedded in products and services, as well as mobile Internet applications (referred to as "mobile applications"), applets and application systems (referred to as "third-party products or services") accessing products and services.

4 Abbreviations

For the purposes of this document, the following abbreviations apply.

API: application programming interface

ICT: information communication technology

SDK: software development kit

SDL: security development lifecycle
