Privacy Data Protection – GDPR

Privacy Data Protection and the GDPR

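This article covers topics related to "privacy data protection", including:

  • What is privacy data protection? How does it differ from information security?
  • How to assess privacy data risk
  • Legal regulations on privacy data protection in various countries
  • Common technical measures for privacy data protection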

 

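What is privacy data protection

When it comes to "privacy data protection", the best-known example is the General Data Protection Regulation (GDPR) enforced by the European Union.

For the security assessment of privacy data, Article 35 of the GDPR states the following: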

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.” Reference: http://www.privacy-regulation.eu/en/article-35-data-protection-impact-assessment-GDPR.htm

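Privacy data protection focuses on security across the entire life cycle of data collection. The main principles are as follows:

  • lawfulness: legality
  • fairness: data processing faithfully follows the relevant rules
  • transparency: open and transparent; users are clearly told the scope and purpose of collection
  • purpose limitation: the purpose for which data was collected is not arbitrarily changed to another use
  • data minimization: collect as little data as possible; data that does not need to be collected is not collected
  • accuracy: keep personal data accurate and let users update their personal data
  • participation and access: let users access their personal data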

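The CIA triad of general information security (Confidentiality, Integrity, and Availability) also applies to privacy data protection.

However, information security may focus more on protecting the application system itself against attacks by hackers,

while privacy data protection focuses more on security controls over the data itself.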

 

Privacy data protection legislation by country

United Kingdom (Great Britain) – ICO. (2014) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

The UK provides a template for the Data Privacy Impact Assessment (DPIA):

https://ico.org.uk/media/for-organisations/documents/2258857/dpia-template-v1.docx

The template defines six steps for assessing privacy data protection risk:

Step 1: Identify the need for a DPIA
Step 2: Describe the processing
Step 3: Consultation process
Step 4: Assess necessity and proportionality
Step 5: Identify and assess risks
Step 6: Identify measures to reduce risk
Step 7: Sign off and record outcomes

The first step is to determine whether the project needs a privacy data protection assessment at all.

For this, see Annex 2 of the WP29 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248), which sets out a checklist of criteria for an acceptable DPIA.

 

French privacy protection legislation

Protective measures

Article 32 of the GDPR stipulates:

“Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the controller and the processor
shall implement appropriate technical and organizational measures to ensure a level of
security appropriate to the risk.”

 

 

Main reference

https://www.bitkom.org/noindex/Publikationen/2017/Leitfaden/170919-LF-Risk-Assessment-ENG-online-final.pdf
