Uber is making headlines for its reaction to the theft of the personal information of 57 million drivers and users
High-profile corporate data breaches have prompted countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the General Data Protection Regulation issued by the European Union, which comes into force in May 2018 and has global implications.
Personal privacy has taken on new dimensions in today's hyper-connected world. As sectors such as healthcare and financial services go digital, the need to protect personal data is becoming increasingly urgent. More and more organizations are processing personal data, and the volume keeps growing.
The 'Code of Practice for the Protection of Personally Identifiable Information', developed by the world's three leading standards bodies, IEC (International Electrotechnical Commission), ISO (International Organization for Standardization) and ITU (International Telecommunication Union), provides an International Standard for custodians of personal data.
The voluntary standard ISO/IEC 29151 | ITU-T X.1058 provides a valuable reference for governments and industry working to strengthen the protection of personal data.
It establishes the objectives of data-protection controls, specifies the required controls and provides guidance for their implementation. It also shows how these controls can be arranged to meet the requirements identified by organizations' assessments of the risks and impacts relevant to the protection of personal data.
Beyond the standard's additional provisions to ISO/IEC 27002, the Annex to ITU X.1058 provides an extended set of controls for personal data. The Annex further details control objectives relevant to 'consent and choice' and the related 'participation of personal data principals', that is, the people with whom the data can be identified. It provides guidance on whether retaining personal data is appropriate by examining 'purpose legitimacy'. It encourages the pursuit of 'collection limitation' and 'data minimization', as well as 'openness and transparency' in organizational policy on personal data.
ISO/IEC 29151 | ITU-T X.1058 was developed with the help of the ISO/IEC expert group for 'security techniques' standards, ISO/IEC JTC 1/SC 27, and ITU-T Study Group 17, 'building confidence and security in the use of ICTs'.
International Standard looks to curb theft of personal data
Uber is making headlines for its reaction to the theft of the personal data of 57 million drivers and users
Geneva, Switzerland, 27 November 2017 – The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. Yahoo last month – just prior to its acquisition by Verizon – shared new intelligence that a data breach in 2013 thought to have affected a billion users had in fact compromised all three billion Yahoo user accounts.
The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation to come into force in May 2018, with global implications.
Privacy has taken on new dimensions in our hyper-connected world. The need to protect personal data is increasing in urgency with the digital transformation of sectors such as healthcare and financial services. More and more organizations are processing personal data, all of them dealing with an increasing amount of this data.
Personal data custodians have received new guidance from IEC, ISO and ITU – the three leading international standards bodies – in the form of an International Standard providing a ‘Code of Practice for the Protection of Personally Identifiable Information’.
The voluntary standard, ISO/IEC 29151 | ITU-T X.1058, provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data.
It establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.
An Annex integral to ITU X.1058 provides an extended set of controls for personal data beyond the standard’s augmented provisions of ISO/IEC 27002.
The Annex details control objectives relevant to ‘consent and choice’ and the related ‘participation of personal data principals’, the people with whom data can be identified. It looks at ‘purpose legitimacy’ to provide guidance as to whether or not the retention of personal data is appropriate. It encourages the pursuit of ‘collection limitation’ and ‘data minimization’ as well as the ‘openness and transparency’ of organizational policy with respect to personal data.
ISO/IEC 29151 | ITU-T X.1058 was developed in collaboration by the ISO/IEC standardization expert group for ‘security techniques’, ISO/IEC JTC 1/SC 27 and ITU-T Study Group 17 ‘building confidence and security in the use of ICTs’.