Personal information protection will go abroad mark: Delete Information immediately after use

Yesterday, a passenger scanned his train ticket information with his mobile phone. Through the scanning software can obtain train ticket two-dimensional code contains the ID information. Newspaper reporter Pu Feng

Recently, the Ministry of Technology directly under the Chinese Software Evaluation Center revealed that they jointly drafted by more than 30 units of the "Information security technologies, public and business services system Personal Information Protection Guide" has been formally approved by the review, is the approval of national standards.

OUYANGWU, deputy director of the Ministry of Industry Security Coordination, said that this guide can provide a good reference for the profession to carry out self-discipline work, for enterprises to deal with personal information developed a code of conduct. According to the introduction, China's information technology protection is not optimistic, and even formed the use of personal information to engage in illegal profits of the black chain. In particular, the disclosure of China's largest internet exposure at the end of last year, the protection of personal information to the forefront.

Many developed countries have long since begun to protect research and legislative work on personal information. In recent years, our country has also initiated the related work of personal information protection.

Last year, the National Information Security Standardization Technical Committee proposed the development of personal information protection guidelines. This Committee is mainly engaged in information security standardization work, the current Director by the Vice Minister of the Ministry of Yang Xueshan concurrently.

The full name of the personal Information Protection Guide is the personal Information Protection Guide for information security technology, public and business service information systems, which is led by the China Software Evaluation Center directly under the Ministry of Work, and is drafted by nearly 30 units.

Huang, deputy director of the center, said the guide is still waiting for the approval number, but its final release should be "around the corner." But this guide is not a national mandatory standard.

Focus

Delete Personal information immediately after use

In the absence of special legal norms for personal information security, an industry standard has become the hope of the industry.

"Last year formally passed the review, the approval of national standards," China Electronics and Information Industry Development Institute Dean, China Software Evaluation Center Director Rowan Hope this year to pass this standard, to expand the system of personal information protection.

The Personal Information Protection Guide's handling of personal information includes four main links of collection, processing, transfer and deletion, and the principle of personal information protection is also proposed.

OUYANGWU, deputy director of the Ministry of the Department of Safety and Coordination, said, "This principle includes the purpose of a clear, minimum use, public disclosure, personal consent, quality assurance, safety, integrity and responsibility of the specific eight." ”

The principle of "least use" is to get a person's amount of information, as long as it can meet the purpose of the use of the line.

Huang For example, some websites are doing a very small thing, but let users fill in the home address, mobile phone number, including many information, this is not in line with the "least use" principle.

"Security" is to require personal information managers once the collection of personal information, it is necessary to establish a personal information protection system, identify the responsible person and internal management process, as well as the risk of personal information leakage.

Gao Yan, deputy director of China Software Evaluation Center, estimates that the disclosure of personal information digestibility is an internal crime, this is the "safety and security" principle failed to implement good result.

He said that some commercial companies have a large amount of personal information, because the management system oversight, some internal employees can obtain customer information without authorization.

According to the Personal Information Protection Guide, personal information should be deleted immediately after the "use purpose" that is communicated during the collection of personal information is reached.

Gao Yan said that on one occasion, when he bought a ticket on an airline website and paid by phone, the staff collected his payment information: Name, ID number, credit card number and the last three digits of the credit card. The ticket was successful.

However, after a period of time when he went to buy tickets, the other side asked him, "Do you still use the card number at the end of the four is * * * Credit card payment?" If so, just tell me. ”

"(this company) stores my information. March 26, Gao Yan one side and shook his head.

Gao Yan said that his experience of airline telephone booking is that the airline has not been able to delete the customer information in time after reaching the booking purpose.

Information protection refers to the South African mandatory standard

"For economic benefits, no profit is not early." "Gao Yan estimates that no industry is currently leaking information.

For example, pregnant women have just come home, selling milk powder phone came over, the patient checked the body, the checklist has not yet read, the corresponding pharmaceutical companies have been called to sell medicine.

Liu Tao, a researcher at China Software Testing Center, likens personal information to "a lot of money in a paper-pasted bank, which is easy to hack." According to their survey, the public's most concerned about the financial, telecommunications and other areas of personal information security.

The concern is that this guideline is not a mandatory standard or even a recommended standard, and that the standard is still to be observed as to how much regulation will be imposed on the industry.

China Software Evaluation Center assistant Director Zhu Xuan said the personal information security national standards "belong to the technical guidance document."

The national standard divides into three kinds, one is the mandatory standard, one is the recommendation standard, one is the guiding technical document, the standard may take the reference. The national mandatory standard is more in the field of food safety.

However, Huang that the standard applies to various organizations and institutions other than public administration functions, such as telecommunications and medical services, which involve more personal sensitive information than government agencies.

Situation

40 laws difficult to restrain personal information disclosure

Ministry of Electronic Science and Technology Information Institute deputy Director Liu Jiulu statistics, there are nearly 40 laws, 30 dozen regulations, and nearly 200 regulations related to personal information protection, including the regulation of Internet Information regulations, medical information provisions, personal credit management methods.

"There are few laws and regulations on personal information, but the content is more dispersed and the level of laws and regulations is low." "Liu Jiulu said.

The amendment to the Penal Code (vii) is considered to be one of the landmark events in the legislation of personal information.

In 2009, the Criminal Law Amendment (vii) established the crime of "selling and illegally providing personal information for citizens" and "the crime of illegally acquiring personal information of citizens", and for the first time, the personal information of citizens was included in the Criminal law protection, and the criminal liability for disclosing, stealing and selling personal information of citizens

However, this criminal subject is "State organs or financial, telecommunications, transport, education, medical and other units of the staff." In addition, there are internet companies, real estate companies, property companies, car manufacturers, hotels, accounting firms, such as Master of personal information institutions and units.

Many legal professionals believe that the criminal law does not define the specific criteria for the crime, and this provision has further improvement and improvement of the space.

In addition, experts believe that the law on the information leakage of the punishment mechanism is not enough.

Some time ago, the police cracked csdn (that is, China Software Development Alliance) 600多万条 username and password disclosure cases, "so far the site punishment is only an administrative warning, too light, this punishment is almost no deterrent." Said Mechauzou, a professor at the University School of Economics and Management.

Mechauzou that, if abroad, such large-scale user information leakage, at least there should be economic penalties.

2009, the "Tort liability law" passed, so that "human flesh search" violations of the rights of victims of the responsibility to determine the unified regulation of the law, if the site ignores the victims of shielding, delete requirements, it is necessary to bear joint and several liability.

However, the Institute of Social Sciences researcher Zhou said that the criminal law and tort liability law are ex post facto relief, in the network era to network security and personal information to carry out the whole process of supervision is more effective.

Personal information Security Law does not enter into the legislative procedure

The Personal Information Security Act has not never tried to break ice.

Yang Xueshan, vice Minister of industry and Information Technology, recalled that 2003 April, the State Council information Office dedicated to personal information legislation research topics for deployment, the 2005 Personal Information Protection Act expert opinion draft has been submitted. However, this legislative proposal has been unable to enter into the formal legislative process.

Mechauzou, who participated in the expert opinion draft, said that the text had been reported from the State Council Information office to the State Council's legal system, the reason for the failure to enter the formal legislative procedure is very complex, mainly "from the urgency of speaking not too concerned about this issue."

Mechauzou admits that all things have priorities, the relevant departments will take into account, but in view of the current China's personal information leakage and theft, personal privacy violations and personal information transactions of the growing reality, and further development may affect the whole social and economic activities, "I think the urgency has long ago, It may feel different at all levels, and some people feel less pressing.

Vice Minister of the Ministry of Yang Xueshan urged to expedite legislation.

He said that the protection of personal information to implement a wide range, must be from the angle of law to standardize, in order to make this work in the legal basis.

"Over the years we have been working with everyone in the personal information legislation as soon as possible into the formal process." Yang Xueshan said, "in the efforts of everyone," especially in today's personal information protection has become an urgent problem of society, the legislative process will be accelerated.