Author Message
87nuzc22j3
Posted: Thu 6:36, 13 Jan 2011    Post subject: Dalian Software and Information Services Personal

1 Scope

Apply to the use of computers and related and ancillary equipment (including network), according to a certain application purpose and rules of information gathering, processing, storage, transmission, retrieval processing business enterprises, social organizations and other units.

2 Definitions

2.1 Personal Information
Personal information is information associated with individuals exist, and can be used to identify a specific individual. Including name, birth date, the number assigned to individuals, signs and other symbols, can identify individual images or sounds (including some not recognized when used alone, but other data were compared with the reference, and thus identify a specific person information.)
2.2 Message Body
Or by specific identification information to identify the object. This means that the personal information I have.
2.3 Personal information obtained
Personal information is information for the establishment of access to personal information behavior.
2.4 Personal Information Processing
Is the use of computer or software to input personal information, store, edit, modify, retrieve, delete, export, transfer or other treatment process.
2.5 Personal information use
Means the unit will own the unit of personal information for internal use or provide to third parties.
2.6 Personal information entrusted to
Information processing units in order to entrust the business, but will their personal information entrusted to a third party.
2.7 Information of the main agreement
Information subject to the relevant personal information with their acquisition and use of agreed, in principle, and seal the subject of information and verbal commitment to prevail, the following conditions included in the default scope:
a minor thing and can not make the right judgments on behalf of parents or guardians of adults should be;
b The exact information has been notified body, and there is no objection;
c in obtaining personal information, information managers and information of the main provisions of the contract signed by the use of personal information, and information subject agreed to perform the contract.

3 Principles

Personal information should follow the following principles to protect them.
3.1 Access to and use of
Personal information to obtain reasonable and lawful means should be used, and should obtain the consent of information subjects. Should have a clear purpose of obtaining personal information, shall not exceed the scope of use.
3.2 Security
Shall take reasonable security measures to avoid the loss of personal information, disclosure, alteration and destruction occurred. In addition to information on the main consent, personal information not be provided to third parties.
3.3 The right to information subject
Information where the main power to confirm personal information. Message body the right to make personal information deleted, modified and improved.
3.4 The information content up to date
The purpose of personal information shall ensure the correctness and completeness of the range, and up to date.

4 charge and responsibility

In order to establish and maintain personal information protection management system, the responsible person should be a clear authority and responsibility, documentation, and known to practitioners.
4.1 Unit Leader
Unit leaders who should pay attention to the protection of personal information, select people who have the ability to charge as a personal information protection, and financial and resource support.
4.2 Personal Information Protection Leader
Unit is responsible for personal information protection unit responsible for carrying out the protection of personal information; organizations to develop and implement the basic rules and regulations; organizations and departments the responsibility to protect personal information of people to formulate sector management rules; guide the training and education initiatives; responsible for checking the personal information protection unit health and write reports.
4.3 The person in charge of audit
4.3.1 the designated person in charge of audit
Dedicated units should audit the personal information protection person in charge of inspection of the unit responsible within the designated person can also be hired from the outside. Person in charge of audit should be independent and stand in a fair and impartial in the work.
4.3.2 OMV responsible persons
Person in charge is responsible for audit requirements and OMV OMV plan, the unit according to plan for the protection of personal information audit, responsible for writing audit reports and suggest improvements.
4.4 The person in charge of training and education
Personal Information Protection Units shall be appointed head of training and education is responsible for training and education requirements and training and education programs, and is responsible for implementation of the plan.
4.5 head of client window
Client window units should be designated responsible person, client or consumer is responsible for receiving comments and suggestions; put forward opinions and promote the implementation of views and feedback; in case of problems with customers or consumers to communicate and discuss remedies.
4.6 Other responsible person
Units and departments should be designated responsible person of personal information protection, the department responsible for the development and implementation of the protection of personal information management rules.

5 policy, risk analysis and basic rules

5.1 Policy
Protection of personal information by the person in charge of the development unit of personal information protection policy, guidelines should be simple, clear language to clarify the policy unit of the Personal Information Protection and basic measures. Policy formulation should note the following:
a unit of content should be consistent with the actual situation of the personal information protection principles and basic measures;
b can not be contrary to national laws and regulations;
c meet the specification requirements.
Personal Information Protection Policy Unit all personnel should be allowed to know, understand and implement, to the society and the public.
5.2 Risk Analysis
All units should have been involved and may involve personal information to confirm, and risk production flow of personal information, personal information through the flow chart of the unit to acquire, use, transfer, delegate, keeping the process may be recognized and the problems analysis, development of risk policies and measures
Protection of personal information for the unit to establish regulations to provide information.
5.3 Basic rules
Units should be based on the actual situation of regulatory requirements and units, refer to risk analysis flow chart analysis, the following basic rules and regulations related to the protection of personal information, and to maintain and improve:
a personal information protection requirements and responsibilities of organizations;
b personal information to obtain, use, offer, commission, handling and other regulations;
c personal physical security measures and information technology, document management requirements;
d personal information protection training and education requirements;
e inspection of provisions of the Personal Information Protection;
f breach of personal information protection regulations penalties.

6 Application and Implementation

6.1 Publicity
6.1.1 Internal
Promotion to all employees the importance of protecting personal information and strategies to get employees to work with the Personal Information Protection and attention.
6.1.2 External
Promotional materials in the unit or site to increase protection of personal information relevant content. Personal information in the undertaking business, customers and consumers should take the initiative to promote protection of personal information unit measures and regulations.
6.2 Sector Management Rules
6.2.1 development
Sector management rules, which are units and departments to develop according to the characteristics of the sector specific personal information protection measures, departmental administrative rules and regulations should be consistent with the basic unit should be practical, but also for each specific operator can understand and implement. Sector Management Unit Rule will eventually have to be responsible for personal information protection consent.
6.2.2 Implementation
Departmental administrative rules by the department the responsibility to protect personal information of people responsible for implementation.
6.3 Personal information obtained
6.3.1 Scope
Personal information should be made clear before the intended use and should obtain information on the subject agree that the purpose of a limited range of access. The information from being made public personal information should be made clear when the purpose of use.
6.3.2 Methods and means
To obtain personal information shall take appropriate methods and lawful and just means.
6.3.3 restrictions
Restrict access to the following personal information (not including the information of the main explicit consent or by special legal provisions of the circumstances):
a related thought, belief, religious matters;
b on human rights, physical disability, mental disorder, criminal history and related issues can lead to social discrimination;
c on political rights;
d on the medical and sexual health issues.
6.3.4 Direct access to personal information from the message body
Information directly from the main access to personal information should be in writing or by notice in writing to replace the message body, and obtain information on the subject agree that the main contents of the notification information should include:
a business name, information managers name, title, department, telephone number;
b the purpose of use;
c If the information to third parties should be clear the following:
- The purpose of providing to a third party;
- To provide personal information projects;
- To provide means and methods;
- Accept the personal information of the person or organization types and properties;
- If use of personal information related to the contract and commission, citing its general content.
d bailment recipient of personal information and personal information information storage contract;
e message body if the information may refuse to provide their own consequences.
6.3.5 indirect access to personal information
Indirect access to personal information should be in writing or by notice in writing to replace the message body, and with the consent of information subjects agreed, but the following exceptions;
a clear use of the information the main purpose has been the case;
b of external business entrusted custody of the personal information entrusted, should ensure that the information will not be against the interests of the principal;
c will use the main purpose of notification messages or information released could jeopardize the lives of the principal or a third party, body, property and other interests of the;
d will be the main purpose of use or release notification information may result in units of the rights or legitimate interests in the case of damage;
e in accordance with national laws and regulations must perform official duties, notify the principal or the release of information may affect the case of public execution.
6.4 Personal information use and provide
6.4.1 limit the scope of
Use and provide personal information should be within the scope of the intended use, purpose of use is not out of range.
6.4.2 The purpose of the use and provision of outside
Outside the scope of use beyond the purpose of the use and provision should be prior approval of the information on the subject agreed, and matters in accordance with the requirements of 6.3.4, in writing or notify in writing instead of message body. But in the following cases can not obtain information on the subject agree that:
a corresponding laws and regulations in the case;
b In the message body or public life, health, property to protect the vital interests of the case;
c In order to safeguard public health and promote the cause of children's health, for some reason difficult to obtain information without the consent of the principal;
d accordance with national laws, regulations, the official must perform to notify the principal or the release of information may affect the case of public execution.
6.5 Personal information entrusted to
6.5.1 limit the scope of
Commission business for the bailment of personal information, should be agreed with the main purpose of the information within the scope or the Principal's (contract or otherwise) with the purpose of processing the information within, is not free to use and provide.
6.5.2 Conditions and supervision commission
Information processing services for the commission need storage of personal information, should develop a unified standard, select the Personal Information Protection unit of ability and appropriate supervision, should be stipulated in the contract the following:
a clear responsibility entrusted and authorized persons;
b personal information security management matters;
c and then delegate the related matters;
d status and use of personal information entrusted to those reporting requirements to the matters;
e protection of personal information relating to the contract terms;
f breach of contract approach;
g the responsibility of an accident and reporting matters;
h after the expiration of the contract, the return and the elimination of personal information.
6.6 The right to protection of information subject
6.6.1 Information of the main right
Message body the right to know the location of their information, the right to amend their own information, delete, and disclosure requirements, the right to recognition, extraction, copying their own personal information, the right to use the personal information of its own purpose of opposing views.
6.6.2 Obligation
Personal information managers should be the purpose of use of personal information, do not provide information on the consequences and correct their personal information query the right to tell the message body.
6.6.3 Information of the main comments and feedback
Information in the information requested by the principal of their own circumstances, to respond promptly and take appropriate action.
6.6.4 Personal information publicity
6.6.4.1 inform
Personal information should be publicized information of the main agreement. The reasons for the need for appropriate publicity units of personal information, should the following information in writing or notify the main readily available information on the principal:
a unit name and manager name;
b the purpose of use of personal information;
c information subject to the rights of publicity of information;
d If the required public notice or do not agree with the possible consequences of publicity.
Public notice under the following circumstances can not or does not have to notify the message body, but it should also inform the message body as much as possible, and explain the reasons:
Di Sanzhe a threatening message body or life, health, property and legitimate interests of the time;
b affect the business units of a reasonable run-time;
c violation of rules and laws.
6.6.4.2 information subject to the rights of publicity of personal information
Information known to the public body has the right to propose amendments to their information, add, delete, and stop the publicity requirements of publicity, personal information managers should be given timely information of the main requirements of the feedback and reasonable treatment.
6.7 Management
6.7.1 custody
Personal information managers should agree to use the main purpose of the information within the scope of information subject to the consent form the proper and timely care of their personal information, security of personal information should take full responsibility. Storage of personal information should be clearly documented and the person responsible for the record shall include the type of business, information storage location, retention period, access methods, access channels, provide the purpose, abandoned ways.
6.7.2 Integrity and Availability
Personal information managers to ensure that personal information kept by the purpose of use within the scope of the integrity and availability of information at any time and updated to ensure that the information to date.
6.7.3 Document
Personal information management system unit regulations, documents, plans, records, contracts and other documents management system should be established, updated and improved;
6.7.4 Employees
To ensure the security of personal information, the unit should the use of personal information necessary for staff supervision and management.
6.7.5 technical and physical security measures
Unit should have the personal information of the unit to take reasonable security measures. Personal information security protection measures should refer to the national information security management standards and regulations developed. Security measures should at least include:
6.7.5.1 Permissions
Access to personal information clear authority and responsibility of staff to strengthen the management of relevant personnel, who have no right to prevent access to personal information.
6.7.5.2 Network and equipment
Computer, network, servers and related equipment safety precautions should be taken, including access and access control, key management, permissions, etc., to prevent unauthorized access to personal information, illegal modification, destruction, leakage, and delete;
E-mail on the external network and information exchange process, to study special precautionary measures to prevent illegal invasion and destruction of the virus.
6.7.5.3 Data Backup
Should be taken of personal information data backup and data recovery measures to prevent damage and loss of personal information.
6.7.5.4 Storage
Preservation of personal information on computers and media activities (including tape, disk, notebooks, input and output media, program listings, test reports and system documentation, etc.) to ensure the safe use, storage and disposal.
6.7.5.5 Prevention and treatment of emergency
Units should be possible for the loss of personal information, leakage, damage to the events and the potential economic losses and adverse impact analysis, development of appropriate preventive and treatment measures:
a process to establish the corresponding treatment, so when the event occurs, the losses to a minimum;
b promptly notify the leakage, loss and destruction of personal information, subject information, or to information of the main events that situation;
c In order to prevent similar incidents from happening again, as far as possible related events, causes and responsibility for the first time published;
d to establish event correlation, causes and countermeasures related mechanisms.
6.8 Training and Education
6.8.1 Implementation
Personal information protection unit should develop training and education programs, in accordance with the training and education programs on the protection of personal information of all staff training and education, training targets should include a formal staff, temporary workers, dispatched personnel. The content of education should include:
a the importance of personal information protection;
b protection of personal information in the unit employees in the functions and responsibilities;
c violation of personal information protection regulations may lead to damage and consequences.
6.8.2 Records
Training and education should be recorded on each record including training time, location, teaching materials, teachers, participants, training effect and the response of employees and so on.
6.9 comments and feedback
The main units of information and protection of customer personal information in the views, advice and counsel to timely feedback and appropriate treatment, and record and save.

7 Check

7.1 Internal inspection
Protection of personal information should always check the unit responsible for personal information protection status, and test results on a regular basis forming units of personal information protection system to run reports, newspaper unit leader.
7.2 OMV
7.2.1 Implementation
OMV OMV responsible person should develop plans and units in accordance with OMV protection of personal information on the status of audits, the results of the audit and make audit reports available to unit leaders.
7.2.2 Records
Each audit should have audit records, audit records should include: inspection of the object, purpose, scope, timing and outcome of the content. Audit records and audit reports kept by the unit.

8 Continuous Improvement

8.1 does not meet the treatment and prevention issues
Unit leaders should be responsible for and under the protection of personal information provided by the audit report and the person in charge of business development, protection of personal information that do not meet to improve matters, the establishment of preventive measures. Matters that do not meet the treatment and prevention measures to establish the following process:
a confirmation of nonconformity;
b happens because of nonconformity to improve the methods and preventive measures;
c limited period of time to improve and perfect;
d do not meet the issues and preventive measures to improve the record;
e improvement and preventive measures on the evaluation of the results.
8.2 Reassessment
In order to get a good unit protection of personal information, personal information should be protected units regularly re-evaluate rules and regulations, continuous improvement and perfection. Reference should be to improve and perfect the following:
OMV and a Personal Information Protection is responsible for the person in charge report;
b complaints and internal and external comments and suggestions;
c on the results of last update tracking;
d relevant state laws and regulations promulgated and amended;
e social forms, public awareness, changes in technological progress;
f corporate business areas and changes in the scope of
