3-tcic-gdpr pims-2018-07-19-1-標準與法遵-r01 daniel liangtw.tcicgroup.com/edm/3-tcic-gdpr...


Page 1: 3-TCIC-GDPR PIMS-2018-07-19-1-標準與法遵-r01 Daniel Liangtw.tcicgroup.com/EDM/3-TCIC-GDPR PIMS-2018-07-19-1... · 7/19/2018  · ISO27001/ISO20000 Lead Auditor, TCIC-Canada APMG/itSMF

© TCIC Global Certification LTD. Class: Controlled Slide 1

Integration and Application of ISMS and PIMS

Using Regulatory Compliance as an Example

July 19, 2018

Copyright © 2018 TCIC LTD., All rights reserved.

All other trademarks are trademarks of their respective holders.

*Data sources are from indicated organizations in this presentation.

Prepared by: Daniel Liang (梁日誠)

TCIC Global Certification Ltd. 環奧國際驗證公司

Email: [email protected]

Slide 2

Mr. Daniel Liang (梁日誠)

Cellphone: +886-988292678 email: [email protected]

• Director and General Manager of Global Operations, TCIC Global Certification (環奧國際驗證公司); auditor, trainer and assessor
• Standards Council of Canada (SCC) Canadian Advisory Committee on GDPR
• Canada's Mirror Committee for ISO/PC317 - Consumer protection: privacy by design for consumer goods and services
• Member, Open Government Data Advisory Group, Ministry of Science and Technology (科技部)
• Recognised auditor, automotive connectivity alliance (汽車聯結聯盟)
• Deputy Chair, Capability Development Committee (CDC), Taiwan Digital Forensics Development Association (ACFD)
• President, Canada Formosa Business Association (加拿大福爾摩沙商業協會)
• ISO27001/ISO20000 Lead Auditor, TCIC-Canada
• APMG/itSMF Certified ISO20000 Auditor
• APMG/itSMF Certified ISO20000 Consultant
• Cloud Computing Foundation Certificate, APMG
• ITSM Foundation Certificate (based on ITIL)
• Certified Information Security Manager, CIS-Austria
• ISO27001 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO20000 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO22301 Lead Auditor, CIS-Austria & TCIC-Canada
• ISO9001 Lead Auditor, Quality Austria-Austria
• ISO29151/ISO27018/ISO27017 Lead Auditor, CIS-Austria & TCIC-Canada
• Accredited ISO20000 Auditor/Practitioner/Foundation Course Trainer, APMG
• ISO 29100/ISO 29134 Privacy Risk Management Course Trainer, CIS-Austria & TCIC-Canada
• ISO 31000/ISO 27005 Risk Management Course Trainer, TCIC-Canada
• Information Security and Service Management Trainer, CIS-Austria
• Information Security and Service Management Trainer, TCIC-Canada

[Photo caption] Andrea Jelinek, Chairwoman, Article 29 Working Party; Head of Austria's data protection authority. February 2018.

[Figure] Austria: Accreditation Body (the DPA); PIMS/ISMS Certification Body; Personnel Certification Body

Slide 3

Table of Contents

• ISMS/PIMS and Related Regulations
• ISMS/PIMS Integration and Application
• Lessons from Others: Canada as an Example
• Accreditation and Certification Regime and Demonstrating Compliance
• Demonstrating Compliance through International Standards Certification

Slide 4

ISMS/PIMS and Related Regulations

ISMS - Information Security Management System
PIMS - Personal Data (Privacy Information) Management System
GDPR - General Data Protection Regulation
RPEC - Regulation on Privacy and Electronic Communications

Slide 5

ISMS/PIMS and Regulatory Compliance

A.18.1.1 Identification of applicable legislation and contractual requirements (適用之法規與契約的要求事項之識別)

Control: All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented, and kept up to date for each information system and the organization.

• Cyber Security Management Act (資通安全管理法) -> the approach to complying with the Cyber Security Management Act
• Personal Data Protection Act (個資法) -> the approach to complying with the Personal Data Protection Act
• GDPR -> the approach to complying with the GDPR
• RPEC -> the approach to complying with the RPEC

Information security requirements => ISMS; personal data requirements => PIMS

Slide 6

Personal Data Protection Regulations and Risk Management

Enforcement Rules of the Personal Data Protection Act (個人資料保護法施行細則), Article 12, item 3: a risk assessment and management mechanism for personal data

GDPR Article 35: Data Protection Impact Assessment (DPIA)

Risk management mechanism + privacy impact assessment = personal data risk management mechanism

Privacy Impact Assessment (PIA), i.e. what the GDPR calls a DPIA

Information security risk => information security controls => information security management system
Personal data risk => personal data controls => personal data management system

Slide 7

RPEC and Its Impact

1. This Regulation applies to:
(a) the provision of electronic communications services to end-users in the Union, irrespective of whether a payment of the end-user is required;
(b) the use of such services;
(c) the protection of information related to the terminal equipment of end-users located in the Union.

ISO27001: A.9 Access control, A.10 Cryptography, A.12 Operations security, A.13 Communications security, A.14 System acquisition, development and maintenance

ISO/PC317 – ISO23485(WD) Consumer protection: privacy by design for consumer goods and services

Affected areas: telecom and network operators, network equipment, smartphones/apps, IoT, etc.

Slide 8

ISMS/PIMS Integration and Application - GDPR as an Example

Slide 9

How can I demonstrate that my organisation is compliant with the GDPR? - 1

Answer

The principle of accountability is a cornerstone of the General Data Protection Regulation (GDPR). According to the GDPR, a business/organisation is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. The GDPR provides businesses/organisations with a set of tools to help demonstrate accountability, some of which have to be mandatorily put in place.

For example, in specific cases the establishment of a DPO or conducting data protection impact assessments (DPIA) may be mandatory. Data controllers can choose to use other tools such as codes of conduct and certification mechanisms to demonstrate compliance with data protection principles.

You may adhere to a Code of Conduct prepared by a business association which has been approved by a DPA. A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.

You may adhere to a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each Member State law.

Source: https://ec.europa.eu/info/law/law-topic/data-protection_en

Slide 10

How can I demonstrate that my organisation is compliant with the GDPR? - 2

Example

The umbrella insurance body in the EU Member State of your company/organisation has had a Code of Conduct approved by the supervisory authority. A number of rival insurance firms have adhered to the Code. While adhering is voluntary, the adherence to the Code helps in demonstrating compliance with the GDPR.

Adopting a Code of Conduct or a certification mechanism is voluntary, but within the GDPR, Article 25 Data Protection by design and by default and Article 35 Data Protection Impact Assessment are mandatory requirements, and compliance with them can be demonstrated through a Code of Conduct or a certification mechanism.

Source: https://ec.europa.eu/info/law/law-topic/data-protection_en

Slide 11

GDPR Key Points (1)

• Expanded scope of application, Art.3
• Broader definition of personal data (including cookies and IP addresses), Art.4
• Clear and valid consent (may be withdrawn at any time), Art.7 - Guidelines on Consent under Regulation 2016/679 (wp259rev.01)
• Data subject rights:
  - Right to rectification and right to erasure (right to be forgotten), Art.16, 17
  - Right to data portability, Art.20
  - Right to object (e.g. to fully automated profiling), Art.21, 22
  - Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)
  - Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)
  - Guidelines on the right to "data portability" (wp242rev.01)

Slide 12

GDPR Key Points (2)

• The controller bears the burden of demonstrating GDPR compliance, Art.5
• Data protection by design and by default (DPbDbD), Art.25
• Written designation of a representative within the EU (non-public bodies, with exceptions), Art.27
• Documented records of processing activities (enterprises with more than 250 employees, with exceptions), Art.30
• Personal data breach notification (72-hour notification requirement), Art.33, 34 - Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)

Slide 13

GDPR Key Points (3)

• Data Protection Impact Assessment (DPIA), Art.35 - Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)
• Designation of a Data Protection Officer (DPO), Art.37~39 - Guidelines on Data Protection Officers ('DPOs') (wp243rev.01)
• Restrictions on cross-border transfers, Art.44, 45, 46~47, 49
  - Guidelines on Article 49 of Regulation 2016/679 (Pending)
  - Adequacy Referential (wp254 rev.01)
  - European Essential Guarantees (wp237)
  - Opinion 04/2016 on European Commission amendments proposals related to the powers of Data Protection Authorities in Standard Contractual Clauses and adequacy decisions - wp241
• Recommended accreditation, certification and codes of conduct (including monitoring), Art.40~43 - Guidelines on the accreditation of certification bodies (Pending)

Slide 14

GDPR Key Points (4)

• Higher penalties, Art.83 - Guidelines on the application and setting of administrative fines (wp253)
• Cooperation among supervisory authorities (one-stop shop), Art.60~67 - Guidelines on the Lead Supervisory Authority (wp244rev.01)
• Independent supervisory authorities, Art.51~59

Considerations for exceptions to the applicability of GDPR provisions: whether the entity is a public body, whether the processing is occasional, whether it is large-scale, whether special categories of personal data are processed, whether criminal-record data are processed, and whether the processing is high-risk.

Slide 15

GDPR Misconceptions

Some misconceptions about the GDPR in industry:

https://www.ithome.com.tw/news/116876

According to WP243 Rev.01, Guidelines on Data Protection Officers ('DPOs'): DPOs are not personally responsible for non-compliance with data protection requirements. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Data protection compliance is the responsibility of the controller or the processor.

Slide 16

Lessons from Others: Canada as an Example

Slide 17

Countries with Adequacy Decision

Recognised third countries providing adequate protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).

Adequacy talks are ongoing with Japan and South Korea.

The adoption of an adequacy decision involves:
• a proposal from the European Commission
• an opinion of the European Data Protection Board (currently, the Article 29 Working Party)
• an approval from representatives of EU countries
• the adoption of the decision by the European Commissioners

Canada (the third country) obtained an adequacy decision with commercial organisations (a sector) as its scope.

Demonstrating compliance at the national level – the adequacy decision

Slide 18

Third Country Example - Canada (1): According to Para.2.(a) Art.45

What Canada demonstrates (展現):
• Privacy Act, 1985 (federal act) - public-sector personal data law
• Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA, federal act) - private-sector personal data law
• Model Code for the Protection of Personal Information, 2003 (CAN/CSA-Q830-03, national standard) - national standard
• PERSONAL INFORMATION PROTECTION ACT (provincial law, except for Newfoundland) - provincial personal data law
• A GUIDE FOR BUSINESSES AND ORGANIZATIONS: Your Privacy Responsibilities, Canada's Personal Information Protection and Electronic Documents Act, by the Office of the Privacy Commissioner of Canada (OPC) - personal data protection guide for businesses
• Guidelines Processing Personal Data Across Borders, by the Office of the Privacy Commissioner of Canada - cross-border transfer guidelines

Slide 19

Third Country Example - Canada (2): According to Para.2.(a)&(b) Art.45

[Figure: structure of Canadian privacy law]
• PIPEDA for the private sector (with exclusions), which incorporates the Model Code for the Protection of Personal Information as Schedule 1; supporting guidance:
  - Your Privacy Responsibilities: Canada's Personal Information Protection and Electronic Documents Act
  - Guidelines Processing Personal Data Across Borders
  - ……………….(other PIP Guidelines)
• Privacy Act for the public sector (federal and provincial), with exclusions
• Privacy Commissioner (OPC): oversees and investigates complaints

Slide 20

Third Country Example - Canada (3): According to Para.2.(a) Art.45

Organizations (private sector) shall follow a code for the protection of personal information, which is included in PIPEDA as Schedule 1. The 10 principles that businesses shall follow are:

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Provide recourse

The 10 principles are from the Model Code for the Protection of Personal Information.

These demonstrate (展現) the ISO/CNS 29100 Privacy Principles, with corresponding privacy controls in ISO29151 and ISO/CNS27018:
• Consent and choice
• Purpose legitimacy and specification
• Collection limitation
• Data minimization
• Use, retention and disclosure limitation
• Accuracy and quality
• Openness, transparency and notice
• Individual participation and access
• Accountability
• Information security
• Privacy compliance

Slide 21

Third Country Example - Canada (4): According to Art.55~59 with respect to the Supervisory Authority

Slide 22

Third Country Example - Canada (4): According to Para.2.(c) Art.45 with respect to the Supervisory Authority

Slide 23

Third Country Example - Canada (5): According to Para.4 Art.45

Canadian Advisory Committee on GDPR*: chaired by industry; made up of Canadian stakeholders impacted by or interested in GDPR; supported by SCC

Goals/Outcomes:
• Lower risk of doing business in Europe
• Greater market access (remove barriers)
• More business opportunities

Deliverables:
• Better understanding of GDPR
• Better understanding of the challenges in meeting compliance with the requirements
• Clear positions on GDPR or data protection and privacy standards under development
• Tools & guidelines
• Resources/Network
• New business ideas (innovation)
• Etc.

Standards bodies: CEN/CENELEC, ETSI, ISO/IEC. Solutions in Canada for Canadians.

*Governance: ToRs, Code of Conduct (to be developed); open, fair and transparent

Mandate: Identify challenges Canadian organizations face in complying with and/or in seizing business opportunities regarding EU GDPR. Propose and implement solutions that can be supported by SCC and disseminated broadly to Canadian organizations.

Canadian Advisory Committee on GDPR – ongoing basis. Working groups on regulatory interpretation, information sharing and regulatory compliance.

Slide 24

Accreditation and Certification Regime and Demonstrating Compliance - GDPR as an Example

Slide 25

Demonstrating Good Governance through the GDPR Accreditation and Certification Regime - 1

Article 24 Responsibility of the controller
Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller

Article 25 Data protection by design and by default
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 28 Processor
Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

Article 32 Security of processing
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

Article 35 Data protection impact assessment
Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

Slide 26

Demonstrating Good Governance through the GDPR Accreditation and Certification Regime - 2

Article 46 Transfers subject to appropriate safeguards
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or

Article 57 Tasks
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

Article 83 General conditions for imposing administrative fines
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

Slide 27

GDPR Provisions on the Accreditation and Certification Regime

CHAPTER IV Controller and processor
• Section 5 Codes of conduct and certification
• Article 40 Codes of conduct
• Article 41 Monitoring of approved codes of conduct
• Article 42 Certification
• Article 43 Certification bodies

Slide 28

EU Institutions

• European Council (歐洲理事會): Heads of state or government of EU countries, European Commission President, High Representative for Foreign Affairs & Security Policy
• European Commission (歐盟執行委員會): A team or 'College' of Commissioners, 1 from each EU country. The European Commission is the EU's politically independent executive arm. It is alone responsible for drawing up proposals for new European legislation, and it implements the decisions of the European Parliament and the Council of the EU
• European Parliament (歐洲議會): Directly-elected EU body with legislative, supervisory, and budgetary responsibilities
• European Court of Justice (歐洲法院)
• European Data Protection Board (歐盟資料保護委員會; formerly the Article 29 Working Party)

https://europa.eu/european-union/about-eu/institutions-bodies_en

Slide 29

Relationship Diagram of the GDPR Code of Conduct Regime, Articles 40 & 41

[Figure: actors and labelled relationships]
• Associations and other bodies: draft, maintain and submit the Code of Conduct
• Supervisory authority (Member State): approve the Code of Conduct; accredit the Monitoring Body
• Monitoring Body: monitor the Controller/Processor
• European Data Protection Board: if multiple Member States are involved, the code is submitted to the Board
• The Commission: labelled "submit" and "ensure" (the Commission may give an approved code EU-wide validity)

PRC Personal Information Protection Law (中国个人信息保护法, draft, 2017), Article 39 [Self-regulatory norms]: Self-regulatory norms formulated under this Law by non-state-organ information processing entities which meet the standards required by this Law have, once approved by the competent authority, the same effect as this Law.

Slide 30

Relationship Diagram of the GDPR Accreditation and Certification Regime, Articles 42 & 43

[Figure: actors and labelled relationships, with Austria as the example]
• Accreditation Body (AB): governed by Regulation (EC) No 765/2008; accredits the Certification Body
• Certification Body (CB): governed by ISO 17065 plus additional requirements; accreditation valid for a maximum of 5 years; issues data protection certification, seals or marks
• Supervisory authority (Member State): governance criteria (approves the certification criteria); accredits
• European Data Protection Board: common certification, the European Data Protection Seal
• Controller/Processor: joins and maintains the certification, which is valid for a maximum of 3 years

Slide 31

Data protection certification mechanisms, Seals and Marks

• European Privacy Seal (EuroPriSe), which provides certifications for IT-based products and services throughout the EU. [Requires accreditation or approval by the SA, an AB or the Board]
• French data protection authority's "Label CNIL" privacy certification scheme. [Requires accreditation or approval by the Board] [Single country]
• PIMS, BS10012 promoted by BSI in the UK. [Requires accreditation or approval by the SA, an AB or the Board] [Single country; moreover, that country provides no accreditation for certification against this standard, and after the UK leaves the EU in March 2019 the EU will find it hard to consider any third-country standard]
• Privacy Information Management System (PIMS), published by ISO under the existing accreditation and certification scheme of ISO27001. [Already exists under AB accreditation] [EU Member States are all ISO member bodies and adopt ISO standards as equivalent national standards]

Slide 32

ISO/IEC JTC1/SC27 and WP29/EDPB

• Before Feb 2018, the Head of the French DPA (CNIL) was the chairperson of WP29.
• CNIL played administrative and coordination roles in WP29.
• WP29 is focusing on ISO standards instead of specific national standards, e.g. BS10012.
• ISO has its own perspectives on PIMS.
• The withdrawal of the UK from the EU is one of the reasons WP29 excluded BS standards from its PIMS planning.

Slide 33

Demonstrating Compliance through International Standards Certification: Demonstration of Compliance by PIMS Certification on ISO Standards

Slide 34

Personal Data Protection Certifications Developed by ISO

[Figure]
General enterprises/organisations: ISO/IEC 27001, ISO/IEC 27009
Specific sectors:
• Healthcare: ISO 27799
• Cloud personal data protection: ISO 27018
• Personal data protection: ISO 29151
• Cloud security: ISO 27017
• Telecommunications: ISO 27011
• Energy: ISO 27019

Note: ISO continues to develop information security and personal data protection standards (e.g. ISO 27552 Enhancement to ISO/IEC 27001 for privacy management – Requirements) in response to global trends (e.g. GDPR).

Slide 35

ISMS and PIMS

[Figure: building blocks of an ISMS and a PIMS]
ISMS:
• Management system/framework: ISO/IEC 27001 (Requirements for MS)
• Controls: ISO/IEC 27002 (Security controls)
• Risk management: ISO/IEC 27005
• Security risk treatment

PIMS:
• Management system/framework: ISO/IEC 27001 (Requirements for MS); ISO/IEC 29100: Privacy framework
• Controls: ISO/IEC 27002 (Security controls); ISO/IEC 29151 (PII protection controls); ISO/IEC 27018
• Risk management: ISO/IEC 29134

Source: compiled by TCIC from ISO material

Slide 36

PIMS Certification Track Record on ISO Standards

[Figure] Source: Internet

Slide 37

GDPR Principles Mapped to ISO 29100 Privacy Principles

GDPR Article 5, Principles relating to processing of personal data:
• 1.(a) lawfulness, fairness and transparency -> 7. Openness, transparency and notice; 8. Individual participation and access; 11. Privacy compliance
• 1.(b) purpose limitation -> 3. Collection limitation
• 1.(c) data minimisation -> 4. Data minimization
• 1.(d) accuracy -> 6. Accuracy and quality
• 1.(e) storage limitation -> 4. Data minimization; 5. Use, retention and disclosure limitation
• 1.(f) integrity and confidentiality -> 10. Information security
• 2. accountability -> 9. Accountability

GDPR Article 6, Lawfulness of processing -> 2. Purpose legitimacy and specification

GDPR Article 7, Conditions for consent -> 1. Consent and choice

Slide 38

Introduction to the ISO/IEC & CNS 29100 Standard

• Prepared by ISO/IEC JTC1/SC27
• Title - Information technology — Security techniques — Privacy framework (隱私權框架)
• First edition published on 2011-12-15; the national standard CNS 29100 was published on 4 June 2014 (ROC year 103)
• Purpose of this International Standard – Provides a high-level framework for the protection of personally identifiable information (PII, 個人可識別資訊) within information and communication technology (ICT) systems. It is general in nature and places organizational, technical, and procedural aspects in an overall privacy framework.

Slide 39

ISO/IEC 29100 - Clause 5

The privacy principles of ISO/IEC 29100 (No. / Name):
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Slide 40

GDPR Article 35 Demonstration - 1

A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases: a systematic and extensive evaluation of the personal aspects of an individual, including profiling; processing of sensitive data on a large scale; systematic monitoring of public areas on a large scale.

National Data Protection Authorities, in concertation with the European Data Protection Board, may provide lists of cases where a DPIA would be required. The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can't be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.

Examples

DPIA required: A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients' health data; a bus operator about to implement on-board cameras to monitor drivers' and passengers' behaviour.

DPIA not required: A community doctor processing personal data of his patients. In that case, there is no need for a DPIA since the processing by the community doctors isn't done on a large scale in cases where the number of patients is limited.

Source: https://ec.europa.eu/info/law/law-topic/data-protection_en

Slide 41

Demonstrating GDPR Article 35 - 2

ISO 29134 has been adopted by WP29 (EC) on a multiple-member-state basis.

WP248 by the ARTICLE 29 DATA PROTECTION WORKING PARTY

Source: EC

Slide 42

Demonstrating GDPR Article 35 - 3

Clause A.11.2, ISO/IEC 29151

Source: ISO 29151

Slide 43

Introduction to ISO/IEC 29134:2017

• Prepared by ISO/IEC JTC1/SC27

Title - Information technology -- Security techniques -- Guidelines for privacy impact assessment

• Stage: 60.60

• Canada's PIA is one of the key reference documents: Treasury Board of Canada Secretariat Directive on Privacy Impact Assessments, http://www.tbssct.gc.ca/pol/inconspicuous?id=18308

• Corresponds to GDPR Article 35 Data protection impact assessment

ISO 29134 is the world's first international standard for privacy impact assessment applicable to general organizations.

Source: ISO

Slide 44

What does data protection ‘by design’ and ‘by default’ mean? [Article 25, GDPR] -1

Answer

Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).

Examples

Data protection by design: The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).

Data protection by default: A social media platform should be encouraged to set users’ profile settings in the most privacy-friendly setting by, for example, limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of persons.

Source: https://ec.europa.eu/info/law/law-topic/data-protection_en
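The two Article 25 examples above, worked as an added Python illustration (not code from the presentation or from the EC guidance; the field names, sample record and key are assumptions): pseudonymisation with a keyed HMAC, so identifiers stay linkable across records but cannot be reversed or re-derived without the key, with the re-identification table kept apart from the working data, and a profile view that exposes only an explicit minimal field set unless the user opts in.

```python
"""Pseudonymisation ('by design') and a privacy-friendly default view ('by default')."""
from __future__ import annotations

import hashlib
import hmac

# Placeholder key for this example only. In practice the key lives outside the
# dataset (KMS/HSM) and is rotated: whoever holds it can recompute the tokens.
PSEUDONYM_KEY = b"example-key-not-a-real-secret"

# Fields replaced by artificial identifiers (assumed schema for this example).
PII_FIELDS = ("name", "email")
# 'By default': the only profile field exposed without an explicit opt-in.
DEFAULT_VISIBLE = ("display_name",)


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace one PII value with a stable artificial identifier.

    HMAC-SHA256 under a secret key: the same input always yields the same
    token, so records can still be joined, but nobody without the key can
    reverse a token or recompute it from a guessed value.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes = PSEUDONYM_KEY) -> tuple[dict, dict]:
    """Return (working record with PII replaced, separate re-identification table).

    The token -> original mapping is returned apart from the record so it can be
    stored and access-controlled separately from the working dataset.
    """
    working, lookup = {}, {}
    for field, value in record.items():
        if field in PII_FIELDS:
            token = pseudonymise(value, key)
            working[field] = token
            lookup[token] = value
        else:
            working[field] = value
    return working, lookup


def public_view(profile: dict, opted_in: frozenset[str] = frozenset()) -> dict:
    """Privacy-friendly default: expose only DEFAULT_VISIBLE fields plus those
    the user explicitly chose to share; every other field stays hidden."""
    allowed = set(DEFAULT_VISIBLE) | set(opted_in)
    return {k: v for k, v in profile.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"name": "Ada Lovelace", "email": "ada@example.org", "city": "London"}
    working, lookup = pseudonymise_record(record)
    print(working)  # name/email replaced by 16-hex-char tokens, city unchanged
    print(lookup)   # keep this table apart from the working dataset
    print(public_view({"display_name": "ada", "email": "ada@example.org"}))
```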

Slide 45

What does data protection ‘by design’ and ‘by default’ mean? [Article 25, GDPR] -2

Clause 4.4, ISO/IEC 29151

The controls in this Specification are explained in more detail in clauses 5 to 18, along with implementation guidance. Implementation may be made simpler if requirements for the protection of PII have been considered in the design of the organization's information system, services and operations. Such consideration is an element of the concept that is often called privacy by design (PBD). More information about selecting controls and other risk treatment options can be found in ISO/IEC 29134. Other relevant references are listed in the bibliography.

Source: ISO 29151

Slide 46

Introduction to ISO/IEC 29151

• Prepared by ISO/IEC JTC1/SC27

Title - Information technology -- Security techniques -- Code of practice for personally identifiable information protection

• Stage: 60.60

This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities, and not-for-profit organizations, which process PII.

ISO 29151 is the world's first international standard of personal data protection controls applicable to all types of organizations.

Source: ISO

Slide 47

ISO/IEC 29151:2017 table of contents

Foreword

0. Introduction

1. Scope

2. Normative references

3. Definitions and abbreviated terms

4. Overview

5. Information security policies

6. Organization of information security

7. Human resource security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

12. Operations security

Slide 48

ISO/IEC 29151:2017 table of contents (continued)

13. Communications security

14. System acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

Annex A (normative) Extended control set for PII protection (This annex forms an integral part of this Recommendation | International Standard.)

Slide 49

ISO 27002:2013 clauses and the extended guidance added by ISO 29151:2017

Clause | Name | Extended guidance (ISO 29151:2017)
5 | Information security policies | 1
6 | Organization of information security | 5
7 | Human resource security | 2
8 | Asset management | 8
9 | Access control | 5
10 | Cryptography | 0
11 | Physical and environmental security | 1
12 | Operations security | 5
13 | Communications security | 2
14 | System acquisition, development and maintenance | 3
15 | Supplier relationships | 1
16 | Information security incident management | 2
17 | Information security aspects of business continuity management | 0
18 | Compliance | 2
Total | | 37

Slide 50

ISO 29151:2017 controls added according to the ISO 29100 privacy principles

Clause | Name | New control objectives and controls
A.1 | General | 0
A.2 | General policies for the use and protection of PII | 1
A.3 | Consent and choice | 2
A.4 | Purpose legitimacy and specification | 2
A.5 | Collection limitation | 1
A.6 | Data minimization | 1
A.7 | Use, retention and disclosure limitation | 5
A.8 | Accuracy and quality | 1
A.9 | Openness, transparency and notice | 2
A.10 | Individual participation and access | 3
A.11 | Accountability | 6
A.12 | Information security | 1
A.13 | Privacy compliance | 2
Total | | 27

Slide 51

ISMS vs PIMS

• ISMS: Information Security Management System

  Certification standard: ISO/CNS 27001

• PIMS: Privacy Information Management System

  Certification standards: ISO 29151 & ISO/CNS 27018 (applicable when external cloud services are provided, i.e. as a PII Processor), including ISO 29134 and based on ISO/CNS 27001 and ISO/CNS 29100

Slide 52

Case Study – Applying information security and personal data management standards

(Diagram; only its labels are recoverable here.) ISO 27001; ISO 29100; ISO 27018; public services; personal data security management; ISMS/ISO 27001; ISO 29100/29134: the organization's personal data security management; ISO 27001/29100/29151/27018: PIMS.

Slide 53

ISO standard corresponding directly to GDPR (under development) - ISO/IEC 27552

ISO/IEC CD 27552: Information technology -- Security techniques -- Enhancement to ISO/IEC 27001 for privacy management -- Requirements

• ISO/IEC 27552 is a Privacy Information Management System (PIMS)

  Introduced by the French DPA (CNIL) = WP29 = EDPB (GDPR)

• Based on something organizations already know how to do

• PIMS is a new management system extending 27001 with privacy requirements (new) as well as controls (ISO 27018 +)

• Certification standard, like ISO 27001, with the same ecosystem of auditors, accreditation bodies and certificates

Source: Presentation by Laura Lindsay on ISO/IEC JTC 1/SC 27 Work in Support of Legislation

Slide 54

Content of ISO 27552

• PIMS-specific requirements and other information regarding the information security controls in ISO/IEC 27001 and PIMS-specific controls, appropriate to an organization acting as either a PII controller or a PII processor, are given in clause 5.

• PIMS-specific guidance and other information regarding the information security controls in ISO/IEC 27002 and PIMS-specific controls, appropriate to an organization acting as either a PII controller or a PII processor, are given in clause 6.

• Additional guidance for PII controllers is given in clause 7, and additional guidance for PII processors is given in clause 8.

• Annex A (normative) Reference control objectives and controls (PII Controllers)

• Annex B (normative) Reference control objectives and controls (PII Processors)

• Annex C (informative) Mapping to the General Data Protection Regulations

• Annex D (informative) Mapping to ISO/IEC 29100

• Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151

The proposed title is: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines

Source: ISO CD 27552

Slide 55

Direct correspondence between ISO 27552 and GDPR

Source: ISO/IEC CD 27552

Slide 56

Progress on ISO 27552 in EU member states – Germany

Source: ISO, DIN

Slide 57

Progress on ISO 27552 in EU member states – United Kingdom

Source: BCS, The Chartered Institute for IT, BSI

Slide 58

ISMS & PIMS (diagram; labels recovered from the slide)

Management system/framework: ISO 27001 (Requirements for MS); ISO 29100: Privacy framework

Controls: ISO 27002 (security controls); ISO 29151 (PII Controller controls); ISO 27018 (PII Processor controls)

Risk management: ISO 27005/31000; ISO 29134

CBPR/PRP compliance

GDPR compliance: ISO 27552 (under development) or GDPR certification criteria

ISMS+PIMS demonstration: Art. 47 BCR; Art. 45 para. 2(c); Referential WP212

Taiwan: information security / personal data protection laws and regulations

Slide 59

ISO international standards (ISO 27001, ISO 31000, ISO 29134, ISO 29151, ISO 27018) and the corresponding CNS standards are the best approach for demonstrating GDPR compliance!

The Taiwan branch of the Canadian certification body TCIC (環奧國際驗證公司), in cooperation with CSA (the Canadian Standards Association), submitted proposals in March 2018 for the development of CNS 29134 and CNS 29151 to the Bureau of Standards, Metrology and Inspection of the Ministry of Economic Affairs; they have passed review by the standards committee.

Implementing and promoting national personal data standards (CNS) is an effective way to demonstrate a third country's adequacy of protection. If a national standard exists but government agencies and enterprises use other countries' standards or standalone/industry standards and cannot demonstrate consistency with the national standard, that will be a major negative factor.

Slide 60

For further information or enquiries, please contact:

TCIC Global Certification Ltd. (環奧國際驗證公司)

Email: [email protected], TEL: 02-27260262, FAX: 02-27260663

Any questions?

Thank you.... 謝謝 (thank you).... Merci
