SANS 22307-2008 Financial services - Privacy impact assessment《金融业务 隐私影响评估》.pdf

1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA

2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any

3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22208-6 SANS 22307:2008 Edition 1 ISO 22307:2008 Edition 1SOUTH AFRICAN NATIONAL STANDARD Financial services Privacy impact assessment Thi

4、s national standard is the identical implementation of ISO 22307:2008 and is adopted with the permission of the International Organization for Standardization. Published by SABS Standards Division 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 w

5、ww.sabs.co.za SABS This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 22307:2008 Edition 1 ISO 22307:2008 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS T

6、C 168, Financial services, in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in November 2008. This standard may only be used and printed by approved subscription and freemailing clients of the SABS. Re

7、ference number ISO 22307:2008(E) ISO 2008INTERNATIONAL STANDARD ISO 22307 First edition 2008-05-01 Financial services Privacy impact assessment Services financiers valuation de limpact priv SANS 22307:2008This standard may only be used and printed by approved subscription and freemailing clients of

8、the SABS.ISO 22307:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing.

9、 In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be foun

10、d in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the

11、address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either

12、 ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reservedSANS 22307:2008This stand

13、ard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22307:2008(E) ISO 2008 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms and definitions. 1 4 Abbreviated terms 2 5 PIA requirements 3 5.1 O

14、verview of PIA requirements. 3 5.2 General PIA process requirements. 3 5.3 Specific PIA process requirements 3 Annex A (informative) Frequently asked questions related to PIA . 8 Annex B (informative) General questionnaire to determine when to begin a PIA. 16 Annex C (informative) Questionnaire for

15、PIA objectives . 17 Annex D (informative) Questionnaire on PIA initial procedures . 18 Annex E (informative) Questionnaire on adequacy of internal controls and procedures 19 Annex F (informative) PIA questionnaire for assessing privacy impacts for retail financial systems 20 Bibliography . 28 SANS 2

16、2307:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22307:2008(E) iv ISO 2008 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodie

17、s). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and n

18、on-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Pa

19、rt 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies castin

20、g a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 22307 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee S

21、C 7, Core banking. SANS 22307:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22307:2008(E) ISO 2008 All rights reserved v Introduction Rapid advances in computer systems and networking allow financial institutions to record, store, and

22、 retrieve vast amounts of consumer data with more speed and efficiency than ever before. These advances enable financial services companies to acquire and process consumer data in ways that were previously out of reach to many due to the cost or to the specialized knowledge and training necessary to

23、 build and use these technologies. Advanced data processing, storage, collection, and retrieval technology is now available to all sectors of business and government. Businesses have access to extremely powerful technology with significantly better price and performance than in the past. With these

24、new abilities, businesses can effortlessly process information in ways that, intentionally or unintentionally, impinge on the privacy rights of their customers and partners. These capabilities raise concerns about the privacy of individuals in these large networked information technology environment

25、s. Furthermore, regulated industries such as financial services, law, and policy now place additional conditions on how personal information is collected, stored, shared and used. The financial services community recognizes how important it is to protect and not abuse their customers privacy, not ju

26、st because it is required by law, but also because as systems are developed or updated, there is an opportunity to enhance business processes and to provide improved services to customers. Ensuring compliance with the Organization for Economic Cooperation and Development (OECD) privacy principles me

27、ans that an institutions privacy policies are consistent with established privacy principles such as having an external body establish a set of rules, guidelines or prohibitions. The presence of an external body can encourage corporations to protect financial information, either simply to comply wit

28、h the letter of the law, or to enhance their privacy protection in general. New ways of using existing technology and new technologies bring new or unknown risks. It is advisable that corporations handling financial information be proactive in protecting and not abusing the privacy of their consumer

29、s and partners. One way of proactively addressing privacy principles and practices is to follow a standardized privacy impact assessment process for a proposed financial system (PFS), such as the one recommended in this International Standard. A privacy impact assessment (PIA) is a tool that, when u

30、sed effectively, can identify risks associated with privacy and help organizations plan to mitigate those risks. Recognizing that the framework for privacy protection in each country is different, the internationalization of privacy impact assessments is critical for global banking, in particular fo

31、r cross-border financial transactions. SANS 22307:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 22307:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.INTERNATIONAL STANDARD

32、ISO 22307:2008(E) ISO 2008 All rights reserved 1 Financial services Privacy impact assessment 1 Scope This International Standard recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by “contracted” thi

33、rd parties, to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems. This International Standard describes the privacy impact assessment activity in general, defines the common and required components of a privacy impa

34、ct assessment, regardless of business systems affecting financial institutions, and provides informative guidance to educate the reader on privacy impact assessments. A privacy compliance audit differs from a privacy impact assessment in that the compliance audit determines an institutions current l

35、evel of compliance with the law and identifies steps to avoid future non-compliance with the law. While there are similarities between privacy impact assessments and privacy compliance audits in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the prim

36、ary concern of a compliance audit is simply to meet the requirements of the law, whereas a privacy impact assessment is intended to investigate further in order to identify ways to safeguard privacy optimally. This International Standard recognizes that the choices of financial and banking system de

37、velopment and risk management procedures are business decisions and, as such, the business decision makers need to be informed in order to be able to make informed decisions for their financial institutions. This International Standard provides a privacy impact assessment structure (common PIA compo

38、nents, definitions and informative annexes) for institutions handling financial information that wish to use a privacy impact assessment as a tool to plan for, and manage, privacy issues within business systems that they consider to be vulnerable. 2 Normative references The following referenced docu

39、ments are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. OECD Guidelines on the protection of privacy and transborder flows of personal

40、 data, 1980 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 financial activities activities including lending, exchanging, transferring, investing for others, or safeguarding money or securities, SANS 22307:2008This standard may only be used

41、and printed by approved subscription and freemailing clients of the SABS.ISO 22307:2008(E) 2 ISO 2008 All rights reserved insuring, guaranteeing or indemnifying against loss, harm, damage, illness, disability or death, providing financial investment or economic advisory services, underwriting or dea

42、ling with securities 3.2 financial system all services, facilities, business processes and data flows used by financial institutions to implement and perform financial activities 3.3 proposed financial system all of the components of a financial system assessed in a privacy impact assessment 3.4 bus

43、iness process process with clearly defined deliverable or outcome, which entails the execution of a sequence of one or more process steps NOTE A business process is defined by the business event that triggers the process, the inputs and outputs, all the operational steps required to produce the outp

44、ut, the sequential relationship between the process steps, the business decisions that are part of the event response, and the flow of material and/or information between process steps. 3.5 data model representation of the specific information requirements of a business area 3.6 information access m

45、odel model that depicts access to key process and organization information for reporting and/or security purposes NOTE An information flow model is a model that visually depicts information flows in the business between business functions, business organizations, and applications. 3.7 preliminary pr

46、ivacy impact assessment assessment conducted when the proposed financial system is at the early conception or design phase and detailed information is not known NOTE A preliminary privacy impact assessment can be planned for a proposed financial system in defining the need and/or scope of a full pri

47、vacy impact assessment for a proposed financial system. 4 Abbreviated terms CPO Chief Privacy Officer NPI Non-public Personal Information OECD Organization for Economic Cooperation and Development PIA Privacy Impact Assessment PII Personally Identifiable Information PFS Proposed Financial System SAN

48、S 22307:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 22307:2008(E) ISO 2008 All rights reserved 3 5 PIA requirements 5.1 Overview of PIA requirements The objectives of a PIA include: ensuring that privacy protection is a core conside

49、ration in the initial considerations of a PFS and in all subsequent activities during the system development life cycle; ensuring that accountability for privacy issues is clearly incorporated into the responsibilities of respective system developers, administrators and any other participants, including those from other institutions, jurisdictions and sectors; providing decision-makers with the information necessary to make fully-informed policy, system design and procurement decisions for proposed financial systems bas