ISO 22307:2008 Financial services — Privacy impact assessment

Standard number: ISO 22307:2008

Chinese title: 金融服务 隐私影响评定

English title: Financial services — Privacy impact assessment

Publication date: 2008-05

Scope


ISO 22307:2008 recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by “contracted” third parties, to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems. ISO 22307:2008

  • describes the privacy impact assessment activity in general,
  • defines the common and required components of a privacy impact assessment, regardless of business systems affecting financial institutions, and
  • provides informative guidance to educate the reader on privacy impact assessments.

A privacy compliance audit differs from a privacy impact assessment in that the compliance audit determines an institution's current level of compliance with the law and identifies steps to avoid future non-compliance with the law. While there are similarities between privacy impact assessments and privacy compliance audits in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the primary concern of a compliance audit is simply to meet the requirements of the law, whereas a privacy impact assessment is intended to investigate further in order to identify ways to safeguard privacy optimally.

ISO 22307:2008 recognizes that the choices of financial and banking system development and risk management procedures are business decisions and, as such, the business decision makers need to be informed in order to be able to make informed decisions for their financial institutions. ISO 22307:2008 provides a privacy impact assessment structure (common PIA components, definitions and informative annexes) for institutions handling financial information that wish to use a privacy impact assessment as a tool to plan for, and manage, privacy issues within business systems that they consider to be vulnerable.
