Theoretical logic and system construction of personal information protection compliance audit
Wang Chong
School of Law, Tsinghua University, Beijing 100084, China
Abstract: Personal information protection compliance audit is not only a legal obligation for personal information processors, but also its preventive exemption function helps to incentivize personal information processors to reasonably avoid legal risks, improve personal information protection capabilities proactively, and promote the synergy between government supervision and enterprise selfdiscipline in the context of regulatory model transformation. The Personal Information Protection Law provides for a twotier audit model of "autonomous audit+mandatory audit", and the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comments) provides an important basis for the implementation of compliance audit, but there are still gaps in terms of system connection, legal effect, and the conduct of audit.
Key words : personal information protection compliance audit; risk assessment; autonomous audit; mandatory audit
個(gè)人信息保護(hù)合規(guī)審計(jì)的內(nèi)涵個(gè)人信息保護(hù)合規(guī)審計(jì)是指基于審計(jì)材料對(duì)個(gè)人信息處理者遵守法律、行政法規(guī)等規(guī)范的情況進(jìn)行評(píng)估審查的活動(dòng)。11風(fēng)險(xiǎn)內(nèi)涵《個(gè)人信息保護(hù)法》中“風(fēng)險(xiǎn)”一詞出現(xiàn)了多次,但并未明確其概念屬于個(gè)人信息保護(hù)風(fēng)險(xiǎn)還是合規(guī)風(fēng)險(xiǎn)。個(gè)人信息保護(hù)風(fēng)險(xiǎn)是指?jìng)€(gè)人信息處理可能具有的屬性(如處理范圍、處理性質(zhì)、處理類型等)對(duì)數(shù)據(jù)主體造成損害的可能性。這一風(fēng)險(xiǎn)概念在美國(guó)國(guó)家標(biāo)準(zhǔn)與技術(shù)研究院(NIST)2017年提出的隱私管理框架(Privacy Engineering and Risk Management, NIST 8062)中也有所體現(xiàn),該框架規(guī)定其目標(biāo)是以“能夠設(shè)置適當(dāng)?shù)目刂拼胧┮詼p輕潛在問題”,即關(guān)注數(shù)據(jù)處理對(duì)數(shù)據(jù)主體造成的損害[1]。相比于個(gè)人信息保護(hù)風(fēng)險(xiǎn),合規(guī)風(fēng)險(xiǎn)則指?jìng)€(gè)人信息處理者遵守個(gè)人信息保護(hù)相關(guān)的法律法規(guī)可能存在的風(fēng)險(xiǎn)。