管理資料隱私權法規的使用資訊Govern information subject to data privacy regulation

您可以在您的環境中使用資訊控管控制,以協助滿足資料隱私權符合性需求,包括一般資料保護法規的特定數位 (GDPR) 、HIPAA-高科技 (美國衛生保健隱私權法案) 、加州消費者 Protection 法案 (CCPA) ,以及巴西資料保護法案 (LGPD) 。Information governance controls can be employed in your environment to help address data privacy compliance needs, including a number that are specific to General Data Protection Regulation (GDPR), HIPAA-HITECH (the United States health care privacy act), California Consumer Protection Act (CCPA), and the Brazil Data Protection Act (LGPD).

這些控制項主要分為下列解決方案區域:These controls primarily fall into the following solution areas:

  • 保留原則Retention policies
  • 保留標籤Retention labels
  • 記錄管理Records management

影響資訊管理控制的資料隱私權法規Data privacy regulations impacting information governance controls

以下是可能與資訊管理控制相關之資料隱私權法規的範例清單:Here is a sample listing of data privacy regulations that may relate to information governance controls:

  • GDPR 文章 (13) # B2 2) # B4 a) GDPR Article (13)(2)(a)
  • GDPR 文章 (5) # B2 1) # B4 f) GDPR Article (5)(1)(f)
  • HIPAA-高科技 (45 CFR 164.312 (c) # B3 2) # A5HIPAA-HITECH (45 CFR 164.312(c)(2))
  • HIPAA-高科技 (45 CFR 164.316 (b) # B3 1) # B5 i) # A7HIPAA-HITECH (45 CFR 164.316(b)(1)(i))
  • HIPAA-高科技 (45 CFR 164.316 (b) # B3 1) # B5 ii) # A7HIPAA-HITECH (45 CFR 164.316(b)(1)(ii))
  • LGPD 文章46LGPD Article 46

如需這些法規的詳細資訊,請參閱 評估資料隱私權風險及識別敏感資訊文章For more information on these regulations, see the assess data privacy risks and identify sensitive information article.

針對資訊管理,資料隱私權規定一般會呼叫下列各項:For information governance, data privacy regulations typically call for the following:

  • 您應該針對儲存在 Microsoft 365 中的個人資料,使用技術方案進行保留和刪除。You should employ a technical scheme for retention and deletion for personal data stored in Microsoft 365.
  • 如果您想要儲存個人資料,請將儲存資料的時間,告知其使用時間,這是前端網頁系統的標準作法。If you're going to store personal data, inform the subject of how long the data will be stored, which is a standard practice now on front-end web systems.
  • 個人資料應受到保護,避免意外處理、遺失或篡改使用可驗證的方法。Personal data should be protected against accidental processing, loss, or alteration using verifiable methods.
  • 應該記錄針對個人資料執行的任何動作,而且檔應保留指定期間內。Any action executed against personal data should be documented and that documentation should be retained for a specified period.

因為資料保密規定是資料保留和刪除的特別不足之處,所以必須考慮其他因素,以規定儲存在 Microsoft 365 訂閱中的個人資訊的資訊控管指導方針。Because the data privacy regulations are not very specific when it comes to data retention and deletion, other factors need to be taken into consideration that may dictate information governance guidelines for personal information stored in your Microsoft 365 subscription. 以下是一些範例:Here are a few examples:

  • 使用五年後的使用者帳戶,且需要在該點之後刪除或匿名帳戶資料,需要在儲存與通知及其他自動化相關之資料和工作流程的系統之間進行業務流程。Aging out consumer accounts after 5 years of inactivity and requires deletion or anonymization of account data after that point, requiring orchestration between the system storing the data and workflows related to notifications and other automation.
  • 設定規則,使與 GDPR 相關的原則和程式在已被取代後,以三年為依據,與組織的原則和程式保留排程相符。Configuring rules for keeping policies and procedures related to GDPR around for three years after they've been superseded, which aligns with the organization's retention schedule for policies and procedures.
  • 維護個別訂閱,以透過其支援組織與消費者進行通訊。Maintaining a separate subscription for communicating with consumers through its support organization. 所有的電子郵件通訊會在兩周後保留並刪除,以減少系統中的任何隱私權債務。All email communications were retained and deleted after two weeks to reduce any privacy debt buildup in the system.

要回答的重要問題是:A key question to answer is:

  • 包含個人資料的資訊必須保留多久,以避免「永遠保留它」做法,以避免有效的商業理由?How long does information containing personal data need to be kept around for valid business reasons to avoid "keep it forever" practices? 這必須與業務持續性的保留需求平衡。This must be balanced with retention needs for business continuity.

不論保留或刪除個人資訊的法律和業務原因為何,Microsoft 都會提供一些功能,以在 Microsoft 365 中實施您的資料管理架構。Regardless of the legal and business reasons for keeping personal information around or deleting it, Microsoft provides a number of capabilities to implement your data governance scheme in Microsoft 365.

管理 Microsoft 365 中的資訊管理Managing information governance in Microsoft 365

若要開始,請參閱管理 Microsoft 365 中的 資訊 管理和 資料保留、刪除和銷毀To begin, see Manage information governance and Data Retention, Deletion and Destruction in Microsoft 365.

開發容器、電子郵件和內容的資料保留時間表Develop data retention schedules for containers, email, and content

請記住下列事項:Keep the following in mind:

  • 為定義的資訊類型建立資料保留排程,應視為實施任何保留或刪除配置的必要條件。Establishing a data retention schedule for defined information types should be considered a prerequisite to implementing any retention or deletion scheme.

  • 根據大多陣列織認為重要的資訊類型數量,以及與這些類型相關的大型記錄保留排程,實現資料保留及記錄管理原則需要規劃。Given the number of information types that most organizations consider important and the corresponding large records retention schedules that go along with them, implementing a data retention and records management strategy requires planning.

  • 建立這種類型的有效資料控管策略,主要是著重于需要更正式管理的最高優先順序商務功能和資訊類型。The key to establishing an effective data governance strategy of this type is to focus on the highest priority business functions and information types that require more formal management. 例如法律合約、金融報表和法規規範檔。Examples are legal contracts, financial statements, and regulatory compliance documentation. 請嘗試避免每一種單一資訊類型都有個別的保留排程。Try to avoid having a separate retention schedule for every single information type. 請盡可能盡可能使用一般類別,例如,針對一般商務內容使用7年的保留時間表。Try to utilize general categories as much as possible, for example, with retention schedules of 7 years for general business content.

  • 一旦環境中的個人資訊類型更知名,請建立這種內容類型的保留和刪除排程,並調整您的資訊架構,以簡化這類資訊的管理。Once the personal information types in your environment are better known, establish retention and deletion schedules for this type of content and adjust your information architecture to make governance of this sort of information easier. 例如,以可控存取方式隔離個別網站、文件庫或資料夾中的個人資訊。For example, isolate personal information in separate sites, libraries, or folders with controlled access.

保留原則和保留標籤Retention policies and retention labels

使用 保留原則和保留標籤 ,保留或刪除包含或預計包含個人資料之 Microsoft 365 中的內容。Use retention policies and retention labels to retain or delete content in Microsoft 365 that contains or is expected to contain personal data.

記錄管理Records management

使用可宣告內容 a 記錄的保留標籤,以對 Microsoft 365 中的資料執行 記錄管理解決方案Use retention labels that declare content a record to implement a records management solution for data in Microsoft 365.

針對資料隱私權,合法系所收到的資料主體要求 (Dsr) 會宣告一筆記錄,而且可以使用大量儲存或處置憑證,以遵守法規活動的保留規格。For data privacy, data subject requests (DSRs) received by the legal department are declared a record and can be stored indefinitely or disposed of with proof, to adhere to regulatory activity retention specifications.