在清华大学法学院副教授程啸看来，近年来媒体披露的涉及考生个人信息泄露的考试，可根据组织者的性质分为两类：一类是公务员考试、司法考试等由国家机关组织的考试。考生个人信息一旦被泄露造成损害的，可能产生国家赔偿责任，因为这属于行政机关行使行政职权造成财产损失的违法行为。

An associate professor at tsinghua university law school ChengXiao looks,In recent years the media disclosure of personal information involving the examinee leak test,According to the nature of the organizers are divided into two classes:One kind is civil service examination/Judicial examination by state organs organization examination.The examinee personal information once leak caused damage,May produce national liability to pay compensation,Because it belongs to the administrative authority of administrative power loss of property caused by the illegal behavior.

　　另一类是行业协会组织的考试，比如由中国注册会计师协会组织的注册会计师考试等。“它们的性质属于社会团体法人或事业单位法人。从民法的角度来说，其与考生都属于平等的民事主体，存在合同关系，协会提供考试服务，同时也应履行信息保密的义务。”程啸说。

Another kind is industry associations examination,Such as the Chinese institute of certified public accountants organization of CPA exam, etc."They belong to the social group legal person or institution legal person.From the point of view of civil law,The candidates are equal civil subject,Existing contract relationship,Association provide testing service,At the same time also should perform the obligation of information confidential."ChengXiao said.

　　事实上，无论考试性质如何，大量考生个人信息具有很大的利用价值。程啸认为，一方面，商家可以利用这些信息发布广告，如举办培训班、推销保险等。另一方面，不法分子还可以利用这些信息来实施违法犯罪活动。

In fact,No matter how nature exam,A large number of candidates personal information has great value in use.ChengXiao think,On the one hand,Merchants can use that information to release advertisement,Such as holding training/Sell insurance, etc.On the other hand,Illegal molecule can also use these information to the implementation of the illegal and criminal activities.

　　由于这类考试都具备一定普遍性和公信力，考生往往不得不如实填写真实、充分的个人信息。

Because this kind of exam has a certain universality and credibility,Students often have to fill in the real/Sufficient personal information.

　　江苏汇商律师事务所律师吕剑峰认为，有关考试组织机构并未能完全地履行对考生个人信息的保护义务。考生频繁接到骚扰短信或电话只有两个可能：第一，考试组织机构的工作人员主动泄密；第二，他们的信息系统存在缺陷。

Jiangsu remittance business law firm lawyers LvJianFeng think,The exam organization and failed to completely fulfill the candidates personal information protection obligation.The examinee frequent received text messages or phone harassment there are only two possible:The first,The exam organization staff active leak;The second,Their information system defects.

　　程啸补充说，从法律的角度来看，有损害才有赔偿，如果有人利用考生个人信息实施侵权行为造成他人损害，而受害人往往找不到这些直接从事侵权行为的人时，根据我国《侵权责任法》的规定，如果组织者有过错的，应承担赔偿责任。当然前提是，考生必须证明组织者因过错泄露了其个人信息。

ChengXiao added,From a legal point of view,Damage to have compensation,If someone using the examinee personal information implementation tort causes damage to others,And the victim usually can't find these directly engaged in the tort person,According to our country[Tort liability law]regulations,If the organizers have fault,Shall bear the liability of compensation.Of course the premise is,The examinee must prove the organizers for fault revealed the personal information.

　　程啸建议，国家应当对组织考试的机构在个人信息的收集与保护方面做出规定，要求无论是国家机关还是社会团体，如果要大规模收集个人信息，都应当履行严格的保密义务，并把保护个人信息的能力作为考核的要求。

ChengXiao Suggestions,Countries should to the organization examination institutions in the personal information collection and protection regulations make,Requirements whether state organs or social groups,If you want to large-scale collect personal information,All shall perform strict confidentiality obligations,And the protection of personal information ability as assessment requirements.

　　他强调，如果出现个人信息的泄露，应对承担保护个人信息义务的机构进行相应的处罚，比如暂停其组织考试的资格等。

He stressed that,If a personal information leak,To undertake the obligation of protecting personal information agencies corresponding punishment,Such as suspend its organization exam qualification, etc.

　　程啸认为，公民个人信息保护涉及的法律既有民法领域的，也有行政法领域的。其中，侵权责任法主要规定因泄露个人信息而产生的侵权责任的问题，这属于法律的事后救济。“要保护考生的个人信息，事前的预防比事后的救济更重要毕竟，要查明信息究竟是在哪个环节泄露的，并不容易。”

ChengXiao think,Citizens' personal information protection of legal both in the field of civil law,Also in the field of administrative law.the,Tort liability law main provisions through divulging personal information and produce the problem of tort liability,This belongs to the law relief afterwards."To protect the examinee's personal information,Advance prevention is more important than afterwards relief after all,To find out what is information in which link discoverable,Is not easy."

　　曾在德国访学的程啸发现，在德国，公民如需填写个人信息，都会被明确告知个人信息正在被采集；同时，采集个人信息的机构也要明确承诺保护个人信息。

Once in Germany visit learn ChengXiao found,In Germany,Citizens should fill out personal information,Will be explicitly told personal information is being acquisition;At the same time,Collecting personal information agencies also a clear commitment to protect personal information.

　　“这就是个人信息在采集前的告知义务与采集后的保密义务。”程啸说。

"This is the personal information collected in before and after the collection of the inform obligation of confidentiality obligations."ChengXiao said.

　　在他看来，国内一些考试需要考生提交的信息过于繁杂和不必要。“个人信息收集得越多，泄露的风险和保密的责任也就越大。”程啸指出，个人信息收集要遵循必要性的原则。

In his view,Domestic some examination need to the candidate's personal information is too multifarious and unnecessary."The more personal information collection,Let the cat out of the risks and confidential responsibility bigger also."ChengXiao pointed out that,Personal information collection should abide by the principle of necessity.

　　除一些考试外，大规模采集个人信息的情形随处可见，如在网站注册账户、第三方支付工具等。要求填写的信息常有：姓名、手机号、座机号、身份证号、家庭住址、邮箱甚至是银行账号等。

In addition to some examination outside,Large-scale acquisition personal information situation can be seen everywhere,As in the site registered account/The third party payment tools etc.Often are required to fill in this information:name/Mobile phone number/Machine number/Id number/Home address/Mail or even bank account number.

　　“对于个人信息数据库的安全性，我国有明确的信息等级安全保护策略。”中国传媒大学计算机学院讲师黄玮告诉记者，如果是比较重要的考试，其信息系统可能有强制的安全保障。“越是地方性的考试，本身定的安全等级可能低些，安全也稍微差一些。”

"For the security of personal information database,Our country has definite information level security protection strategy."The Chinese media university computer college lecturer HuangWei told reporters,If is the more important exam,The information system may have forced safety guarantee."The more local examination,Itself fixed safety level may be less,Security also slightly lower."

　　记者在公安部、国家保密局等4部门2007年7月发布的《关于开展全国重要信息系统安全等级保护定级工作的通知》上看到，根据信息损害后的损害程度，一些单位的信息安全保护分为五个级别，级别越高，保密措施程度自然越高。

Reporter in the ministry of public security/4 the state secrecy bureau department released in July 2007[About to carry out the national important information system security level grading protection work of the notice]See on,According to the information after the damage extent of the damage,Some units of information security protection is divided into five levels,higher,The higher the degree of security measures nature.

　　同年8月发布的《信息安全技术、信息系统安全管理测评》的公共安全行业标准，也对机构和人员管理、运行和维护管理、监督和检查管理等提出了要求。

In the same year released August[Information security technology/Information system safety management evaluation]Public security industry standard,Also to institutions and personnel management/Operation and maintenance management/Supervise and check management puts forward requirements.

　　但黄玮指出，一些单位在评估信息安全时，认为有的数据没有足够价值，便不会投入足够成本进行安全建设。甚至，一些地方政府在公布公务员考试或事业单位考试的成绩时，还公开列出了考生完整的身份证号。“这显然没有意识到公民个人信息的重要性。”黄玮说。

But HuangWei pointed out that,Some units in the evaluation of the information safety,Think some data do not have enough value,Won't put in enough safety construction cost.even,Some local government announced in the civil service examination or business unit when the result of the examination,Publicly listed the examinee complete id number."This obviously did not realize the importance of citizen personal information."HuangWei said.

　　提起考生信息在多部门间的传递，黄玮认为，信息的确可以经过多个节点，但安全领域有一个基本的常识：需要保密时，知道信息的人、传播的节点越少越好，因为任何一个节点都可能泄密。

Mention the examinee information in multi-departmental transfer,HuangWei think,Information can indeed after multiple nodes,But security fields has a basic common sense:When need to be kept secret,Know that information/The spread of the node fewer is better,Because any a node could leak.

　　其实，信息采集规范的制定并非没有在尝试。程啸举例说，住房与城乡建设部颁布的行业标准《房地产登记技术规程》中，就要求在登记申请书中做出“信息收集声明”，表明个人信息“是依法定职权收集的”，且“用于房地产登记和登记资料利用”这一特定目的。

In fact,Information collection standard formulation is not without trying.ChengXiao for example,Housing and urban and rural issued by the ministry of industry standard[The real estate registration technical regulations]in,Requires in the registration application form to make the"Information collection statement",Show that personal information"In accordance with statutory functions and powers is collected",and"For real estate registration and registration material utilization"A particular purpose.

　　“目前，各单位的信息化建设已经从纸面化逐渐发展到电子化、互联化。例如，为实现房屋限购的政策，购房人的房屋信息、婚姻家庭信息等都联网了。”程啸指出，如果不抓紧对公民信息的采集和保护做出统一、科学的规范，未来产生危害的可能会更大。 "At present,Each unit's information construction has been changed gradually from paper to electronic/Internet change.For example,For the realization of housing purchasing policy,The person that buy a house information/Marriage and family information and so on all the networking."ChengXiao pointed out that,If you don't pay close attention to the collection of the information of the citizens and protection made unified/The scientific standard,The future harm may be more big.