China Issues New Personal Information Security Standard
On 29 December 2017, the Standardization Administration of China ("SAC") released the final version of the national standard on personal information/data protection, entitled Information Security Technology - Personal Information Security Standard (GB/T 35273-2017) (hereinafter "the Standard").
The Standard will take effect on 1 May 2018. Its main content comprises: 1) the basic definition of personal information and related terms; 2) the basic principles of personal information security; 3) the requirements for the collection, preservation, use and processing of personal information; and 4) the requirements for emergency handling, organization and management of personal information security.
The Definition of Personal Information
The Standard provides that personal information means information, recorded electronically or by other means, that can identify a particular natural person or reflect the activities of a particular natural person, such as name, date of birth, identification number, personal biometric information, address, contact details, communication records and content, account passwords, property information, credit information, whereabouts, accommodation information and health status.
The Relevant Provisions on the Transfer of Personal Information
In the field of information collection, the Standard requires: 1) Legitimacy. Personal information controllers must comply with the limits prescribed by laws and regulations and use lawful means when they collect personal information or request others to provide it; 2) Minimization. The types, frequency and quantity of personal information collected by personal information controllers must not exceed the necessary scope; 3) Authorization. The purpose, methods, scope and related rules for handling personal information must be authorized by the individual.
With regard to sensitive personal information, the Standard provides that personal information controllers must obtain the full consent of the individual before acquiring such information. Where a product or service involves core functions and/or additional functions, personal information controllers must clearly inform the individual that he/she has the right to consent or refuse, and of the adverse effects.
In addition, the Standard requires personal information controllers to draw up relevant privacy policies, to explain the purpose of collecting personal information and to describe the relevant legal responsibilities.
For the preservation of personal information, the Standard requires personal information controllers to take technical and other necessary measures to ensure that the personal information they collect is protected from leakage, damage and loss. Specific measures include: 1) Minimum retention period. Personal information must be retained only for as long as is consistent with the purpose of use; information that exceeds the necessary retention period must be deleted or anonymized immediately; 2) De-identification. Identifying features must be removed from the information so that it cannot be re-identified, and the collected data must be properly kept.
For sensitive personal information, the Standard further requires personal information controllers to take measures to encrypt it. For biometric information, technical measures must be taken before storage. In addition, the Standard requires that, when personal information controllers cease to operate their products or services, they stop collecting personal information in a timely manner and notify the individual immediately; at the same time, the personal information they hold must also be deleted or anonymized immediately.
The Standard sets out in detail the obligations of personal information controllers when using personal information, such as data access controls, restrictions on the display of personal information and restrictions on use.
In addition, the Standard requires that access to personal information strictly follow the principle of minimum authorization. The Standard strictly restricts the personnel who may access personal information: personnel who are responsible for approval and/or who handle related information beyond their limit of authority must be recorded by personal information controllers, and personal information controllers must take measures to set standards regulating the mode of access. With respect to restrictions on the display and use of personal information, the Standard requires personal information controllers to use technical means to de-identify information in the process of using or displaying it, so as to avoid identification of the individual. The Standard also states that the individual has the right to access, correct and delete personal information, withdraw consent, cancel the account and obtain copies of personal information. When an individual discovers that his/her personal information has been accessed, corrected or deleted by third parties and inquires into this, personal information controllers must respond promptly.
External Supply
External supply of personal information includes process delegation, sharing, transfer to third parties and public disclosure. The Standard stipulates that personal information controllers must carry out process delegation within the scope authorized by law and by the individual, and that they must not only evaluate personal information security but also supervise the entrusted parties in an appropriate way.
For sharing and transfer, the Standard requires that the sharing and transfer of personal information be approved by the individual and be carried out only where there is a genuine need to share or transfer; personal information controllers must keep records of the data transferred and shared; and personal information controllers must confirm that the third party is sufficiently able to receive the information and ensure data security.
With regard to public disclosure, the public disclosure of personal information must be authorized by law or permitted by another reasonable cause; at the same time, personal information controllers must conduct a security assessment before disclosure and obtain the consent of the individual. In addition, the Standard states that personal biometric information cannot be publicly disclosed, considering that it has the specific function of identifying an individual organism.
The Requirements for Emergency Handling, Organization and Management of Personal Information Security
Emergency handling, organization and management of personal information security mainly concern the response measures taken after an emergency occurs. The Standard stipulates that personal information controllers must formulate a plan and carry out drills before any emergency occurs; after an incident occurs, personal information controllers must record the emergency and assess its possible impact; at the same time, they must inform the affected individuals and try to minimize the adverse consequences of the incident.
In addition, the Standard sets out a series of provisions on the organization and management of personal information. The main measures include: 1) personal information controllers must evaluate the security of personal information from time to time and establish their own evaluation mechanisms; 2) establish appropriate data security systems, conduct regular management training for relevant personnel, and evaluate the effectiveness of security measures and the relevant privacy policies; and 3) improve the evaluation system so as to prevent personal information from leakage, damage and loss.
ABOUT THE AUTHOR: Sarah Xuan
Sarah Xuan is a Senior Associate in the MMLC Group.
Copyright MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.