Information security technology—Personal Information Security Specifications (Draft for Solicitation of Comments)

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.

Source: https://www.tc260.org.cn/front/postDetail.html?id=20190201173320
Comment period ends, 3/3/2019

Foreword

These standards are drafted in accordance with the rules given in GB/T1.1--2009 "Standardization Work Guide Part 1: Structure and Preparation of Standards". These standards replace GB/T35273-2017 "Information security technology—Personal Information Security Specifications", and the primary changes from that document are as follows:

a) In '3 Abbreviations' added '3.15 Personalized Displays';

b) added '5.3 Requirement that collection of personal information must not be compulsory'

c) revised '5.7 Exceptions to receiving authorized consent';

d) added '7.4 Personalized displays and withdrawal';

e) added '7.5 aggregation and integration based on personal information collected for different operation goals'

f) Added '8.3 Management of third-party access';

g) Revised '10.1 Clarify responsible departments and personnel'

h) added "10.2 Personal information processing activity records;"

i) Revised "Informative Annex C: Methods of Safeguarding the Personal Data Subjects' Right to Choose to Grant Consent"

j) added 'Appendix C.1 Distinction between basic business functions and extended business functions', 'C.2 Information and explicit consent on basic business functions', and 'C.3 Information and explicit consent for extended business functions'.

Please note that the other content of this document might involve patents, and the bodies issuing this document do not bear responsibility for identifying these patents. These standards are proposed and controlled by the National Information Security Standardization Technology Committee. Drafted by: China Electronics Standardization Institute, Peking University, Beijing Information Security Evaluation Center, Yixin Technology Co. Ltd., Sichuan University, Tsinghua University, China Information Security Research Institute Co. Ltd., First Research Institute of Ministry of Public Security, Shanghai Institutes for International Studies, Alibaba (Beijing) software services Ltd., Shenzhen Tencent computer system Co. Ltd., Cyberspace Great Wall Co. Internet system applications, Ali cloud computing Ltd., Huawei technologies Co., Ltd., and Qiang Yue Data Co. LTD.

The main drafters of this standard are: Hong Yanqing, Qian Xiubin, He Yanzhe, Zuo Xiaodong, Chen Xingshu, Gao Lei, Liu Xiangang, Shao Hua, Cai Xiaodan, Huang Xiaolin, Gu Wei, Huang Jin, Shangguan Xiaoli, Zhao Zhangjie, Fan Hong, Du Yuejin, Yang Shilei, Zhang Yanan, Jin Tao, Ye Xiaojun, Zheng Bin, Min Jinghua, Lu Chuanying, Zhou Yachao, Yang Lou, Wang Haizhou, Wang Jianmin, Qin Song, Yao Xiangzhen, Ge Xiaoyu, Wang Daokui, Zhao Ran and Shen Xiyong.

Introduction

In recent years, with the rapid development of information technology and the popularization of Internet applications, more and more organizations collect and use a large amount of personal information, bringing convenience to people's lives, but at the same time, problems such as the illegal collection, abuse and disclosure of personal information have emerged, which pose a serious threat to personal information security.

These standards are aimed at the security problems facing personal information and regulate the relevant conduct of personal data controllers in information processing, such as collection, preservation, use, sharing, transfer and public disclosure; their purpose is to rein in disorder such as the illegal collection, abuse and leaking of personal information, and to protect the lawful rights and interests of individuals and the societal public interest to the greatest extent possible.

For specific matters in the standards where the laws or administrative regulations otherwise provide, follow those provisions.

Information security technology—Personal Information Security Specifications

1. Scope

These standards regulate the principles and security requirements that should be followed in acts handling personal information such as collection, storage, use, sharing, transfer, and disclosure.

These standards are applied to regulate all types of organizations' activities handling personal information, and are also applied to the supervision, management and evaluation of personal information handling activities by the competent supervisory departments and third-party assessment organizations.

2 Normative reference documents

The following documents are essential for the application of this document. For dated reference documents, only the dated version is applied for this document. For undated reference documents, the newest version (including all revision lists) is applied for this document.

GB/T 25069—2010 Technical language for information security

3 Terms and Definitions

The following terms and definitions and those defined in GB/T 25069—2010 apply to this document.

3.1

个人信息 personal information

All kinds of information recorded electronically or through other means, that either alone or in combination with other information can identify specific natural persons or reflect the activities of specific natural persons.

Note 1. Personal information includes the full name, date of birth, identification card number, personal biometric information, address, communications contact Information, communication records and content, account passwords, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, transaction information, and so forth.

Note 2: Consult Appendix A regarding the scope and types of personal information.

3.2

个人敏感信息 personal sensitive information

Personal information that, once disclosed, illegally provided, or abused, might endanger personal and property security, can easily lead to harms to personal reputation, physical and psychological health, or discriminatory treatment, and so forth.

Note 1: Personal sensitive information includes the personal ID card numbers, personal biometric information, bank account numbers, communication records and content, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, and transaction information of children up to 14 years old (inclusive).

Note 2: Consult Appendix B for the scope and types of personal sensitive information.

3.3

个人信息主体 personal information subject

The natural person identified by personal information.

3.4

个人信息控制者 personal information controller

The organization or individual that has the right to make decisions such as on the purpose and methods of disposing of personal information.

3.5

收集 collect

Acts of acquiring control of personal information, including by active provision by the Personal Data Subject, through automatic collection, such as in interactions or by recording the activity of Personal Data Subjects, as well as through sharing, transfer, compilation, or other such indirect methods of acquiring public information.

If the provider of a product or service provides tools for use by Personal Data Subjects, but the provider does not access personal information, it is not collection as referred to in this standard. For example, offline navigation software that does not report back to the software provider after the terminal acquires user location information does not constitute collection of personal information.

3.6

明示同意 explicit consent

The act of giving explicit authorization by the Personal Data Subject, through written statement or affirmative confirmation, to the specific handling of its personal information.

Note: Affirmative confirmation includes statements actively made by the Personal Data Subject (electronic or on paper); actively checking off selections; clicking on "agree", "register", "send", or "call"; or active completion or provision.

3.7

用户画像 user profiling

The process of using the collection, aggregation, and analysis of personal information to form a model of the personal features of a particular natural person, such as their employment, economics, health, education, personal preferences, credit, and behavior, to make analysis and predictions.

Note: Directly using the personal information of a specific natural person to form a model of the natural person's features is called a direct user profile. Using personal information other than that from a specific natural person, such as the data of groups they are in, to form a model of the features of that natural person is called an indirect user profile.

3.8

个人信息安全影响评估 personal information security impact assessment

The process, aimed at activities handling personal information, of testing compliance with legal and regulatory procedures, judging all kinds of risks to Personal Data Subjects' lawful rights and interests, and assessing the effectiveness of all measures used to protect Personal Data Subjects.

3.9

删除 delete

Removal of personal information from the system during routine business functions, to keep it in a state where it cannot be retrieved or accessed.

3.10

公开披露 public disclosure

The act of publishing information to the public or to unspecified groups of people.

3.11

转让 transfer of control

The process of transferring control of personal data to another controller.

3.12

共享 sharing

The process by which Personal Data Controllers provide personal information to other controllers, and both have separate and independent control of the personal information.

3.13

匿名化 anonymization

The process of technically processing personal information so that the Personal Data Subject cannot be identified, and so that after processing, the information cannot be restored.

Note: After anonymization of personal information is carried out, the information obtained is not personal information.

3.14

去标识化 de-identification

The process of technical processing of personal information so that without additional information the Personal Data Subject cannot be identified.

Note: De-identification is built upon the individual level, retaining individual granularity, and employs technological measures such as encryption and hash functions to stand in for personal information.

3.15

个性化展示 personalized display

Displaying information content and providing search results for products and services to personal data subjects based on the specified personal data subjects' personal information, such as their internet browsing history, interests, purchase records and habits.

4. Basic Principles of Personal Information Security

Personal Data Controllers carrying out activities handling personal information should obey the following basic principles:

a) Principle of commensurate powers and responsibilities--- employ necessary technological or other measures to safeguard the security of personal information, and bear responsibility for harms caused to Personal Data Subject's lawful rights and interests in processing their information.

b) Clear purpose principle ---- have a legal, legitimate, necessary, and clear reason for processing personal information.

c) principle of choice and consent ---- express the purpose, methods, scope, and rules for processing personal information to the Personal Data Subject, and solicit their authorization and consent.

After the purpose is achieved, the personal information should be promptly deleted.

e) Principle of openness and transparency ---- Disclose the scope, purpose, and rules for processing personal information in a clear and comprehensible manner, and accept external oversight.

f) Principle of ensuring security ---- possess security capacity corresponding to the security risks faced, and employ sufficient management and technical measures to protect the confidentiality, integrity, and availability of personal information.

g) Principle of subject participation: Provide means for Personal Data Subject to access, modify, and delete their personal information, and to revoke consent, unregister accounts, and complain.

5 Collection of Personal Information

5.1 Requirements for the legality of the collection of personal information

Requirements for Personal Data Controllers include:

a) personal information must not be obtained through trickery, enticements, or misdirection;

b) Functions of products or services that collect personal information must not be concealed;

c) personal information must not be obtained indirectly through illegal channels;

d) Personal information whose collection is expressly prohibited by laws and administrative regulations must not be collected.

5.2 Requirements for minimizing the collection of personal information

Requirements for Personal Data Controllers include:

a) The type of personal information collected should be directly related to realizing the products or services' business functions. Directly related refers to the products or services' business functions being impossible to realize without that information;

b) The frequency of the automatic collection of personal information should be the minimum frequency necessary to achieve the business function of a product or service;

c) The amount of indirectly acquired personal information should be the minimum amount that is necessary to achieve the business function of a product or service.

5.3 Requirement that personal information must not be collected through coercion

When products or services provide multiple business functions that require the collection of personal information, the personal data controller must not force the personal data subject to accept the business functions provided by the product or service and the corresponding personal information collection requests against their independent will. Requirements for Personal Data Controllers include:

a) Must not use bundling of business functions of goods or services to request that personal data subjects accept, authorize, and consent to each operational function's request to collect personal information at one time.

b) should have the personal data subjects' proactive signing, clicking, selection, or other initiating conduct as a condition for starting products or services' business functions' collection of personal information, and provide channels or methods for closing or exiting the business functions. The channels or methods for closing or exiting business functions should be just as simple and convenient as the channels or methods by which personal data subjects select to use the business functions;

Note: Personal data controllers may bring about closure or exiting of business functions in accordance with 7.9 of these Standards.

c) If personal data subjects do not consent to use, close or exit specified business functions, the personal data controllers must not frequently solicit the personal data subjects' consent;

d) If personal data subjects do not consent to use, close or exit specified business functions, the personal data controllers must not suspend other business functions that the personal data subjects voluntarily selected to use, or lower the service quality of operational functions.

5.4 Authorization and consent for collection of personal information

Requirements for Personal Data Controllers include:

a) Before personal information is collected, the Personal Data Subject should be clearly informed of the types of personal information that will be separately collected by different business functions of the services or products to be provided, as well as the rules for collection and use of personal information (such as the purpose of collecting and using personal information, method and frequency of collection, storage domain, storage period, capacity for data security, and situations relevant to external sharing, transfer, and public disclosure of personal information), and obtain the Personal Data Subject's authorization and consent.

b) When indirectly collecting personal information:

1) The party providing the personal information should be requested to explain the source of the personal information, and a confirmation of the legality of the sources of personal information should be conducted;

2) The scope of authorization and consent that the party providing the personal information has already obtained should be understood, including the purposes of use, whether the Personal Data Subject has authorized and consented to transfer, sharing, and public disclosure, and so forth. If the personal information processing activities that need to be carried out for that organization's business operations exceed the scope of authorization and consent, the Personal Data Subject's explicit consent should be obtained within a reasonable period of time after the personal information is acquired or before the personal information is processed.

5.5 Explicit consent when collecting personal sensitive information

Requirements for Personal Data Controllers include:

a) When personal sensitive information is collected, the Personal Data Subject's explicit consent should be obtained. It should be ensured that the Personal Data Subject's explicit consent was voluntarily given by them on a foundation of full understanding, is specific, and is a clear and definite expression of their desires.

b) Before collecting information through active provision or automatic collection, one should:

1) Inform the Personal Data Subject of the personal sensitive information required for the basic business functions of the products or services provided, and clearly inform them of the impact of refusing to provide it or refusing consent. Personal Data Subjects should be allowed to select whether or not to so provide or to consent to automatic collection;

2) When extended business functions provided by products or services need to collect personal sensitive information, the extended business functions that the personal sensitive information is needed to complete should be explained to the Personal Data Subject one by one before collection, and the Personal Data Subject should be allowed to select whether or not to provide each item or whether to consent to automatic collection of personal sensitive information. When Personal Data Subjects refuse, the corresponding extended business functions may be not provided, but this should not be used as grounds for stopping provision of basic business functions, and the quality of the services should be guaranteed.

Note: Refer to appendix C for methods of realizing the above requirements.

c) Before collecting the personal information of minors who have reached 14 years of age, their explicit consent, or that of their guardians, should be obtained; for those not yet 14 years old, the explicit consent of their guardians should be obtained.

5.6 Requirements for Privacy Policies

Requirements for Personal Data Controllers include:

a) should draft privacy policies, and the content is to include but not be limited to:

1) The basic situation of Personal Data Controllers, including their registered name, registered address, regular office location, contact information for responsible persons, and so forth;

2) The purpose of collecting and using personal information, as well as each operation function covered by the purpose, such as using personal information for delivery of commercial advertisements, or using personal information to form the direct user profile and its uses;

3) The type of personal information collected separately by each operational function, distinguishing between basic business functions and the personal information they require to operate and extended business functions and the data they need to operate, and where sensitive personal information is involved, this must be clearly identified or prominently displayed;

4) The method and frequency of collecting personal information, the storage domain, the storage period, situations of sending information abroad, and other rules for processing personal information and the actual scope of collection of personal information.

5) the security risks that might be present after providing the personal information, and the impact that might come from not providing the personal information;

6) Compliance with the basic principles of personal information security, the capacity for data security possessed, and the personal information security protection measures employed; when necessary, proof of compliant data security and personal information protections may be made public;

7) The purpose of external sharing, transfer, or public disclosure of personal information, the types of personal information involved, the types of third-parties receiving personal information, as well as the legal responsibility borne.

8) The rights of Personal Data Subject and mechanisms for realizing them, such as inquiry methods, correction methods, deletion methods, methods for unregistering accounts, methods for revoking consent, methods for obtaining copies of personal information, methods for restricting automatic decisions by the information system, and so forth;

9) Channels and mechanisms for handling Personal Data Subjects' inquiries and complaints, as well as contact information for external conflict resolution bodies.

b) The information given in privacy policies should be true, accurate, and complete;

c) The content of privacy policies should be clear and understandable, consistent with common customary language, use standardized figures, illustrations, and so forth, avoid the use of ambiguous language, and provide a summary at the beginning, outlining the focus of the content. Where there is a disagreement over the content of privacy policies, adopt the understanding that is most beneficial to the lawful rights and interests of the personal data subjects;

d) Privacy policies should be publicly disclosed and easily accessed, such as by setting up links on websites' home page, the installation page for mobile applications, and social media homepages, or the interfaces provided for in these standards at 5.4 and 5.5, and other conspicuous places;

e) Privacy policies should be sent to personal data subjects individually. When the costs are too high or there are clear difficulties, they may be published through public announcement;

f) Where the matters indicated in a) of this article are changed, the privacy policy should be promptly updated and the Personal Data Subject should be newly informed.

Note 1: Consult Appendix D for content of privacy policies.

Note 2: When personal data subjects use products or services for the first time, register accounts, or in other such situations, use methods such as pop-up windows to proactively alert them to the primary or core content of the privacy policy, to help users understand and decide whether to choose to consent to relevant rules and continue to use the products or services.

5.7 Exceptions to acquiring authorization and consent

In the following situations, Personal Data Controllers do not need to obtain the authorization and consent of the Personal Data Subject for collection and use of personal information:

a) Where it is related to Personal Data Controllers' performance of obligations provided by laws or regulations;

b) where there is a direct relation to national security or national defense;

c) where there is direct relation to public safety, public health, or major public interests;

d) Where there is a direct relation to criminal investigations, prosecutions, trials, or enforcement of judgments and the like;

e) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their consent;

f) Where the personal information involved was voluntarily disclosed to the public by the Personal Data Subject;

g) Personal information that is collected from lawfully disclosed information, such as lawful news reports, open government information, and other such channels;

h) where used to preserve the secure and stable operations of products or services they provide, such as discovering or handling problems with the product or service.

i) Where the Personal Data Controller is a news unit and needs it for carrying out lawful news reporting;

j) Where the Personal Data Controller is an academic research institution, and it is needed to carry out statistics or academic research in the public interest, and when providing academic research outcomes or descriptions they carry out de-identification processing of personal information contained in the results.

6. Storage of Personal Information

6.1 Minimization of Personal Information Storage times

Requirements for Personal Data Controllers include:

a) the retention period for personal information should be the shortest time necessary to realize the purpose of the use authorized by the personal data subjects, unless otherwise provided by laws and regulations or otherwise agreed by the personal data subjects;

b) After the period for storing personal information described above is exceeded, the personal information should be deleted or anonymized.

6.2 De-identification processing

After personal information is collected, Personal Data Controllers should immediately conduct de-identification processing, and employ technical and management measures to separately store the de-identified information and the information that can be used to restore identifiers.
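One way to realize the separation that 6.2 requires, using the hash-function approach mentioned in the note to 3.14. This is an added illustration, not part of the standard; the record layout, the class names `ReidentificationVault` and `WorkingStore`, and the approval flag are hypothetical, and the sample record is constructed.

```python
"""Added example for 6.2: keyed pseudonymisation with separated storage."""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in this constructed record layout.
DIRECT_IDENTIFIERS = ("full_name", "id_card_number", "phone")

# Constructed sample input, not real data.
SAMPLE_RECORDS = [
    {"full_name": "Zhang San (constructed)",
     "id_card_number": "000000-19900101-0000",
     "phone": "138-0000-0001",
     "city": "Chengdu",
     "purchase_total": 120},
]


def pseudonym(key: bytes, stable_id: str) -> str:
    """Keyed hash (HMAC-SHA256) that stands in for the identifier.

    An unkeyed hash of a short, structured ID number can be recomputed by
    anyone who can enumerate candidates; the key is the 'additional
    information' without which the subject cannot be identified.
    """
    return hmac.new(key, stable_id.encode("utf-8"), hashlib.sha256).hexdigest()


class ReidentificationVault:
    """Holds everything able to restore identity: the key and identifier map.

    In a deployment this lives in a separate system with its own access
    control; here it is a separate object to make the boundary visible.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._identifiers = {}

    def tokenize(self, record: dict) -> str:
        token = pseudonym(self._key, record["id_card_number"])
        self._identifiers[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        return token

    def restore(self, token: str, approved: bool) -> dict:
        # Restoring identity is an exceptional, approved operation.
        if not approved:
            raise PermissionError("re-identification requires approval")
        return dict(self._identifiers[token])


class WorkingStore:
    """De-identified data set used by ordinary business processing."""

    def __init__(self):
        self.rows = {}

    def put(self, token: str, attributes: dict) -> None:
        leaked = set(attributes) & set(DIRECT_IDENTIFIERS)
        if leaked:
            raise ValueError("direct identifiers in working store: %s" % sorted(leaked))
        self.rows[token] = attributes


def ingest(record: dict, vault: ReidentificationVault, store: WorkingStore) -> str:
    """De-identify at ingestion: identifiers to the vault, the rest to the store."""
    token = vault.tokenize(record)
    store.put(token, {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS})
    return token


if __name__ == "__main__":
    vault, store = ReidentificationVault(), WorkingStore()
    t = ingest(SAMPLE_RECORDS[0], vault, store)
    print(t[:16], store.rows[t])
```

The same subject always maps to the same token under one key, so the working store stays usable for analysis, while a party holding only the working store cannot recompute the token from a known ID number.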

6.3 Transfer and Storage of Personal sensitive information

Requirements for Personal Data Controllers include:

a) When personal sensitive information is transferred or stored, security measures such as encryption should be employed;

b) When storing personal biometric identification information, it should be stored only after information security has been ensured through technological measures, such as separately storing the original information and a summary of personal biometric identification information, or storing only summary information.

6.4 Stopping operations of Personal Data Controllers

When Personal Data Controllers stop operations of their products or services, they should:

a) Promptly stop the continuation of activities collecting personal information;

b) Send the notice of stopping operations to every Personal Data Subject either individually or by public announcement;

c) Carry out deletion or anonymization of the personal information they possess.

7. Use of Personal Information

7.1 Personal Information Access Control Measures

Requirements for Personal Data Controllers include:

a) A minimum-authorization access control policy should be established for personnel who are authorized to access personal information, giving them access only to the minimum amount of personal information sufficient for their duties, and only the minimum authority to manipulate data required to complete their duties;

b) Set up an internal examination and approval process for important operations such as conducting batch modifications, copying, and downloading;

c) Conduct separated setup of the different roles of security management personnel, data manipulation personnel, and accounting personnel;

d) If the work requires authorization for specific personnel to exceed authority to handle personal information, it should be subject to examination and approval by the person responsible for protecting personal information or the working body for personal information protection and recorded;

NOTE: To determine the person responsible for protecting personal information or the working body for personal information protection, see 10.1 of these Standards.

e) Access to and revision of personal sensitive information, and other such operations, should be controlled according to the scope of authority by role, and based on action-triggered authorization as needed for the operations processes. For example, complaint handling personnel may only access users' relevant information upon a complaint by that user.
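The controls in 7.1 a), b) and e) can be combined in a single decision point, sketched below. This is an added illustration, not part of the standard; the role names, field scopes, batch threshold and the `PersonalInfoGate` class are assumptions, and the records are constructed.

```python
"""Added example for 7.1: role scope, action-triggered access, batch approval."""

# Assumed role-to-field scopes (7.1 a); role and field names are hypothetical.
ROLE_FIELDS = {
    "complaint_handler": {"phone", "order_history"},
    "analyst": {"city"},
}
# Roles whose access must be triggered by an action of the subject (7.1 e).
TRIGGERED_ROLES = {"complaint_handler"}
# Operations touching this many subjects or more count as batch (assumed value).
BATCH_THRESHOLD = 2

# Constructed sample records, not real data.
SAMPLE_RECORDS = {
    "u1": {"phone": "138-0000-0001", "order_history": ["A-1"], "city": "Chengdu",
           "id_card_number": "000000-19900101-0000"},
    "u2": {"phone": "138-0000-0002", "order_history": [], "city": "Beijing",
           "id_card_number": "000000-19900202-0000"},
}


class AccessDenied(Exception):
    pass


class PersonalInfoGate:
    def __init__(self, records):
        self._records = records
        self._open_complaints = {}  # user_id -> ticket id
        self.audit_log = []         # every decision is recorded

    def open_complaint(self, user_id, ticket_id):
        self._open_complaints[user_id] = ticket_id

    def close_complaint(self, user_id):
        self._open_complaints.pop(user_id, None)

    def _deny_reason(self, role, user_id, fields):
        extra = set(fields) - ROLE_FIELDS.get(role, set())
        if extra:
            return "field outside role scope: " + ", ".join(sorted(extra))
        if role in TRIGGERED_ROLES and user_id not in self._open_complaints:
            return "no open complaint from this user"
        return None

    def read(self, actor, role, user_id, fields):
        reason = self._deny_reason(role, user_id, fields)
        self.audit_log.append(
            (actor, role, user_id, tuple(sorted(fields)), reason or "granted"))
        if reason:
            raise AccessDenied(reason)
        return {f: self._records[user_id][f] for f in fields}

    def export(self, actor, role, user_ids, fields, approval_id=None):
        """Batch read; needs a recorded approval above the threshold (7.1 b)."""
        if len(user_ids) >= BATCH_THRESHOLD and approval_id is None:
            self.audit_log.append(
                (actor, role, tuple(user_ids), tuple(sorted(fields)),
                 "batch without approval"))
            raise AccessDenied("batch operation requires recorded approval")
        return {u: self.read(actor, role, u, fields) for u in user_ids}


if __name__ == "__main__":
    gate = PersonalInfoGate(SAMPLE_RECORDS)
    gate.open_complaint("u1", "T-100")
    print(gate.read("alice", "complaint_handler", "u1", ["phone"]))
    for entry in gate.audit_log:
        print(entry)
```

Access for the complaint handler ends when the complaint is closed, so the grant lasts only as long as the triggering action.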

7.2 Limits on displaying information

Where interface displays are involved in displaying personal information (such as on screen or paper), Personal Data Controllers should employ measures such as de-identification of the displayed personal information, reducing the risk that the personal information will be leaked during the display. For example, when personal information is displayed, prevent unauthorized internal personnel and persons other than the Personal Data Subject from obtaining the personal information without authorization.

7.3 Limits on the use of personal information

Requirements for Personal Data Controllers include:

a) Except as necessary to achieve the purposes authorized by the personal data subjects, when using personal information clear identity indicators should be removed, to avoid precise targeting of specific individuals. For example, to accurately appraise personal credit states, direct user profiles may be used, but when used for the purpose of delivering commercial advertisements, it is appropriate to use indirect user profiles.

b) All information produced through the processing of collected personal information that can, either independently or in conjunction with other information, identify natural persons, or reflect the activities of natural persons, should be considered personal information. Its handling should comply with the scope of authorization and consent obtained when the personal information was collected;

Note: Where personal information generated through processing is personal sensitive information, its handling shall comply with these Standards' requirements for personal sensitive information.

c) When using personal information, it must not exceed a scope directly and reasonably connected with the purpose stated when collecting the personal information. Where due to operational requirements, it is truly necessary to use personal information beyond the scope described above, the Personal Data Subject's explicit consent should be obtained again.

Note: Using collected personal information for academic research, or to arrive at descriptions of the overall state of natural, scientific, social, economic, or other phenomena, is within the scope reasonably related to the purpose for collecting personal information. But, when providing academic research externally or describing results, the personal information contained in the results should be de-identified.

7.4 Personalized displays and withdrawal

Requirements for Personal Data Controllers include:

a) Where using personalized displays in delivering news and information services to personal data subjects, should:

1) Clearly indicate language such as 'personalized display' or 'recommended' in a conspicuous manner;

2) Provide simple and intuitive options for personal data subjects to exit the personalized display mode.

Note: Exiting targeted delivery mode refers to no longer using delivery methods based on specified individuals' personal information when providing business functions to that person.

b) Where e-business operators provide consumers with personalized displays based on their hobbies and interests, spending habits, or search results for merchandise or services, they shall at the time provide said consumers with options not targeting their personal characteristics;

Note: Ordering displays and search results based on the specified locations selected by users, but not displaying different content and search result orders due to users' different identities, are options that do not target personal characteristics.

c) Where personalized displays are used in providing business functions to personal data subjects, they should:

1) Establish independent control mechanisms for personal data subjects for the personal information relied upon by personalized displays (such as signatures, image sizes, and so forth) to ensure personal data subjects' ability to adjust the extent of personalized displays;

2) When personal data subjects opt to exit personalized display mode, provide the personal data subjects with options to delete or anonymize the personal information on which the targeted delivery is based.

7.5 Aggregation and Integration of Personal Information Collected for Different Operational Purposes

Requirements for Personal Data Controllers include:

a) should comply with the requirements of 7.3 of these standards;

b) Personal information security impact assessments should be carried out based on the purposes for which aggregated and integrated personal information is used, and appropriate measures for protecting personal information should be employed;

7.6 Inquiries into personal information

Personal Data Controllers provide Personal Data Subject with methods for inquiries into the following information:

a) All personal information they have regarding that subject or class;

b) The source and reason for having personal information described above;

c) The identity or class of third parties that have already obtained the personal information described above.

Note: When Personal Data Subjects propose inquiries into personal information that was not actively provided, upon comprehensive consideration of the risks and harms that not complying might cause for the lawful rights and interests of the Personal Data Subject, as well as the technical feasibility, costs of bringing about the request and other such factors, the Personal Data Controller is to make a decision on whether or not to comply, and give explanations.

7.7 Correction of personal information

Where Personal Data Subjects find that there are errors in their own personal information that is in the possession of Personal Data Controllers, or that it is incomplete, the Personal Data Controller should provide them with methods for correcting or supplementing the information.

7.8 Deletion of personal information

Requirements for Personal Data Controllers include:

a) Where the following conditions are met and Personal Data Subjects request deletion, the personal information should be promptly deleted;

1) Personal Data Controllers violate provisions of laws or regulations, in collecting or using personal information;

2) Personal Data Controllers violate agreements with the Personal Data Subject in collecting or using information.

b) Where Personal Data Controllers share or transfer personal information in violation of laws, regulations, or agreements with Personal Data Subject, and the Personal Data Subject requests that they delete it, the Personal Data Controller should immediately stop the sharing and transfer, and inform third-parties to delete it;

c) Where Personal Data Controllers violate provisions of laws or regulations, or agreements with Personal Data Subject, in publicly disclosing personal information, and the Personal Data Subject requests deletion, the Personal Data Controller should immediately stop the public disclosure, and issue a notice requesting that relevant recipients delete the corresponding information.

7.9 Revocation of consent by Personal Data Subject

Requirements for Personal Data Controllers include:

a) Personal Data Subjects should be provided with methods for revoking consent and authorization for collection and use of personal information. After consent is revoked, Personal Data Controllers must not continue to handle the relevant personal information.

b) Personal Data Subjects' right to refuse to accept delivery of commercial advertisements based on their personal information should be guaranteed. Personal Data Subjects should be provided with a method for revoking consent for external sharing, transfer, and public disclosure of personal information.

Note: Revocation of consent does not impact the prior handling of personal information based on that consent.

7.10 Unregistering Personal Data Subject's accounts

Requirements for Personal Data Controllers include:

a) Personal Data Controllers that provide services through registered accounts should provide Personal Data Subject with methods for unregistering accounts, and those methods should be simple and easy to perform;

b) After Personal Data Subjects unregister accounts, their personal information should be promptly deleted or anonymized.

7.11 Personal Data Subjects acquisition of copies of personal information

Based on the requests of the Personal Data Subject, Personal Data Controllers should provide methods for the Personal Data Subject to obtain copies of the following types of personal information, or, so long as it is technically possible, directly transfer the following personal information to third parties designated by the personal data subject.

a) Basic personal materials and personal ID information;

b) Personal health and physiological information, and personal education and work information.

7.12 Restrictions on information systems' automatic decisions

When decisions are made based solely on automatic decisions of information systems that clearly impact the rights and interests of Personal Data Subject (such as decisions on individual's credit reporting level and borrowing amount based on their user profile, or using profiles in employment interview screenings), Personal Data Controllers should provide methods for raising appeals.

7.13 Responding to requests from personal data subjects

Requirements for Personal Data Controllers include:

a) After verifying the Personal Data Subject's identities, Personal Data Subject's requests based on 7.6-7.12 of these Measures should be promptly complied with, a response and explanation should be made within thirty days or within the period provided by laws and regulations, and the Personal Data Subject is to be informed of channels for external dispute resolution;

b) Appropriate mechanisms should be set up directly in the functional interfaces provided by goods or services (e.g. application programs may set up special options, functions, or interfaces, etc.), facilitating personal data subjects' online exercise of their rights to access, correct, delete, withdraw consent, deregister accounts, and so forth;

c) In principle, fees are not accepted for reasonable requests, but where duplicative requests are made in a certain time period, fees for costs may be collected in light of the circumstances;

d) If directly realizing the requests of the Personal Data Subject requires spending large amounts, or if there are clear difficulties, the Personal Data Controller should provide the Personal Data Subject with alternative methods, to protect the lawful rights and interests of the Personal Data Subjects;

e) In the following situations, they may choose to not respond to Personal Data Subject's requests based on 7.6 - 7.12 of these standards, including but not exclusively:

1) Where it is related to Personal Data Controllers' performance of obligations provided by laws or regulations;

2) where there is a direct relation to national security or national defense;

3) It is directly related to public safety, public health, and major public interests;

4) Where there is a direct relation to criminal investigations, prosecutions, trials, or enforcement of judgments and the like;

5) Where Personal Data Controllers have sufficient evidence to show that the Personal Data Subject has subjective malice or abused power;

6) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their consent;

7) Where responding to the request of the Personal Data Subject would cause serious harm to the lawful rights and interests of other individuals or organizations;

8) Where commercial secrets are involved.

7.14 Complaints management

Personal Data Controllers should establish mechanisms for managing complaint appeals and processes for following up on them, and respond to complaint appeals in a reasonable amount of time.

8. Commissioned handling, sharing, transfer, and public disclosure of personal information

8.1 Commissioning Handling

When commissioning the handling of personal information, the following requirements shall be complied with:

a) Where Personal Data Controllers make commissions, they must not exceed the scope of authority and consent obtained from the Personal Data Subject, or comply with the circumstances provided for in standard 5.7;

b) Personal Data Controllers should conduct a personal information security impact assessment on commissions, ensuring that the commissioned parties achieve the Data Security Capacity requirements of 10.4;

c) The party accepting the commission should:

1) Strictly follow the requirements of Personal Data Controllers in handling personal information. If, for special reasons, the commissioned party does not follow the Personal Data Controllers' requirements in handling personal information, they should promptly reflect this to the Personal Data Controller;

2) If the commissioned party truly needs to commission again, it should first obtain the authorization of the Personal Data Controller;

3) Assist Personal Data Controllers in responding to Personal Data Subjects' requests based on 7.6 - 7.12 of these standards;

4) If the commissioned party cannot provide a sufficient level of security protections, or security incidents occur, in the course of handling personal information, they should promptly reflect this to the Personal Data Controllers.

5) When the retention relationship is dissolved, personal information is to no longer be stored.

d) Personal Data Controllers should conduct oversight of commissioned parties by means including, but not restricted to:

1) Using contracts or other such methods to provide the commissioned party's responsibilities and obligations;

2) Conducting audits of the commissioned party.

e) Personal Data Controllers should accurately record and store circumstances of commissioned handling of personal information.

8.2 Sharing and transfer of personal information

In principle, personal information must not be shared or transferred. When personal data controllers truly need to share or transfer, they should pay full attention to risks. Sharing or transfer of personal information for reasons other than acquisition, merger, reorganization, or bankruptcy should comply with the following requirements:

a) Carry out personal information security impact assessments beforehand, and employ effective measures for protecting Personal Data Subject based on the assessment results;

b) Inform the Personal Data Subject of the goal of sharing or transferring personal information and the type of recipient, and obtain the authorization and consent of the Personal Data Subject in advance; and except where sharing or transferring personal information that has been de-identified, ensuring that the recipient has no way to newly identify the Personal Data Subject.

c) Before sharing or transferring personal sensitive information, in addition to the information in 8.2b), the Personal Data Subject should also be informed of the type of personal sensitive information involved, the identity and security capability of the recipient, and obtain the explicit consent of the Personal Data Subject;

d) Accurately record and store the circumstances of sharing or transferring personal information, including the date, scale, and purpose of the sharing or transfer, as well as the basic circumstances of the recipient parties, and so forth;

e) Bear responsibility corresponding to the harms caused to Personal Data Subject's lawful rights and interests by the sharing or transfer of personal information;

f) Help Personal Data Subject understand circumstances such as the recipients' retention and use of personal information, as well as the rights of Personal Data Subject, for example, to access, correct, delete, or unregister accounts.

8.3 Transfer of personal information in acquisition, merger, reorganization, or bankruptcy

When Personal Data Controllers have acquisitions, mergers, reorganizations, bankruptcy or other changes, the Personal Data Controller should:

a) Inform the Personal Data Subject of the relevant situation;

b) The modified Personal Data Controllers should continue to perform the responsibilities and obligations of the original Personal Data Controller, and if changing the purpose of using personal information, should newly obtain the Personal Data Subject's express consent.

8.4 Disclosure of personal information

In principle, personal information must not be disclosed. When Personal Data Controllers have legal authorization or truly need to publicly disclose for legitimate reasons, they should fully emphasize risks and follow the requirements below:

a) Carry out personal information security impact assessments beforehand, and employ effective measures for protecting Personal Data Subject based on the assessment results;

b) Inform the Personal Data Subject of the goal and types of personal information being publicly disclosed, and obtain the explicit consent of the Personal Data Subject in advance;

c) Before publicly disclosing personal sensitive information other than the content of the notice in 8(b), the Personal Data Subject should also be informed of the content of sensitive personal information;

d) The circumstances of disclosing personal information are to be accurately recorded and stored, including the date, scale, goals, and scope of disclosure.

e) corresponding responsibility is borne for harms caused to Personal Data Subject by the public disclosure of personal information;

f) personal biometric distinguishing information and genetic information must not be publicly disclosed.

8.5 Exceptions to obtaining authorization and consent prior to sharing, transferring, and publicly disclosing personal information

In the following circumstances, Personal Data Controllers sharing, transferring, or publicly disclosing personal information do not need to first obtain the Personal Data Subject's authorization and consent:

a) Where it is related to Personal Data Controllers' performance of obligations provided by laws or regulations;

b) where there is a direct relation to national security or national defense;

c) where there is direct relation to public safety, public health, or major public interests;

d) Where there is a direct relation to criminal investigations, prosecutions, trials, or enforcement of judgments and the like;

e) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their consent;

f) personal information that the Personal Data Subject discloses to the public themselves;

g) Personal information that is collected from lawfully disclosed information, such as lawful news reports, open government information, and other such channels;

8.6 Joint Personal Data Controllers

When Personal Data Controllers and third parties are joint Personal Data Controllers (such as service platforms and businesses contracting with the platform), the Personal Data Controllers should satisfy personal information security requirements through methods such as joint confirmation with the third party in contract or other forms, as well as separately bearing responsibility and obligations for personal information security between themselves and the third party, and clearly informing the Personal Data Subject.

Note: Personal Data Controllers deploying third-party plugins that collect personal information in the course of providing products or services (such as website businesses, deploying statistical analysis tools, software development tools including SDK or API map calls) in that webpage or applications, where the third-party has not independently obtained the authorization and consent of the Personal Data Subject to collect and use personal information, the Personal Data Controller and the third party are joint Personal Data Controllers.

8.7 Management of third-party access

When the products or services of personal data controllers connect to third-party products or services that have personal information collecting functions and don't apply 8.1-8.6 of these standards, the requirements for the personal data controller include:

a) Should establish management mechanisms and work flows for third-party product and services access, and when necessary, establish access requirements for security assessment and other such mechanisms;

b) Should use contracts with the third-party provider of goods or services, or other forms, to clarify the security responsibilities of each party and the personal information security measures to be taken;

c) should clearly identify the products and services to the personal data subject as having a third-party provider;

d) should appropriately retain contracts and management records for third-party access to the platform, to ensure that access to them may be provided to the relevant parties;

e) Should request that third-parties solicit personal data subjects' authorization and consent to collect personal information based on the requirements of these standards, and verify the methods by which they will implement the request;

f) Should request that the third-party goods or services establish mechanisms for responding to personal data subjects' requests, complaints, and so forth, and appropriately store and promptly update them to ensure inquiries and use by personal data subjects;

g) Should prompt and oversee third-party goods and services providers' strengthening of personal information security management, and where it is discovered that third-party goods and services providers have not implemented security management requirements and responsibility, should promptly urge them to make corrections, and when necessary, stop their access;

h) Where involving third parties' embedded or accessed automation tools (such as codes, scripts, interfaces, algorithm models, software development kits, applets, etc.) it is appropriate to:

1) Conduct technological testing to ensure that conduct collecting or using personal information complies with agreed upon requirements;

2) Appropriately audit third-party embedded or accessed automation tools' conduct collecting personal information, and promptly cut access where conduct exceeding agreements is discovered.

8.8 Requirements for cross-border transmission of personal information

Where personal information collected during business operations in the mainland territory of the People's Republic of China is provided outside the mainland territory, the Personal Data Controller shall conduct security assessments in accordance with the Measures and relevant standards drafted by the State Internet Information Departments together with the relevant departments of the State Council, and comply with their requirements.

9. Resolution of Personal Information Security Incidents

9.1 Resolution of Personal Information Security Incidents

Requirements for Personal Data Controllers include:

a) a personal information security incident response plan should be drafted;

b) Emergency response training and drills should be periodically (at least once annually) organized for relevant internal personnel, giving them a grasp of the duties of their position and of emergency tactics and procedures.

c) After personal information security incidents occur, Personal Data Controllers should conduct the following disposition measures based on the emergency response plan:

1) Record the content of the incident, including but not limited to: the personnel who discovered the incident, the time, place, number of persons' personal information involved, name of the system in which the incident occurred, the impact on other connected systems, and whether enforcement organs or relevant departments have already been contacted;

2) Assess the impact that might be caused by incidents, and employ necessary measures to control the status and eliminate the emergency;

3) Follow the relevant procedures of the "National Network Security Emergency Response Plan" to promptly make a report, and the content of the report is to include, but is not limited to: the type, number, content, character, and other overall circumstances of the Personal Data Subject involved; the impact that the incident might cause, disposition measures that have already been employed, and contact information for the relevant incident response personnel;

4) If personal information leaks might have a larger impact on personal data subjects, such as leaks of sensitive personal information, consult the requirements of 10.2 of these standards to give information on the security incident.

d) Where security incidents occur in which the personal information of more than 1,000,000 people, or sensitive personal information affecting the national welfare and the people's livelihood or public interest (e.g. information on genetic or physiological characteristics, sickness, or other sensitive personal information), is leaked, destroyed, or lost, the requirements of c) of this article should be consulted in reporting the relevant circumstances to the internet information departments;

e) Promptly update the emergency response plan on the basis of changes in the relevant laws and regulations, as well as the handling of incidents.

9.2 Notifications of security incidents

Requirements for Personal Data Controllers include:

a) Personal Data Subjects that have been impacted should be promptly informed of the circumstances of an incident through means such as mail, letter, phone, push notification, and so forth. When it is difficult to notify Personal Data Subjects one by one, reasonable and effective methods should be used to release warning information relevant to the public;

b) The content of the notification should include, but is not limited to:

1) The content and impact of the security incident;

2) handling measures that have been taken or will be taken;

3) recommending that the Personal Data Subject independently take precautions to prevent and reduce risks;

4) Provision of remedial measures aimed at personal information subjects;

5) Contact information of persons responsible for protection of personal information and institutions working on personal information protection.

10. Organizational Management Requirements

10.1 Clarify responsible departments and personnel

Requirements for Personal Data Controllers include:

a) It should be made clear that their legally-designated representative or principal responsible person has comprehensive leadership responsibility for personal information security, including providing manpower, assets, and material safeguards for personal information security efforts;

b) Personnel responsible for personal information protection and organizations for personal information protection work should be appointed; and a person with relevant management experience and professional knowledge of personal information protection should serve as the person responsible for personal information protection, participate in important decisions related to personal information processing activities, and report the work directly to the organization's principal responsible person.

c) Organizations that satisfy any of the following requirements should set up a full time person responsible for personal information protection and a personal information protection body, responsible for personal information security work:

1) the primary operations involve handling personal information, and the scale of operations personnel is greater than 200;

2) Handling the personal information of more than 1,000,000 people, or expecting to handle the personal information of more than 1,000,000 people within 12 months.

d) The duties to be performed by persons responsible for protecting personal information and personal information protection work bodies include, but are not limited to:

1) Comprehensively planning the implementation and organization of personal information security work, and being directly responsible for personal information security;

2) Organize the formulation of personal information protection work plans and oversee their implementation;

3) Drafting, issuing, implementing, and periodically updating privacy policies and relevant procedures;

4) Should establish, preserve and update lists of personal information in the organization's possession (including the types, number, source, recipients and so forth of personal information) and tactics for authorizing access;

5) Carrying out personal information security impact assessments, submitting countermeasures and suggestions for protecting personal information;

6) Organizing the carrying out of personal information security training;

7) Conducting tests before products or services are released online, avoiding unknown collection, use, sharing, or other handling of personal information;

8) Publishing information such as the methods for complaints and making reports, and promptly accept complaints and reports;

9) Conducting security audits.

10) Maintain communication with the oversight and management departments, reporting on circumstances such as personal information protection and handling of incidents.

e) Necessary resources should be provided to persons with responsibility for personal information protection and personal information protection bodies, ensuring their independent performance of duties.

10.2 Personal information processing activity records

It is appropriate to establish, maintain, and update records on personal information processing activities that collect or use personal information, and the content of the records may include the following aspects:

a) the type, amount, and sources of personal information involved (for example that collected directly from personal data subjects or obtained through indirect methods);

b) Distinguish the purpose and usage scenarios for personal information processing based on business functions and authorizations, as well as commissioned processing, sharing, transfer, public disclosure, whether it involves crossing borders, and other such circumstances;

c) with each informational system, individual, or personnel related to each step of personal information handling.

10.3 Carrying out personal information security impact assessments

Requirements for Personal Data Controllers include:

a) Establish systems for personal information security impact assessments, assessing and addressing security risks in the handling of personal information;

b) Personal information security impact assessments should primarily assess handling activities' compliance with the basic principles of personal information security, as well as the impact of personal information handling on Personal Data Subjects' lawful rights and interests, with content including, but not limited to:

1) Whether the personal information collection phases complied with principles such as the clear purpose principle, selective consent, and minimum sufficient use principle;

2) Whether handling of personal information might cause adverse impact to the lawful rights and interests of Personal Data Subjects, including whether handling can harm personal and property security, harm personal reputations and physical health, or lead to discriminatory treatment;

3) The effectiveness of personal information security measures;

4) The risks that concentrating anonymized or de-identified data might newly identify Personal Data Subjects; or risks that following other types of data aggregation, Personal Data Subjects could be newly identified;

5) The adverse impacts that might be caused to Personal Data Subjects' lawful rights and interests from sharing, transfer, or public disclosure of personal information;

6) The adverse impacts that might be caused to Personal Data Subjects' lawful rights and interests if security incidents occur.

c) Before products or services are published, or when major changes occur to functions, a personal information security impact assessment should be conducted;

d) When laws and regulations have new requirements, or when there are major changes in operations models, information systems, or the operating environment, or when major personal information security incidents occur, a personal information security impact assessment should be conducted;

e) Form a personal information security impact assessment report, and employ measures to protect Personal Data Subject on this basis, reducing risks to an acceptable level;

f) Properly retain personal information security impact assessment reports, ensure that they may be provided for review to relevant parties, and disclose them externally in appropriate forms.

10.4 Data Security Capacity

On the basis of the requirements of relevant international standards, Personal Data Controllers should establish appropriate data protection capacity, put in place necessary management and technical measures, and prevent leaks, damage, and loss of personal information.

10.5 Personnel management and training

Requirements for Personal Data Controllers include:

a) confidentiality agreements should be signed with practitioners in posts handling personal information, and background investigations conducted for personnel encountering large quantities of personal sensitive information;

b) The internal security duties for different positions that involve handling personal information should be made clear, as well as punishment mechanisms for the occurrence of security incidents;

c) When personnel in positions handling personal information are transferred to other posts or terminate employment, they should be required to continue performing on confidentiality obligations;

d) Requirements for personal information security for external service personnel that might access personal information should be clarified.

e) Should establish corresponding internal systems and policies putting forward guides and requirements for staff protection of personal information;

f) Periodically (at least once each year) or when there are major changes to the privacy policy, carry out specialized training of and evaluations of personnel in positions handling personal information, ensuring that the relevant personnel are familiar with and understand the relevant provisions of the privacy policy.

10.6 Security Audits

Requirements for Personal Data Controllers include:

a) Should conduct audits of the privacy policy and relevant provisions, as well as the efficacy of security measures;

b) Should establish automated auditing systems monitoring and recording activities handling personal information;

c) Records formed in the course of auditing should be able to provide support for handling security incidents and investigations following emergency responses;

d) precautions should be taken against unauthorized access, tampering, or deletion of the audit records;

e) Use and monitoring of personal information in violation of rules, and similar circumstances, that is discovered in the course of audits, should be promptly handled.
