Information Security Techniques - Personal Information Security Specifications (6/26/19) Draft for Solicitation of Comments

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.

【Source】https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20190625175932390453&norm_id=20190104153824&recode_id=34879
【Comment Period】Until August 8, 2019

1 Scope

These standards regulate the principles and security requirements that should be followed in acts handling personal information such as collection, storage, use, sharing, transfer, and disclosure.

These standards apply to regulating all types of organizations' activities handling personal information, and also apply to competent supervisory departments' and third-party assessment organizations' supervision, management, and evaluation of personal information handling activities.

2 Normative reference documents

The following documents are essential for the application of this document. For dated reference documents, only the dated version applies to this document. For undated reference documents, the newest version (including all amendments) applies to this document.

GB/T 25069—2010 Information Security Technology, Terminology

3 Terms and Definitions

The following terms and definitions and those defined in GB/T 25069—2010 apply to this document.

3.1

个人信息 personal information

All kinds of information recorded electronically or through other means, that either alone or in combination with other information can identify specific natural persons or reflect the activities of specific natural persons.

Note 1: Personal information includes full name, date of birth, identification card number, personal biometric information, address, communications contact information, communication records and content, account passwords, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, transaction information, and so forth.

Note 2: Refer to Appendix A for methods of identifying personal information and for types of personal information.

3.2

个人敏感信息 personal sensitive information

Personal information that, once disclosed, illegally provided, or abused, might endanger personal and property security, can easily lead to harms to personal reputation, physical and psychological health, or discriminatory treatment, and so forth.

Note 1: Personal sensitive information includes personal ID card numbers, personal biometric information, bank account numbers, communication records and content, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, transaction information, the personal information of children 14 years old and under, and so forth.

Note 2: Consult Appendix B for the means of determining and types of personal sensitive information.

3.3

个人信息主体 personal information subject

The natural person identified by personal information.

3.4

个人信息控制者 personal information controller

The organization or individual that has the right to decide the purposes and methods of handling personal information, and so forth.

3.5

收集 collect

Acts of acquiring control of personal information, including through active provision by the Personal Data Subject; through automatic collection, such as in interactions with or recording the activity of Personal Data Subjects; and through indirect methods of acquiring personal information, such as sharing, transfer, and compilation of public information.

Note: If the provider of a product or service provides tools for use by Personal Data Subject, but the provider does not access personal information, it is not collection as referred to in this standard.

3.6

明示同意 explicit consent

The act by which the Personal Data Subject, through a proactive written statement or an autonomous affirmative action, explicitly authorizes the specific handling of their personal information.

Note: Affirmative actions include statements actively made by the Personal Data Subject (electronic or on paper), actively checking off selections, clicking on "agree", "register", "send", or "call", and actively completing or providing information.

3.7

用户画像 user profiling

The process of using the collection, aggregation, and analysis of personal information to form a model of the personal features of a particular natural person, such as employment, economics, health, education, personal preferences, credit, and behavior, to make analysis and predictions.

Note: Directly using the personal information of a specific natural person to form a model of the natural person's features, is called a direct user profile. Using personal information other than that from a specific natural person, such as the data of groups they are in, to form a model of the features of that natural person, is called an indirect user profile.

3.8

个人信息安全影响评估 personal information security impact assessment

The process of testing activities handling personal information for compliance with laws and regulations, judging all kinds of risks to Personal Data Subjects' lawful rights and interests, and assessing the effectiveness of the measures used to protect Personal Data Subjects.

3.9

删除 delete

Removing personal information from the systems involved in realizing routine business functions, so that it remains in a state where it cannot be retrieved or accessed.

3.10

公开披露 public disclosure

The act of publishing information to the public or to unspecified groups of people.

3.11

转让 transfer of control

The process of transferring control of personal data to another controller.

3.12

共享 sharing

The process by which Personal Data Controllers provide personal information to other controllers, and both have separate and independent control of the personal information.

3.13

匿名化 anonymization

The process of technically processing personal information so that the Personal Data Subject cannot be identified, and so that after processing, the information cannot be restored.

Note: After personal information is anonymized, the information obtained is not personal information.

3.14

去标识化 de-identification

The process of technical processing of personal information so that without additional information the Personal Data Subject cannot be identified.

Note: De-identification operates at the level of the individual and preserves individual-level granularity, employing technological measures such as encryption and hash functions to stand in for personal information.

3.15

个性化展示 personalized display

Displaying information content to, and providing search results for products and services to, a specified personal data subject based on that subject's personal information, such as their internet browsing history, interests, purchase records, and habits.

3.16

业务功能 business function

Operations or functions satisfying the specific usage needs of Personal Data Subjects, such as map navigation, online ride-hailing services, instant messaging, online payments, news alerts, online shopping, courier services, transportation ticketing, and so forth.

4 Basic principles of personal information security

Personal Data Controllers carrying out activities handling personal information should obey the following basic principles:

a) Principle of commensurate powers and responsibilities: employ necessary technological or other measures to safeguard the security of personal information, and bear responsibility for harms caused to Personal Data Subjects' lawful rights and interests in processing their information.

b) Principle of clear purpose: have a lawful, proper, necessary, and clear-cut purpose for handling personal information.

c) Principle of choice and consent: state the purposes, methods, scope, and rules for processing personal information to the Personal Data Subject, and solicit their authorization and consent.

d) Principle of minimum necessity: handle only the smallest amount and fewest types of personal information necessary to satisfy the purpose for which the personal data subject gave authorization and consent; after the purpose is achieved, the personal information should be promptly deleted.

e) Principle of openness and transparency: disclose the scope, purpose, and rules for processing personal information in a clear and comprehensible manner, and accept external oversight.

f) Principle of guaranteeing security: possess security capabilities matching the security risks faced, and adopt sufficient administrative and technological measures to safeguard the confidentiality, integrity, and availability of personal information.

g) Principle of subject participation: provide Personal Data Subjects with means to access, correct, and delete their personal information, to revoke authorization and consent, to unregister accounts, and to lodge complaints.

5 Collection of Personal Information

5.1 Legality of the collection of personal information

Requirements for Personal Data Controllers include:

a) personal information should not be obtained through trickery, enticements, or misdirection;

b) Functions of products or services that collect personal information should not be concealed;

c) information should not be obtained through illegal channels;

d) Personal information whose collection is expressly prohibited by laws and administrative regulations should not be collected.

5.2 Necessity of minimizing the collection of personal information

Requirements for Personal Data Controllers include:

a) The type of personal information collected should be directly related to realizing the products or services' business functions; and directly related refers to the products or services' business functions being impossible to realize without such information;

b) The frequency of the automatic collection of personal information should be the minimum frequency necessary to achieve the business function of a product or service;

c) The amount of indirectly acquired personal information should be the minimum amount that is necessary to achieve the business function of a product or service.

5.3 Not compelling acceptance of multiple business functions

When products or services provide multiple business functions that require the collection of personal information, the personal data controller should not force the personal data subject to accept the business functions provided by the product or service and the corresponding personal information collection requests against their independent will.

a) Should not use bundling of business functions of goods or services to request that personal data subjects accept, authorize, and consent to each business function's request to collect personal information at one time.

b) Should make autonomous acts of selection by Personal Data Subjects, such as actively clicking, checking, or filling out, a requirement for activating specified business functions of products and services. Personal data controllers should begin collecting personal information only after Personal Data Subjects have activated business functions and the requirements of 5.4 of these Standards are met;

c) The channels or methods for closing or exiting business functions should be just as convenient as the channels or methods by which personal data subjects select to use the business functions. After personal data subjects close or exit specified business functions, the personal data controllers should stop that business functions' collection of personal information;

d) Where Personal Data Subjects do not consent to the use, or close or exit specified business functions, the personal data controllers should not frequently solicit the personal data subjects' authorization and consent;

e) Where Personal Data Subjects do not consent to the use, or close or exit specified business functions, the personal data controllers must not suspend other business functions that the personal data subjects voluntarily selected to use, or lower the service quality of other business functions.

5.4 Authorization and consent for collection of personal information

Requirements for Personal Data Controllers include:

a) In collection of personal information, information is to be given to the Personal Data Subject on the purpose, methods, and scope, and Personal Data Subjects' authorization and consent is to be acquired;

Note 1: When a product or service provides only one business function that collects or uses personal information, personal data controllers may inform Personal Data Subjects through the privacy policy; where products or services provide multiple business functions that collect or use personal information, then in addition to the privacy policy, personal data controllers are to inform Personal Data Subjects of the purpose, methods, and scope of collection and use of personal information at the start of collecting the specified personal information, so that Personal Data Subjects can fully consider the specific impact on them before deciding whether to give specific authorization and consent.

Note 2: Refer to Appendix C for realization measures meeting the requirements of 5.3 and 5.4 a) of these Standards.

b) Before personal sensitive information is collected, the Personal Data Subject's explicit consent should be solicited, and it should be ensured that the Personal Data Subject's explicit consent was autonomously given by them on a foundation of full understanding, is specific, and is a clear and definite expression of their wishes.

c) Before collecting the personal information of minors who have reached 14 years of age, their explicit consent or that of their guardians should be obtained; for those under 14 years of age, the explicit consent of their guardians should be obtained.

d) When indirectly collecting personal information:

1) The party providing the personal information should be requested to explain the source of the personal information, and the legality of that source should be confirmed;

2) The scope of authorization and consent that the party providing the personal information has already obtained should be understood, including the purposes of use and whether the Personal Data Subject has authorized and consented to transfer, sharing, public disclosure, and so forth. If the personal information processing activities that the organization's business operations require exceed that scope of authorization and consent, the Personal Data Subject's explicit consent should be obtained within a reasonable period after the personal information is acquired, or before the personal information is processed.

5.5 Privacy Policy Template

Requirements for Personal Data Controllers include:

a) Privacy policies should be drafted, with content that includes but is not limited to:

1) Personal data controllers' basic circumstances including the entity identity, contact information, etc;

2) The business functions that collect or use personal information, and the types of personal information collected by each business function separately. Where personal sensitive information is involved, it needs to be clearly identified or conspicuously highlighted;

3) Rules for the processing of personal information, such as the collection methods, storage period, and situations of sending information abroad;

4) The purpose of external sharing, transfer, or public disclosure of personal information, the types of personal information involved, the types of third-parties receiving personal information, as well as the security and legal responsibility borne;

5) The rights of Personal Data Subject and mechanisms for realizing them, such as methods for making inquiries, making corrections, making deletions, unregistering accounts, revoking authorization and consent, obtaining copies of personal information, appealing outcomes of automatic decisions by information systems, and so forth;

6) the security risks that might be present after providing the personal information, and the impact that might come from not providing the personal information;

7) A statement of compliance with the basic principles of personal information security, of the data security capabilities possessed, and of the personal information security protection measures employed; where necessary, proof of compliant data security and personal information protection may be made public;

8) Channels and mechanisms for handling Personal Data Subjects' inquiries and complaints, as well as contact information for external dispute resolution bodies.

b) The information given in privacy policies should be true, accurate, and complete;

c) The content of privacy policies should be clear and understandable, consistent with common customary language, use standardized figures, illustrations, and so forth, and avoid the use of ambiguous language;

d) Privacy policies should be publicly disclosed and easily accessed, such as by setting up links on websites' home page, the installation page for mobile applications, the interactive interface in Appendix C of these Standards, or by setting up other conspicuous places;

e) Privacy policies should be sent to Personal Data Subjects individually. When the costs are too high or there are clear difficulties, they may be published by public announcement;

f) Where the matters indicated in a) of this article are changed, the privacy policy should be promptly updated and the Personal Data Subject should be newly informed.

Note 1: Consult Appendix D for the content of privacy policies. The primary function of a privacy policy is to disclose the scope and rules for the Personal Data Controller's collection and use of personal information.

Note 2: When Personal Data Subjects use products or services for the first time, register accounts, or in other such situations, use methods such as pop-up windows to proactively alert them to the primary or core content of the privacy policy, helping users understand the scope and rules for that product or service's processing of personal information and decide whether to continue using the product or service.

5.6 Exceptions to acquiring authorization and consent

In the following situations, Personal Data Controllers do not need to obtain the authorization and consent of the Personal Data Subject for collection and use of personal information:

a) Where it is related to the Personal Data Controller's performance of obligations provided by laws or regulations;

b) Where there is a direct relation to national security or national defense;

c) Where there is a direct relation to public safety, public health, or major public interests;

d) Where there is a direct relation to criminal investigations, prosecutions, trials, enforcement of judgments, and so forth;

e) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their authorization and consent;

f) Where the personal information involved was voluntarily disclosed to the public by the Personal Data Subject;

g) Where necessary for signing and performing a contract requested by the Personal Data Subject;

h) Where the personal information is collected from lawfully publicly disclosed information, such as lawful news reports, open government information, and other such channels;

i) Where necessary to preserve the secure and stable operation of the products or services provided, such as discovering or handling faults in the product or service;

j) Where the Personal Data Controller is a news unit and the information is needed to carry out lawful news reporting; or where the Personal Data Controller is an academic research institution and the information is needed to carry out statistics or academic research in the public interest, and the personal information contained in the results is de-identified when academic research outcomes or descriptions are provided externally.

6 Storage of Personal Information

6.1 Minimization of personal information storage time

Requirements for Personal Data Controllers include:

a) the retention period for personal information should be the shortest time necessary to realize the purpose of the use authorized by the personal data subjects, unless otherwise provided by laws and regulations or otherwise authorized and consented to by the personal data subjects;

b) After the period for storing personal information described above is exceeded, the personal information should be deleted or anonymized.

6.2 De-identification processing

After collection of personal information is completed, Personal Data Controllers should immediately conduct de-identification processing, and employ technical and management measures to store the de-identified information separately from the information that can be used to restore identities.

6.3 Transfer and storage of personal sensitive information

Requirements for Personal Data Controllers include:

a) When personal sensitive information is transferred or stored, security measures such as encryption should be employed;

b) When storing personal biometric identification information, it should be stored only after information security has been ensured through technological measures, such as storing the original information separately from a summary (digest) of the personal biometric identification information, or storing only the summary information.
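The separation that 6.2 and 6.3 b) call for (de-identified data in one place, the material needed to restore identities in another, and only a digest of a biometric template at rest) can be made concrete in code. The following Python is an added example written for this page, not code from the standard or from any project it references; the record layout, the field names treated as direct identifiers, and the 16-character HMAC token format are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumption about the record layout;
# the standard prescribes no schema).
DIRECT_IDENTIFIERS = ("name", "id_card", "phone")


class ReidentificationStore:
    """Holds the key and the token-to-value mapping needed to restore identities.

    This object is what 6.2 says must be stored separately from the de-identified
    data set, under its own access controls. Without it, tokens reveal nothing.
    """

    def __init__(self, key=None):
        # 256-bit HMAC key; a fixed key keeps tokens stable across records
        self.key = key if key is not None else secrets.token_bytes(32)
        self.mapping = {}  # token -> original value

    def token_for(self, field_name, value):
        # Keyed hash rather than a plain hash: without the key, nobody can
        # rebuild the token for a guessed phone number or ID card number.
        msg = f"{field_name}:{value}".encode("utf-8")
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        self.mapping[token] = value
        return token

    def restore(self, token):
        return self.mapping[token]


def deidentify(record, store):
    """Return a copy of record with direct identifiers replaced by tokens."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = store.token_for(name, out[name])
    return out


def reidentify(record, store):
    """Reverse deidentify(); requires the separately held store."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = store.restore(out[name])
    return out


def biometric_digest(template):
    """Summary to keep instead of a raw biometric template (6.3 b).

    A plain digest only supports exact-match verification of the same template
    bytes; fuzzy biometric matching needs a protected-template scheme, which
    this example does not cover.
    """
    return hashlib.sha256(template).hexdigest()


# Constructed sample record; every value is fictitious.
SAMPLE = {"name": "Zhang San", "id_card": "11010119900101123X",
          "phone": "13800000000", "order_total": 199.0}


def demo():
    store = ReidentificationStore()
    analytics_view = deidentify(SAMPLE, store)   # goes to the working data set
    restored = reidentify(analytics_view, store)  # only possible with the store
    return analytics_view, restored


if __name__ == "__main__":
    view, back = demo()
    print(view)
    print("round trip ok:", back == SAMPLE)
```

The point of the keyed token is that a leak of the de-identified data set alone does not let anyone reverse the tokens, even for values that are easy to enumerate such as phone numbers; the re-identification store is the asset that needs the stronger controls.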

6.4 Stopping operations of Personal Data Controllers

When Personal Data Controllers stop operations of their products or services, they should:

a) Promptly stop the continuation of activities collecting personal information;

b) Send the notice of stopping operations to every Personal Data Subject either individually or by public announcement;

c) Carry out deletion or anonymization of the personal information they possess.

7 The use of personal information

7.1 Measures on controlling access to personal information

Requirements for Personal Data Controllers include:

a) A minimum-authorization access control policy should be established for personnel authorized to access personal information, giving them access only to the minimum amount of personal information sufficient for their duties, and only the minimum authority to manipulate data required to complete their duties;

b) An internal examination and approval process should be set up for important operations such as batch modification, copying, and downloading;

c) The roles of security management personnel, data operation personnel, and audit personnel should be set up separately;

d) If the work requires authorization for specific personnel to exceed authority to handle personal information, it should be subject to examination and approval by the person responsible for protecting personal information or the working body for personal information protection and recorded;

NOTE: For determining the person responsible for protecting personal information or the working body for personal information protection, see 10.1 of these Standards.

e) Access, revision, and other operations on personal sensitive information should be controlled according to the scope of authority of the role, with authorization triggered by the needs of business processes. For example, complaint handling personnel may only access a user's relevant information upon a complaint by that user.
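Items a), b) and e) of 7.1 describe three distinct controls: field-level least privilege per role, an approval gate in front of batch operations, and access that is triggered by a business event (an open complaint) rather than granted standing. The Python below is an added example for this page, not code from the standard; the role names, the per-role field sets, the approval-id mechanism and the log format are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Minimum fields each role may read (assumed roles and field sets; the standard
# names security management, data operation and audit roles but no field list).
ROLE_FIELDS = {
    "complaint_handler": {"name", "phone", "order_history"},
    "data_operator": {"order_history"},
    "security_admin": set(),      # configures controls, reads no personal data
    "auditor": {"access_log"},
}

# Operations that need prior internal approval before they run (7.1 b)
APPROVAL_REQUIRED = {"batch_modify", "batch_copy", "batch_download"}


@dataclass
class Complaint:
    complainant: str
    closed: bool = False


@dataclass
class AccessController:
    complaints: list = field(default_factory=list)
    approvals: set = field(default_factory=set)     # approval ids already granted
    access_log: list = field(default_factory=list)  # every decision, allow or deny

    def open_complaint(self, user_id):
        self.complaints.append(Complaint(user_id))

    def close_complaints(self, user_id):
        for c in self.complaints:
            if c.complainant == user_id:
                c.closed = True

    def _log(self, actor, subject, action, decision):
        self.access_log.append(
            (datetime.now().isoformat(), actor, subject, action, decision))

    def authorize_read(self, actor, role, subject_id, fields):
        """Field-level least privilege, plus need-triggered access for
        complaint handlers: no open complaint from the subject, no access."""
        allowed = ROLE_FIELDS.get(role, set())
        action = f"read {sorted(fields)}"
        if set(fields) - allowed:
            self._log(actor, subject_id, action, "deny:role")
            return False
        if role == "complaint_handler":
            has_open = any(c.complainant == subject_id and not c.closed
                           for c in self.complaints)
            if not has_open:
                self._log(actor, subject_id, action, "deny:no-open-complaint")
                return False
        self._log(actor, subject_id, action, "allow")
        return True

    def authorize_batch(self, actor, role, operation, approval_id=None):
        """Batch operations run only against a recorded approval (7.1 b)."""
        if operation in APPROVAL_REQUIRED and approval_id not in self.approvals:
            self._log(actor, "*", operation, "deny:unapproved")
            return False
        self._log(actor, "*", operation, "allow")
        return True


if __name__ == "__main__":
    ac = AccessController()
    print(ac.authorize_read("alice", "complaint_handler", "u1", ["phone"]))  # False
    ac.open_complaint("u1")
    print(ac.authorize_read("alice", "complaint_handler", "u1", ["phone"]))  # True
    for entry in ac.access_log:
        print(entry)
```

Denials are logged as well as grants, which is what the audit role in c) needs to review: a handler repeatedly denied for subjects without an open complaint is a signal worth following up.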

7.2 Limits on displaying personal information

Where interfaces are involved in displaying personal information (such as on screen or on paper), Personal Data Controllers should employ measures such as de-identification of the displayed personal information, reducing the risk that the personal information will be leaked during display. For example, when personal information is displayed, prevent unauthorized internal personnel and persons other than the Personal Data Subject from obtaining the personal information without authorization.
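The usual way to apply 7.2 is to mask values at render time according to who is looking: the subject sees their own data in full, while staff screens and printouts get partially masked values. The Python below is an added example for this page, not code from the standard; the masking rules (keep the first three and last four characters of phone and ID numbers, the first character of names and e-mail local parts) and the sample record are assumptions chosen for the illustration.

```python
def mask_middle(value, keep_head, keep_tail):
    """Replace everything between the first keep_head and last keep_tail
    characters with '*'. Values too short to keep both ends are fully masked,
    so a short or malformed value never leaks through."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * hidden + value[-keep_tail:]


def mask_phone(phone):
    return mask_middle(phone, 3, 4)        # 13800000000 -> 138****0000


def mask_id_number(id_no):
    return mask_middle(id_no, 3, 4)        # 18-character ID: 110***********123X


def mask_name(name):
    # Keep only the first character; single-character names are fully masked.
    if len(name) <= 1:
        return "*" * len(name)
    return name[0] + "*" * (len(name) - 1)


def mask_email(email):
    local, sep, domain = email.partition("@")
    if not sep:
        return "*" * len(email)            # not an address: mask it entirely
    return mask_name(local) + "@" + domain


# Which masker applies to which field (assumed field names)
MASKERS = {"phone": mask_phone, "id_card": mask_id_number,
           "name": mask_name, "email": mask_email}


def render_for_display(record, viewer_is_subject):
    """Full values for the subject; masked values for everyone else."""
    if viewer_is_subject:
        return dict(record)
    return {k: (MASKERS[k](v) if k in MASKERS else v) for k, v in record.items()}


# Constructed sample record; every value is fictitious.
SAMPLE = {"name": "Zhang San", "id_card": "11010119900101123X",
          "phone": "13800000000", "email": "zhangsan@example.com",
          "order_total": 199.0}


if __name__ == "__main__":
    print(render_for_display(SAMPLE, viewer_is_subject=False))
```

Masking in the rendering layer rather than in the database keeps the stored record intact for the functions that legitimately need it, and the single `render_for_display` entry point is the place to audit when a new screen or report is added.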

7.3 Limits on the use of personal information

Requirements for Personal Data Controllers include:

a) When using personal information, use should not exceed a scope directly and reasonably connected with the purpose stated when the personal information was collected. Where, due to operational requirements, it is truly necessary to use personal information beyond that scope, the Personal Data Subject's explicit consent should be obtained again;

NOTE: Descriptions of the overall state of natural, scientific, social, economic, or other phenomena, arrived at through academic research using collected personal information, are within the scope reasonably related to the purpose for collecting personal information. However, when providing academic research externally or describing results, the personal information contained in the results should be de-identified.

b) All information produced through the processing of collected personal information that can, either independently or in conjunction with other information, identify natural persons, or reflect the activities of natural persons, should be considered personal information.

Note: Where personal information generated through processing is personal sensitive information, its handling shall comply with these Standards requirements for personal sensitive information.

7.4 Limits on the use of user profiles

Requirements for Personal Data Controllers include:

a) Descriptions of Personal Data Subjects' characteristics in user profiles should not:

1) Include pornographic, sexual, superstitious, terrorist or violent content;

2) Express content that discriminates on the basis of ethnicity, race, religion, or health;

b) Where user profiles are used in business operations or external cooperative operations, they should not:

1) Infringe protections of citizens, legal persons, and other organizations' lawful rights and interests;

2) endanger network security, and must not use the network to engage in activities endangering national security, national honor and interests, inciting subversion of national sovereignty, the overturn of the socialist system, inciting separatism, undermining national unity, advocating terrorism or extremism, inciting ethnic hatred and ethnic discrimination, disseminating violent, obscene or sexual information, creating or disseminating false information to disrupt the economic or social order.

c) Except as necessary to achieve the purposes authorized by the personal data subjects, when using personal information clear identity indicators should be removed, to avoid precise targeting of specific individuals. For example, to accurately appraise personal credit states, direct user profiles may be used, but when used for the purpose of delivering commercial advertisements, it is appropriate to use indirect user profiles.

7.5 Personalized displays and exit

Requirements for Personal Data Controllers include:

a) Where personalized displays are used in delivering news information services to personal data subjects, they should:

2) Provide simple and intuitive options for personal data subjects to exit or close the personalized display mode.

b) Where e-business operators provide consumers with search results for merchandise or services that are personalized based on their hobbies and interests, spending habits, or other characteristics, they shall at the same time provide said consumers with options that do not target their personal characteristics;

Note: Ordering displays and search results based on the specified locations selected by users, but not displaying different content and search result orders due to users' different identities, are options that do not target personal characteristics.

c) Where personalized displays are used in providing business functions to personal data subjects, they should:

1) Establish independent control mechanisms for personal data subjects over the personal information relied upon by personalized displays (such as tags, profile dimensions, and so forth), to ensure personal data subjects' ability to adjust the extent of personalized displays;

2) When personal data subjects opt to exit personalized display mode, provide the personal data subjects with options to delete or anonymize the personal information on which the targeted delivery is based.

7.6 Aggregation and integration of personal information collected for different operational goals

Requirements for Personal Data Controllers include:

a) Comply with the requirements of 7.3 of these Standards;

b) Personal information security impact assessments should be carried out based on the purposes for which aggregated and integrated personal information is used, and appropriate measures for protecting personal information should be employed.

7.7 Use of automatic decision-making mechanisms in information systems

Where information systems used in personal data controllers' business operations possess automatic decision-making mechanisms that can clearly impact the rights and interests of personal data subjects (such as systems that automatically decide personal credit and loan amounts, or that automate the screening of candidates for interviews), they should:

a) In the planning stage or before first use, carry out a personal information security impact assessment, and employ effective measures for protecting Personal Data Subjects based on the assessment results;

b) In the course of use, periodically (at least once annually) carry out personal information security impact assessments, and improve measures for protecting Personal Data Subjects based on the assessment results;

c) Provide Personal Data Subjects with channels for complaints and appeals directed at the outcomes of automatic decision-making, and for manual correction of those outcomes.

7.8 Inquiries into personal information

Personal Data Controllers should provide Personal Data Subjects with methods for inquiring into the following information:

a) All personal information they have regarding that subject or class of personal information;

b) The source, and reason for having, the personal information described above;

c) The identity or class of third-parties that have already obtained the personal information described above.

Note: When Personal Data Subjects propose inquiries into personal information that was not actively provided, upon comprehensive consideration of the risks and harms that not complying might cause for the lawful rights and interests of the Personal Data Subject, as well as the technical feasibility, costs of bringing about the request and other such factors, the Personal Data Controller is to make a decision on whether or not to comply, and give explanations.

7.9 Correction of personal information

Where Personal Data Subjects find that their own personal information in the possession of Personal Data Controllers contains errors or is incomplete, the Personal Data Controller should provide them with methods for correcting or supplementing the information.

7.10 Deletion of personal information

Requirements for Personal Data Controllers include:

a) Where the following conditions are met and Personal Data Subjects request deletion, the personal information should be promptly deleted:

1) Personal Data Controllers violate provisions of laws or regulations, in collecting or using personal information;

2) Personal Data Controllers violate agreements with the Personal Data Subject in collecting or using information.

b) Where Personal Data Controllers share or transfer personal information in violation of laws, regulations, or agreements with Personal Data Subject, and the Personal Data Subject requests that they delete it, the Personal Data Controller should immediately stop the sharing and transfer, and inform third-parties to delete it.

c) Where Personal Data Controllers violate provisions of laws or regulations, or violate agreements with Personal Data Subject, in publicly disclosing personal information, and the Personal Data Subject requests deletion, the Personal Data Controller should immediately stop the public disclosure, and issue a notice requesting that relevant recipients delete the corresponding information.

7.11 Personal Data Subjects' revocation of authorization and consent

Requirements for Personal Data Controllers include:

a) Personal Data Subjects should be provided with methods for revoking authorization and consent for the collection and use of personal information. After authorization and consent is revoked, Personal Data Controllers should not continue to handle the relevant personal information.

b) Personal Data Subjects' right to refuse to accept delivery of commercial advertisements based on their personal information should be guaranteed. Personal Data Subjects should be provided with a method for revoking authorization and consent for external sharing, transfer, and public disclosure of personal information.

Note: Revocation of authorization and consent does not impact the prior handling of personal information based on that authorization and consent.

7.12 Unregistering Personal Data Subjects' accounts

Requirements for Personal Data Controllers include:

a) Personal Data Controllers that provide services through registered accounts should provide Personal Data Subjects with methods for unregistering accounts, and those methods should be simple and easy to perform;

b) After Personal Data Subjects unregister accounts, their personal information should be promptly deleted or anonymized.

7.13 Personal Data Subjects' acquisition of copies of personal information

On the request of the Personal Data Subject, Personal Data Controllers should provide methods for Personal Data Subjects to obtain copies of the following types of personal information, or, so long as it is technically feasible, directly transfer the following types of personal information to third parties designated by the Personal Data Subject:

a) Basic personal materials and personal ID information;

b) Personal health and physiological information, and personal education and work information.

7.14Responding to requests from personal data subjects

Requirements for Personal Data Controllers include:

a) After verifying Personal Data Subjects' identities, their requests based on 7.8–7.13 of these standards should be promptly complied with; a response and explanation should be given within thirty days or within the period provided by laws and regulations, and the Personal Data Subject is to be informed of channels for external dispute resolution;

b) Appropriate mechanisms should be set up directly in the functional interfaces provided by goods or services (e.g. application programs may set up special options, functions, or interfaces, etc.), facilitating personal data subjects' online exercise of their rights to access, correct, delete, withdraw authorization and consent, deregister accounts, and so forth;

c) In principle, fees are not charged for reasonable requests, but where requests are repeated within a certain period, fees covering costs may be charged in light of the circumstances;

d) If directly realizing the requests of the Personal Data Subject requires spending large amounts, or if there are clear difficulties, the Personal Data Controller should provide the Personal Data Subject with alternative methods, to protect the lawful rights and interests of the Personal Data Subjects;

e) In the following situations, including but not limited to, Personal Data Controllers may choose not to respond to Personal Data Subjects' requests based on 7.8–7.13 of these standards:

1) Where it is related to the Personal Data Controller's performance of obligations provided by laws or regulations;

2) Where there is a direct relation to national security or national defense;

3) Where there is a direct relation to public safety, public health, or major public interests;

4) Where there is a direct relation to criminal investigations, prosecutions, trials, enforcement of judgments, and the like;

5) Where the Personal Data Controller has sufficient evidence to show that the Personal Data Subject has subjective malice or is abusing power;

6) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their authorization and consent;

7) Where responding to the request of the Personal Data Subject would cause serious harm to the lawful rights and interests of other individuals or organizations;

8) Where commercial secrets are involved.

7.15 Complaint management

Personal Data Controllers should establish mechanisms and follow-up processes for managing complaints and appeals, and respond to complaints and appeals within a reasonable time.

8 Commissioned handling, sharing, transfer, and public disclosure of personal information

8.1 Commissioned processing

When commissioning the handling of personal information, the following requirements shall be complied with:

a) Where Personal Data Controllers commission handling, they should not exceed the scope of the authorization and consent obtained from the Personal Data Subject, or should fall within the circumstances provided for in 5.6 of these standards.

b) Personal Data Controllers should conduct a personal information security impact assessment on the commission, ensuring that the commissioned party meets the data security capacity requirements provided for in 10.4 of these standards.

c) The party accepting the commission should:

1) Strictly follow the requirements of the Personal Data Controller in handling personal information. Where, for special reasons, the commissioned party does not follow the Personal Data Controller's requirements in handling personal information, it should promptly report this back to the Personal Data Controller;

2) Where the commissioned party truly needs to sub-commission the handling, it should first obtain the authorization of the Personal Data Controller;

3) Assist the Personal Data Controller in responding to Personal Data Subjects' requests based on 7.8–7.13 of these standards;

4) Where the commissioned party cannot provide a sufficient level of security protection, or a security incident occurs, in the course of handling personal information, it should promptly report this back to the Personal Data Controller;

5) When the commission relationship is dissolved, the personal information is to no longer be stored.

d) Personal Data Controllers should conduct oversight of commissioned parties by means including, but not restricted to:

1) Using contracts or other such methods to specify the commissioned party's responsibilities and obligations;

2) Conducting audits of the commissioned party.

e) Personal Data Controllers should accurately record and store circumstances of commissioned handling of personal information.

8.2 Sharing and transfer of personal information

When Personal Data Controllers share or transfer personal information, they should pay full attention to the risks. Sharing or transfer of personal information for reasons other than acquisition, merger, reorganization, or bankruptcy should comply with the following requirements:

a) Carry out a personal information security impact assessment beforehand, and employ effective measures for protecting Personal Data Subjects based on the assessment results;

b) Inform the Personal Data Subject of the purpose of sharing or transferring the personal information and the type of recipient, and obtain the authorization and consent of the Personal Data Subject in advance. This does not apply where the personal information being shared or transferred has been de-identified and it is ensured that the recipient has no way to re-identify the Personal Data Subject;

c) Before sharing or transferring personal sensitive information, in addition to the content of the notice in 8.2 b), the Personal Data Subject should also be informed of the type of personal sensitive information involved and of the identity and security capability of the recipient, and the explicit consent of the Personal Data Subject should be obtained;

d) Accurately record and store the circumstances of sharing or transferring personal information, including the date, scale, and purpose of the sharing or transfer, as well as the basic circumstances of the recipient parties, and so forth;

e) Bear responsibility corresponding to the harms caused to Personal Data Subject's lawful rights and interests by the sharing or transfer of personal information;

f) Help Personal Data Subjects understand circumstances such as the recipients' retention and use of the personal information, as well as the rights of Personal Data Subjects, for example, to access, correct, delete, or unregister accounts.

8.3 Transfer of personal information in acquisition, merger, reorganization, or bankruptcy

When Personal Data Controllers undergo acquisition, merger, reorganization, bankruptcy, or other such changes, they should:

a) Inform the Personal Data Subject of the relevant situation;

b) The Personal Data Controller after the change should continue to perform the responsibilities and obligations of the original Personal Data Controller, and if changing the purpose of using the personal information, should newly obtain the Personal Data Subject's express consent.

8.4 Disclosure of personal information

In principle, personal information should not be publicly disclosed. When Personal Data Controllers have legal authorization or truly need to publicly disclose it for legitimate reasons, they should fully consider the risks and comply with the requirements below:

a) Carry out a personal information security impact assessment beforehand, and employ effective measures for protecting Personal Data Subjects based on the assessment results;

b) Inform the Personal Data Subject of the purpose of the public disclosure and the types of personal information being disclosed, and obtain the explicit consent of the Personal Data Subject in advance;

c) Before publicly disclosing personal sensitive information, in addition to the content of the notice in 8.4 b), the Personal Data Subject should also be informed of the content of the personal sensitive information involved;

d) Accurately record and store the circumstances of the public disclosure of personal information, including the date, scale, purpose, and scope of the disclosure;

e) Bear responsibility corresponding to the harms caused to Personal Data Subjects' lawful rights and interests by the public disclosure of personal information;

f) Personal biometric identification information and genetic information should not be publicly disclosed.

8.5 Exceptions to obtaining authorization and consent prior to sharing, transferring, and publicly disclosing personal information

In the following circumstances, Personal Data Controllers sharing, transferring, or publicly disclosing personal information do not need to first obtain the Personal Data Subject's authorization and consent:

a) Where it is related to the Personal Data Controller's performance of obligations provided by laws or regulations;

b) Where there is a direct relation to national security or national defense;

c) Where there is a direct relation to public safety, public health, or major public interests;

d) Where there is a direct relation to criminal investigations, prosecutions, trials, enforcement of judgments, and so forth;

e) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their authorization and consent;

f) Where the Personal Data Subject has themselves disclosed the personal information to the public;

g) Where the personal information is collected from lawfully disclosed information, such as lawful news reports, open government information, and other such channels.

8.6 Joint Personal Data Controllers

When Personal Data Controllers and third parties are joint Personal Data Controllers (such as a service platform and a business operating on the platform), the Personal Data Controller should, by means such as joint confirmation with the third party in a contract or other form, determine the personal information security requirements to be satisfied and the responsibilities and obligations for personal information security that it and the third party each bear, and clearly inform the Personal Data Subject.

Note: Where Personal Data Controllers, in the course of providing products or services, deploy in their webpages or applications third-party plugins that collect personal information (such as a website operator deploying statistical analysis tools, software development kits (SDKs), or map API calls), and the third party has not independently obtained the Personal Data Subject's authorization and consent to collect and use the personal information, the Personal Data Controller and the third party are joint Personal Data Controllers.

8.7 Management of third-party access

When the products or services of Personal Data Controllers connect to third-party products or services that have personal information collection functions and to which 8.1–8.6 of these standards do not apply, the requirements for the Personal Data Controller include:

a) Should establish management mechanisms and workflows for access by third-party products and services, and where necessary establish mechanisms such as security assessments as requirements for access;

b) Should use contracts with the third-party provider of the products or services, or other forms, to clarify the security responsibilities of each party and the personal information security measures to be taken;

c) Should clearly indicate to Personal Data Subjects that the products or services are provided by a third party;

d) Should appropriately retain the contracts and management records for third-party access to the platform, so that they may be provided to relevant parties for review;

e) Should request that third parties solicit Personal Data Subjects' authorization and consent to collect personal information in accordance with the requirements of these standards, and verify the methods by which they will accomplish this;

f) Should request that the third-party products or services establish mechanisms for responding to Personal Data Subjects' requests, complaints, and so forth, and properly retain and promptly update them so as to facilitate inquiry and use by Personal Data Subjects;

g) Should prompt and oversee third-party product and service providers in strengthening personal information security management, and where it is discovered that third-party product or service providers have not implemented security management requirements and responsibilities, should promptly urge them to make corrections and, when necessary, stop their access;

h) Where third parties' automated tools (such as code, scripts, interfaces, algorithm models, software development kits, applets, etc.) are embedded or given access, it is appropriate to:

1) Conduct technical testing to ensure that their conduct in collecting and using personal information complies with the agreed requirements;

2) Appropriately audit the conduct of third parties' embedded or accessed automated tools in collecting personal information, and promptly cut off access where conduct exceeding the agreement is discovered.

8.8 Cross-border transmission of personal information

Where personal information collected during business operations in the mainland territory of the People's Republic of China is provided outside the mainland territory, the Personal Data Controllers are to comply with the Measures and relevant standards drafted by the State Internet Information Departments together with the relevant departments of the State Council, and comply with their requirements.

9 Resolution of Personal Information Security Incidents

9.1 Emergency response and reporting of personal information security incidents

Requirements for Personal Data Controllers include:

a) A personal information security incident response plan should be drafted;

b) Emergency response training and drills should be periodically (at least once annually) organized for the relevant internal personnel, so that they have a grasp of the duties of their position and of emergency response strategies and procedures;

c) After a personal information security incident occurs, Personal Data Controllers should take the following disposition measures based on the emergency response plan:

1) Record the content of the incident, including but not limited to: the personnel who discovered the incident, the time, the place, the number of persons whose personal information is involved, the name of the system in which the incident occurred, the impact on other connected systems, and whether enforcement organs or relevant departments have already been contacted;

2) Assess the impact that the incident might cause, and employ the necessary measures to control the situation and eliminate the hazard;

3) Follow the relevant procedures of the "National Network Security Emergency Response Plan" to promptly make a report, the content of which is to include, but is not limited to: the type, number, content, nature, and other overall circumstances of the Personal Data Subjects involved; the impact that the incident might cause; the disposition measures that have already been employed; and contact information for the relevant incident response personnel;

4) Where a personal information leak might have a greater impact on Personal Data Subjects, such as a leak of personal sensitive information, follow the requirements of 9.2 of these standards to give notification of the security incident.

d) Promptly update the emergency response plan on the basis of changes in the relevant laws and regulations, as well as the handling of incidents.

9.2 Notification of security incidents

Requirements for Personal Data Controllers include:

a) Personal Data Subjects that have been impacted should be promptly informed of the circumstances of the incident through means such as mail, letter, phone, push notification, and so forth. Where it is difficult to notify Personal Data Subjects one by one, reasonable and effective methods should be used to publicly release relevant warning information.

b) The content of the notification should include, but is not limited to:

1) The content and impact of the security incident;

2) Handling measures that have been taken or will be taken;

3) Recommendations for precautions the Personal Data Subject can independently take to prevent and reduce risks;

4) Remedial measures provided for Personal Data Subjects;

5) Contact information of the person responsible for personal information protection and the personal information protection body.

10 Organization and Management Requirements

10.1 Clarify responsible departments and personnel

Requirements for Personal Data Controllers include:

a) It should be made clear that their legally-designated representative or principal responsible person has comprehensive leadership responsibility for personal information security, including providing personnel, financial, and material safeguards for personal information security work;

b) A person responsible for personal information protection and a personal information protection work body should be appointed; a person with relevant management experience and professional knowledge of personal information protection should serve as the person responsible for personal information protection, participate in important decisions related to personal information handling activities, and report on the work directly to the organization's principal responsible person;

c) Organizations that satisfy any of the following conditions should set up a full-time person responsible for personal information protection and a personal information protection body, responsible for personal information security work:

1) The primary operations involve handling personal information, and the number of operational personnel exceeds 200;

2) Handling the personal information of more than 1,000,000 people, or expecting to handle the personal information of more than 1,000,000 people within 12 months.

d) The duties of persons responsible for protecting personal information and personal information protection work bodies include, but are not limited to:

1) Comprehensively planning the implementation and organization of personal information security work, and being directly responsible for personal information security;

2) Organizing the drafting of work plans for personal information protection and overseeing their implementation;

3) Drafting, issuing, implementing, and periodically updating privacy policies and relevant procedures;

4) Establishing, maintaining, and updating an inventory of the personal information in the organization's possession (including the types, quantity, sources, recipients, and so forth of the personal information) and the policy for authorizing access to it;

5) Carrying out personal information security impact assessments, submitting countermeasures and suggestions for protecting personal information;

6) Organizing the carrying out of personal information security training;

7) Conducting tests before products or services are released online, to avoid unknown collection, use, sharing, or other handling of personal information;

8) Publishing information such as the methods for making complaints and reports, and promptly accepting complaints and reports;

9) Conducting security audits;

10) Maintaining communication with the oversight and management departments, reporting on circumstances such as personal information protection and handling of incidents.

e) Necessary resources should be provided to the person responsible for personal information protection and the personal information protection body, ensuring their independent performance of duties.

10.2 Protect the security of personal information

When developing products and services with functions that handle personal information, Personal Data Controllers are to consider requirements for personal information security based on the relevant national standards during system engineering stages such as requirements, design, development, testing, and release, ensuring that personal information protection measures are planned, established, and used in sync with the establishment of the system.

10.3 Personal information processing activity records

It is appropriate to establish, maintain, and update records of personal information handling activities that collect or use personal information, the content of which may include:

a) The types, quantity, and sources of the personal information involved (for example, collected directly from Personal Data Subjects or obtained through indirect methods);

b) The purposes and usage scenarios of personal information handling, distinguished by operational function and authorization, as well as circumstances such as commissioned handling, sharing, transfer, public disclosure, and whether cross-border transfer is involved;

c) The information systems, individuals, or personnel involved in each step of personal information handling.

10.4 Carry out personal information security impact assessments

Requirements for Personal Data Controllers include:

a) Establish a system for personal information security impact assessments, assessing and addressing security risks in the handling of personal information;

b) Personal information security impact assessments should primarily assess the handling activities' compliance with the basic principles of personal information security, as well as the impact of the personal information handling on Personal Data Subjects' lawful rights and interests, with content including, but not limited to:

1) Whether the personal information collection phase complies with principles such as the clear purpose principle, the selective consent principle, and the minimum sufficiency principle;

2) Whether the handling of personal information might adversely impact the lawful rights and interests of Personal Data Subjects, including whether it harms personal or property security, harms personal reputation or physical or mental health, or leads to discriminatory treatment;

3) The efficacy of personal information security measures;

4) The risk that aggregating anonymized or de-identified data might re-identify Personal Data Subjects, or the risk that Personal Data Subjects could be re-identified following other forms of data aggregation;

5) The adverse impacts that the sharing, transfer, or public disclosure of personal information might cause to Personal Data Subjects' lawful rights and interests;

6) The adverse impacts that might be caused to Personal Data Subjects' lawful rights and interests when security incidents occur.

c) Before products or services are published, or when major changes occur to functions, a personal information security impact assessment should be conducted;

d) When laws and regulations have new requirements, or when there are major changes in operations models, information systems, or the operating environment, or when major personal information security incidents occur, a personal information security impact assessment should be conducted;

e) Form a personal information security impact assessment report, and employ measures to protect Personal Data Subject on this basis, reducing risks to an acceptable level;

f) Properly retain personal information security impact assessment reports, ensure that they may be provided for review to relevant parties, and disclose them externally in appropriate forms.
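The following is an added example, not text or code from the standard, illustrating two of its requirements together: the de-identification that 8.2 b) makes a condition for sharing without fresh consent (the recipient must have no way to re-identify the subject), and the re-identification risk test that 10.4 b) 4) asks an impact assessment to cover. The records, field names, key and token format are all constructed for the illustration. Direct identifiers are dropped and replaced by a keyed (HMAC) token whose key stays with the controller; the birth date is generalized to a year. The unkeyed hash variant is included only to show, in the controller's own pre-release test, why a bare hash of an identifier is not de-identification: anyone holding a list of candidate identifiers can rebuild the mapping. Quasi-identifier combinations (city, birth year, totals) are a separate aggregation risk that this check does not measure.

```python
import hashlib
import hmac

# Constructed sample records (fictional persons), in the shape a controller's
# database might hold before a sharing or transfer.
RECORDS = [
    {"name": "Zhang San", "id_number": "110101199001011234", "phone": "13800000001",
     "birth_date": "1990-01-01", "city": "Beijing", "purchase_total": 1520},
    {"name": "Li Si", "id_number": "310101198505055678", "phone": "13800000002",
     "birth_date": "1985-05-05", "city": "Shanghai", "purchase_total": 340},
    {"name": "Wang Wu", "id_number": "440101197812129012", "phone": "13800000003",
     "birth_date": "1978-12-12", "city": "Guangzhou", "purchase_total": 980},
]

# Fields that identify a person on their own; they are dropped from the shared copy.
# Fields that only narrow the population are generalized rather than dropped.
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")


def keyed_token(value, key):
    """Pseudonym for a direct identifier: HMAC under a key the controller keeps.
    The recipient never receives `key`, so it cannot recompute the mapping."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_token(value):
    """The weak variant: a bare hash of the identifier. Shown only so the
    re-identification test below can demonstrate why it is insufficient."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def deidentify(record, key):
    """Produce the record a recipient may receive: direct identifiers replaced by
    one keyed token, birth date generalized to year, other fields kept as-is."""
    shared = {"subject_token": keyed_token(record["id_number"], key)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "birth_date":
            shared["birth_year"] = value[:4]
        else:
            shared[field] = value
    return shared


def leaks_direct_identifier(shared_records, original_records):
    """Pre-release check: does any direct identifier value survive verbatim
    anywhere in the records about to be shared?"""
    raw_values = {r[f] for r in original_records for f in DIRECT_IDENTIFIERS}
    return any(v in raw_values
               for rec in shared_records
               for v in rec.values() if isinstance(v, str))


def reidentification_test(tokens, candidate_ids, token_fn):
    """Controller-side risk test for an impact assessment: given the tokens about
    to be shared and a list of identifiers a recipient might plausibly already
    hold, how many tokens link back to a person using `token_fn`, which models
    what the recipient is able to compute without the controller's key?"""
    lookup = {token_fn(c): c for c in candidate_ids}
    return {t: lookup[t] for t in tokens if t in lookup}
```

Used as a gate before a sharing or transfer, `leaks_direct_identifier` must return False and `reidentification_test` run with the unkeyed function must return an empty mapping for the keyed tokens; the same test run over unkeyed tokens links every record, which is the finding an assessment report under 10.4 e) would have to carry.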

10.5 Data Security Capacity

On the basis of the requirements of relevant international standards, Personal Data Controllers should establish appropriate data protection capacity, put in place necessary management and technical measures, and prevent leaks, damage, and loss of personal information.

10.6 Personnel management and training

Requirements for Personal Data Controllers include:

a) Confidentiality agreements should be signed with practitioners in posts handling personal information, and background investigations conducted for personnel with access to large quantities of personal sensitive information;

b) The internal security duties of the different positions that involve handling personal information should be clarified, and punishment mechanisms established for the occurrence of security incidents;

c) When personnel in positions handling personal information are transferred to other posts or terminate employment, they should be required to continue to perform their confidentiality obligations;

d) Requirements for personal information security should be clarified for external service personnel that might access personal information;

e) Corresponding internal mechanisms and policies should be established putting forward guidelines and requirements for staff in protecting personal information;

f) Periodically (at least once each year) or when there are major changes to the privacy policy, carry out specialized training of and evaluations of personnel in positions handling personal information, ensuring that the relevant personnel are familiar with and understand the relevant provisions of the privacy policy.

10.7 Security Audits

Requirements for Personal Data Controllers include:

a) Should conduct audits of the privacy policy, relevant provisions, and the efficacy of security measures;

b) Should establish automated auditing systems monitoring and recording activities handling personal information;

c) Records formed in the course of auditing should be able to support the handling of security incidents, emergency response, and subsequent investigations;

d) Precautions should be taken against unauthorized access to, tampering with, or deletion of the audit records;

e) Issues found in audits should be promptly addressed.
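As an added example, not part of the standard, the block below shows one way a controller can meet 10.7 b) and d) together: an automated record of personal-information handling events in which each entry's keyed hash covers the previous entry, so that editing or removing any entry is detectable on verification, together with an out-of-band checkpoint that also catches silent removal of the newest entries (which a hash chain alone cannot detect). The event fields, actor names and key are constructed for the illustration; it assumes the MAC key is held by a separate log collector rather than by the system writing the log, since a key stored beside the log would let an intruder with write access re-chain the file.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value for the first entry


class AuditLog:
    """Append-only, hash-chained record of personal-information handling events.

    Every entry's MAC covers the previous entry's MAC, so editing, inserting or
    deleting any earlier entry breaks every later link. The MAC key is assumed
    (for this example) to be held by a separate log collector, not by the
    system that writes the log."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, prev, payload):
        msg = (prev + json.dumps(payload, sort_keys=True)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, timestamp, actor, action, data_class, subject_count):
        payload = {"ts": timestamp, "actor": actor, "action": action,
                   "data_class": data_class, "subject_count": subject_count}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "payload": payload,
                 "mac": self._mac(prev, payload)}
        self.entries.append(entry)
        return entry

    def checkpoint(self):
        """(length, last MAC) to be stored out of band; detects tail truncation."""
        last = self.entries[-1]["mac"] if self.entries else GENESIS
        return len(self.entries), last


def verify_chain(entries, key, checkpoint=None):
    """Return (True, None) if the chain is intact, else (False, seq of the first
    bad entry). With a checkpoint, also detect removal of the newest entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # gap, reordering or deletion before this point
        msg = (prev + json.dumps(e["payload"], sort_keys=True)).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i  # payload edited or MAC forged without the key
        prev = e["mac"]
    if checkpoint is not None and (len(entries), prev) != checkpoint:
        return False, len(entries)  # entries removed from the tail
    return True, None


def run_scenarios(key):
    """Build a small constructed log and show what each kind of tampering yields."""
    log = AuditLog(key)
    log.append("2019-06-26T09:00:00Z", "svc-export", "export", "contact_info", 1200)
    log.append("2019-06-26T09:05:00Z", "ops-li", "delete", "account", 1)
    log.append("2019-06-26T09:10:00Z", "svc-share", "share", "health_info", 40)
    cp = log.checkpoint()
    results = {"intact": verify_chain(log.entries, key, cp)}

    edited = copy.deepcopy(log.entries)
    edited[1]["payload"]["subject_count"] = 0        # understate a deletion's scope
    results["edited"] = verify_chain(edited, key, cp)

    removed = copy.deepcopy(log.entries)
    del removed[1]                                    # drop the middle entry
    results["removed"] = verify_chain(removed, key, cp)

    truncated = copy.deepcopy(log.entries[:-1])       # drop the newest entry
    results["truncated_no_checkpoint"] = verify_chain(truncated, key)
    results["truncated_with_checkpoint"] = verify_chain(truncated, key, cp)
    return results
```

The returned sequence number of the first bad entry is what an investigator under 10.7 c) needs: everything before it can still be relied upon, everything from it onward cannot. Periodically publishing the checkpoint to a second system (or to the auditor) is what turns the chain into a tamper-evident record rather than merely an internally consistent one.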
