Earlier this year, China released the final version of the national standard on personal information protection, GB/T 35273-2017 Information Technology – Personal Information Security Specification (信息安全技术 个人信息安全规范) (the “Specification”). The Specification will take effect on May 1, 2018.
The Specification is not a law or regulation that requires mandatory compliance. However, it likely will be relied on by Chinese government agencies as a standard to determine whether companies are following China’s data protection rules. Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks. The below provides the basics on this new Specification.
Personal Information and Sensitive Personal Information. Under the Cybersecurity Law of China, personal information means information that can be used to identify a person if used separately or in combination with other information. This new Specification expands this definition to include information that reflects a person’s activities, such as browsing history.
Sensitive personal information includes information that, if leaked, illegally provided or used inappropriately, will likely threaten personal and property safety and can easily harm personal reputation, physical or mental health or lead to discriminatory treatment. Examples of sensitive personal information include a person’s ID card number, bank account number, and personal information of minors of age 14 or younger.
Data Controller. The new Specification introduces the concept of a personal data controller, which means a natural person or an organization that determines the purposes and means for processing personal data. A data controller is responsible for compliance with applicable laws and regulations in the collection, retention, use, sharing and transfer of personal information, as well as in handling data breaches.
Data Collection. The new Specification states that collecting personal data should be done legally and minimally. It requires a data controller obtain consent from the personal data subject (the natural person whose data is being collected) and further requires explicit consent when sensitive data is being collected. There are a few exceptions when consent is not required. For example, when the collection and use of personal data is necessary for executing and performing contracts, for criminal investigation, or for news reports when the data controller is a news agency.
Data Retention. Personal information must be retained for the shortest period of time and only to the extent necessary. After personal information has been collected, the data controller must de-identify such information and retain the de-identified information separate from any personal identifiable information. When a data controller ceases operations, it must stop collecting personal information, inform relevant data subjects of the same, and delete or anonymize all of the personal information it has retained.
Use of Data. A data controller must limit access to collected personal information to the minimum extent necessary. Data subjects have the right to access data and to rectify incorrect or incomplete data, the right to erasure and to data portability, as well as the right of account cancellation
Third-Party Processors; Sharing and Transfer of Data. When a data controller outsources data processing to a third party, the data controller must conduct a security assessment to ensure the third-party processor is capable of offering sufficient security. The data controller must also supervise the processor by audits and by imposing contractual obligations regarding data processing security.
If a data controller needs to share or transfer personal information, it must first conduct a security assessment, use effective measures to safeguard data subjects, inform data subjects of the purpose and the recipient of the data transfer and obtain prior consent (a separate consent in addition to the initial consent to collecting and processing data). If a data controller is acquired by or merged with other entities, it must notify the data subjects of this fact and its successor shall continue to perform the original data controller’s responsibilities and obligations.
Data Breach Incidents. Data controllers must have security incident response plans in place, provide periodic training and perform emergency drills at least annually. When a data breach occurs, the data controller must record the incident, assess potential impact and take remedial measures. It shall also notify affected data subjects of the incident by email, mail, phone, push notification, or other reasonable and effective method when individual notice is not practically possible.