On 25th January 2018, the Standardisation Administration of China (SAC) released the final version of the Personal Information Security Specification. The aim of the Standard is to regulate all phases of big data operations and related conduct, including the collection, storage, processing, use and disclosure of personal information.
The new voluntary national standards on the protection of personal information will come into effect on 1 May 2018. While the Standard is voluntary and does not mandate compliance, it is considered as establishing the Best Practice expected by Chinese regulators auditing companies and enforcing Chinese data protection laws, such as the 2016 Cybersecurity Law.
Under the Standard, ‘personal information’ is defined in accordance with the 2016 Cybersecurity Law, as “various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify a natural person.” The Standard also explicitly includes biometric data (biological identification data), geolocation data and behavioural data.
The Standard introduces a concept of “sensitive personal information”. This is any personal information, which, if lost or misused, may endanger personal security or property, cause damage to personal reputation, mental health and physical health, or lead to discriminatory treatment. As under Australian privacy laws, the Standard sets out different rules for the collection and use of personal sensitive information.
The Standard applies to ‘personal information controllers’ – similar to the concept of the EU GDPR’s ‘data controller’ – including any private or public organisation that can decide the purpose and method of processing personal information. Under the Standard, personal information controllers should:
- undertake a data protection impact assessment at least annually,
- maintain information security incident response plans, including undertaking regular training and testing of the information security incident response plans
- implement internal procedures to grant access to personal information, including subjecting individuals with access to large amounts of sensitive personal information to background checks
- obtain prior notice and consent from individuals to transfer or share their personal information unless the information is de-identified
- conduct risk assessments and ensure vendors (processors) offer adequate security before outsourcing the processing of personal information
Individuals are provided with a broad range of rights, including a straightforward account cancellation right, erasure rights (including significant obligations on the personal information controller to notify third parties of the erasure), and a data portability right limited to certain information.
The Standard contains 8 key substantive principles including:
- Responsibility Principle
All personal information controllers are responsible for the security are all personal information they possess, regardless of how the personal information was obtained.
- Clear Purpose Principle
Personal information must only be processed for a lawful, legitimate and specific purpose. In addition, the purpose for the processing of personal information must not be changed without prior authorisation from the individual (also known as a ‘personal data subject’).
- Data Minimisation Principle
The type, quantity and frequency of personal information collected should directly relate to carrying out a relevant business activity or service and should be limited to the minimum standard necessary for performing the business activity or service. The personal information should be deleted promptly after the purposes are achieved.
- Consent and Choice Principle
Individuals should be allowed to choose whether to consent to the processing of their personal information. Consent includes agreeing on the purposes, method and scope of the processing personal information. Data controllers cannot refuse to provide services or products, or lower the quality of service, because a data subject refuses to provide consent – unless the provision of the service relies on the collection of personal information. In addition, personal information controllers will be required to solicit additional consent if there are any changes to the purpose, method and scope of the processing of personal information.
- Individual Participation Principle
Individuals should be provided with measures to access, correct and delete their personal information. In addition, individuals should be provided with mechanisms to withdraw consent and deregister accounts.
- Quality Assurance Principle
Personal data controllers must ensure that the personal information it processes is accurate, authentic, up to date and usable.
- Security Assurance Principle
Personal data controllers must protect personal information and implement appropriate technical and organisational measures to ensure data security.
- Openness & Transparency Principle
Personal information controllers must inform data subjects about the scope, purpose and rules of the processing of personal information. This notification must be explicit, comprehensible and provided in a reasonable manner.