Finally, Guidelines for Personal Information Protection

Real Guidelines: Personal Information Protection

On April 10, 2019, the Network Security Bureau of the Ministry of Public Security, together with the Third Research Institute of the Ministry of Public Security and the Beijing Network Industry Association published the Guideline for Internet Personal Information Security Protection (“Guideline”).

This Guideline is the first effective legal document issued by the Ministry of Public Security in relation to online personal information protection. It is applicable to “personal information holders”, the scope of which includes “units that provide services through the Internet” and “organizations that control and process personal information using networks or non-networked environments.”

The Guideline provides some detailed and specific operational standards to refer to when dealing with personal information online, divided into three main parts. Some of the highlights include:

  • Internal Management Mechanisms

The Guideline recommends, for example, that organizations:

      • set up a management system and a department which is specially responsible for personal information management;
      • provide training (job skills, data security knowledge, etc.) to personnel that manage personal information;
      • set up physical and online security measures for any external parties to access the relevant equipment and information systems.
  • Technological Security Measures

The Guideline also recommends that the technological security measures used when processing personal information (e.g. access control, invasion precaution, data backup and recovery, etc.) should meet the requirements set out under the GB/T 22239: Information Security Technology – Baseline for Classified Protection of Information System Security.

  • Business Processes for Dealing with Personal Information Online

The Guideline recommends creating principled practices for handling personal information (collection, storage, application, deletion; commission process; share and transfer; disclosure). For example:

      • Personal information collection – Only collect personal data in conformance with “principles of legality, propriety and necessity.” That is, only when it’s legal, appropriate, and necessary;
      • Personal information storage – Personal information collected within the territory should be stored locally in encrypted storage, etc.;
      • Informed Consent to processing of personal information – An agreement should be signed; the entrusted party should delete the personal information after processing, etc.;
      • Deletion of personal information – If information is no longer needed, delete it;
      • Transfer and sharing: Do not transfer or share personal information. If transfer or sharing is called for, an assessment of legal necessity must be made and the express consent of the information subject must be obtained;
      • Disclosure of personal information – Prohibited in principle. If required by legal process or other acceptable reasons, a safety assessment must be carried out and the express consent of the original information subject must be obtained. The analyzed results of individual biometrics and sensitive data are prohibited from disclosure.

The core purpose of the Guideline is to mitigate the security risks encountered when dealing with online personal information. It was conceived and drafted based on real enforcement cases undertaken by competent public security departments. Although the Guideline is not mandatory, it is likely to be used by competent Public Security Departments when taking enforcing actions. In other words, if a company follows the Guideline, it stands a reasonably good chance of being found in compliance with the legal framework surrounding personal information protection in China.