2017 Personal Information Protection Compliance Content and Practice (China)
SESEC translation, for reference only

Personal information Protection Compliance Content and Practice … · 2017. 8. 25. · CONTENT 02 03 Background of relevant laws,regulations and standards 01 Personal information


Page 1

2017 Personal Information Protection Compliance Content and Practice (China)

SESEC translation, for reference only

Page 2

SESEC translated Document

In June 2017, Mr. Yanzhe He from CESI delivered a presentation on “Personal Information Protection Compliance Obligations and Practices” in a meeting. SESEC translated this presentation and distributed it to EU stakeholders.

Please note: the translated documents are for informational purposes only among SESEC stakeholders and should not be construed as business or legal advice. The SESEC team will not be responsible for the accuracy and completeness of the information provided and will accept no liability for errors or omissions. The provisions of relevant standards introduced at the meeting and in this document reflect the current drafts and may not be final.

Seconded European Standardization Expert in China (SESEC)

A project co-funded by CEN, CENELEC, ETSI, EC and EFTA

Page 3

CONTENT

01 Background of relevant laws, regulations and standards
02 Personal information protection requirements in Cybersecurity Law
03 Main content of Personal Information Security Specification
04 Practice Direction of Personal Information Protection

Page 4

Part 01: Background of relevant laws, regulations and standards

PI (personal information) protection has been a focus of attention and concern for Chinese regulators and law enforcement agencies.

2016.4.19 Cybersecurity and Informatization Symposium: “Cybersecurity for the people, Cybersecurity by the people” --- speech by President Xi Jinping

Page 5

01 Key Rules (laws/regulations/standards)

✓ 2000 Decision of the Standing Committee of the National People's Congress on safeguarding Internet Security
✓ 2005 Amendment to the criminal law of the People's Republic of China (5th Modification)
✓ 2009 Amendment to the criminal law of the People's Republic of China (7th Modification)
✓ 2012 Decision of the Standing Committee of the National People's Congress on strengthening network information protection
✓ 2012 GB/Z 28828—2012 Guideline for personal information protection within information system for public and commercial services
✓ 2013 Provisions on the protection of personal information of telecommunications and Internet users by MIIT
✓ 2015 Amendment to the criminal law of the People's Republic of China (9th Modification)
✓ 2016 Cybersecurity Law (Chapter 4: Network and Information Security)
✓ 2017 Interpretation of several issues concerning the application of law in handling criminal cases of infringing personal information of citizens
✓ 2017 General provisions of civil law
✓ 2017 GB/T Personal information protection specification (draft for approval)
✓ ……

Page 6

01 Decision of the Standing Committee of the National People's Congress on safeguarding Internet Security (28 December 2000)

Example:

Article 4 In order to protect the personal, property and other legal rights of individuals, legal persons and other groups, according to the pertinent regulations of criminal law, those that conduct one of the following acts that constitute an offence will bear criminal responsibility:
(I) Using the Internet to humiliate others or trump up facts to slander others;
(II) Illegally intercepting and seizing, distorting or deleting others’ email or other data, violating citizens’ freedom to communicate and secrecy of communication;
(III) Using the Internet to perform theft, swindle or blackmail.

reference: http://www.npc.gov.cn/wxzl/gongbao/2001-03/05/content_5131101.htm

Page 7

01 Decision of the Standing Committee of the National People's Congress on strengthening network information protection (28 December 2012)

Example:

Article 2 Network service providers and other enterprise and undertaking work units that collect or use citizens’ individual electronic information during their business activities shall abide by the principles of legality, legitimacy and necessity, clearly indicate the objective, methods and scope for collection and use of information, and obtain agreement from the person whose data is collected; they may not violate the provisions of laws and regulations, or the agreement between both sides, in collecting or using information.

Article 4 Network service providers and other enterprise and undertaking work units shall adopt technological measures and other necessary measures to ensure information security and prevent citizens’ individual electronic information collected during business activities from being divulged, damaged or lost. When divulging, damage to or loss of information occurs or may occur, remedial measures shall be adopted immediately.

reference: http://www.npc.gov.cn/wxzl/gongbao/2013-04/16/content_1811077.htm

Page 8

01 Provisions on the protection of personal information of telecommunications and Internet users by MIIT (1 September 2013)

Example:

Article 4 Personal user data as named in these regulations refers to users’ names, dates of birth, identity card numbers, addresses, telephone numbers, account numbers, passwords and other information with which the identity of the user can be distinguished independently or in combination with other information, as well as the time and place of the user using the service and other information, collected by telecommunications business operators and Internet information service providers in the process of providing services.

Article 5 Telecommunications business operators and Internet information service providers that collect and use personal user data in the process of providing services shall abide by the principles of legality, propriety and necessity.

Article 6 Telecommunications business operators and Internet information service providers are responsible for the security of personal user data collected and used in the process of providing services.

reference: http://www.miit.gov.cn/n11293472/n11293877/n16381515/n16381547/16389765.html

Page 9

01 Amendment to the criminal law of the People's Republic of China (5)(7)(9)

Example:

Amendment 9, Article 17: Modify Criminal Law Article 253-1 to read: “Violating provisions to sell or provide others with citizens' personal information, where the circumstances are serious, is sentenced to up to three years imprisonment, short-term detention or controlled release and/or a fine; where circumstances are especially serious, the sentence is between three and seven years imprisonment and a concurrent fine.

Where provisions are violated to sell or provide others with citizens' personal information which was obtained while performing professional duties, and the circumstances are serious, follow the provisions of the preceding paragraph in giving a heavier sentence.

Where citizens' personal information is stolen or illegally obtained through other means and the circumstances are serious, punishment is in accordance with the provisions of the first paragraph of this article.”

reference:
http://www.npc.gov.cn/wxzl/gongbao/2005-04/25/content_5337649.htm
http://www.npc.gov.cn/huiyi/cwh/1107/2009-02/28/content_1476563.htm
http://www.npc.gov.cn/npc/xinwen/2015-08/31/content_1945587.htm

Page 10

01 GB/Z 28828—2012 “Guideline for personal information protection within information system for public and commercial services”

Personal information administrators should abide by the following basic principles when using information systems to handle personal information:
a) The principle of a clear purpose – handling personal information shall have a specific, clear and reasonable purpose, the use scope is not to be expanded, and the purpose for handling personal information shall not be changed in situations where subjects of personal information are unaware of this.
b) The principle of least sufficient use – only the smallest amount of information related to the purpose for handling is to be handled; when the handling purpose is achieved, personal information is to be deleted in the shortest time.
c) The principle of open notification – there is a duty to notify, explain and warn subjects of personal information as well as possible. The purpose for handling personal information, the scope of personal information collection and use, personal information protection measures and other such information are to be truthfully notified to subjects of personal information in clear, easily understandable and appropriate ways.
d) The principle of individual consent – before personal information handling, the consent of the subject of the personal information must be obtained.
e) The principle of quality guarantee – it is to be guaranteed that personal information is kept secret, intact and usable in the process of handling, and that it remains in the newest condition.
f) The principle of security guarantee – adopting appropriate management measures and technical methods that are suited to the possibility and gravity of harm to personal information, protecting personal information security, preventing retrieval or disclosure of information without the authorization of the subject of the personal information, and preventing the loss, leakage, destruction and alteration of personal information.
g) The principle of honest implementation – handling personal information according to the commitments made at the time of collection, or on the basis of statutory grounds, and no longer continuing to handle personal information after achieving the fixed purpose.
h) The principle of clear responsibilities – clarifying the responsibilities of personal information handling processes, adopting corresponding measures and implementing corresponding responsibilities, and recording personal information handling processes in such a manner that they can be easily traced back.

Page 11

01 Cybersecurity Law (CSL), 7 November 2016

Example (detailed introduction in the following slides):

Chapter III: Network Operations Security - Section 1: General Provisions – Article 22
Chapter III: Network Operations Security - Section 2: Operations Security for Critical Information Infrastructure – Article 37
Chapter IV: Network Information Security – Articles 40, 41, 42, 43, 44
Chapter VI: Legal Responsibility – Articles 64, 66

reference: http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm

Page 12

01 Interpretation of several issues concerning the application of law in handling criminal cases of infringing personal information of citizens, by the Supreme People's Court and Supreme People's Procuratorate (9 May 2017)

Example:

Article 1 The term “personal information of a citizen” as mentioned in Article 253A of the Criminal Law refers to all kinds of information recorded by electronic means or otherwise that can be used independently or together with other information to identify a particular natural person's identity or reflect particulars on his or her activities, including the natural person's name, ID number, contact information such as his or her e-mail address or phone number, address, account name and password thereof, property conditions, whereabouts and tracks, etc.

Article 5 The act of illegally obtaining, selling or providing citizens' personal information shall be deemed as “one resulting in a serious case” as mentioned in Article 253A of the Criminal Law in the case of any of the following circumstances:
3. illegal procurement, sale or provision of more than 50 pieces of information concerning geographic location, content of correspondence, credit history, and financial assets of an individual;
4. illegal procurement, sale or provision of more than 500 pieces of information concerning records of accommodation or correspondence, health, transaction, or other personal data that may affect the safety or any property/assets of an individual;
5. illegal procurement, sale, or provision of more than 5,000 pieces of personal information concerning other information of an individual other than the above;

reference: http://www.spp.gov.cn/xwfbh/wsfbt/201705/t20170509_190088.shtml

Page 13

01 General provisions of civil law (15 March 2017)

Example:

Article 111 The personal information of a natural person shall be protected by law. Any organization or individual needing to obtain the personal information of other persons shall legally obtain and ensure the security of such information, and shall not illegally collect, use, process, or transmit the personal information of other persons, nor illegally buy, sell, provide, or publish the personal information of other persons.

reference: http://www.chinacourt.org/law/detail/2017/03/id/149272.shtml

Page 14

01 GB/T Personal information protection specification (draft for approval)

Introduced in Part 3.

Refer to the laws, regulations and standards mentioned above.

To sum up: PI protection wasn’t initiated in the Cybersecurity Law. It’s a long-term process of accumulation.

Page 15

Part 02: PI protection requirements in Cybersecurity Law

The Cybersecurity Law forms a “watershed effect”.

The PI protection requirements in the Cybersecurity Law form the basic framework and are further strengthened.

Page 16

02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)

——China Cybersecurity Law dedicates a whole chapter to information security: Chapter IV, Network Information Security.
——Articles 40-44 cover personal information protection; they are compared to the GDPR for a better understanding.

Cybersecurity Law of China: Article 40 Network operators shall keep the user information they have collected strictly confidential and establish and improve user information protection systems.

GDPR: Accountability of Data Controller

Page 17

02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)

Cybersecurity Law of China: Article 41 When collecting or using the personal information, network operators shall comply with the principles of lawfulness, justification and necessity, publicize the rules for collection and use, clearly indicate the purposes, methods and scope of the information collection and use, and obtain the consent of those from whom the information is collected.

A network operator shall not collect the personal information irrelevant to the services it provides or collect or use the personal information in violation of the provisions of laws and administrative regulations and the agreements between both parties, and shall process the personal information it has stored in accordance with the provisions of laws and administrative regulations and the agreements with the user.

GDPR: Principle of lawfulness, fairness and transparency; Principle of purpose limitation; Principle of data minimisation

Page 18

02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)

Cybersecurity Law of China: Article 42 Network operators shall not divulge, tamper with or damage the personal information they have collected; they shall not provide such personal information to others without consent of those from whom the information is collected, except for the information that has been processed and cannot be recovered and through which no particular individual may be identified.

Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent the personal information from being divulged, damaged or lost. When the personal information is or might be divulged, damaged or lost, they shall take remedial measures immediately, notify the users in a timely manner in accordance with relevant provisions and report the same to relevant competent authorities.

GDPR: Anonymized Data; Principle of accountability; Principle of integrity and confidentiality; mandatory data breach notification

Page 19

02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)

Cybersecurity Law of China: Article 43 If any person finds that a network operator collects or uses his/her personal information in violation of the provisions of laws and administrative regulations or the agreements between both parties, the person shall have the right to require the network operator to delete his/her personal information; if the person finds that his/her personal information collected or stored by the network operator is erroneous, the person shall have the right to require the network operator to make a correction. The network operator shall take measures to delete or correct such information.

GDPR: Rights of Data Subject: right to delete; right to rectify

Page 20

02 Other provisions of China Cybersecurity Law

Article 44 No individuals or organizations may steal or otherwise illegally obtain the personal information or illegally sell or provide the personal information to others.

Article 37 Personal information and important business data [important data] collected and generated in the operation of key information infrastructure operators within the territory of the People's Republic of China shall be stored within the territory. Where it is necessary to provide such information and data abroad due to business needs [operational needs], a security assessment shall be carried out according to the measures formulated by the national Internet information department in conjunction with the relevant departments of the State Council; if there are other provisions in laws and regulations, those provisions shall prevail.

The specific implementation of this article will be interpreted later.

Page 21

Part 3: Main content of Personal Information Security Specification

Basically covers the principles and requirements of existing personal information protection.
The core idea is problem-driven and practical.
Important reference for compliance.

Page 22

03 PI protection typical problems——Problem-driven

• collecting PI excessively, secretly, deceptively, forcibly and unlawfully
• purchasing data unlawfully
• mandatory push of commercial ads
• unlimited storage and use of personal information
• personal information used in cases where it is not essential to maintain personal identity
• changing the purpose of using personal information
• providing personal information without consent
• illegal disclosure of personal information
• internal staff illegally reselling personal information
• ignoring the user’s queries and complaints
• the outsourcing process leading to personal information breaches
• freely disposing of personal information after business failure
• platform lacking control over commercial tenants in collecting and using personal information

Page 23

03 National Standard——Personal Information Security Specification

Introduction

Task force established on May 12, 2016. The National Information Security Standardization Technical Committee (TC260) approved this project proposal on July 11th and designated it as a priority standardization task. Now the standard is being submitted for approval.

During the public consultation of the standard, hundreds of comments were received, and they were carefully studied and absorbed. Participating organizations include representative Internet companies, the European Union Chamber of Commerce, and the United States Information Technology Office (USITO).

Page 24

03 National Standard——Personal Information Security Specification

Scope

Principles and security requirements for PI processing (collection, preservation, use, transfer, sharing, public disclosure).

Applies to organizations that standardize their PI processing activities, and to supervisory departments and third-party assessment agencies that supervise, manage and assess PI processing activities.

Major object: personal data controller. An organization or person that decides the purpose and method of processing personal information.

Page 25

03 References

Standards:
[1] GB/Z 28812-2012 Information security technology – Guideline for personal information protection within information system for public and commercial services
[2] GB/T 32921—2016 Information security technology – Security criterion on supplier conduct of information technology products
[3] ISO/IEC FDIS 29100:2011(E) Information technology – Security techniques – Privacy framework
[4] ISO/IEC FDIS 29101(E) Information technology – Security techniques – Privacy architecture framework
[5] ISO/IEC 2nd CD 29134 Information technology – Security techniques – Privacy impact assessment
[6] ISO/IEC 2nd CD 29151 Information technology – Security techniques – Code of practice for personally identifiable information protection
[7] NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
[8] NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
[9] NISTIR 8062 (Draft) Privacy Risk Management for Federal Information Systems
[10] ISO/IEC 1st WD 29184 Information technology – Security techniques – Guidelines for online privacy notices and consent
[11] CWA 16113:2012 Personal Data Protection Good Practices

Laws and regulations:
Domestic laws and regulations: see Part 1.
EU, US PI legislation:
[5] EU. General Data Protection Regulation. [2015-5-24].
[6] EU-U.S. Privacy Shield [2016-2-2]
[7] Consumer Bill of Rights, White House 2012.2
International rules:
[8] The OECD Privacy Framework, OECD 2013
[9] APEC Privacy Framework, APEC 2005.12

Page 26

03 Several important definitions

personal information: A variety of information recorded by electronic or other means that can, individually or in combination with other information, identify a particular natural person's identity or reflect a particular natural person's activity.
Note 1: Personal information includes name, date of birth, identity document number, personal biometric information, address, communication and contact information, communication records and content, account password, property information, credit information, whereabouts, accommodation information, health and physical information, and so on.
Note 2: Please refer to Appendix A for the scope and type of personal information.

personal sensitive information: personal information whose disclosure, illegal provision or misuse may lead to damage to personal and property safety, personal reputation, or physical and mental health, or to discriminatory treatment.
Note 1: Personal sensitive information includes identity document number, personal biometric information, bank account number, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information.
Note 2: Refer to Appendix B for the scope and category of personal sensitive information.

Innovation point: two ways, definition and exemplifying.

Individual sensitive information whose use, tampering or disclosure may bring significant risks to the rights of natural persons should be given enhanced protection. This standard provides both specific examples and refined rules.

Page 27

03 PI vs PII or other definitions

Typical PII: phone number (a mobile No.)
✓ No doubt, a mobile phone number can be identified to an individual and belongs to typical personal information.
✓ The commercial value of PII itself lies in the link path.
✓ Value of link path.

Several PI or several pieces of personal activity information: travel records (path, brand, time, etc.)
✓ A single travel record or path cannot be associated with an individual, but multiple records can separate the person associated with the information from the crowd (similar to a precise portrait). It’s not the most important who he/she is.
✓ Personal activity information reflects more commercial value (such as taking taxis frequently at night representing that he/she always works overtime, taking high-end taxis reflecting a white-collar worker, etc.).
✓ Value of more business opportunities.

Page 28

03 PI vs PII or other definitions: today's PI protection concept

Conclusion

✓ Obviously, PII, PI or personal activity information all impact personal interests, so all need protection;
✓ The analysis of PI must be placed in its scenarios. Information that can affect individual rights and interests, and that occurs together with other PI at the same time, shall be protected;
✓ The defined text is not the most important; protecting personal rights is the most important thing.

Illustration: Mobile No.: 18XXXXXXXXX VS QR Code

Page 29

03 Several important definitions

collect: Obtaining control of personal information, including information provided on the initiative of the personal data subject, information acquired automatically through interaction, and information obtained indirectly by transfer or sharing.
public disclosure: An act releasing information to the public or a specific group.
transfer: The process by which the personal data controller is changed.
sharing: A process in which a personal data controller provides data to other controllers and each has independent control of the data.

Page 30: Personal information Protection Compliance Content and Practice … · 2017. 8. 25. · CONTENT 02 03 Background of relevant laws,regulations and standards 01 Personal information

03 Basic Principles of Personal Information Security

Personal data controllers follow the following basic principles when processing personal information:

a) Principle of consistent rights and responsibilities: take responsibility for the damage caused by personal information processing activities to the legal rights and interests of the personal data subject.

b) Principle of clear purpose: data controllers shall have a legitimate, fair, necessary, specific and clear purpose for processing personal information.

c) Principle of consent and choice: data controllers shall make clear to the personal data subject the purpose, method, scope and rules of personal data processing and obtain the personal data subject's consent; the personal data subject has the right to give selective consent to matters other than the Minimum Set of Personal Information.

d) Principle of minimum necessity: data controllers shall process the minimum amount of information necessary to fulfill the purpose authorized by the user's consent, unless the personal data subject agrees otherwise. After the purpose is fulfilled, the personal information should be deleted in time as agreed.


Page 31

03 Basic Principles of Personal Information Security

Personal data controllers follow the following basic principles when processing personal information:

e) Principle of openness and transparency: data controllers shall publish the scope, purpose and rules of personal information processing in a clear, understandable and fair way, so that they are subject to external supervision.

f) Principle of security assurance: data controllers shall have security capability matching the potential security risks, and shall adopt adequate administrative measures and technical methods to ensure the confidentiality, integrity and availability of personal information.

g) Principle of subject participation: data controllers shall provide the personal data subject with methods to access, amend and delete their personal information, as well as methods to withdraw consent and to deregister.


Page 32

03 Security requirements of PI processing

Collection of PI
• Legitimacy requirements
• Minimization requirements
• Explicit consent and exceptional circumstances
• The content and publication of the PI protection strategy

Preservation of PI
• Minimum PI storage period
• De-identification
• Storage requirements
• Personal data controller stopping operation

Use of PI
• Access control measures
• Restrictions on using and displaying PI
• Access, rectification, deletion, withdrawal of consent, cancellation of accounts, obtaining copies and other mechanisms
• Response to personal data subject requests

Delegated processing, sharing, transfer and public disclosure of PI
• Delegated processing requirements
• Sharing, transfer and public disclosure requirements
• Joint personal data controller requirements
• Cross-border transfer requirements


Page 33

03 Requirements of security management

Requirements of organization management
• Specified principal department and personnel
• Conduct personal information security impact assessment
• Data security capability
• Personnel management and training
• Security audit

Security incident handling
• Response and reporting of security incidents
• Notification of security incidents


Page 34

03 Notable provisions

5.1 Collect PI legally
a) shall not deceive, trick or force the personal information subject into providing their personal information;
b) shall not conceal the automatic collection of personal information performed by the product or service;
c) shall not obtain personal information from illegal channels;
d) shall not collect personal information that laws and regulations prohibit collecting.

5.4 Indirect acquisition of PI with explicit consent
a) The personal information provider shall be required to indicate the source of the personal information and to confirm its legality.
b) The organization shall be aware of the scope of authorization already obtained by the personal information provider, including the purpose of use and whether the personal information subject has authorized transfer, sharing, public disclosure and so on. If the organization's personal information processing activities need to go beyond that scope of authorization, the express consent of the personal information subject shall be obtained within a reasonable period after obtaining the personal information, or before processing it.


Page 35

03 Notable provisions

5.3 Explicit consent when collecting personal information by means of proactive or automated collection
a) Before collecting personal information by proactive or automatic means, the controller shall inform the personal information subject of the core business functions of the product or service supplied and of the minimum set of personal information collected, shall expressly inform them of the consequences of refusing to provide it or refusing consent, and shall allow the personal information subject to choose whether to provide it or to agree to automatic collection;
b) Where a product or service requires additional functions for which more personal information than the minimum set must be collected, the personal information necessary to complete each additional function shall be stated to the personal information subject one by one before collection, and the subject shall be allowed to choose whether to provide it or to agree to automatic collection. When the personal information subject refuses, the corresponding additional function need not be provided, but the core business function shall not be stopped on that basis, and the corresponding service quality shall be guaranteed;
c) the controller shall inform the personal information subject of its data security capability before collection;
d) When collecting personal information, the express consent of the personal information subject shall be obtained. The express consent shall be a voluntary, explicit and clear expression of will, for example a declaration made on the personal information subject's own initiative (in electronic or paper form), ticking a box on their own initiative, or clicking "agree" on their own initiative;
e) Before collecting the personal information of a minor who is at least 14 years of age, the explicit consent of the minor or their guardian shall be obtained; for a minor under 14 years of age, the express consent of the guardian shall be obtained;
f) The right of the personal information subject to refuse the use of their personal information for the promotion of commercial advertising shall be protected.


Page 36

03 Notable provisions

5.5 Exceptions to explicit consent
In the following cases, the collection of personal information does not require the consent of the personal information subject:
a) related to national security or national defense;
b) related to public safety, public health or significant public interest;
c) related to criminal investigation, prosecution, trial or enforcement of judgments;
d) needed to protect the life, property or other major legitimate rights and interests of the personal information subject or of another individual, where it is difficult to obtain the consent of the personal information subject;
e) the personal information collected has already been made public by the personal information subject;
f) the personal information is collected from legally and publicly disclosed information, such as lawful news reports, government information disclosure and other channels;
g) necessary to sign a contract at the request of the personal information subject;
h) necessary to maintain the safe and compliant operation of the products or services provided, such as discovering and handling faults in the products or services;
i) necessary for lawful news reporting;
j) necessary for an academic research institution to carry out statistical or academic research in the public interest, where the institution de-identifies the personal information contained in the results when it provides the research results or descriptions;
k) other circumstances provided for by laws and regulations.


Page 37

03 Notable provisions

6.2 De-identification
After collecting personal information, the controller shall immediately de-identify it and take technical and management measures to store the de-identified data separately from the information that could be used to restore the identity of the individual, and shall ensure that individuals are not re-identified in subsequent personal information processing.

6.4 PI controller ceasing operation
When a personal information controller ceases to operate its products or services, it shall:
a) immediately stop collecting personal information;
b) inform the personal information subjects of the cessation of operation, either individually or by public notice;
c) delete or anonymize the personal information it holds.


Page 38

03 Notable provisions

7.3 Restrictions on the use of personal information
a) Unless necessary for a business function, personal information should be used only after explicit identity has been removed, so as to avoid precise targeting of specific individuals. For example, a direct user profile may be used to evaluate personal credit status accurately, while only an indirect user profile should be used for commercial advertising;
b) Information generated by processing the collected personal information that can be used, alone or in combination with other information, to identify a natural person or to reflect a natural person's circumstances is also personal information, and shall be used within the scope of the authorization obtained when the personal information was collected;
c) The use of personal information shall not exceed the scope that has a direct or reasonable connection with the purpose stated when the personal information was collected. Where business requirements make it necessary to exceed that scope, the express consent of the personal information subject shall be obtained again.
Note: Using collected personal information for academic research, or to describe the general state of nature, science, society, the economy and so on, is within the scope of reasonable connection with the purpose of collection. However, when the results of the academic research or description are provided, the personal information contained in the results shall be de-identified.


Page 39

03 Notable provisions

7.6 Deletion of personal information
a) In the following circumstances, when the personal information subject requests deletion, the personal information shall be deleted promptly:
1) the personal information controller collects or uses personal information in violation of laws and regulations;
2) the personal information controller collects or uses personal information in violation of its agreement with the personal information subject;
b) If the personal information controller shares or transfers personal information to a third party in violation of laws and regulations or of its agreement with the personal information subject, and the personal information subject requests deletion, the personal information controller shall immediately stop the sharing or transfer and notify the third party to delete the information in a timely manner;
c) If the personal information controller publicly discloses personal information in violation of laws and regulations or of its agreement with the personal information subject, and the personal information subject requests deletion, the personal information controller shall immediately stop the public disclosure and issue a notice requesting the relevant recipients to delete the corresponding information.

7.8 Cancellation of account by the PI subject
a) A personal information controller that provides services through registered accounts shall provide the personal information subject with a method of cancelling the account, and the method shall be easy to use;
b) After the personal information subject cancels the account, the personal information controller shall delete or anonymize the personal information.


Page 40

03 Notable provisions

8.1 Delegated processing
When delegating the processing of personal information, the following requirements shall be met:
a) processing is delegated only for the purpose for which the express consent of the personal information subject was obtained;
b) the personal data controller shall conduct a personal information security impact assessment of the delegated processing, and shall ensure that the delegated processor has sufficient data security capability and provides a sufficient level of security protection;
c) the delegated party shall be required to:
1) process personal information strictly in accordance with the requirements of the personal information controller, and give timely feedback if for special reasons it cannot do so;
2) obtain the authorization of the personal information controller before re-delegating the processing;
3) assist the personal information controller in meeting requests made by personal information subjects under articles 7.4 to 7.10 of the standard;
4) give timely feedback if it is unable to provide adequate security, or if a security incident occurs while it is processing the personal information;
5) no longer retain the personal information once the delegation relationship ends;
d) the personal information controller shall supervise the delegated party, including but not limited to:
1) fixing the liabilities and obligations of the delegated party by contract;
2) auditing the delegated party;
e) relevant information about the delegated processing shall be accurately recorded and kept.


Page 41

03 Notable provisions

8.6 Cross-border PI transfer requirement
Before personal information collected and generated in the territory of the People's Republic of China is transmitted across the border, a security assessment shall be carried out in accordance with the methods and standards established by the relevant governmental departments of China.

Refer to the Measures on the Security Assessment for Personal Information and Important Data and the Guidelines for Data Cross-border Transfer Security Assessment (draft).

Page 42

03 How to control the standard's quality and application effect

[Figure: four quality dimensions of the standard and the questions each raises]
Effectiveness: does it have an immediate effect on the status of PI security?
Comprehensiveness: does it cover all points? Are there overlapping parts?
Operability: is it operable? Is it applicable?
Negative impact: is it inapplicable in practice? Does it curb development?


Page 43

Part 04 Practice Direction of PI Protection

Laws and regulations for the compliance program
National standards for compliance
Promote business development with compliance


Page 44

04 Direction one: 3-phase conformity self-check

Step 1: self-check against laws
Step 2: self-check against regulations
Step 3: refer to standards

Page 45

04 Direction two: standardize PI processing
Refer to the personal information security specification

Innovation point: Annex C, template for the data subject's express consent
A personal information controller can design its function interface by referring to the template (shown on the right of the slide), so that PI subjects can fully exercise their right to choose what they consent to. The PI controller should present this interface to the PI subject before it collects the personal information, for example during product installation, when the PI subject uses the product or service for the first time, or when the PI subject registers.


Page 46

04 Direction three: standardize PI processing
Refer to the personal information security specification

Innovation point: Annex D, template for the PI protection strategy
The personal information protection strategy is an important manifestation of the PI controller's adherence to the principle of openness and transparency, an important measure for ensuring the PI subject's right to know, and an important mechanism by which the controller constrains its own behavior to meet supervisory and management requirements. The personal information protection strategy should clearly, accurately and completely describe the PI controller's personal information processing behavior.


Page 47

04 Direction four: PI security impact assessment
Refer to the PI security impact assessment guideline (under drafting)

[Figure: categories of harm to the personal information subject]
• Loss of the right of self-determination (e.g. being forced, or lacking a channel to correct personal information)
• Discriminatory treatment (e.g. discrimination resulting from leaked illness or marriage information)
• Damage to personal reputation and mental pressure (e.g. disclosure of private habits or past experience)
• Damage to personal property (e.g. account theft, fraud)


Page 48

04 Direction four: de-identification
Refer to the PI de-identification guideline (under drafting)

Re-identification risks:
• isolation: singling out the data of one PI subject from that of all others;
• association: linking different data sets that belong to the same PI subject;
• inference: inferring a particular attribute from other attributes.
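As an added example (it is not from the presentation or from the draft de-identification guideline), the Python below checks a small "de-identified" extract for the three re-identification risks listed above, then shows what generalization and suppression of the quasi-identifiers do to each risk. Both datasets, the field names and the choice of quasi-identifiers (zip, age, sex) are constructed for illustration.

```python
# Added example: checking a de-identified extract for isolation, association
# and inference risk. Datasets and field names are constructed for illustration.
from collections import defaultdict

QI = ("zip", "age", "sex")          # quasi-identifiers left in the extract
SENSITIVE = "diagnosis"             # the attribute whose disclosure causes harm

# Constructed health extract: names removed, quasi-identifiers kept as collected.
HEALTH = [
    {"zip": "100125", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "100125", "age": 36, "sex": "F", "diagnosis": "flu"},
    {"zip": "100125", "age": 35, "sex": "F", "diagnosis": "flu"},
    {"zip": "100032", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "100032", "age": 58, "sex": "M", "diagnosis": "asthma"},
    {"zip": "100191", "age": 41, "sex": "M", "diagnosis": "hepatitis"},
]

# Constructed public list (e.g. a club roster) carrying names together with the
# same quasi-identifiers; this is the kind of data an attacker links against.
PUBLIC = [
    {"name": "Li Wei", "zip": "100191", "age": 41, "sex": "M"},
    {"name": "Wang Fang", "zip": "100125", "age": 35, "sex": "F"},
    {"name": "Zhang Lei", "zip": "100032", "age": 52, "sex": "M"},
]


def equivalence_classes(records, qi=QI):
    """Group records by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[f] for f in qi)].append(r)
    return classes


def isolation_risk(records, qi=QI):
    """Isolation (singling out): k is the size of the smallest class; a class of
    size 1 means one subject's record can be picked out from everyone else's."""
    classes = equivalence_classes(records, qi)
    k = min(len(members) for members in classes.values())
    singletons = sorted(key for key, members in classes.items() if len(members) == 1)
    return k, singletons


def association_risk(records, external, qi=QI, sensitive=SENSITIVE):
    """Association (linkage): join the extract with a named external dataset on
    the quasi-identifiers; a unique match re-attaches a name to a sensitive value."""
    classes = equivalence_classes(records, qi)
    linked = {}
    for person in external:
        key = tuple(person[f] for f in qi)
        if len(classes.get(key, ())) == 1:
            linked[person["name"]] = classes[key][0][sensitive]
    return linked


def inference_risk(records, qi=QI, sensitive=SENSITIVE):
    """Inference (attribute disclosure): classes whose members all share one
    sensitive value, so knowing someone's quasi-identifiers reveals the attribute
    even when no single record can be isolated."""
    risky = []
    for key, members in equivalence_classes(records, qi).items():
        values = {m[sensitive] for m in members}
        if len(members) > 1 and len(values) == 1:
            risky.append((key, values.pop()))
    return sorted(risky)


def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit postcode prefix, 10-year age band."""
    out = []
    for r in records:
        band = r["age"] // 10 * 10
        out.append(dict(r, zip=r["zip"][:3], age=f"{band}-{band + 9}"))
    return out


def suppress_small_classes(records, min_k, qi=QI):
    """Drop every record whose class is smaller than min_k (k-anonymity by suppression)."""
    classes = equivalence_classes(records, qi)
    return [r for r in records if len(classes[tuple(r[f] for f in qi)]) >= min_k]


if __name__ == "__main__":
    coarse = generalize(HEALTH)
    k2 = suppress_small_classes(coarse, 2)
    for label, data, ext in (("raw", HEALTH, PUBLIC),
                             ("generalized", coarse, generalize(PUBLIC)),
                             ("k=2", k2, generalize(PUBLIC))):
        print(label, isolation_risk(data)[0], association_risk(data, ext), inference_risk(data))
```

On the raw extract every record is its own class (k = 1), so the roster links three names to diagnoses. Generalization removes two of those links but still leaves the single 40-49 male isolated, and suppressing classes smaller than 2 removes that too; neither step touches the inference risk, because the 30-39 female class is homogeneous (everyone has "flu"), which is why a de-identification review has to check all three risks rather than k-anonymity alone.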


Page 49

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Several important definitions

domestic operation
An activity carried out by a network operator in the territory of the People's Republic of China to provide a product or service.

Note 1: A network operator that is not registered in the territory of the People's Republic of China but operates within the territory, or provides products or services to the People's Republic of China, is engaged in domestic operation. The reference factors for determining whether a network operator carries out business within the People's Republic of China, or provides products or services to it, include but are not limited to: use of the Chinese language; use of RMB as the settlement currency; delivery of goods to China.

Note 2: A network operator in the territory of the People's Republic of China is not regarded as carrying out domestic operation if it only does business with, or provides goods or services to, foreign institutions, organizations or individuals and does not involve personal information or important data of domestic citizens.


Page 50

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Several important definitions

data cross-border transfer
A one-off or continuous activity in which a network operator provides personal information and important data collected and generated in the territory of the People's Republic of China to overseas institutions, organizations or individuals, whether directly or by means of business, services or products.

Note 1: The following circumstances are data cross-border transfer: providing personal information and important data to a party that is located in the territory but is not under the jurisdiction of the country or is not registered within the territory; data that is not moved outside the country but is accessed by foreign institutions, organizations or individuals (except for public information and web pages); internal data of a network operator that is moved from inside the territory to outside it and involves personal information and important data collected and generated within the territory.

Note 2: Personal information and important data that were not collected or generated in domestic operation, and that leave the country without any change or processing, are not regarded as data cross-border transfer.

Note 3: Personal information and important data that were not collected or generated in domestic operation but are stored and processed there, and that do not involve personal information or important data collected and generated in domestic operation, are not regarded as data cross-border transfer.


Page 51

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Assessment principle:
[Flow chart: data cross-border transfer -> is it legal and legitimate? No: restriction of data cross-border transfer. Yes: is the risk controllable? No: restriction of data cross-border transfer. Yes: permission of data cross-border transfer]


Page 52

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Legality and legitimacy assessment:

Legality includes any of the following:
a) the transfer is not prohibited by laws and regulations;
b) the transfer fulfills the provisions of treaties and agreements signed by the Chinese government with other countries, regions and international organizations;
c) the PI subject has agreed, except in an emergency such as danger to the life or property of citizens;
d) the data does not belong to the information that the national cyberspace authority, public security departments, state security departments and other relevant departments have identified as not allowed to leave the country.
Note 1: Making international calls or roaming calls, sending international e-mails, using international instant messaging, conducting cross-border transactions via the Internet, and other actions taken on the individual's own initiative can be regarded as the personal information subject having agreed.
Note 2: Transferring across the border personal information that has already been lawfully disclosed to the public can be regarded as the personal information subject having agreed.
Note 3: Before obtaining the PI subject's consent, the network operator shall inform the PI subject of the destination of the information, the type of data, the data receiver, the possible risks of the transfer, and the network operator's contact person and contact details.
Note 4: When the network operator's privacy rules, the purpose, scope, type or quantity of the cross-border data, the data receiver, or the risks of the transfer change, the consent of the PI subject shall be obtained again.

Legitimacy includes any of the following:
a) necessary for the fulfillment of contractual obligations;
b) necessary for the same organization to carry out its business internally;
c) necessary for Chinese government departments to perform their official duties;
d) needed to maintain cyberspace sovereignty and national security, economic development, social and public interests, or to protect the legitimate interests of citizens.


Page 53

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Security risk assessment:


Page 54

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Reference approach: determine the impact level on personal rights and interests

Key element: sensitivity level                                         Impact level
  Personal sensitive data make up more than 50% of the data              3
  Contains a small amount of personal sensitive information
    (e.g. personal sensitive data less than 50%)                         2
  Only personal data, no personal sensitive data                         1

Modifications:
  Amount:             the impact level can be increased by 1 if the total amount of cross-border personal information in a year is greater than the amount set by the competent authority
  Scope:              the impact level can be increased by 1 if the amount of cross-border personal information is greater than the minimum set that meets the purpose of the transfer
  Technical disposal: the impact level can be reduced by 1 if de-identification measures are taken that effectively prevent the identification of individuals


Page 55

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Reference approach: determine the likelihood of security incidents

Items rated at every level: the management support capability of the sender; the technical support capability of the sender; the management support capability of the receiver; the technical support capability of the receiver; the background of the receiver.

Likelihood level   Major criterion                                          Modification
3                  the value of any item is "low"                           if the value of the political and legal environment is "high", the likelihood level can be reduced by 1
2                  the item values include "intermediate" or "high"         if the value of the political and legal environment is "low", the likelihood level can be increased by 1
                   (no item is "low")
1                  all item values are "high"


Page 56

04 Direction Five: PI cross-border security assessment: Guidelines for Data Cross-Border Transfer Security Assessment

Reference approach: determine the risk level from impact and likelihood

Let's conduct a simple self-assessment and get a preliminary result.

Risk level (rows: impact level; columns: likelihood level of security incidents)

Impact level   Likelihood 1    Likelihood 2    Likelihood 3
>= 5           High            Very high       Very high
4              Intermediate    High            High
3              Low             Intermediate    High
2              Low             Intermediate    Intermediate
1              Low             Low             Intermediate

Restriction of PI cross-border transfer: risk level very high or high.
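The self-assessment invited above, written out as an added Python example; it is not tooling from the guideline or the presentation, but the editor's reading of the three reference-approach slides (impact level, likelihood level, risk matrix). Assumptions it makes: the yearly volume threshold is a parameter, since the draft leaves the figure to the competent authority; a sensitive-data share of exactly 50% is treated as the "small amount" case; and the political/legal-environment modifier is applied exactly as the slide table shows it, lowering only level 3 when "high" and raising only level 2 when "low".

```python
# Added example: a cross-border self-assessment helper following the reference
# approach of the three slides above. Thresholds and modifiers are read from the
# slides; the regulated yearly volume is a placeholder parameter (assumption).

RATINGS = ("low", "intermediate", "high")

CAPABILITY_ITEMS = (
    "sender_management", "sender_technical",
    "receiver_management", "receiver_technical", "receiver_background",
)

# impact level -> (risk at likelihood 1, at likelihood 2, at likelihood 3)
RISK_MATRIX = {
    5: ("high", "very high", "very high"),
    4: ("intermediate", "high", "high"),
    3: ("low", "intermediate", "high"),
    2: ("low", "intermediate", "intermediate"),
    1: ("low", "low", "intermediate"),
}


def impact_level(sensitive_share, annual_volume, regulated_volume,
                 exceeds_minimum_set, effectively_deidentified):
    """Impact level on personal rights and interests (1..5).

    sensitive_share: fraction of transferred records that are personal sensitive
    information; annual_volume / regulated_volume: yearly number of cross-border
    PI records vs. the competent authority's threshold (None = not set, assumed);
    exceeds_minimum_set: more PI than the purpose needs; effectively_deidentified:
    de-identification that effectively prevents identification.
    """
    if not 0.0 <= sensitive_share <= 1.0:
        raise ValueError("sensitive_share must be a fraction between 0 and 1")
    if sensitive_share > 0.5:
        level = 3                      # mostly sensitive data
    elif sensitive_share > 0.0:
        level = 2                      # small amount of sensitive data
    else:
        level = 1                      # ordinary personal data only
    if regulated_volume is not None and annual_volume > regulated_volume:
        level += 1                     # amount modifier
    if exceeds_minimum_set:
        level += 1                     # scope modifier
    if effectively_deidentified:
        level -= 1                     # technical disposal modifier
    return max(1, min(5, level))


def capabilities(default="high", **overrides):
    """Convenience constructor for the five capability ratings."""
    ratings = dict.fromkeys(CAPABILITY_ITEMS, default)
    ratings.update(overrides)
    return ratings


def likelihood_level(ratings, political_legal_env):
    """Likelihood level of a security incident (1..3)."""
    if set(ratings) != set(CAPABILITY_ITEMS):
        raise ValueError(f"rate exactly these items: {CAPABILITY_ITEMS}")
    values = set(ratings.values())
    if not values <= set(RATINGS) or political_legal_env not in RATINGS:
        raise ValueError(f"every rating must be one of {RATINGS}")
    if "low" in values:                # any weak item: level 3, eased by a strong environment
        return 2 if political_legal_env == "high" else 3
    if values == {"high"}:             # everything strong: level 1
        return 1
    return 3 if political_legal_env == "low" else 2   # mixed: level 2, raised by a weak environment


def self_assessment(impact, likelihood):
    """Combine the two levels through the risk matrix and apply the restriction rule."""
    risk = RISK_MATRIX[max(1, min(5, impact))][likelihood - 1]
    return {"impact": impact, "likelihood": likelihood, "risk": risk,
            "transfer_restricted": risk in ("high", "very high")}


if __name__ == "__main__":
    # Mostly sensitive data, above the yearly threshold and beyond the minimum set,
    # going to a receiver with a weak background: the transfer is restricted.
    impact = impact_level(0.6, annual_volume=20_000, regulated_volume=10_000,
                          exceeds_minimum_set=True, effectively_deidentified=False)
    likelihood = likelihood_level(capabilities(receiver_background="low"), "intermediate")
    print(self_assessment(impact, likelihood))
```

The two modifiers that raise the impact level can only be offset by one that lowers it, so a transfer that is both over the yearly threshold and beyond the minimum set cannot be brought below level 4 by de-identification alone; in the matrix, level 4 is "high" (restricted) at any likelihood above 1.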


Page 57

Thank you

Q&A


Page 58

Contact details: Beijing office: Room 2080, Beijing Sunflower Tower No.37, Maizidian Street, Chaoyang District, Beijing 100125, P.R. China Phone: +86 10 85275366-801 Fax: +86 10 8527 6363 E-mail: [email protected]