2017 Personal Information Protection Compliance Content and Practice (China)
SESEC translation, for reference only
SESEC translated document
In June 2017, Mr. Yanzhe He from CESI delivered a presentation on "Personal Information Protection Compliance Obligations and Practices" at a meeting. SESEC translated this presentation and distributed it to EU stakeholders.
Please note: the translated documents are for informational purposes only among SESEC stakeholders and should not be construed as business or legal advice. The SESEC team will not be responsible for the accuracy and completeness of the information provided and will accept no liability for errors or omissions. The provisions of the relevant standards introduced at the meeting and in this document reflect the current drafts and may not be final.
Seconded European Standardization Expert in China (SESEC)
A project co-funded by CEN, CENELEC, ETSI, EC and EFTA
CONTENT
01 Background of relevant laws, regulations and standards
02 Personal information protection requirements in Cybersecurity Law
03 Main content of Personal Information Security Specification
04 Practice Direction of Personal Information Protection
Part 01 Background of relevant laws, regulations and standards
PI (personal information) protection has been a focus of attention for Chinese regulators and law enforcement agencies.
2016.4.19 Cybersecurity and Informatization Symposium: "Cybersecurity for the people, Cybersecurity by the people" --- speech by President Xi Jinping
01 Key Rules (laws/regulations/standards)
✓ 2000 Decision of the Standing Committee of the National People's Congress on safeguarding Internet security
✓ 2005 Amendment to the Criminal Law of the People's Republic of China (5th modification)
✓ 2009 Amendment to the Criminal Law of the People's Republic of China (7th modification)
✓ 2012 Decision of the Standing Committee of the National People's Congress on strengthening network information protection
✓ GB/Z 28828—2012 Guideline for personal information protection within information system for public and commercial services
✓ 2013 Provisions on the protection of personal information of telecommunications and Internet users, by MIIT
✓ 2015 Amendment to the Criminal Law of the People's Republic of China (9th modification)
✓ 2016 Cybersecurity Law (Chapter 4: Network and information security)
✓ 2017 Interpretation of several issues concerning the application of law in handling criminal cases of infringing personal information of citizens
✓ 2017 General provisions of civil law
✓ 2017 GB/T Personal information protection specification (draft for approval)
✓ ……
01 Decision of the Standing Committee of the National People's Congress on safeguarding Internet security, 28 December 2000
Example:
Article 4 In order to protect the personal, property and other legal rights of individuals, legal persons and other groups, according to the pertinent provisions of the criminal law, those who commit one of the following acts that constitute an offence shall bear criminal responsibility:
(I) Using the Internet to humiliate others or fabricate facts to slander others;
(II) Illegally intercepting, seizing, distorting or deleting others' e-mail or other data, violating citizens' freedom and secrecy of communication;
(III) Using the Internet to commit theft, swindling or blackmail.
Reference: http://www.npc.gov.cn/wxzl/gongbao/2001-03/05/content_5131101.htm
01 Decision of the Standing Committee of the National People's Congress on strengthening network information protection, 28 December 2012
Example:
Article 2 Network service providers and other enterprise and undertaking work units that collect or use citizens' individual electronic information during their business activities shall abide by the principles of legality, legitimacy and necessity, clearly indicate the objective, methods and scope for collection and use of information, and obtain agreement from the person whose data is collected; they may not violate the provisions of laws and regulations, or the agreement between both sides, in collecting or using information.
Article 4 Network service providers and other enterprise and undertaking work units shall adopt technological measures and other necessary measures to ensure information security and prevent citizens' individual electronic information collected during business activities from being divulged, damaged or lost. When divulging, damage to or loss of information occurs or may occur, remedial measures shall be adopted immediately.
Reference: http://www.npc.gov.cn/wxzl/gongbao/2013-04/16/content_1811077.htm
01 Provisions on the protection of personal information of telecommunications and Internet users, by MIIT, 1 September 2013
Example:
Article 4 Personal user data as named in these regulations refers to users' names, dates of birth, identity card numbers, addresses, telephone numbers, account numbers, passwords and other information with which the identity of the user can be distinguished independently or in combination with other information, as well as the time and place of the user using the service and other information, collected by telecommunications business operators and Internet information service providers in the process of providing services.
Article 5 Telecommunications business operators and Internet information service providers that collect and use personal user data in the process of providing services shall abide by the principles of legality, propriety and necessity.
Article 6 Telecommunications business operators and Internet information service providers are responsible for the security of personal user data collected and used in the process of providing services.
Reference: http://www.miit.gov.cn/n11293472/n11293877/n16381515/n16381547/16389765.html
01 Amendment to the Criminal Law of the People's Republic of China (5) (7) (9)
Example:
Amendment 9, Article 17 Modify Criminal Law Article 253-1 to read: "Violating provisions to sell or provide others with citizens' personal information, where the circumstances are serious, is sentenced to up to three years imprisonment, short-term detention or controlled release and/or a fine; where circumstances are especially serious, the sentence is between three and seven years imprisonment and a concurrent fine.
"Where provisions are violated to sell or provide others with citizens' personal information which was obtained while performing professional duties, and the circumstances are serious, follow the provisions of the preceding paragraph in giving a heavier sentence.
"Where citizens' personal information is stolen or illegally obtained through other means and the circumstances are serious, punishment is in accordance with the provisions of the first paragraph of this article."
References:
http://www.npc.gov.cn/wxzl/gongbao/2005-04/25/content_5337649.htm
http://www.npc.gov.cn/huiyi/cwh/1107/2009-02/28/content_1476563.htm
http://www.npc.gov.cn/npc/xinwen/2015-08/31/content_1945587.htm
01 GB/Z 28828—2012 Guideline for personal information protection within information system for public and commercial services
Personal information administrators should abide by the following basic principles when using information systems to handle personal information:
a) The principle of a clear purpose – handling personal information shall have a specific, clear and reasonable purpose; the scope of use is not to be expanded, and the purpose for handling personal information shall not be changed without the subjects of the personal information being aware of it.
b) The principle of least sufficient use – only the smallest amount of information related to the purpose of handling is to be handled; when the handling purpose is achieved, personal information is to be deleted in the shortest time.
c) The principle of open notification – there is a duty to notify, explain and warn subjects of personal information as well as possible. The purpose for handling personal information, the scope of personal information collection and use, personal information protection measures and other such information are to be truthfully notified to subjects of personal information in clear, easily understandable and appropriate ways.
d) The principle of individual consent – before personal information handling, the consent of the subject of the personal information must be obtained.
e) The principle of quality guarantee – it is to be guaranteed that personal information is kept secret, intact and usable in the process of handling, and that it remains in the newest condition.
f) The principle of security guarantee – adopting appropriate management measures and technical methods suited to the possibility and gravity of harm to personal information, protecting personal information security, and preventing retrieval or disclosure of information without the authorization of the personal information subject, as well as the loss, leakage, destruction and alteration of personal information.
g) The principle of honest implementation – handling personal information according to the commitments made at the time of collection, or on the basis of statutory grounds, and no longer continuing to handle personal information after achieving the fixed purpose.
h) The principle of clear responsibilities – clarifying the responsibilities of personal information handling processes, adopting corresponding measures and implementing corresponding responsibilities, and recording personal information handling processes in such a manner that they can be easily traced back.
01 Cybersecurity Law (CSL), 7 November 2016
Example (detailed introduction in the following slides):
Chapter III: Network Operations Security - Section 1: General Provisions – Article 22
Chapter III: Network Operations Security - Section 2: Operations Security for Critical Information Infrastructure – Article 37
Chapter IV: Network Information Security – Articles 40, 41, 42, 43, 44
Chapter VI: Legal Responsibility – Articles 64, 66
Reference: http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm
01 Interpretation of several issues concerning the application of law in handling criminal cases of infringing personal information of citizens, by the Supreme People's Court and Supreme People's Procuratorate, 9 May 2017
Example:
Article 1 The term "personal information of a citizen" as mentioned in Article 253A of the Criminal Law refers to all kinds of information recorded by electronic means or otherwise that can be used independently or together with other information to identify a particular natural person's identity or reflect particulars of his or her activities, including the natural person's name, ID number, contact information such as e-mail address or phone number, address, account name and password, property conditions, whereabouts and tracks, etc.
Article 5 The act of illegally obtaining, selling or providing citizens' personal information shall be deemed "one resulting in a serious case" as mentioned in Article 253A of the Criminal Law in the case of any of the following circumstances:
3. illegal procurement, sale or provision of more than 50 pieces of information concerning geographic location, content of correspondence, credit history, and financial assets of an individual;
4. illegal procurement, sale or provision of more than 500 pieces of information concerning records of accommodation or correspondence, health, transaction, or other personal data that may affect the safety or any property/assets of an individual;
5. illegal procurement, sale, or provision of more than 5,000 pieces of personal information other than the above;
Reference: http://www.spp.gov.cn/xwfbh/wsfbt/201705/t20170509_190088.shtml
01 General provisions of civil law, 15 March 2017
Example:
Article 111 The personal information of a natural person shall be protected by law. Any organization or individual needing to obtain the personal information of other persons shall legally obtain and ensure the security of such information, and shall not illegally collect, use, process, or transmit the personal information of other persons, nor illegally buy, sell, provide, or publish the personal information of other persons.
Reference: http://www.chinacourt.org/law/detail/2017/03/id/149272.shtml
01 GB/T Personal information protection specification (draft for approval)
Introduced in Part 3.
Refer to the laws, regulations and standards mentioned above.
To sum up: PI protection was not initiated by the Cybersecurity Law. It is a long-term process of accumulation.
Part 02 PI protection requirements in Cybersecurity Law
The Cybersecurity Law forms a "watershed effect".
The PI protection requirements in the Cybersecurity Law are the basic framework and are further strengthened.
02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)
—— China Cybersecurity Law dedicates a whole chapter to information security: Chapter IV, Network Information Security.
—— Articles 40-44 cover personal information protection; they are set against the GDPR for a better understanding.
Cybersecurity Law of China: Article 40 Network operators shall keep the user information they have collected strictly confidential and establish and improve user information protection systems.
GDPR: Accountability of data controller
02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)
Cybersecurity Law of China: Article 41 When collecting or using personal information, network operators shall comply with the principles of lawfulness, justification and necessity, publicize the rules for collection and use, clearly indicate the purposes, methods and scope of the information collection and use, and obtain the consent of those from whom the information is collected.
A network operator shall not collect personal information irrelevant to the services it provides, or collect or use personal information in violation of the provisions of laws and administrative regulations and the agreements between both parties, and shall process the personal information it has stored in accordance with the provisions of laws and administrative regulations and the agreements with the user.
GDPR: Principle of lawfulness, fairness and transparency; Principle of purpose limitation; Principle of data minimisation
02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)
Cybersecurity Law of China: Article 42 Network operators shall not divulge, tamper with or damage the personal information they have collected; they shall not provide such personal information to others without the consent of those from whom the information is collected, except for information that has been processed so that it cannot be recovered and no particular individual may be identified through it.
Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent the personal information from being divulged, damaged or lost. When personal information is or might be divulged, damaged or lost, they shall take remedial measures immediately, notify the users in a timely manner in accordance with relevant provisions and report the same to the relevant competent authorities.
GDPR: Anonymized data; Principle of accountability; Principle of integrity and confidentiality; Mandatory data breach notification
02 China Cybersecurity Law compared to the General Data Protection Regulation (GDPR)
Cybersecurity Law of China: Article 43 If any person finds that a network operator collects or uses his/her personal information in violation of the provisions of laws and administrative regulations or the agreements between both parties, the person shall have the right to require the network operator to delete his/her personal information; if the person finds that his/her personal information collected or stored by the network operator is erroneous, the person shall have the right to require the network operator to make a correction. The network operator shall take measures to delete or correct such information.
GDPR: Rights of the data subject: right to delete; right to rectify
02 Other provisions of China Cybersecurity Law
Article 44 No individual or organization may steal or otherwise illegally obtain personal information, or illegally sell or provide personal information to others.
Article 37 Personal information and important business data [important data] collected and generated in the operation of key information infrastructure operators within the territory of the People's Republic of China shall be stored within the territory. Where it is necessary to provide such information and data abroad due to business needs [operational needs], a security assessment shall be carried out according to the measures formulated by the national Internet information department in conjunction with the relevant departments of the State Council; if there are other provisions in laws and regulations, those provisions shall prevail.
The specific implementation of this article will be interpreted later.
Part 03 Main content of Personal Information Security Specification
Basically covers the principles and requirements of existing personal information protection.
The core idea is problem-driven and practical.
An important reference for compliance.
03 PI protection typical problems —— Problem-driven
• Collecting PI excessively, secretly, deceptively, forcibly or unlawfully
• Purchasing data unlawfully
• Mandatory push of commercial advertising
• Storing and using personal information without limit
• Using personal information where it is not essential to maintaining personal identity
• Changing the purpose of using personal information
• Providing personal information without consent
• Illegal disclosure of personal information
• Internal staff illegally reselling personal information
• Ignoring the user's queries and complaints
• Outsourcing processes leading to personal information breaches
• After a business fails, disposing of personal information freely
• Platforms lacking control over commercial tenants in collecting and using personal information
03 National Standard —— Personal Information Security Specification
Introduction
The task force was established on May 12, 2016. The National Information Security Standardization Technical Committee (TC260) approved this project proposal on July 11th and designated it as a priority standardization task. The standard is now being submitted for approval.
During the public consultation of the standard, hundreds of comments were received, and were carefully studied and absorbed. Participating organizations include representative Internet companies, the European Union Chamber of Commerce and the United States Information Technology Office (USITO).
03 National Standard —— Personal Information Security Specification
Scope
Principles and security requirements for PI processing (collection, preservation, use, transfer, sharing, public disclosure).
Applies to organizations that standardize their PI processing activities, and to supervisory departments and third-party assessment agencies that supervise, manage and assess PI processing activities.
Major object: the personal data controller, i.e. an organization or person that decides the purpose and method of processing personal information.
03 References
Standards:
[1] GB/Z 28828-2012 Information security technology – Guideline for personal information protection within information system for public and commercial services
[2] GB/T 32921—2016 Information security technology – Security criterion on supplier conduct of information technology products
[3] ISO/IEC FDIS 29100:2011(E) Information technology – Security techniques – Privacy framework
[4] ISO/IEC FDIS 29101(E) Information technology – Security techniques – Privacy architecture framework
[5] ISO/IEC 2nd CD 29134 Information technology – Security techniques – Privacy impact assessment
[6] ISO/IEC 2nd CD 29151 Information technology – Security techniques – Code of practice for personally identifiable information protection
[7] NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
[8] NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
[9] NISTIR 8062 (Draft) Privacy Risk Management for Federal Information Systems
[10] ISO/IEC 1st WD 29184 Information technology – Security techniques – Guidelines for online privacy notices and consent
[11] CWA 16113:2012 Personal Data Protection Good Practices
Laws and regulations:
Domestic laws and regulations: see Part 01.
EU and US PI legislation:
[5] EU General Data Protection Regulation [2015-5-24]
[6] EU-U.S. Privacy Shield [2016-2-2]
[7] Consumer Bill of Rights, White House, 2012.2
International rules:
[8] The OECD Privacy Framework, OECD 2013
[9] APEC Privacy Framework, APEC 2005.12
03 Several important definitions
personal information: a variety of information recorded by electronic or other means that can be used, individually or in combination with other information, to identify a particular natural person's identity or reflect a particular natural person's activity.
Note 1: Personal information includes name, date of birth, identity document number, personal biometric information, address, communication and contact information, communication records and content, account password, property information, credit information, whereabouts, accommodation information, health and physical information, and so on.
Note 2: Please refer to Appendix A for the scope and type of personal information.
personal sensitive information: personal information whose disclosure, illegal provision or misuse may lead to damage to personal and property safety, personal reputation, physical and mental health, or to discriminatory treatment.
Note 1: Personal sensitive information includes identity document number, personal biometric information, bank account number, communication records and content, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information.
Note 2: Refer to Appendix B for the scope and category of personal sensitive information.
Innovation point: two ways, definition and exemplifying.
Individual sensitive information whose use, tampering or disclosure may bring significant risks to the rights of natural persons should be given enhanced protection. This standard provides both specific examples and refined rules.
03 PI vs PII or other definitions
Typical PII: a mobile phone number
✓ No doubt, a mobile phone number can be identified to an individual and belongs to typical personal information.
✓ The commercial value of PII itself lies in the link path.
✓ Value of the link path.
Several PI or several pieces of personal activity information: several travel records (path, brand, time, etc.)
✓ A single travel record or path cannot be associated with an individual, but multiple records can separate the person associated with the information from the crowd (similar to a precise portrait). Who he/she is is not the most important thing.
✓ Personal activity information reflects more commercial value (for example, frequently taking taxis at night suggests he/she often works overtime; taking high-end taxis suggests a white-collar worker, etc.).
✓ Value of more business opportunities.
Today's PI protection concept: Mobile No. 18XXXXXXXXX vs QR code
Conclusion
✓ Obviously, PII, PI and personal activity information all impact personal interests, so all need protection;
✓ The analysis of PI must be placed in its scenario. Information that can affect individual rights and interests, and that occurs together with other PI, shall be protected.
✓ The defined text is not the most important thing; protecting personal rights is the most important thing.
03 Several important definitions
collect: obtaining control of personal information, whether provided on the initiative of the personal data subject, acquired automatically through interaction, or obtained indirectly by transfer or sharing.
public disclosure: an act of releasing information to the public or to a specific group.
transfer: the process by which the personal data controller is changed.
sharing: a process in which a personal data controller provides data to other controllers and each has independent control of the data.
03 Basic Principles of Personal Information Security
Personal data controllers follow the following basic principles when processing personal information:
a) Principle of consistent rights and responsibilities —— to take responsibility for the damage caused by personal information processing activities to the legal rights and interests of the personal data subject.
b) Principle of clear purpose —— data controllers shall have a legitimate, fair, necessary, specific and clear purpose to process personal information.
c) Principle of consent and choice —— data controllers shall make clear to the personal data subject the purpose, method, scope and rules of personal data processing and obtain the personal data subject's consent; the personal data subject has the right to give selective consent to matters other than the Minimum Set of Personal Information.
d) Principle of minimum necessity —— data controllers shall process the minimum amount of information necessary to fulfill the user's purpose authorized by consent, unless the personal data subject agrees otherwise. After the purpose is fulfilled, the personal information should be deleted in time as agreed.
03 Basic Principles of Personal Information Security
Personal data controllers follow the following basic principles when processing personal information:
e) Principle of openness and transparency —— data controllers shall provide the scope, purpose and rules of personal information processing as clear, understandable and fair public information, which is subject to external supervision.
f) Principle of security assurance —— data controllers shall have security capability matching the potential security risks, and adopt adequate administrative measures and technical methods to ensure the confidentiality, integrity and availability of personal information.
g) Principle of subject participation —— data controllers shall provide the personal data subject with methods to access, amend and delete their personal information, as well as methods to withdraw consent and deregister.
03 Security requirements of PI processing
1 Collection of PI
• Legitimacy requirements
• Minimization requirements
• Explicit consent and exceptional circumstances
• The content and publication of the PI protection policy
2 Preservation of PI
• Minimum PI storage period
• De-identification
• Storage requirements
• Personal data controller stopping operation
3 Delegated processing, sharing, transfer and public disclosure of PI
• Delegated processing requirements
• Sharing, transfer and public disclosure requirements
• Joint personal data controller requirements
• Cross-border transfer requirements
4 Use of PI
• Access control measures
• Restrictions on using and displaying PI
• Access, rectification, deletion, withdrawal of consent, cancellation of accounts, obtaining copies and other mechanisms
• Response to personal data subject requests
03 Requirements of security management
Requirements of organization management
• Specified principal department and personnel
• Conduct personal information security impact assessment
• Data security capability
• Personnel management and training
• Security audit
Security incidents handling
• Response and reporting of security incidents
• Notification of security incidents
03 Notable provisions
5.1 Collect PI legally
a) shall not deceive, trick or force the personal information subject into providing their personal information;
b) shall not conceal the automatic personal information collection functions of the product or service;
c) shall not obtain personal information from illegal channels;
d) shall not collect information that laws and regulations prohibit collecting.
5.4 Indirect access to PI with explicit consent
a) The personal information provider shall be required to indicate the source of the personal information and to confirm its legality.
b) The organization shall be aware of the scope of authorization of the personal information obtained by the personal information provider, including the purpose of use and whether the personal information subject has authorized transfer, sharing, public disclosure and so on. If the organization's personal information processing activities need to go beyond the scope of that authorization, the express consent of the personal information subject shall be obtained within a reasonable period after obtaining the personal information, or before processing it.
03 Notable provisions
5.3 Explicit consent when collecting personal information bymeans of proactive or automated collectionA) Before collecting personal information by means of proactive or automatic collection, shall inform the individual information subject of the core business functions of the supplied product or service and the minimum set of personal information collected, and shall expressly inform the impact that refusal to provide or reject the consent will bring. Shall allow the personal information subject to choose whether to provide or agree to automatic collection;B) Where additional additional functions are required for products and services, and more personal information thanthe minimum set needs to be collected, the personal information subject shall be stated one by one of the personalinformation necessary to complete the additional function before the collection, and allow the individual informationsubject selects whether to provide or agree to automatic collection. When the personal information subject isrejected, no corresponding additional function is provided, but shall not stop providing the core business functionon the basis of this, and shall guarantee the corresponding service quality;C) shall inform the personal information subject of the data security capacity of personal information controllorbefore the collection ;D) When collecting personal information, shall obtain the express consent of the personal information subject. 
Shallensure that the express consent is a voluntary, explicit and clear expression of wish, for example, take the measuresof personal information subject taking initiative to declare (electronic or paper form), taking the initiative to check,taking the initiative to click "agree" and so on;E) Shall obtain the explicit consent of him or his guardian before the collection of personal information of a minorwho is at least 14 years of age; and obtain the express consent of the guardian for a minor under the age of 14 years;F) Shall protect the right of the personal information subject to refuse to use his personal information for thepromotion of commercial advertising.
03 Notable provisions
5.5 Exclusion of explicit consent
In the following cases, the collection of personal information does not require the consent of the personal information subject:
A) related to national security and national defense;
B) related to public safety, public health or significant public interest;
C) related to criminal investigation, prosecution, trial and enforcement;
D) for the protection of the life, property and other major legitimate rights and interests of the personal information subject or of other individuals, where it is difficult to obtain the consent of the personal information subject;
E) the personal information collected has been made public by the personal information subject;
F) the personal information is collected from legally and publicly disclosed information, such as lawful news reports, government information disclosure and other channels;
G) necessary to sign a contract at the request of the personal information subject;
H) necessary to maintain the safety and compliance of the products and services provided, for example the discovery and disposal of malfunctions of products and services;
I) necessary for lawful news reporting;
J) personal information that is necessary for academic research institutions to carry out statistics or academic research in the public interest, where the institutions provide the results of the academic research or description, and the personal information contained in the results is de-identified;
K) other circumstances provided for by laws and regulations.
6.2 De-identification
After collecting personal information, it shall be immediately de-identified, and technical and management measures shall be taken to separate the de-identified data from the information that can be used to restore the identity of the individual, and to ensure that individuals are not re-identified in subsequent personal information processing.
6.4 PI controller out of service
When a personal information controller ceases to operate its products or services, it shall:
A) immediately cease any continued collection of personal information;
B) inform the personal information subject of the suspension of operation, either one by one or by public notice;
C) delete or anonymize the personal information it holds.
7.3 Restrictions on the use of personal information
A) Unless necessary for business functions, personal information should be used after eliminating explicit identity and avoiding precise targeting of specific individuals. For example, in order to accurately evaluate personal credit status, direct user portraits can be used, while only indirect user portraits should be used for commercial advertising purposes;
B) Personal information includes information generated by processing the collected personal information that can be used, alone or in combination with other information, to identify a natural person or to reflect the personal circumstances of a natural person. It shall be used within the scope of the authorization obtained when collecting the personal information;
C) The use of personal information shall not exceed the scope that has a direct or reasonable connection with the purpose claimed when collecting the personal information. When the use of personal information needs to exceed that scope due to business requirements, the express consent of the personal information subject shall be obtained again.
Note: The use of collected personal information for academic research or for describing the general state of nature, science, society, the economy and so on is within the scope of reasonable association with the purpose of collection. However, when the results of the academic research or description are provided, the personal information contained in the results shall be de-identified.
7.6 Deletion of personal information
A) In the following circumstances, when the personal information subject requests deletion, the personal information controller shall promptly delete the personal information:
1) the personal information controller collected and used personal information in violation of laws and regulations;
2) the personal information controller collected and used personal information in violation of its agreement with the personal information subject;
B) If the personal information controller shares or transfers personal information to a third party in violation of laws and regulations or of its agreement with the personal information subject, and the personal information subject requests deletion, the personal information controller shall immediately stop the sharing or transfer and notify the third party to delete the information in a timely manner;
C) If the personal information controller publicly discloses personal information in violation of laws and regulations or of its agreement with the personal information subject, and the personal information subject requests deletion, the personal information controller shall immediately stop the public disclosure and issue a notice requesting the relevant recipients to delete the corresponding information.
7.8 PI subject cancels account
A) A personal information controller that provides its service through registered accounts shall provide the personal information subject with a method of canceling the account, and the method shall be easy to operate;
B) After the personal information subject cancels his/her account, the personal information controller shall delete or anonymize the personal information.
8.1 Delegated processing
When delegating the processing of personal information, the following requirements shall be obeyed:
A) the delegated processing shall stay within the purposes for which the express consent of the personal information subject was obtained;
B) The personal information controller shall conduct a personal information security impact assessment for the delegated processing, and ensure that the delegated processor has sufficient data security capability and provides a sufficient level of security protection;
C) The delegated party shall be required to:
1) deal with personal information in strict accordance with the requirements of the personal information controller; if, for special reasons, the delegated party does not deal with personal information in accordance with those requirements, timely feedback shall be given;
2) obtain the authorization of the personal information controller before any re-delegation;
3) assist the personal information controller in meeting the requests made by the personal information subject under articles 7.4 to 7.10 of this standard;
4) give timely feedback if it is unable to provide adequate security, or if a security incident occurs while dealing with the personal information;
5) no longer retain the personal information when the delegation relationship ends;
D) The personal information controller shall supervise the delegated party, including but not limited to: 1) confirming the liabilities and obligations of the delegated party by means of contract; 2) auditing the delegated party;
E) Accurately record and retain the relevant information on the delegated processing.
8.6 Cross-border PI transfer requirement
Before the cross-border transmission of personal information collected and generated in the territory of the People's Republic of China, a security assessment shall be carried out in accordance with the methods and standards established by the relevant governmental departments of China.
Refer to the Measures on the Security Assessment for Personal Information and Important Data and the Guidelines for Data Cross-border Transfer Security Assessment (draft).
03 How to control the Standard quality and application effect
Effectiveness: immediate effect on the status of PI security?
Comprehensiveness: cover all points? Overlapping parts?
Operability: operability? Applicability?
Negative impact: not applicable? Curbs development?
Practice Direction of PI Protection
Laws and regulations for the compliance program
National standards for compliance
Promote business development with compliance
Part 04
04 Direction one: 3-phase conformity self check
Step 1: self check by laws
Step 2: self check by regulations
Step 3: refer to standards
04 Direction two: Standardize PI process (refer to the Personal Information Security Specification)
Innovation point: Annex C, template for the data subject's express consent
A personal information controller can design its function interface by referring to the template in Annex C, so that PI subjects can fully exercise their right to choose whether to consent. The function interface should be presented by the PI controller to the PI subject before the PI controller collects the personal information, for example during the product installation process, when the PI subject uses the product or service for the first time, or when the PI subject registers.
04 Direction three: Standardize PI process (refer to the Personal Information Security Specification)
Innovation point: Annex D, template for the PI protection policy
The personal information protection policy is an important manifestation of the PI controller following the principle of openness and transparency, an important measure to ensure the PI subject's right to know, and an important mechanism for constraining the controller's own behavior to meet the requirements of supervision and management. The personal information protection policy should clearly, accurately and completely describe the personal information processing behavior of the PI controller.
04 Direction four: PI security impact assessment (refer to the PI security impact assessment guideline, under drafting)
Loss of the right of self-determination (e.g. being forced, or lacking a channel to correct personal information)
Discriminatory treatment (e.g. discrimination following a leak of illness or marriage information)
Damage to personal reputation and mental pressure (e.g. disclosure of private habits or past experience)
Damage to personal property (e.g. account theft, fraud)
04 Direction four: De-identification (refer to the PI de-identification guideline, under drafting)
Re-identification risk:
Isolation: isolating the data of a particular PI subject from that of other PI subjects;
Association: associating different data sets belonging to the same PI subject;
Inference: inferring a particular attribute from other attributes.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Several important definitions
Domestic operation
An activity carried out by a network operator in the territory of the People's Republic of China to provide a product or service.
Note 1: A network operator that is not registered in the territory of the People's Republic of China but operates within the territory of the People's Republic of China, or provides products or services to the People's Republic of China, carries out domestic operation. The reference factors for determining whether a network operator carries out business in the People's Republic of China, or provides products or services to the People's Republic of China, include but are not limited to: the use of the Chinese language; the use of RMB as the settlement currency; the distribution of goods to China.
Note 2: Network operators in the territory of the People's Republic of China are not regarded as carrying out domestic operation only if they merely do business with, or provide goods or services to, foreign institutions, organizations or individuals, and do not involve personal information or important data of domestic citizens.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Several important definitions
Data cross-border transfer
One-off or continuous activities by which a network operator provides personal information and important data generated and collected in the territory of the People's Republic of China, directly or by means of business, services and products, to overseas institutions, organizations or individuals.
Note 1: The following circumstances are data cross-border transfer: providing personal information and important data to a subject that is within the territory but is not under the jurisdiction of the country or is not registered within the territory; data that is not transferred outside the country but is accessed by foreign institutions, organizations or individuals (except for public information and web pages); internal data of a network operator that is transferred from the territory to the outside and involves personal information and important data collected and generated within the territory.
Note 2: Personal information and important data that are not collected or produced in domestic operation, and that leave the country without any change or processing, are not subject to data cross-border transfer.
Note 3: Personal information and important data that are not collected or produced in domestic operation but are stored and processed there, and that do not involve personal information and important data collected and produced in domestic operation, are not subject to data cross-border transfer.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Assessment principle:
Data cross-border: is the transfer legal and legitimate? If no: restriction of data cross-border transfer.
If yes: is the risk controllable? If yes: permission of data cross-border transfer. If no: restriction of data cross-border transfer.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Legality and legitimacy assessment:
Legality includes any of the following:
A) not prohibited by laws and regulations;
B) fulfilling the provisions of treaties and agreements signed by our government with other countries, regions and international organizations;
C) the PI subject has agreed, except in emergencies such as those endangering the life and property of citizens;
D) not belonging to the information that the national network competent authority, public security departments, security departments and other relevant departments identify as not allowed to leave the country.
Note 1: Making international and roaming calls, sending international e-mails, conducting international instant messaging, cross-border transactions via the Internet, and other personal initiatives can be regarded as the personal information subject having agreed.
Note 2: Transferring across the border personal information that has been legally disclosed to the public can be regarded as the personal information subject having agreed.
Note 3: Before obtaining the consent of the PI subject, the network operator shall inform the PI subject of the destination of the information, its type, the data receiver, the possible risks of the data transfer, and the contact person and contact information of the network operator.
Note 4: When the privacy rules of the network operator, the purpose, scope, type and quantity of the cross-border data, the data receiver, or the risk of the data transfer change, the consent of the PI subject shall be obtained again.
Legitimacy includes any of the following:
A) necessary for the fulfillment of contractual obligations;
B) necessary for the same organization to carry out business internally;
C) necessary for our government departments to perform their official duties;
D) needed to maintain cyberspace sovereignty and national security, economic development, social and public interests, and to protect the legitimate interests of citizens.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Security risk assessment:
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Reference approach: determine the impact level on personal rights and interests
Key element (sensitive level) and resulting impact level:
Personal sensitive data > 50%: impact level 3
Contains a small amount of personal sensitive information (e.g. personal sensitive data < 50%): impact level 2
Only personal data, not including personal sensitive data: impact level 1
Modifications:
Amount: the impact level can be increased by 1 if the total amount of cross-border personal information in a year is greater than the amount regulated by the competent authority.
Scope: the impact level can be increased by 1 if the amount of cross-border personal information is greater than the minimum set that can meet the purpose of the cross-border transfer.
Technical disposal: the impact level can be reduced by 1 if de-identification measures are taken that effectively prevent the identification of individuals.
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Reference approach: determine the likelihood of security incidents
Major criteria (for every level): the management support capabilities of the sender; the technical support capabilities of the sender; the management support capabilities of the receiver; the technical support capabilities of the receiver; the background of the receiver.
Likelihood level 3: the value of any item is "low". Modification: if the value of the political and legal environment is "high", the likelihood level can be reduced by 1.
Likelihood level 2: the values of the items include "intermediate" or "high". Modification: if the value of the political and legal environment is "low", the likelihood level can be increased by 1.
Likelihood level 1: all values of the items are "high".
04 Direction Five: PI cross border security assessment——Guidelines for Data Cross-Border Transfer Security Assessment
Reference approach: likelihood of security incidents
Restriction of PI cross-border transfer: very high / high level risk.
Let's conduct a simple self-assessment and get a preliminary result.
Risk level by impact level (rows) and likelihood level of security incidents (columns 1, 2, 3):
Impact level ≥5: High, Very High, Very High
Impact level 4: Intermediate, High, High
Impact level 3: Low, Intermediate, High
Impact level 2: Low, Intermediate, Intermediate
Impact level 1: Low, Low, Intermediate
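A worked version of the reference approach above (impact level with its three modifiers, likelihood level with the environment modifier, the risk matrix, and the restriction decision), added here as an example; it is not part of the original presentation or of the guideline. The function names, the encoding of the inputs, the treatment of a share of exactly 50% and the application of the political/legal environment modifier at every likelihood level are assumptions.

```python
"""Preliminary cross-border PI transfer self-assessment following the
reference approach in the slides (impact level, likelihood level, risk matrix).
Added example: names, input encoding and sample values are constructed here."""

VALUES = ("low", "intermediate", "high")

def impact_level(sensitive_share: float, exceeds_regulated_yearly_amount: bool,
                 exceeds_minimum_set: bool, de_identified: bool) -> int:
    """Sensitivity sets the base level (3 / 2 / 1); the three modifiers from
    the slide adjust it by one each. Assumption: a share of exactly 50% is
    treated as the 'small amount' case, which the slide leaves unspecified."""
    if sensitive_share > 0.5:
        level = 3          # personal sensitive data > 50%
    elif sensitive_share > 0:
        level = 2          # small amount of personal sensitive information
    else:
        level = 1          # only personal data, no sensitive data
    if exceeds_regulated_yearly_amount:
        level += 1         # yearly amount above the regulated amount
    if exceeds_minimum_set:
        level += 1         # more than the minimum set for the purpose
    if de_identified:
        level -= 1         # effective de-identification measures taken
    return max(level, 1)

def likelihood_level(items: dict, political_legal_env: str) -> int:
    """items maps the five criteria (sender/receiver management and technical
    support, receiver background) to 'low' / 'intermediate' / 'high'.
    Assumption: the political/legal environment modifier applies at any
    level and the result is clamped to 1..3."""
    vals = list(items.values())
    if len(vals) != 5 or any(v not in VALUES for v in vals):
        raise ValueError("expected five criteria rated low/intermediate/high")
    if "low" in vals:
        level = 3          # any item rated low
    elif all(v == "high" for v in vals):
        level = 1          # all items rated high
    else:
        level = 2          # mix of intermediate and high
    if political_legal_env == "high":
        level -= 1
    elif political_legal_env == "low":
        level += 1
    return min(max(level, 1), 3)

# Risk matrix from the slide: impact level (rows, >=5 collapsed) x likelihood 1..3.
RISK_MATRIX = {
    5: ("high", "very high", "very high"),
    4: ("intermediate", "high", "high"),
    3: ("low", "intermediate", "high"),
    2: ("low", "intermediate", "intermediate"),
    1: ("low", "low", "intermediate"),
}

def risk_level(impact: int, likelihood: int) -> str:
    return RISK_MATRIX[min(impact, 5)][likelihood - 1]

def transfer_restricted(risk: str) -> bool:
    """The slide restricts cross-border transfer at very high / high risk."""
    return risk in ("high", "very high")
```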
Thank You
Q&A
Contact details: Beijing office: Room 2080, Beijing Sunflower Tower No.37, Maizidian Street, Chaoyang District, Beijing 100125, P.R. China Phone: +86 10 85275366-801 Fax: +86 10 8527 6363 E-mail: [email protected]