China’s “Information Security Technology Personal Information Security Specification” in Four Aspects
On December 11th, 2017, there were two kinds of mobile phone APPs, Baidu and Baidu, which were owned by Baidu. They included “listening phone”, “reading short MMS”, “reading contacts”, etc. involving consumer personal information. In the case of security related rights and refusal to rectify the situation, the Jiangsu Provincial Consumer Protection Committee initiated a consumer civil public interest litigation concerning suspected illegal access to consumer personal information and related issues by Beijing Baidu.com, which was held on January 2 of this year in Nanjing. The Intermediate People’s Court has formally opened the case. On January 6th, with the fermentation of Alipay’s annual billing event, the State Administration of Cybernetics Network Security Coordination Bureau interviewed relevant persons in charge of Alipay (China) Network Technology Co., Ltd. and Sesame Credit Management Co., Ltd. and pointed out that Alipay, The way in which sesame credits collect personal information does not conform to the spirit of the National Standard for Information Security Technology and Personal Information Security. It violates the promise of the Personal Information Protection Initiative that it signed shortly and should strictly follow the Cyber Security Law. The following is called the “net security law” requirements, strengthen the comprehensive investigation of the platform, carry out special rectification, and take effective measures to prevent similar incidents from happening again. Since the official implementation of the “Network Security Law”, the National People’s Congress, Industry and Information Technology, Internet Information, Internet Security, and Consumers’ Association systems have launched a series of special inspections and rectifications of personal information throughout the country. At the same time, they have also strengthened punishments for violations of laws and regulations. The public’s emphasis on the protection of personal information.
However, because of the principle, fuzziness and fragmentation of legal norms and local regulatory policies, many articles lack detailed rules for landing, which brings great confusion to many network operators’ personal information compliance work. On December 29 last year, the China National Standardization Administration officially issued the “Information Security Technology Personal Information Security Specification” (hereinafter referred to as the “Safety Code”). On January 24, the national standard full-text publication system officially announced the full text of the specification, and It will be implemented on May 1, 2018. The “Safety Code” clarifies the compliance requirements for the collection, preservation, use, and sharing of personal information in the form of national standards, and provides guidelines for network operators to formulate privacy policies and improve internal controls.
Related legal concepts
Based on the existing principles and provisions of the “Net Security Law”, the “Safety Regulations” specifies the specific definitions of relevant legal concepts in light of the specific issues that network operators are concerned about in practice.
First, regarding personal sensitive information, the “Guide to the Protection of Personal Information in Information and Security Technology Public and Commercial Service Information Systems” implemented in 2013 defined personal sensitive information as personal information that would adversely affect the personal information subject after being exposed or modified. At the same time, it is recommended that the specific content of personal sensitive information in various industries be determined based on the willingness of the personal information subject to the service and their respective business characteristics. The “Safety Regulations” further emphasizes in the definition that the disclosure of personal sensitive information, illegal provision or misuse may endanger the safety of people and property, cause personal reputation, physical and mental health damage or discriminatory treatment and other serious consequences, and in Appendix B A specific example of personal sensitive information was drawn up, linking up with the data classification obligations stipulated in Article 21 of the “Network Security Law”.
Secondly, regarding the collection of personal information, the “Safety Regulations” defines three types of “collection” as the provision of personal information subjects, automatic collection by network operators, and indirect acquisition from third parties. At the same time, exceptions are stipulated and individuals are acquired at terminals. Information not returned to the operator’s server does not belong to “collection.”
Finally, with respect to the anonymization and de-identification of personal information, the “Safety Code” distinguishes the two. The anonymized information cannot be restored and is no longer part of personal information; de-identification processing guarantees Personal information can’t identify the main body of information without relying on additional information, but it still retains the granularity of the individual and uses pseudonyms, encryption, hash functions, etc. instead of the original personal information. In addition, on August 15 last year, the “Information Security Technology Personal Information De-identification Guide” was released for solicitation of public opinions. The contents involved the process of de-identification and technical applications. Currently, the network operators are implementing the personal information during the review stage. Marking work is worth learning from.
Collection of personal information
The “Safety Regulations” stipulates that the collection of personal information should comply with the requirements of legality and minimization. Among them, the requirements for authorization to obtain personal information indirectly and the explicit consent requirements for collecting personal sensitive information are worthy of attention.
When obtaining personal information indirectly, the company as the recipient is obliged to require the provider to explain the source of the relevant personal information and confirm its legitimacy. At the same time, it should also understand the scope of the personal information subject’s authorization to the provider, including the purpose of use and the individual. Whether the information subject is authorized to consent to the transfer, sharing, public disclosure, etc. If the recipient handles personal information beyond the above-mentioned range, it shall also obtain the explicit consent of the personal information subject within a reasonable time limit. Establishing an authorization consent model for indirect collection of personal information is one of the highlights of the Personal Information Collection section of the “Safety Code”. This model reinforces the review obligation of information receivers and increases the corresponding compliance costs.
In the collection of personal sensitive information, first of all, the “Safety Code” further requires the express consent of the personal information subject on the basis of the “Net Security Law” to be a voluntary, concrete, clear and clear wish given by the individual on the basis of full knowledge. Representation; Second, if the personal information controller collects personal sensitive information for the core business functions of its products or services, it shall explicitly inform the information subject of the core business functions it provides, the personal sensitive information it needs to collect, and the personal information subject. Three choices of rights; Finally, if personal information controllers collect personal sensitive information for other additional functions, they should clearly inform specific additional functions and the right to choose personal information, but refuse personal sensitive information required for additional functions. It does not mean that the core business functions have stopped providing.
Sharing of personal information
When entrusting a third party to process personal information, apart from the fact that the commissioning itself must not exceed the scope of the authorized consent of the personal information subject, the “Safety Code” also stipulates that the personal information controller should carry out personal information security impact assessment and take the responsibility of the contract. Obligation, auditing, etc. supervise the trustee and ensure accurate recording and preservation of the trustee’s handling of personal information.
With respect to the sharing and transfer of personal information, the “Safety Code” also stipulates the obligations of the personal information controller on the security impact assessment. At the same time, the personal information controller shall notify the personal information subject of the purpose of sharing, transferring the personal information, and the type of the data receiver. In the case of personal sensitive information, the type of sensitive information, the identity of the recipient of the data, and the security capabilities should also be notified, and sharing or transfer may be made only after obtaining the explicit consent of the personal information subject. In addition, personal information controllers need to accurately record and preserve the sharing and transfer of personal information, and bear the legal responsibility for the harm caused by sharing and transferring personal information to the legitimate rights and interests of the information subject. Where changes in the controlling body occur due to mergers and acquisitions, restructuring, etc., they shall individually notify the subject of personal information.
With regard to the cross-border transmission of personal information, the “Safety Code” requires that personal information controllers should conduct security assessments in accordance with the standards set by the Network Information Office and relevant departments. According to the “Personal Information and Important Data Outbound Security Assessment Methodology (Exposure Draft)” published in April last year, network operators should organize their own data outbound security assessment before leaving the country and be responsible for the results if they contain or accumulate 500,000. If the personal information above the person or the personal information provided by the key information infrastructure is provided to the outside, it shall also be reported to the industry supervisor or the supervisory authority for organizing the safety assessment. The Guidelines for Outbound Security Assessment of Information Security Technology Data (Draft for Solicitation of Comments) (hereinafter referred to as the “Evaluation Guide”) issued by the National Information Security Standardization Technical Committee on August 30 last year are also worthy of attention. The Assessment Guide clearly indicates the data. The use scope and exceptions of outbound security assessments are to refine the types of personal information and important data, increase the disclosure obligation of network operators for personal information, distinguish security self-assessment and assessment processes of competent authorities, and implement personal information for personal information controllers. Cross-border transmission provides a reference.
Safety management requirements
Original Mandarin Chinese: