On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.
The Specification divides personal information into two categories: personal information and sensitive personal information. “Sensitive personal information” includes personal information such as financial information, identifying information (such as an ID card, social insurance card, passport or driver’s license) and biological identifying information. The Specification provides specific requirements for the collection and use of sensitive personal information, as well as a sample functional interface with a data subject which could be incorporated by an enterprise in its products or services for the collection of sensitive personal information. The sample functional interface is a template for an interactive web page or software that is designed in accordance with the Specification, shows information such as the purpose, scope and transfer of personal information, and contains a checkbox to obtain consent.
The Specification reiterates the applicability of the principles of legitimacy and minimization, and the obligation to obtain the consent of a data subject, when collecting personal information, as well as the requirement to formulate and publish a privacy policy. These appear in earlier privacy-related laws and regulations, such as the Cybersecurity Law. In addition, the Specification provides several exceptions to the consent requirement, including when the collection and use of personal information is (1) directly related to national security, public security, a matter of material public interest, the investigation or trial of a crime or the enforcement of a judgement, or (2) requested by a data subject and is necessary for the execution and performance of a contract. The Specification also includes a template privacy policy. When collecting personal information indirectly from a third party (rather than directly from the data subject), an entity must require the party providing the information to explain the source by which the personal information was originally obtained, and to check whether that party obtained the consent of the data subject for the sharing, transfer or disclosure of the personal information.
According to the Specification, personal information must be retained for only the minimum extent necessary, and must be deleted or anonymized after the expiration of the retention period. Encryption measures must be adopted whenever sensitive personal information is retained. When a personal information controller ceases to provide a product or service, it must inform the relevant data subjects and must delete or anonymize all personal information retained in relation to the data subjects.
When an enterprise uses personal information, it must adopt controls on access and restrictions on the display of the information. The use of personal information must not go beyond the purpose stated when collecting it. Personal data subjects have the right to request correction, deletion and copies of personal information that pertains to them, as well as the right to withdraw their consent to the collection and use of the personal information. An enterprise must respond to the request of a data subject for correction, deletion or copying once it has verified his or her identity.
When an enterprise engages a third party to process personal information, it must conduct a security assessment to ensure that the processor possesses sufficient security capabilities. The enterprise must also require the third party to safeguard the personal information, and must also supervise the third party’s processing of the personal information. If an enterprise needs to share or transfer personal information, it must conduct a security assessment and adopt security measures, inform the data subjects of the purpose of the sharing or transfer and of the categories of recipients, and obtain the consent of the data subjects.
An enterprise must formulate a contingency plan for security incidents that involve personal information and conduct emergency drills at least once a year. In the event of an actual data breach incident, the enterprise must inform the affected data subjects by email, letter, telephone or other reasonable and efficient method. The notice must include information such as the substance of the incident and its impact, remedial measures that have been taken or will be taken, suggestions for the data subjects on how to reduce risks, remedial measures made available to data subjects, and the responsible person and his or her contact information.
The Specification requires entities to clarify which of their departments and staff would be responsible for the protection of personal information, and to establish a system to evaluate impacts on the security of personal information. Enterprises must also implement staff training and audit the security measures which they have adopted to protect personal information.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code