MIIT published China’s first draft set of national standards for the protection of personal information on February 10, 2012. Organized by the Department of Information Security at MIIT, the new draft guidelines, entitled Information Security Technology: Guide for Personal Information Protection (the "Guide"), are currently open to public comment. At present, there is no comprehensive law or regulation governing the protection of personal information in China.
The Guide sets out both general principles and specific requirements with respect to the collection, processing, transmission, utilization and management of personal information in various information systems. It also specifies the rights of the owners of personal information (the "Owners").
The Guide requires that personal information be processed only for specific and reasonable purposes without any abuse and that Owners be notified of their rights (e.g., the purpose and scope of use) before their personal information is processed. Entities are required to ensure that the personal information collected is accurate and updated and is protected with necessary management and technical measures to prevent unauthorized access, release, loss, leak, destruction or alteration. The Guide also requires that the methods used to process personal information should be reasonable and that no illegal, disguised or indirect collection of personal information is permitted. According to the Guide, the processing of personal information should be subject to the Owners’ consent. The Guide further provides that all inappropriate actions with respect to how personal information is used should be subject to corresponding liabilities.
The Guide further prohibits entities processing personal information (the "Managers") from collecting personal information from juveniles below 16 or collecting any personal information irrelevant to the defined purposes, especially with respect to race, religion, genetic background, fingerprints, health status or sexual activities. Entities are required to formulate and implement detailed policies in connection with their handling of personal information.
According to the Guide, Owners have the right to request that Managers keep their personal information confidential and to inform them of relevant information with respect to how the information is obtained, processed and/or disclosed. The Owners also have the right to demand that any false information be corrected.