(寄递服务用户个人信息安全管理规定) and (邮政行业安全信息报告和处理规定) (referred to collectively as the “Provisions”), issued by the State Postal Bureau of the People’s Republic of China (“SPBC”)
Having established the regime of personal information protection in telecommunication services, the Provisions reflect the legislator’s intention to establish a comprehensive legal environment for personal information protection in China, specific to information protection in postal and delivery services, by setting out the following rules:
Provisions on managing the security of postal and delivery service users’ personal information
- “Postal and delivery service users’ personal information” (“Users’ Information”) is defined as information used in a postal and delivery services process, including the name, address, identification number, telephone number of the sender, and the order number, delivery time and item details.
- The Provisions set out general requirements to protect Users’ Information:
  - Franchised express delivery enterprises must establish safeguards for Users’ Information and specify security responsibilities of the franchisee and franchisor in the franchise agreement. If a franchisor is involved in an information security incident, the franchisee will carry out security management responsibilities.
  - A postal or express delivery enterprise (“Deliverer”) must sign a confidentiality agreement with its employee to clarify confidentiality obligations regarding Users’ Information, and must provide ongoing training and guidance to improve the employee’s knowledge and skills regarding the security of Users’ Information.
  - A Deliverer must establish a mechanism for dealing with complaints related to the security of Users’ Information.
  - If a Deliverer is engaged by business operators of e-commerce or TV shopping to provide delivery services, the engagement agreement must include clauses regarding the security of Users’ Information.
  - If the Deliverer asks a third party to store Users’ Information, the Deliverer must ensure that the third party is qualified to implement information security safeguards and that the third party will be liable for any information security incidents it causes.
  - No Deliverer or Deliverer’s employee is allowed to transfer Users’ Information to a third party without explicit legal authorization or without the users’ written consent.
- The Provisions require Deliverers to strengthen the security of physical and electronic information on waybills.
- They also establish non-compliance liabilities, such as warnings, fines and even criminal liability.
Provisions on reporting and handling security information of the postal sector
- They define “security information that should be reported and handled” as emergency and operational information related to the security of the Deliverer’s daily processes.
- They specify the circumstances under which information is regarded as emergency and operational information related to the security of the Deliverer’s daily processes.
- They provide the deadline for reporting and the guidelines for handling the above types of information.
Date of issue: March 26, 2014. Date of effectiveness: March 26, 2014.