The National Information Security Standardisation Technical Committee (commonly known as “TC260”) published the “Information Security Technology – Personal Information Security Specification” (the “Specification”) on 24 January 2018. Although the Specification is a recommended (non-mandatory) standard, its requirements are widely regarded as best practice in China.
The Specification sets out detailed requirements concerning the collection, processing, storage and use of personal information. Amongst other things, the Specification:
- defines “personal sensitive information” and provides a non-exhaustive list of examples. A data subject’s explicit consent must be obtained before any personal sensitive information is collected, and the processing and storage of such information are subject to additional requirements;
- requires a data controller to carry out due diligence before obtaining personal information from another party, so that it clearly knows the source of the information and the agreed scope within which the information may be processed and used;
- sets out the exceptions where a data subject’s consent is not required, including (but not limited to) where collection of the personal information is necessary to protect the data subject’s life, property or other significant rights and it is difficult to obtain the data subject’s consent; where the data controller collects the information from sources that have been lawfully made public; and where collection is necessary for the data controller to maintain the security or stable operation of the products or services it supplies to the data subject;
- distinguishes anonymisation from de-identification, and identifies the circumstances in which each is considered a sufficient processing measure;
- emphasises the protection of data subjects’ rights. For example, a data subject has an express right to withdraw consent. Where a decision that significantly affects a data subject’s interests is made solely by automated means, the data controller must provide the data subject with channels to lodge a complaint;
- sets out requirements that a data controller must follow when engaging a data processor. For example, the data controller must carry out a security assessment of the processor. The Specification also sets out the rules governing the sharing and transfer of personal information between parties;
- restates the requirements for responding to security incidents. Among other things, it sets out the items that must be included in reports to the relevant government authorities and in notifications to affected data subjects; and
- specifies how an organisation should establish its internal personal information protection management system, and which technical measures must be implemented in daily operations.