Discerning Data
A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
China Releases New Personal Information Privacy Standards

On January 25, 2018, China released the final version of the Personal Information Security Specification, a new set of voluntary standards on the protection of personal information. The standards anticipate and address the “issues faced in personal information security during the rapid development of IT technology; with the protection of personal information as their core” and are meant to “regulate all phases of big data operations and related conduct, such as the collection, storage, processing, use and disclosure of personal information.” The standards will go into effect on May 1, 2018.

The standards will apply to organizations that use information systems to process personal information; specific departments involved in network security; third-party assessment organizations; and other organizations that deal with the oversight, management, and assessment of personal information security. Generally, they lay out the following eight basic principles of personal information security.

  1. Responsibility Principle: Organizations should bear responsibility for the security of all personal information they possess, regardless of the path through which that information was obtained.
  2. Clear Purpose Principle: There should be a lawful, legitimate, and specific purpose for personal data processing, and the purpose for the personal data processing must not be changed without authorization from the personal data subject.
  3. Smallest Adequate Amount Principle: Except where it has been agreed otherwise with the personal data subject, only the smallest amount of information necessary to satisfy the purposes should be processed. After the purposes are achieved, the personal information should be promptly deleted in accordance with agreements.
  4. Principle of Consent and Choice: The personal data subject should be allowed to choose whether to consent to the processing of their personal information, including agreeing on its purposes, methods, and scope, and when changes are made the personal data subject’s consent should be solicited again. A personal data subject’s refusal to give consent must not be grounds for refusing to provide them services or for reducing the quality of services, except where the services rely on the user’s personal information.
  5. Quality Assurance Principle: In the course of processing personal information, the accuracy, veracity, validity, and usability of the personal information should be ensured.
  6. Security Assurance Principle: Appropriate management principles and technological measures should be employed to ensure security in all phases of processing personal information.
  7. Subject Participation Principle: Personal data subjects should be provided measures to access, correct, and delete their personal information, as well as to withdraw consent, deregister accounts, and so forth.
  8. Principle of Openness and Transparency: The scope, purpose, and rules for processing personal information should be disclosed in a clear, understandable, and reasonable fashion, and, when necessary, outside supervision should be accepted.

The standards also provide definitions for data privacy terms such as personal information, personal sensitive information, personal data subject, personal data controller, explicit and implied consent, disclosure, transfer, anonymization, and pseudonymization.

These new standards come on the heels of China’s new Cybersecurity Law, which took effect in June 2017, and add to China’s complex and evolving data protection regime. The Cybersecurity Law regulates the construction, operation, maintenance and usage of networks, as well as network security supervision and management within mainland China. It mandates several forms of data-related regulation, including requiring that certain types of information be hosted within China, implementing incident management procedures and consent requirements when collecting personal data, and creating key operations security protections for critical information infrastructure.

Though the new privacy standards are completely voluntary, organizations should aim to comply by employing privacy-focused efforts such as reviewing data privacy policies, implementing stricter security practices, carrying out data protection impact assessments, employing and training privacy personnel, and maintaining detailed internal recordkeeping of data processing activities.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

February 21, 2018
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Privacy
Tags: China, cybersecurity
