Personal Information Security Specifications (Mainland China)

Joyce Wen

Pursuant to No. 32 China National Standard Notice of the Standardization Administration in 2017, the National Information Security Standardization Technical Committee prescribed the GB/T 35273-2017 national standard (Information Security Technologies – Personal Information Security Specifications) (the “Standard”), which was formally released on December 29, 2017 for centralized administration and will go into effect on May 1, 2018.  The Standard is a recommended national standard primarily covering the principles and safety requirements to be followed for the collection, preservation, use, sharing, transfer, and public disclosure of personal information, and is applicable to the regulation of personal information processing activities of various organizations.  It also applies to organizations such as regulators and third-party assessment agencies that supervise, manage and evaluate personal information processing activities.  The Standard is specifically discussed below:

1. Major contents about the Standard

This release of the Standard primarily covers the collection, preservation, use, commissioned processing, sharing, transfer, public disclosure, security event disposal, and organization management requirements of personal information.  Specifically, the Standard first defines personal information and personal sensitive information by providing specific examples of such, and puts forth the basic principles of personal information security.

On this basis, in terms of collection, the Standard requires the “minimization of information collection” and compels the need to obtain express consent before acquiring sensitive personal information.  For retention, the Standard proposes the “minimization of retention time of” requirement.  For usage, the Standard sets requirements for controls on access, display and usage of personal information, among others.  In terms of commissioned processing, the Standard requires the commission to not exceed the scope of authorization provided by the personal information owners.  For sharing and transfer, the Standard states that “[personal] information shall in principle not be shared and transferred,” and in case transfer and sharing occurs, the owners of such shared or transferred personal information shall be informed of the purposes of such sharing and transferring personal information and the types of data recipients; in all cases consent of such owners shall be obtained in advance unless information is processed in a way that specific individuals cannot be identified.  In addition, on the issue of disclosing personal information, the Standard also points out that personal information in principle shall not be publicly disclosed, and if disclosure is required, prior authorization and consent must be obtained.  However, the Standard also indicates certain exceptions where public disclosure does not require prior consent, namely circumstances involving public interest, such as national security, public health and public safety, as well as the handling of crime, or if the information is already disclosed by the owner or by the media.  For the cross-border transmission of personal information, the controller of such personal information shall conduct a security assessment prior to the transmission.  Furthermore, the Standard also requires information controllers to formulate security contingency plans and make timely notification in case of any security incident.

It is worth noting that this Standard clearly explains in its schedules by providing examples to illustrate how to obtain consent and a privacy policy template that facilitates the execution and implementation of such policies by their implementers.

2. The Standard’s impact on enterprise compliance

Although this release of the Standard is merely a recommended national standard and does not have any compulsory effect, pursuant to the Circular of the General Office of the State Council of the People’s Republic of China on Printing and Issuing the Development Plan for the National Standardization System (2016-2020), the establishment of a national standardization system inherently follows the principle of putting “mandatory standards as the bottom line, recommended standards as the basics and enterprise standards with enhanced quality”, the classification of the Personal Information Security Specification as a recommended standard should be regarded as a generic implementation guide for enterprises with broad applicability.  Furthermore, the Standard is also very likely to be used by law enforcement agencies as a reference standard for enforcement.  If an enterprise falls below the standard, it may face higher compliance risks.  Therefore, the standard is a worthy baseline for corporate compliance management.