New standard on personal information security in China


The Standardization Administration of China on 2 January 2018 released the final version of the national standards on personal information security, titled Information Security Techniques - Personal Information Security Specifications. These voluntary and non-binding standards take effect on 1 May 2018.

The new standards cover much of the same territory as the previous Guideline for Personal Information Protection Within Information Systems for Public and Commercial Services (2012 Guideline). However, the new standards apply to all entities that are personal information controllers, whereas the 2012 Guideline was arguably more limited in scope (although the scope of that guideline was never completely clear).

Under the new standards, personal information controllers are defined as all private or public organizations that have “the power to decide the purpose and method” of processing personal information, which is likely to include employers collecting personal information from employees for employment or business-related purposes.

The new standards contain much more detailed and comprehensive guidance than the 2012 Guideline, and set out new best practices for collecting, storing, using, sharing, transferring, disclosing and handling personal information. According to those best practices, personal information controllers should, among other things:

  • Adopt encryption and other security measures before transmitting or storing sensitive personal information;
  • Require any personnel who handle personal information to sign a confidentiality agreement;
  • Conduct periodic (at least annual) assessments on personal information processing to determine whether it conforms with the new standards’ security guidance, and to evaluate its potential impact on the interests of individuals whose personal data is being processed;
  • Conduct a security assessment on the overseas transfer of personal information collected in China; and
  • Require their legal representative or main person-in-charge to assume responsibility for the security of personal information.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at danian.zhang@bakermckenzie.com
