New America
Cybersecurity Initiative

Translation: China’s Personal Information Security Specification

The Chinese government’s first major digital privacy rules
Blog Post
By 

Mingli Shi

Samm Sacks

Qiheng Chen

, and 

Graham Webster

Feb. 8, 2019

[UPDATE: This translation is of the original Personal Information Security Specification, effective May 2018; it discusses a draft revision, which went into effect in 2020. The Chinese government released an official English translation of the 2020 revision, available here (and archived here). –GW 2021.01.02]

The Personal Information Security Specification took effect in May 2018. It lays out granular guidelines for consent and how personal data (called “personal information”) should be collected, used, and shared. While the 2017 Cybersecurity Law is currently the most authoritative law protecting personal information, among other functions, the Specification is the effective centerpiece of an emerging system around personal data.

Issued by the national information technology security standards-setting organization known as TC260, it was developed by a drafting team with input from national and local cybersecurity audit and standards organizations, major universities, prominent internet companies, and government ministry research units.

Just six months after the Specification entered force, the standard’s drafters have already begun to revise it to close legal loopholes that they believe allow excessive collection of personal data by companies.

On January 30, 2019, TC260 released a draft of a revised version of the Specification that includes several new or modified requirements for personal information controllers:

  • A ban on coercing users to agree to data collection by bundling services;
  • Differentiating levels of consent required for "basic business functions" versus "additional business functions" of a product or service;
  • A requirement that "personalized display" of content like news feeds or search results should be clearly marked as such, and users should be able to opt out of personalization;
  • A comprehensive data protection framework for third-parties whose products or services connected to platforms; and
  • Changes to the exemptions from the default requirement of obtaining consent from personal information subjects when collecting their data.

DigiChina will continue to track revision of the Specification, as well as developments in other elements of the system as part of our Charting Chinese Data Governance initiative.

[Chinese-language original]

Information Security Technology - Personal Information Security Specification

Table of Contents

  • 1 Scope
  • 2 Normative References
  • 3 Terms and Definitions
  • 4 Basic Principles of Personal Information Security
  • 5 Collection of Personal Information
    • 5.1 Requirements for Legitimate Collection of Personal Information
    • 5.2 Minimization Requirements for Collection of Personal Information
    • 5.3 Authorized Consent When Collecting Personal Information
    • 5.4 Exceptions to Authorized Consent
    • 5.5 Explicit Consent for Collection of Personal Sensitive Information
    • 5.6 Contents and Publication of Privacy Policy
  • 6 Retention of Personal Information
    • 6.1 Time Minimization for Personal Information Retention
    • 6.2 De-identification
    • 6.3 Personal Sensitive Information Transfer and Storage
    • 6.4 Cessation of Operations by Personal Information Controllers
  • 7 Use of Personal Information
    • 7.1 Personal Information Access Control Measures
    • 7.2 Limiting Display of Personal Information
    • 7.3 Restrictions on the Use of Personal Information
    • 7.4 Personal Information Access
    • 7.5 Personal Information Rectification
    • 7.6 Personal Information Deletion
    • 7.7 Withdrawal of Consent by a Personal Information Subject
    • 7.8 Personal Information Subject Account Cancellation
    • 7.9 Personal Information Subjects Obtaining Copies of Personal Information
    • 7.10 Limits on Information System Automated Decision-making
    • 7.11 Responding to Personal Information Subject Requests
    • 7.12 Complaint Management
  • 8 Delegated Processing, Sharing, Transfer, and Public Disclosure of Personal Information
    • 8.1 Delegated Processing
    • 8.2 Sharing and Transfer of Personal Information
    • 8.3 Transfer of Personal Information During Merger, Acquisition, or Restructuring
    • 8.4 Public Disclosure of Personal Information
    • 8.5 Exemptions From Obtaining Authorized Consent Prior to Sharing, Transfer, and Public Disclosure of Personal Information
    • 8.6 Joint Personal Information Controllers
    • 8.7 Requirements for Cross-border Transfer of Personal Information
  • 9 Personal Information Security Incident Handling
    • 9.1 Security Incident Emergency Handling and Reporting
    • 9.2 Security Incident Notification
  • 10 Requirements for Organizational Management
    • 10.1 Designating Responsible Departments and Personnel
    • 10.2 Carrying Out Personal Information Security Impact Assessments
    • 10.3 Data Security Capabilities
    • 10.4 Managing and Training Personnel
    • 10.5 Security Audits

[Translators’ note: Appendices and Foreword are not translated but may be added at a later time.]

Introduction

In recent years, with the fast development of information technology and the popularization of internet, more and more entities collect and use personal information (PI) in bulk, bringing convenience to people’s life but also producing problems such as illegal collection, abuse, and leakage of PI that seriously threaten PI security.

This Specification targets security challenges to PI, and regulates related behaviors by PI controllers during information processing such as collection, retention, use, sharing, transfer, and public disclosure. It intends to restrain the chaos caused by issues like illegal collection, abuse, and leakage of PI, protecting individuals‘ lawful rights and interests and society’s public interests to the greatest degree.

Where specific items in the Specification are otherwise provided for by law or regulations, such provisions shall be followed accordingly.

1. Scope

This Specification lays down principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure.

This Specification applies to the processing of PI by various entities, as well as to the supervision, administration, and assessment of PI processing activities by entities such as supervisory authorities and third-party review organizations.

2. Normative References

The following references are indispensable for the application of this Specification. For all cited documents carrying a date, only the indicated version applies. For all cited documents not carrying a date, the latest version (including all amendments) applies.

GB/T 25069-2010 Information Security Technology - Terminology

3. Terms and Definitions

Terms and definitions from GB/T 25069-2010 and defined hereunder apply to this document.

3.1 Personal Information 个人信息

All kinds of information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.

Note 1: PI includes names, dates of birth, identity card numbers, biometric information, addresses, telecommunication contact methods, communication records and contents, account passwords, property information, credit information, location data, accommodation information, health and physiological information, transaction data, etc.

Note 2: For the scope and categories of PI see Appendix A. [Translators’ note: Appendix A is not translated at this time.]

3.2 Personal Sensitive Information 个人敏感信息

PI that, once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination.

Note 1: Personal sensitive information includes identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the PI of children 14 years of age or under.

Note 2: For the scope and categories of personal sensitive information see Appendix B. [Translators’ note: Appendix B is not translated at this time.]

3.3 Personal Information Subject 个人信息主体

A natural person identified by PI.

[Translators’ note: The Specification provides the English translation “personal data subject” for this term and “personal data controller” for the term below. We follow the plain meaning of the Chinese-language term and translate them as “personal information (PI) subject” and “personal information (PI) controller.]

3.4 Personal Information Controller 个人信息控制者

An organization or individual that has the authority to determine the purposes and/or methods of the processing of PI.

3.5 Collection 收集

The activity of obtaining control of PI, including through: first-hand gathering through voluntary provision by the PI subject, interaction with the PI subject, or recording the behavior of the PI subject; and indirect collection through sharing, transfer, or collecting public information.

Note: If a product or service provider provides tools to the PI subject, but does not access the PI, it is not engaged in collection under this Specification. For example, if offline navigation software obtains user location data at the terminal and does not transmit it to the software provider, this is not PI collection.

The explicit authorization by the PI subject of specific PI processing through a written statement or an affirmative action on the PI subject’s own initiative.

Note: Affirmative action includes the PI subject, on his or her initiative, making a statement (in electronic form or on paper), checking a box, or clicking “agree,” “sign up,” “send,” “dial,” etc.

3.7 User Profiling 用户画像

The process of collection, aggregation, and/or analysis of PI to analyze or predict certain personal features relating to a specific natural person, such as profession, economic situation, health, education, personal preferences, financial credit, and behavior, to form a model of certain personal characteristics.

Note: It is “direct user profiling” when the PI of a specific natural person is directly used to form a model of the natural person’s characteristics. It is “indirect user profiling” when the PI is obtained from sources other than the specific natural person, such as data on a group the person belongs to, to form a model of the natural person’s characteristics.

3.8 Personal Information Security Impact Assessment 个人信息安全影响评估

A process to evaluate: the degree to which PI processing complies with laws and regulations; whether there are any risks of damaging the lawful rights and interests of PI subjects; and how effective various measures are to protect PI subjects.

3.9 Deletion 删除

The process of removing PI from systems used to realize daily business operations, to make the information irretrievable and inaccessible.

3.10 Public Disclosure 公开披露

The action of disclosing information to the public or an not specially designated population.

3.11 Transfer (of Control) 转让

The process of transferring the control of PI from one controller to another controller.

3.12 Sharing 共享

The process by which a PI controller shares the PI with another controller such that both have independent control over the PI.

3.13 Anonymization 匿名化

Technical processing of PI in such a manner that the PI subject cannot be identified and the processed information cannot be de-anonymized.

Note: Information produced by anonymizing PI does not does not qualify as PI.

3.14 De-identification 去标识化

Technical processing of PI in such a manner that the PI subject cannot be identified without the use of additional information.

Note: De-identification is set up on an individual basis, retains the individual granularity, and uses technical means such as pseudonyms, encryption, and hash functions to replace the identifiers on the PI.

4. Basic Principles of Personal Information Security

PI controllers should follow the basic principles below when processing PI:

a) Commensurability of Powers and Responsibilities Principle: Bear responsibility for damage to the lawful rights and interests of the PI subject caused by PI processing.

b) Purpose Specification Principle: Process PI for legal, justified, necessary, and specific purposes.

c) Consent Principle: Obtain authorized consent from the PI subject after expressly providing the PI subject with the information including the purpose, method, scope, and rules of the processing.

d) Minimization Principle: Unless otherwise agreed by the PI subject, only process the minimum types and quantity of PI necessary for the purposes for which the authorized consent is obtained from the PI subject. After the purposes have been achieved, the PI should be deleted promptly according to the agreement.

e) Openness and Transparency Principle: The scope, purposes, and rules, etc., of PI processing should be open to public in an explicit, intelligible, and reasonable manner, and outside supervision should be accepted.

f) Ensuring Security Principle: Possess the appropriate security capacity taking into account the security risks [the controller] faces, and implement sufficient management and technical measures to safeguard the confidentiality, integrity, and availability of PI.

g) Subject Participation Principle - Provide the PI subject with means to access, correct, and delete the PI, to withdraw consent, and to close accounts.

5. Collection of Personal Information

5.1 Requirements for Legitimate Collection of Personal Information

Requirements for PI controllers include:

a) It is forbidden to deceive, trick, or coerce the PI subject to provide PI.

b) It is forbidden to conceal the PI collection functions of products or services.

c) It is forbidden to obtain PI from illegal channels.

d) It is forbidden to collect PI, the collection of which is expressly prohibited by laws or regulations.

5.2 Minimization Requirements for Collection of Personal Information

Requirements for PI controllers include:

  1. The types of PI collected should have a direct relationship with realization of the business functions of the products or services. “Direct relationship” means that without such information, the products or services could not realize their function.
  2. The frequency of automatic collection of PI should be the minimum frequency necessary to realize the operational functions of the products or services.
  3. The quantity of PI collected indirectly should be the minimum quantity essential to realizing the operational functions of the products or services.

Requirements for PI controllers include:

a) Prior to the collection of the PI, clearly provide the information subject with the following information and obtain the authorized consent from the PI subject: the respective types of the PI collected by different operational functions of the products or services; the rules of collecting and using the PI (e.g., purpose of collection and use; manner and frequency of collection; storage location; storage period; [the controller’s] data security capabilities; information related to sharing, transferring, and public disclosure; etc.).

b) When the PI is collected indirectly:

  1. Require the provider of the PI to explain the information source, and confirm the legitimacy thereof.
  2. Understand the scope of the authorized consent obtained by the provider of the PI regarding the processing of that PI, including the purposes of use, authorized consent provided by the PI subject for transfer, sharing, and public disclosure, etc. If the organization needs to process PI for business needs beyond the scope of the authorized consent, it should obtain explicit consent from the PI subject within a reasonable period after obtaining the PI or prior to the processing of the PI.

The PI controller does not need to obtain authorized consent from the PI subject for the collection and use of PI under the following types of situations:

a) those directly related national security and national defense;

b) those directly related to public safety, public health, and significant public interests;

c) those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;

d) when safeguarding the major lawful rights and interests such as life and property of PI subjects or other persons, and it is difficult to obtain the consent of the PI subject;

e) when the PI subject voluntarily opened the collected PI to the general public;

f) when the PI is collected from legitimate public information channels, such as the legitimate news reports and open government information;

g) when necessary to sign and perform a contract according to the PI subject’s request;

h) when necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions;

i) when necessary for the PI controller, as a news agency, to make legal news reports;

j) when necessary for the PI controller, as an academic research institute, to conduct statistical or academic research in the public interest, which also has de-identified the PI when providing academic research or results externally;

k) when other situations specified by laws and regulations.

Requirements for PI controllers include:

a) When collecting personal sensitive information, obtain explicit consent from the PI subject. Ensure that the explicit consent from the PI subject is a freely given, specific, clear, and unequivocal indication of the wishes of the well-informed PI subject.

b) Prior to the collection of personal sensitive information via voluntary provision or automatic collection, [the PI controller] should:

  1. inform the PI subject of the core functions of the provided products or services and the personal sensitive information necessary to collect, and clearly disclose the impacts which may occur if the PI subject refuses to provide it or refuses to consent. The PI controller should allow the PI subject to choose whether the provision or automatic collection [of the personal sensitive information] should be allowed.
  2. where the products or services provide other additional functions and personal sensitive information needs to be collected, explain to the PI subject prior to the data collection that what personal sensitive information is needed for which specific additional functions and allow the PI subject to choose one by one whether the provision or automatic collection of the personal sensitive information will be allowed. When the PI subject rejects, the related additional functions can be stopped, but this should not be a reason to stop providing core business functions, and the related service quality should be maintained.

Note: Please refer to the Appendix C for the details to realize the above mentioned requirements. [Translators’ note: Appendix C is not translated at this time.]

c) Prior to the collection of the PI of a child 14 years old or older, explicit consent should be obtained from the child or the child’s guardian; if the child is below the age of 14 years, explicit consent should be obtained from the child’s guardian.

5.6 Contents and Publication of Privacy Policy

Requirements for PI controllers include:

a) PI controllers should establish privacy policies with contents including but not limited to:

  1. the basic information of the PI controller, including the registered name and address, the usual place of business, the contact details of a person in charge, etc.;
  2. the purposes of the collection and use of PI, and the business functions covered by each purpose. For example, using PI to deliver commercial advertisements, or using PI to form direct user profiles, etc.;
  3. the PI collected respectively by each business function, the processing rules such as the manner and frequency of the PI collection, the storage location and the storage time limit, and the actual scope of the collection of PI;
  4. the purposes of sharing, transfer, and public disclosure of the PI, the types of the involved PI, the type of the third-party recipient, and the corresponding legal responsibilities;
  5. the basic principles followed for PI security, the data security capabilities, and the PI security measures taken;
  6. PI subjects’ rights and mechanisms to use them, such as the methods to access, correct, or delete data; to deactivate the account, to withdraw consent; to obtain a copy of the data; to restrain automated decision-making by the information system; etc.;
  7. the potential security risks after the provision of the PI, and the potential impact of not providing the PI;
  8. the channels and mechanism to handle requests and complaints by PI subjects, and the external organizations and contact details for dispute resolution.

b) The information in the privacy policy should be true, accurate, and complete;

c) The contents of the privacy policy should be clear and intelligible, follow common language usage, and use standardized numbers, graphical forms, etc. Ambiguous language should be avoided, and a summary should be provided at the beginning to briefly lay out the key contents.

d) The privacy policy should be public and easy to access. For example, hyperlinks are provided in conspicuous places such as the main webpage, the installation page of mobile apps, the homepage of social media, etc.

e) The privacy policy shall be delivered to each PI subject. When the cost may become excessive or there is significant difficulty, it may be publicized in the form of public announcement.

f) Whenever any changes occur to the items listed in section a) above, the privacy policy should be updated promptly and a notification should be sent to the PI subject.

Note: Please refer to the Appendix D for the content of the privacy policy. [Translators’ note: Appendix D is not translated at this time.]

6. Retention of Personal Information

6.1 Time Minimization for Personal Information Retention

Requirements for PI controllers include:

a) The PI retention period should be the shortest time needed to achieve the purpose.

b) After the aforementioned PI retention period, [controllers] should carry out deletion or anonymization.

6.2 De-identification

After collecting PI, PI controllers immediately carry out de-identification. Taking technical and management measures store the de-identified data separately from information that can be used to recover the identity of individuals, making sure not to recover individual identities during later processing.

6.3 Personal Sensitive Information Transfer and Storage

Requirements for PI controllers include:

a) When transferring and storing personal sensitive information, they should use security measures such as encryption;

b) When storing personal biometric information, they should carry out technical measures of processing before storage, for example only storing a summary of personal biometric information.

6.4 Cessation of Operations by Personal Information Controllers

When PI controllers stop operating their products or services, they should:

a) Promptly stop PI collection activities;

b) Notify PI subjects of cessation of operations individually or through public announcement;

c) Carry out deletion or anonymization of all PI in their possession.

7. Use of Personal Information

7.1 Personal Information Access Control Measures

Requirements for PI controllers include:

a) Internal data operations personnel authorized to access PI should, according to the principle of minimum authorization, only be able to access the minimum amount of PI necessary and have the minimum data operation privileges necessary to carry out their duties.

b) Set up internal approval processes for important PI operations such as such as batch modification, copying, download, etc.

c) Security managers, data operators, and auditors should be set up as separate personnel roles;

d) If it is truly necessary for work requirements to authorize specific personnel to exceed their privileges to process PI, the person responsible for PI protection or the PI protection work organization should conduct assessment and approval and make a record;
Note: See section 10.1 of this specification regarding designation of a person responsible for information protection or PI protection work organization.

e) Regarding access, modification, or other action with personal sensitive information, on the foundation of privilege control by role, operational authorization is triggered based on business process requirements. For example, for those handling user complaints, only when processing user complaints can personnel access a given customer’s relevant information.

7.2 Limiting Display of Personal Information

In the display of PI on an interface (like on a display screen or paper), PI controllers should take measures such as de-identification to lower risk of PI disclosure in the course of display. For example, when displaying PI, prohibit unauthorized internal personnel and those other than the PI subject from accessing PI.

7.3 Restrictions on the Use of Personal Information

Requirements for PI controllers include:

a) Unless required for the purpose, when using PI [controllers] should eliminate explicit identity indicators, and avoid precise orientation toward specific individuals. For example, in making accurate evaluations of an individual’s credit situation, a direct profile of the user can be used. However, when the purpose is to deliver business advertisements, an indirect profile of the user may be employed instead.

b) Regarding the situation of information created by processing collected PI, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person, should be treated as PI. The processing should be in accordance with the scope of authorized consent obtained when collecting PI. Note: PI generated by processing is classified as personal sensitive information. Its processing should be in accordance with requirements of personal sensitive information in this Specification.

c) Use of PI must not exceed the scope of direct or reasonable association with the stated purpose at the time the PI was collected. If business needs necessitate the use of PI beyond the aforementioned scope, then explicit consent should be sought from the PI subject again.

Note: Using the PI collected for academic research or descriptions of overall situations of natural, scientific, social, economic, etc., phenomena falls within the scope of reasonable association with the purpose of collection. But when providing the description of academic research or results externally, the PI contained in the results should be de-identified.

7.4 Personal Information Access

PI controllers should provide PI subjects with ways to access the following information:

a) What PI or category of PI about the subject is held;

b) The origin and purpose of use of the aforementioned PI;

c) The identity or category of third parties which already have obtained the aforementioned PI.

Note: When a PI subject requests access to PI which they have not voluntarily provided, PI controllers can consider the request in a comprehensive manner, taking into account risk or harm to the subject’s lawful rights and interests that could arise from not responding to the request, technical feasibility, cost, and other factors in carrying out the request. After the decision is made, an explanation of the decision should be provided.

7.5 Personal Information Rectification

When a PI subject finds an error or something incomplete about their PI held by PI controllers, PI controllers should provide a way to make a modification or supplemental information in response to their request.

7.6 Personal Information Deletion

Requirements for PI controllers include:

a) According to the below circumstances, when PI subjects request deletion of their PI, deletion should take place promptly:

  1. PI controllers violated laws and/or regulations in the collection and/or use of PI;
  2. PI controllers violated an agreement with the PI subject in the collection and/or use of their PI.

b) If PI controllers violate laws and regulations or agreements with PI subjects in the sharing or transfer of their PI with third parties, and PI subjects request deletion, [controllers] should immediately cease sharing and transfer activities, and notify third parties to promptly delete the information.

c) If PI controllers violate laws and regulations or agreements with PI subjects, resulting in the public disclosure of PI, and PI subjects request deletion, PI controllers should immediately cease public disclosure activities, and notify recipients to delete the information.

Requirements for PI controllers include:

a) PI subjects should be provided with ways to withdraw authorized consent to collect and use their PI. After withdrawal of consent, PI controllers must not continue to process corresponding PI;

b) Rights of PI subjects to refuse to receive business advertisements delivered on the basis of their PI should be safeguarded. Regarding external sharing, transfer, and public disclosure of PI, ways for PI subjects to withdraw consent should be provided.

Note: Withdrawal of consent does not impact consent-based PI processing prior to withdrawal of consent.

7.8 Personal Information Subject Account Cancellation

Requirements for PI controllers include:

a) PI controllers who provide services through registered accounts should provide means for PI subjects to cancel their account in ways that are simple and convenient to operate;

b) After PI subjects cancel their accounts, their PI should be deleted or anonymized.

7.9 Personal Information Subjects Obtaining Copies of Personal Information

In accordance with requests by PI subjects, PI controllers should provide PI subjects with means of obtaining copies of the following categories of PI, or if technically feasible, directly transfer to a third party the following PI:

a) Individuals’ basic information and information about their identities;

b) Individuals’ health, psychological, education, and work information.

7.10 Limits on Information System Automated Decision-making

When a decision is made on the basis of information system automated decision-making and has significant impact on the PI subject’s rights and interests (for example, when user profiling determines personal credit and loan amounts, or in user profiling for interview screening), the PI controller should provide means for PI subjects to lodge a complaint.

7.11 Responding to Personal Information Subject Requests

Requirements for PI controllers include:

a) After verifying the PI subject’s identity, [PI controllers] should promptly respond to PI subject requests filed under articles 7.4 to 7.10 of this standard within 30 days or the time limit of the laws and regulations with an answer and reasonable explanation, and inform the PI subject of ways to resolve the issue through external parties.

b) In principle, fees should not be charged for reasonable requests, but if within a certain period of time there are multiple repeated requests, a fee related to cost may be charged;

c) If meeting the PI subjects’ request directly proves very costly or difficult in some other aspect, PI controllers should provide alternative means to the PI subject in order to protect PI subjects’ lawful rights and interests;

d) Non-response to PI subject requests in accordance with articles 7.4 to 7.10 of this standard is permissible under certain circumstances including, but not limited to:

  1. those directly related national security and national defense;
  2. those directly related to public safety, public health, and significant public interests;
  3. those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;
  4. PI controllers have sufficient evidence to show that the PI subject is subjectively malicious or abuses rights;
  5. Responding to PI subjects’ request would lead to the serious harm of the lawful rights and interests of themselves, other people, or organizations;
  6. Involving trade secrets

7.12 Complaint Management

PI controllers should set up complaint management structures, including process tracking, and within a reasonable period of time respond to complaints.

8. Delegated Processing, Sharing, Transfer, and Public Disclosure of Personal Information

8.1 Delegated Processing

The following requirements should be followed during the delegated processing of PI:

a) The delegation by the PI controller shall not exceed the scope of the authorized consent by the PI subject, except of the situations specified under Section 5.4 herein.

b) The PI controller shall carry out a PI security impact assessment, ensuring that the delegatee has sufficient data security capabilities and provides sufficient security safeguards.

c) The delegatee shall:

  1. process PI strictly in accordance with the requirements of the PI controller. If the delegatee cannot process the PI according to the requirements of the PI controller due to special reasons, the delegatee shall promptly inform the PI controller;
  2. obtain the authorization of the PI controller in advance if the delegatee needs to conduct another delegation;
  3. assist the PI controller in responding to the requests from the PI subject based on Sections 7.4 to 7.10 herein;
  4. inform the PI controller promptly if the delegatee cannot provide sufficient security safeguards or there is a security incident during the processing of PI;
  5. no longer retain the PI when the delegation relationship terminates.

d) The PI controller should supervise the delegatee in the manners including but not limited to:

  1. establish the delegatee’s responsibilities and duties through contract or other such means;
  2. carry out an audit of the delegatee.

e) The PI controller should correctly record and retain the arrangement for delegation of the processing of PI.

8.2 Sharing and Transfer of Personal Information

PI, in principle, may not be shared or transferred. The PI controller should pay attention to risks if the sharing and/or transfer is indeed necessary. The following requirements shall be followed during the sharing and transfer of PI for reasons other than merger, acquisition, and restructuring:

a) Carry out a PI security impact assessment and adopt effective measures to protect the PI subject accordingly;

b) Inform the PI subject of the purposes of sharing and transfer of PI and the type of the data recipient, and obtain the authorized consent from the PI subject, with an exception where the PI shared and transferred has been de-identified and it is guaranteed that the data recipient cannot re-identify the PI subject;

c) Prior to the sharing and transfer of personal sensitive information, in addition to the disclosure requirements specified under Section 8.2 b), the PI subject should also be informed of the types of the personal sensitive information involved as well as the identity and data security capability of the data recipient, and authorized consent shall be obtained from the PI subject;

d) Correctly record and store the circumstances of sharing and transfer of PI, including the dates of sharing and transfer, the scale, the purposes, the basic information of the data recipient, etc.;

e) Take corresponding liability for the damage to the lawful rights and interests of the PI subject due to the sharing and transfer of the PI;

f) Help the PI subject to understand how the data recipient retains, uses, etc., the PI, and the rights of the PI subject such as, access, rectification, deletion, and deactivation of the account.

8.3 Transfer of Personal Information During Merger, Acquisition, or Restructuring

When merger, acquisition, or restructuring occurs to the PI controller, the PI controller should:

a) inform the PI subject of the related situation;

b) the new PI controller after the change should continue to take the responsibilities and obligations of the original PI controller, and, if the purposes of using the PI are changed, another explicit consent should be obtained from the PI subject.

8.4 Public Disclosure of Personal Information

PI, in principle, may not be publicly disclosed. Where authorized by the law or where for reasonable cause the PI has to be publicly disclosed, the PI controller should pay attention to risks and comply with the following requirements:

a) Carry out a PI security impact assessment, and adopt effective measures to protect the PI subject accordingly;

b) Inform the PI subject of the purposes and types of the disclosed information, and obtain the explicit consent from the PI subject in advance;

c) Prior to the disclosure of personal sensitive information, in addition to the disclosure requirements specified under Section 8.4 b), the PI subject should also be informed of the content of the personal sensitive information involved;

d) Correctly record and store the conditions of the public disclosure of PI, including the date, the scale, the purposes, and the scope of the public disclosure;

e) Take corresponding liability for the damage to the lawful rights and interests of the PI subject due to the public disclosure of the PI;

f) Public disclosure of personal biometric information is not allowed.

The PI controller does not need to obtain authorized consent from the PI subject prior to sharing, transfer, or public disclosure of PI in the following circumstances:

a) Those directly related to national security and national defense;

b) Those directly related to public safety, public health, and significant public interests;

c) Those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;

d) When safeguarding the major lawful rights and interests such as life and property of PI subjects and other individuals, and it is difficult to obtain consent from PI subject;

e) When the PI subject voluntarily opened the collected PI to the general public;

f) When the PI is collected from legitimate public information channels, such as legitimate news reports and open government information.

8.6 Joint Personal Information Controllers

When PI controller and a third party are joint PI controllers (for example, service platform and merchants on the platform), PI controller should jointly determine PI security requirements with the third party via means such as contract, and ascertain responsibilities and duties that PI controller and the third party respectively bear and explicitly inform PI subjects.

Note: If PI controller, in the course of offering products or services, deployed third-party plugins that collect PI (for example, website operators deploy analytic tools, software development kits and mapping API interface on the website or in applications), and the third party has not individually obtained authorization consent regarding the use and collection of PI from PI subject, then PI controller and the third party are joint PI controllers.

8.7 Requirements for Cross-border Transfer of Personal Information

Where PI collected and produced during operation in the mainland territory of the People’s Republic of China is transferred abroad, PI controller should conduct security assessment and comply with requirements in measures and relevant standards issued by cyberspace and informatization offices and relevant bureaus in the State Council.

9. Personal Information Security Incident Handling

9.1 Security Incident Emergency Handling and Reporting

Requirements for PI controllers include:

a) Make emergency response plans for PI security incidents;

b) Periodically (at least once a year) organize emergency response trainings and emergency exercises for relevant personnel within the organization, allowing them to grasp job responsibilities and emergency response strategies and procedures.

c) After a PI security incident occurs, PI controllers should carry out the following steps according to the emergency response plan:

  1. Record event content, including but not limited to: the person, time and location of incident discovery; affected PI and the number of affected PI subjects; the name of the system where security incident occurs; impact on other interconnected systems, and whether law enforcement or relevant agencies have been contacted.
  2. Assess possible impacts and adopt necessary measures to control the situation and eliminate hidden dangers.
  3. Report in a timely manner according to provisions in the “National Cybersecurity Incident Emergency Response Plan.” The content of the report should include but not be limited to: type, quantity, content, and nature of PI subject; possible impact of the incident; measures that have been or will be adopted; and contact information of relevant personnel handling the incident.
  4. Carry out security incident notification as per section 9.2 in this specification.

d) Promptly update the emergency plan based on changes to applicable laws and regulations and the situation of incident handling.

9.2 Security Incident Notification

Requirements for PI controllers include:

a) Promptly notify affected PI subjects of incident-related information through means such as email, letter mail, telephone, or push notification. If it is difficult to individually inform PI subjects, a public warning should be delivered in an appropriate and effective manner.

b) The content of notification should include but not be limited to:

  1. The details and impact of the security incident;
  2. Measures that have been or will be adopted;
  3. Suggestions for PI subjects to protect themselves and reduce risk;
  4. Remedial measures available to PI subjects;
  5. Contact information of person responsible for PI protection and the PI protection entities.

10. Requirements for Organizational Management

10.1 Designating Responsible Departments and Personnel

Requirements for PI controllers include:

a) Assure that the legal representative or principal takes full responsibility for PI security, including the provision of human, financial and material support for PI security protection;

b) Appoint the person responsible for PI protection and the department in charge of PI protection;

c) Organizations that meet one of the following criteria should establish in-house PI protection officer and department in charge of persona data security:

  1. Main business involves the processing of PI and the number of employees exceeds 200;
  2. Processes PI of more than 500,000 people or expects to process PI of more than 500,000 people within 12 months;

d) The responsibilities of the person and departments responsible for PI protection include but are not limited to:

  1. Comprehensively coordinate and carry out PI security work within the organization, taking direct responsibility for PI security;
  2. Formulate, issue, implement and regularly update a privacy policy and relevant procedures;
  3. Establish, maintain and update the list of PI controlled by the organization (including the type, quantity, source and receiver of PI) and the strategy on access authorization;
  4. Conduct PI security impact assessments;
  5. Organize and conduct PI security training;
  6. Before a product or service launch, conduct an examination, and avoid unknown collection, use, and sharing of PI;
  7. Conduct security audits.

10.2 Carrying Out Personal Information Security Impact Assessments

Requirements for PI controllers include:

a) Establish a PI security impact assessment system and regularly (at least once a year) conduct a PI security impact assessment;

b) PI security impact assessments mainly evaluate whether processing activities obey the basic principles of PI security and assess the impact of PI processing on the lawful rights and interests of PI subject, including but not limited to:

  1. Whether PI collection follows purpose specification, consent, and minimization principles;
  2. Whether PI processing could cause negative impact on the lawful rights and interests of PI subjects, including whether processing would endanger personal and property safety, infringe on reputation and mental health, or lead to discriminatory treatment;
  3. The effectiveness of PI security measures;
  4. The risk of identifying PI subjects from anonymized or de-identified datasets;
  5. Possible negative impacts of sharing, transfer, or public disclosure of PI on the lawful rights and interests of PI subjects;
  6. Possible negative impact on the lawful rights and interests of PI subjects in the event of a security incident.

c) When laws and regulations have new requirements, or when a major change occurs to the business model, information system, or operational environment, or when a major PI security incident transpires, a new PI security impact assessment should be conducted;

d) Formulate an evaluation report on PI security impact, and, building upon the report, take measures to protect PI subjects, reducing risk to an acceptable level;

e) Properly preserve the evaluation report on PI security impact, make it available for relevant parties to browse, and make it publicly accessible in an appropriate manner.

10.3 Data Security Capabilities

PI controllers should, according to requirements in relevant national standards, establish appropriate data security capabilities, implement necessary managerial and technical measures, and prevent PI from leakage, damage, and loss.

10.4 Managing and Training Personnel

Requirements for PI controllers include:

a) Sign non-disclosure agreements with personnel in positions of PI processing and conduct security review on personnel with access to bulk personal sensitive information;

b) Determine security responsibilities for different internal positions that involve the processing of PI as well as punishment mechanisms in case of security incident;

c) Require personnel in PI processing roles to continue honoring data confidentiality after switching roles or terminating employment;

d) Determine the PI security requirements for outside service personnel who may gain access to PI, sign non-disclosure agreements with them and carry out supervision;

e) Regularly (at least once a year) or when the privacy policy undergoes major changes, conduct professional training and examination on personnel in PI processing roles, and make sure relevant personnel are proficient in privacy policy and relevant procedures.

10.5 Security Audits

Requirements for PI controllers include:

a) Conduct an audit on privacy policies, relevant procedures, and the effectiveness of security measures;

b) Establish an automated audit system, monitoring and logging PI processing activities;

c) Logs from the auditing process should be able to support security incident handling, emergency response, and post-incident investigation;

d) Prevent unauthorized access, falsification, and deletion of auditing records;

e) Promptly deal with any illegal use and abuse of PI once discovered in the auditing process.