Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems
Includes explanatory notes published by the Ministry of Industry and Information Technology.
Our country’s first national personal information protection standard, the “Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems”, will be implemented from 1 February 2013. The standard’s clearest characteristic is that, before sensitive personal information is collected and used, the clear authorization of the subject of that personal information must be obtained in advance.
Ouyang Wu, vice-director of the Ministry of Industry and Information Technology’s Information Security Coordination Department, said at a teaching meeting on the national standard for personal information protection that the standard was put forward and organized by the National Information Security Standardization Technology Committee, and that the China Software Observation Centre took the lead in formulating it jointly with many work units. The standard is our country’s first national standard concerning personal information protection, and was published in November of last year.
The standard clearly requires that the handling of personal information shall have a specific, clear and reasonable objective, shall take place with the consent of the subject of the personal information after that subject has been clearly informed, and that personal information is to be deleted after the purpose of its use has been achieved.
Furthermore, the standard’s clearest characteristic is that it divides personal information into common personal information and sensitive personal information, and puts forward the concepts of tacit consent and explicit consent. Common personal information may be handled on the basis of tacit consent: as long as subjects of personal information do not clearly express opposition, it may be collected and used. The handling of sensitive personal information must be based on explicit consent: before collection and use, the authorization of the subject of the personal information must be obtained in advance.
The standard also puts forward eight basic principles that shall be observed in handling personal information, which are: clarity of purpose, least sufficient use, open notification, individual consent, quality guarantee, security guarantee, honest performance and clear responsibility.
Zhu Xuan, vice-director of the China Software Observation Centre, said that the roll-out of the standard means that our country’s personal information protection work has officially entered the stage where “there is a standard to rely on”. The China Software Observation Centre has also taken the lead in establishing a personal information protection promotion association and enterprise self-discipline models, which remedies the lack of organizations and institutions for personal information protection in our country.
Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems
This guiding document standardizes the complete or part of the process of handling personal information through information systems, and provides guidance on the protection of personal information at different stages of personal information handling in information systems.
This guiding document is applicable to guiding all sorts of organizations and institutions other than government organs and other organs exercising public management responsibilities, such as service organs in telecommunications, finance, medicine and other such areas, in developing personal information protection work in information systems.
2. Referenced normative documents
The following documents are indispensable in the application of this document. For all dated referenced documents, only the dated versions apply to this document. For all undated referenced documents, the newest version (including all revisions) applies to this document.
GB/T 20269-2006 Information Security Technology – Information System Security Management Requirements
GB/Z 20986-2007 Information Security Technology – Information Security Incident Categorization and Classification Guidelines
3. Technical terminology and definitions
The definitions from documents GB/T 20269-2006 and GB/Z 20986-2007 and the following technical terminology and definitions apply to this technological guiding document.
Information system
Computer information systems, composed of computers (including mobile telecommunications terminals) and related or complementary equipment and facilities (including networks), that are able to conduct information collection, processing, storage, transmission, search and other such processes according to certain applied goals and rules.
Personal information
Computer data that is handled in computer systems, that is related to a specific natural person, and that can be used independently or in combination with other information to distinguish that specific natural person. Personal information may be divided into sensitive personal information and common personal information.
Subject of personal information
The natural person to whom personal information refers.
Personal information administrator
Organizations and institutions that decide the purpose for and method of personal information handling, who actually control personal information and use information systems to handle personal information.
Personal information receiver
Individuals, organizations and institutions who obtain personal information from information systems, and who handle the personal information obtained on the basis of the wishes of the subject of the personal information.
Third party testing and evaluation agency
Specialist testing and evaluation institutions independent from personal information administrators.
Sensitive personal information
Personal information that, once it is leaked or altered, may bring about harmful influence to the subject of the indicated personal information. The concrete content of sensitive personal information in different sectors is to be determined on the basis of the wishes of the subject of the personal information who receives the service and the particular characteristics of the different sectors. Personal information listed as sensitive may include identity card numbers, mobile telephone numbers, ethnicity, political viewpoints, religious beliefs, genes, fingerprints, etc.
Common personal information
Personal information other than sensitive personal information.
Personal information handling
Acts of dealing with personal information, including collection, processing, transmission and deletion.
Tacit consent
Considering that the subject of personal information consents under circumstances where the subject of personal information has not clearly expressed opposition.
Explicit consent
Clear authorization and consent by the subject of personal information, for which evidence is kept.
4. Personal information protection overview
4.1. Roles and responsibilities
The main roles in the process of personal information protection on information systems include the subject of personal information, personal information administrators, personal information receivers and third party testing and evaluation agencies; for their duties, see 4.1.2. – 4.1.5.
4.1.2. Subjects of personal information
Before providing personal information, they must actively understand the purpose for which personal information administrators collect information, the use and other such information, and provide personal information according to their individual wishes; after they discover that personal information is leaked, lost or altered, they are to appeal or put forward an interpellation with the personal information administrator, or file a complaint with the personal information protection management departments.
4.1.3. Personal information administrators
They are responsible for planning, designing and establishing workflows for personal information handling on information systems according to State laws, regulations and guiding technical documents; formulating their own personal information management systems and implementing personal information management responsibilities; assigning special bodies or personnel to be responsible for personal information protection work inside the institution, and for receiving complaints and interpellations from subjects of personal information; formulating personal information protection education and training plans and organizing their implementation; establishing personal information protection internal control mechanisms, and regularly conducting self-inspection of the security situation of personal information on information systems, of protection systems and of the implementation of measures, or entrusting a third party testing and evaluation agency to conduct testing and evaluation.
Controlling risks in the process of handling personal information on information systems, and formulating advance plans to deal with leaks, losses, damage, alteration, improper use and other such incidents that may occur in the process of handling personal information; after discovering that personal information has been leaked, lost or altered, promptly adopting the necessary response measures, preventing the further expansion of the incident’s influence, and promptly notifying the subject of the personal information of the influence on them; where major incidents occur, promptly reporting them to personal information protection and management departments.
Accepting inspection, supervision and guidance from personal information protection and management departments concerning the situation of personal information protection, and vigorously participating in and coordinating with third party testing and evaluation agencies’ testing and evaluation of the protection situation of personal information on information systems.
4.1.4. Personal information receivers
Where the receipt of personal information proceeds from processing entrustment by another party and other such objectives, personal information receivers must process personal information according to this guiding technical document and the entrustment contract, and after completing processing duties, immediately delete the corresponding personal information.
4.1.5. Third party testing and evaluation agencies
Starting from the angle of safeguarding the public interest, and on the basis of authorization by personal information protection management departments or sector associations, or entrustment by personal information administrators, as well as State laws, regulations and this guiding technical document, conducting testing and evaluation of information systems and ascertaining the personal information protection situation, as a basis for evaluating, supervising and guiding personal information administrators’ personal information protection.
4.2. Basic principles
Personal information administrators should abide by the following basic principles when using information systems to handle personal information:
a) The principle of a clear purpose – handling personal information shall have a specific, clear and reasonable purpose, the use scope is not to be expanded, and the purpose for handling personal information shall not be changed under situations where subjects of personal information are unaware of this.
b) The principle of least sufficient use – only the smallest amount of information related to the purpose of handling is to be handled, and when the handling purpose is achieved, personal information is to be deleted in the shortest time.
c) The principle of open notification – there is a duty to notify, explain and warn subjects of personal information as well as possible. The purpose for handling personal information, the scope of personal information collection and use, personal information protection measures and other such information are to be truthfully notified to subjects of personal information in clear, easily understandable and appropriate ways.
d) The principle of individual consent – before personal information handling, the consent of the subject of the personal information must be obtained.
e) The principle of quality guarantee – it is to be guaranteed that personal information is kept secret, intact and usable in the process of handling, and that it remains in the newest condition.
f) The principle of security guarantee – adopting appropriate management measures and technical methods that are suited to the possibility and gravity of harm to personal information, protecting personal information security, and preventing retrieval or disclosure of information without the authorization of the subject of the personal information, as well as the loss, leakage, destruction and alteration of personal information.
g) The principle of honest implementation – handling personal information according to the commitments made at the time of collection, or on the basis of statutory grounds, no longer continuing to handle personal information after achieving the fixed purpose.
h) The principle of clear responsibilities – clarifying the responsibilities of personal information handling processes, adopting corresponding measures and implementing corresponding responsibilities, and recording personal information handling processes in such a manner that they can be easily traced back.
5. Personal information protection
The handling process of personal information on information systems can be divided into four main segments: collection, processing, transmission and deletion. Protection of personal information runs through all four segments:
a) Collection refers to obtaining and recording personal information.
b) Processing refers to conducting operations with personal information, including entering, storing, revising, annotating, comparing, mining, screening, etc.
c) Transmission refers to the act of providing personal information to personal information receivers, such as open publication, disclosure to specific groups, reproduction onto other information systems because of entrustment of processing to other persons, etc.
d) Deletion refers to ensuring that personal information can no longer be used on information systems.
5.2. The collection stage
5.2.1. There must be a specific, clear and reasonable purpose
5.2.2. Before collection, a method to easily inform the subject of the personal information must be adopted, and the subject of the personal information must be notified and warned about the following matters:
a) the purpose for personal information handling
b) the personal information collection means and methods, the concrete collected content and duration of preservation;
c) the use scope of personal information, including the scope of disclosure or of provision of personal information to other organizations and institutions;
d) personal information protection measures;
e) the name, address, contact method and other such relevant information of the personal information administrator;
f) the risks that may exist after the subject of the personal information provides personal information;
g) the consequences that may occur if the subject of the personal information does not provide personal information;
h) the complaint channels for the subject of the personal information;
i) if it is necessary to transmit personal information to, or entrust it with, other organizations or institutions, the notification to the subject of the personal information must contain, but is not limited to, the following information: the purpose of transmission or entrustment, the concrete content and use scope of the transmitted or entrusted personal information, the name, address and contact method of the personal information receiver to whom it is transmitted or entrusted, etc.
5.2.3. Before handling personal information, the consent of the subject of the personal information must be obtained; this includes tacit consent and explicit consent. When collecting common personal information, it may be assumed that the subject of the personal information gives tacit consent; if the subject of the personal information clearly voices opposition, the collection of personal information must cease and the personal information be deleted. When collecting sensitive personal information, the explicit consent of the subject of the personal information must be obtained.
5.2.4. Only collect the smallest amount of information necessary to achieve the notified purpose.
5.2.5. Adopt notified methods and means to directly collect from subjects of personal information, do not adopt hidden means or indirect means to collect personal information.
5.2.6. Provide corresponding functions during the collection of personal information, permitting the subject of personal information to dispose of, adjust and close personal information collection functions.
5.2.7. Do not directly collect sensitive personal information from minors under the age of 16 and other persons whose civil capacity to act is limited or who do not have the capacity to act, where it is truly necessary to collect their sensitive personal information, the explicit consent of their statutory guardian must be obtained.
5.3. The processing stage
5.3.1. Do not violate the use purpose notified during the collection stage, or process personal information in excess of the notified scope.
5.3.2. Adopt notified methods and means.
5.3.3. Guarantee that personal information does not become known to any individual, organization or institution that is unrelated to the purpose of handling during the processing stage.
5.3.4. Without clear consent of the subject of the personal information, do not leak the personal information being handled to other individuals, organizations or institutions.
5.3.5. Guarantee that in the process of processing, stable operation of information systems is maintained, that personal information remains intact and in a usable state, and is maintained in the newest condition.
5.3.6. When subjects of personal information discover that flaws exist in their personal information or it needs to be revised, personal information administrators must inspect and check matters according to the requirements of the subject of the personal information, and under the precondition of guaranteeing the integrity of personal information, revise or supplement the corresponding information.
5.3.7. Record the condition of personal information minutely, when subjects of personal information demand to inspect their personal information, personal information administrators must truthfully and without charge notify whether or not it holds personal information, the content of the personal information it holds, the processing condition of personal information and other content, except where the costs of notification or the frequency of requests exceeds a reasonable scope.
5.4. The transmission stage
5.4.1. Do not violate the transmission purpose notified during the collection stage, or transmit personal information in excess of the notified scope.
5.4.2. Before transmitting personal information to other organizations or institutions, assess whether they are able or not to handle personal information according to the requirements of this guiding technical document, and guarantee the responsibility for personal information protection of that organization or institution through contract.
5.4.3. Guarantee that in the process of transmission, personal information does not become known by individuals, organizations or institutions outside of the personal information receiver.
5.4.4. Before and after personal information transmission, the integrity and usability of personal information is to be maintained in the newest conditions.
5.4.5. Without explicit consent by the subject of personal information, or clear provisions in laws or regulations, or without the agreement of the controlling departments, personal information administrators may not transmit personal information to foreign personal information receivers, including individuals abroad or foreign-registered organizations and institutions.
5.5. The deletion stage
5.5.1. When subjects of personal information have a legitimate reason to demand the deletion of their personal information, timely delete the personal information. When deleting personal information may influence law enforcement organs’ investigations or evidence-gathering, adopt appropriate storage and screening measures.
5.5.2. After the purpose for personal information use notified during the collection stage has been achieved, immediately delete personal information; if it is necessary to continue handling, content that enables the distinction of a concrete individual must be deleted; if it is necessary to continue to handle sensitive personal information, the explicit consent of the subject of the personal information must be obtained.
5.5.3. When the personal information preservation period notified during the collection stage has been exceeded, the corresponding information must be deleted immediately; where there are explicit provisions concerning preservation periods, the corresponding provisions are to be implemented.
5.5.4. When personal information administrators go bankrupt or close down, if it is impossible to continue to complete the commitments of the purpose for personal information handling, personal information must be deleted. Where deleting personal information may influence law enforcement organs’ investigations or evidence-gathering, adopt appropriate storage and screening measures.
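The consent rules of the collection stage (5.2.3, 5.2.7) and the deletion rules (5.5.2, 5.5.3) are decision logic that a system handling personal information has to encode somewhere. The following is an added illustration, not text or code from the standard: a consent gate and a retention check that follow those clauses as worded above. The sensitive categories are the examples listed in clause 3; the age threshold of 16 comes from 5.2.7; evidence references such as "form-9" are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Categories the standard lists as examples of sensitive personal information
# (clause 3); everything else is treated here as common personal information.
SENSITIVE_KINDS = {"id_card_number", "mobile_number", "ethnicity",
                   "political_view", "religious_belief", "gene", "fingerprint"}

@dataclass
class Consent:
    explicit: bool = False           # subject clearly authorised the handling
    evidence: Optional[str] = None   # reference to the kept evidence (form id, log entry)
    opposed: bool = False            # subject clearly expressed opposition
    guardian_explicit: bool = False  # statutory guardian's explicit consent (5.2.7)

def may_collect(kind: str, age: int, consent: Consent,
                limited_capacity: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason) for collecting one item of personal information."""
    if kind not in SENSITIVE_KINDS:
        # 5.2.3: common information rests on tacit consent unless the subject
        # clearly objects, in which case collection must cease and the data be deleted.
        if consent.opposed:
            return False, "5.2.3: subject opposed; cease collection and delete"
        return True, "5.2.3: tacit consent"
    # Clause 3 defines explicit consent as clear authorisation with evidence kept,
    # so a consent flag without an evidence reference does not count.
    if age < 16 or limited_capacity:
        if consent.guardian_explicit and consent.evidence:
            return True, "5.2.7: guardian's explicit consent on record"
        return False, "5.2.7: sensitive data of a minor needs guardian's explicit consent"
    if consent.explicit and consent.evidence:
        return True, "5.2.3: explicit consent on record"
    return False, "5.2.3: sensitive data needs explicit consent with evidence"

@dataclass
class Record:
    kind: str
    collected_on: date
    retention_days: int            # preservation period notified at collection (5.2.2 b)
    purpose_achieved: bool = False

def retention_action(rec: Record, today: date, still_needed: bool, consent: Consent) -> str:
    """Return 'retain', 'delete' or 'de-identify' per clauses 5.5.2 and 5.5.3."""
    if today > rec.collected_on + timedelta(days=rec.retention_days):
        return "delete"          # 5.5.3: notified preservation period exceeded
    if not rec.purpose_achieved:
        return "retain"
    if not still_needed:
        return "delete"          # 5.5.2: purpose achieved, no further handling needed
    if rec.kind in SENSITIVE_KINDS and not (consent.explicit and consent.evidence):
        return "delete"          # 5.5.2: continued handling of sensitive data needs explicit consent
    return "de-identify"         # 5.5.2: remove what distinguishes a concrete individual

def demo() -> dict:
    """Constructed scenarios (not from the standard); returns each outcome."""
    ok = Consent(explicit=True, evidence="form-9")   # evidence reference is a placeholder
    rec = Record("mobile_number", date(2013, 2, 1), 365, purpose_achieved=True)
    return {
        "common_tacit": may_collect("email", 30, Consent())[0],
        "sensitive_no_evidence": may_collect("fingerprint", 30, Consent(explicit=True))[0],
        "minor_guardian": may_collect("fingerprint", 14, Consent(guardian_explicit=True, evidence="g-1"))[0],
        "purpose_done_no_consent": retention_action(rec, date(2013, 6, 1), True, Consent()),
        "purpose_done_consented": retention_action(rec, date(2013, 6, 1), True, ok),
        "period_exceeded": retention_action(rec, date(2014, 6, 1), True, ok),
    }
```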
Original Chinese terms from clause 3 with their English equivalents:
信息系统 information system
个人信息 personal information
个人信息主体 subject of personal information
个人信息管理者 administrator of personal information
个人信息获得者 receiver of personal information
第三方测评机构 third party testing and evaluation agency
个人敏感信息 personal sensitive information
个人一般信息 personal general information
个人信息处理 personal information handling
默许同意 tacit consent
明示同意 expressed consent