Beijing's Guideline ensures firms must take care with personal info
Veronica Lockyer of the law firm Orrick says Beijing's data privacy guidelines are likely to be part of a formal data privacy law in the future
Mainland specifications for personal information protection, under the name of the "Guideline", mark the latest step by Beijing to address data privacy issues after a number of recent high-profile cases involving unauthorised use and disclosure of personal information.
The Guideline is an indication of the increasing attention being paid to data privacy issues on the mainland. The provisions of the guidelines are worth noting as they are likely to form the foundation of future legally binding data privacy laws.
What are the key points worth noting?
The Guideline establishes eight basic principles regarding the handling of personal information. They are:
- Information collectors should have specific and clear purposes as well as justifiable reasons when processing personal information;
- Organisations should collect no more information than is necessary to fulfill their purposes and must delete the information once its intended use has been fulfilled;
- Information collectors must inform individuals in a clear, understandable and appropriate manner of the purpose, scope and use of personal information collected and of the measures which will be taken to keep the information secure;
- Information collectors must obtain consent to the collection of personal information;
- Information collectors must ensure that all personal information is complete and up to date;
- Organisations must take appropriate management and technical measures to keep information secure;
- Organisations must not continue to use information once the purpose for which it has been collected has been fulfilled; and
- Organisations must clearly define internal responsibilities for personal information, must take appropriate measures to implement the responsibilities and must keep records of data processing.
The Guideline divides personal information into general and sensitive information, although no detail is provided regarding what information will be classed as sensitive.
The Guideline provides that collectors of personal information may obtain general information on condition that an individual does not object.
Sensitive personal data, on the other hand, may only be collected with the authorisation of the individual. It appears that the intention is to allow "opt out" consent for the collection of general information (that is, information may be collected provided that the individual is given the opportunity to object and does not do so) but make the collection of sensitive information subject to "opt in" consent.
What are the penalties for failure to comply?
The Guideline has been issued as a "state standard" to provide data privacy guidance. It provides recommendations only and is not legally binding. However, the public is becoming increasingly sensitised to data privacy issues. As a result, the damage to an organisation's reputation caused by a failure to keep personal information secure or by the inappropriate use of such information could be significant.
What are the implications for companies doing business on the mainland?
Companies should be aware of the increasing attention paid to data privacy issues on the mainland. Although not binding, the Guideline constitutes the most comprehensive guidance so far from the mainland authorities regarding data privacy and it is likely that it will be used as the basis on which to develop a comprehensive binding data privacy law in the future.
What policies and procedures should companies put in place to support compliance?
Companies that collect personal data should ensure that they have in place privacy policies which inform individuals what personal data they are collecting and what such data will be used for.
They should ensure that the data collected are only used within the scope of the permission obtained. They should also ensure that they have appropriate management and technical measures in place to keep data secure and that their employees are trained in and understand the importance of compliance with the company's data privacy policies.