Enterprises’ Obligation on Personal Information Protection

In recent years, the protection of personal information (“PI”) becomes a hot topic in China. Although, Personal Information Protection Law has not been promulgated yet, the legislation shows the trend on strengthening the protection of PI, especially, after Decision on Strengthening Information Protection on Networks (“Decision”) has been promulgated at the end of 2012, the employers’ obligation of PI protection has been legislatively defined to a certain extent.

General Principles of the Civil Law and Tort Liability Act have limited PI protection in the scope of personal privacy, but have not regulated the collection and usage of PI by enterprises. Criminal Law Amendment (VII) has stipulated the crime of selling and illegally providing PI, the crime of illegal accessing to PI, however, it has limited the subjects to a government institution or a financial, telecommunication, transportation, education or medical organization and other similar entities. In 2011, Ministry of Industry and Information Technology issued Several Provisions on Regulating the Market Order of Internet Information Services (“Provisions”), in which it has stipulated the articles on how to collect, use and protect PI of users for internet information service providers (ISP), but Provisions mainly regulates ISP, other than other enterprises.

In order to deal with the events of “Confidential Leaks”, in Dec. 2012, the Standing Committee of the National People’s Congress adopted Decision, which has stipulated the basic scope of personal electronic information (i.e. “electronic information that identifies a citizen and involves a citizen’s privacy”), in addition, it has regulated the protection obligations for ISP and other entities on collecting and using PI.
However, the main object for protection in Decision is personal electronic information, and the obligations for enterprises to protect PI are more in the nature of a principle remained high. The main contents include: (a) the principle of a definite purpose. The enterprises shall explicitly state the purposes, manners and scopes of collecting and using information, when collecting and using personal electronic information. (b) the principle of obtaining the consent of those from whom information is collected. (c) the principle of publishing the collection and use rules. (d) the principle of strict confidentiality. The enterprises and their employees shall keep strictly confidential citizens’ personal electronic information collected during their business activities, not divulge, distort, or damage the data, and not sell or provide the data to others illegally. (e) the principle of ensuring the personal electronic information’s security. The relevant enterprises shall adopt technological measures and other necessary measures to ensure information security; when divulging, damage to or loss of information occurs or may occur, remedial measures shall be adopted immediately.

For an enterprise, it becomes an important topic on how to comprehensively and properly carry out PI protection obligations, in order to avoid the occurrence of leaks of PI.

It is highly recommended that the enterprises can refer to Information security technology – Guideline for PI Protection within Information System for Public and Commercial Services (a recommended standard, come into force on Feb. 1, 2013) which is promulgated almost at the same period as Decision, combine their own management situations, and set up the enterprises’ own PI protection systems. This system may mainly include 2 aspects:

(a) Measures that can be taken for the protection of employees’ PI, including: to inform employees of the scope and purpose of the collection of PI, and to allow employees to choose on whether disclose certain sensitive PI; to require employees to sign an acknowledgment memo, in which stated that he/she approves the employer to collect and use PI provided by the employee; to define the personnel, conditions and procedures on safe keeping and using of PI, and strictly supervise the execution.

(b) Measures that can be taken for the protection of clients’ PI, including: to draft an unified collective rules on clients’ PI collection, and publish the rules through company’s web site, manual, consultation section and other reasonable channels; to require clients to sign the letter of consent on information collection, and strictly manage the file archive for those information; to define the scope of employees whom can access to clients’ PI, and sign the confidential agreement with the employees, in which shall stipulate the liabilities; to establish a comprehensive system on the use, management, examination and approval of clients’ PI; to establish the system on a regular check and delete of clients’ PI.