At the end of last year, the draft of the Personal Information Protection Law ("the Draft") was released for public comment. As a fundamental law, the Personal Information Protection Law ("the Law") is likely to be enacted this year. Which enterprises will the Law affect? Who needs to pay special attention to the legality of personal information processing? How should personal information be handled legally? Please refer to this guide.
Q1. Which enterprises should pay attention to the legal supervision of personal information processing?
A1. The idea that only internet companies need to pay special attention to personal information processing is a misconception. In fact, from traditional industries to emerging business formats, almost every enterprise touches on the processing of personal information in the course of business.
Such activities include facial recognition, fingerprint access control, collection of personal information during recruitment, information forms filled in by first-time visitors to a store, collection of participant information via H5 event registration links, and so on.
As a result, most enterprises are subject to the Law.
Q2. What personal information processing activities are subject to legal supervision?
A2. To answer what activities are subject to legal supervision, one needs to understand the definition of personal information and the definition of personal information processing.
Q2.1. What is personal information?
A2.1. The Draft generally defines personal information as "all kinds of information related to an identified or identifiable natural person". With the rapid development of technology, personal information is no longer limited to items such as name, ID number and telephone number. Data that can identify a person, such as consumption records, search records and IP addresses, may also fall within the scope of legal protection.
Q2.2. What are personal information processing activities?
A2.2. Within the scope of legal protection, the processing of personal information covers the collection, storage, use, processing, transmission, provision and disclosure of personal information, among other activities.
In other words, all activities involving the information life cycle of individuals are regulated by the law.
Q3. How to handle personal information legally?
A3. The Draft requires that personal information be handled in a lawful and legitimate manner, with clear purposes and minimum scope, open and transparent processing rules, accurate and timely updates, security protection, and accountable control. In principle, the enterprise shall implement "informing & consent" at every stage of the collection, use, processing, provision and disclosure of personal information: it must inform the subject of the processing rules, and may only obtain the information after receiving the fully informed, voluntary and explicit consent of the subject concerned.
Q3.1. How is personal information collected?
A3.1. Collection of personal information is based on the "informing & consent" principle, and a channel for withdrawing authorization shall be provided at the same time. The scope of collection should be determined by the purpose of collection, and the information processing rules shall be made public and be easy to access and save.
Q3.1.1. What to do in the online environment?
A3.1.1. In addition, based on the requirements of clear purposes and minimum scope, when apps request permissions for users' address book, location, camera, microphone, etc., they shall only request the permissions related to the services they actually provide, and shall inform users of the purpose of use. Unless a permission is genuinely required, users have the right to refuse it and continue using the app as usual.
Cases such as:
For apps that provide financial lending services, the user's address book is generally not information necessary for the lending service. If a user refuses to provide address book information, the financial institution shall not refuse to provide lending services on that basis.
Q3.1.2. What to do in offline business?
A3.1.2. Internally, every enterprise collects personal information during recruitment and employment. Externally, providing services to individual customers or selling products may also involve the collection of personal information.
Cases such as:
A first-time customer filling in an information form at the store
Filling in a job application form and employment registration information
Collecting employees' fingerprints or facial information to record attendance
Public processing rules are less common in the offline collection of personal information, but they are just as important. It is suggested that enterprises classify their collection behaviors according to the purpose of collection and establish public processing rules for each category. For example: printing the personal information processing rules on the back of the registration form, or issuing a separate notice of the personal information processing rules.
Q3.2. How is personal information used?
A3.2. In principle, the enterprise shall use personal information only in the manner and within the scope agreed by the information subject. Online and offline businesses use personal information differently, so the focus of compliance also differs.
Q3.2.1. What to do in the online environment
A3.2.1. In an online environment, the use of personal information through "automated decision making" is common. In the information age, most enterprises should focus on the transparency of automated decisions and the fairness and reasonableness of their results. Meanwhile, enterprises should provide users with a remedy channel when the results of such decisions have a significant impact on users' rights and interests.
Cases such as:
Where a personal loan limit is determined by automated decision making, users shall be informed of the existence of the automated decision, its basic operating logic, its impact on individuals, and the option to opt out of it. If an individual refuses to accept an amount determined solely by automated decision making, a manual review of the loan amount shall be conducted.
Q3.2.2. What to do in offline business
A3.2.2. In offline operations, it is more common for enterprises to provide personal information to third parties, and such provision tends to be overlooked.
Cases such as:
Entrusting a third party with non-core affairs such as background checks on incoming job candidates and employee social security payments.
Providing individual customer, supplier or employee information to group companies.
If an enterprise provides the collected personal information to a third party in the course of using it, it shall obtain the separate consent of the information subject. At the same time, the rights, obligations and responsibilities of both parties regarding the protection of personal information should be clearly allocated in the entrustment contract.
Q3.3. How does one store personal information?
A3.3. Online or offline, enterprises have an obligation to store the collected personal information properly. Enterprises should encrypt and de-identify stored information, define the operating authority of the relevant posts, and strengthen the training of information management staff. Personal information should be retained only for the shortest time necessary to achieve the purpose of processing, in compliance with the storage periods prescribed by laws and regulations. It is therefore recommended that enterprises classify personal information by storage period and delete expired information in a timely manner according to law.
Cases such as:
Financial institutions are required to keep customer service information for at least five years under anti-money laundering (AML) rules;
In accordance with the Labor Contract Law, the enterprise shall keep the text of a terminated or rescinded labor contract for at least two years for future reference.
Personal information processing is everywhere, and the legal requirements for it cover every aspect. Habitual behaviors may carry illegal consequences. Enterprises, as information processors, should establish risk awareness suited to their business model as soon as possible, screen every link of operation and management, and establish personal information processing systems for each processing method, so as to avoid being caught unprepared once the Law takes effect.