China has drafted a new set of guidelines on personal data protection.

“Personal Data Protection Guidelines for Public and Commercial Service Information Systems” has been audited by a panel of experts and submitted for review before becoming a national standard.

China Software Testing Centre (CSTC), an institution affiliated to the Ministry of Industry and Information Technology (MIIT), coordinated the drafting of the standard, which involved more than 30 different organisations.

Ouyang Wu, Deputy Director General for Information Security at MIIT, explains that the current situation for personal data protection in China is ‘very concerning’. Criminal organisations have been exploiting the data they obtain from government and commercial databases.

A number of personal data leakage incidents last year have significantly raised public awareness of the issue.

The guidelines cover gathering, processing, transmitting and removing of data. Ouyang says that organisations adhering to the guidelines need to follow eight principles: a clear purpose for data collection, minimum amount of personal data possible, prior notification of the collection, user consent, security, trust and accountability.

‘Minimum amount’ means that the service provider will only collect information sufficient for their use. In other words, for a small transaction the users should not be asked to provide home address and phone number.

The guidelines also require online service providers to have stringent internal security policies and practices, as CSTC estimates that 70 to 80 per cent of personal information thefts in China come from insiders. Currently many service providers allow their employees to access customer information without proper authorization.

The guidelines also require organisations to delete personal information once the purpose for its collection has been met.

The guidelines, which are expected to be published ‘soon’, is not mandatory.

Currently, there are more than 200 laws and regulations which touch upon the area of personal data protection. However, there is no comprehensive legal framework governing this area.

In 2009, the revised penal code added a new category of crimes on “selling or illegally provisioning of citizens’ personal data. However, the articles did not clearly define what would qualify as criminal activities in this category.

Moreover, legal experts believe that punishments are not sufficient, and the government needs to regulate the entire flow of personal information.

A proposal for a dedicated legislation was submitted in 2005 but did not enter the proceedings of the legislature. Yang says that as the public concern on personal data protection keeps growing, the legislation process will start soon.

Source:china.org.cn