What security obligations are imposed on data controllers and data processors?
Security requirements may not always be spelled out in the data protection law, but they are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions, having regard to the nature of the data and the risk presented by the processing, to preserve the security of the data and to prevent alteration, corruption, or access by unauthorized third parties. Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the risk.
China’s Personal Information Security Specification includes recommended security practices such as: data breach response plans; training; annual data breach drills; and risk/security assessments prior to partnering with third-party data processors and before transferring data internationally.
Under the Specification, sensitive personal information should be subject to additional measures, such as encryption. Where personal biometric information is collected, it should only be stored after technical processing that limits the data retained (e.g., storing only a summary, or deleting the original image of the biometric information after use). In addition, personal biometric identification information should be stored separately from personal identification information.
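The biometric handling practice described above (keep only a summary, discard the original capture, and store the biometric record apart from the identity record), as an added example that is not part of the original text or of any project's code. It assumes a keyed SHA-256 HMAC as a stand-in for a real feature-extraction template, a hypothetical per-deployment key, a constructed sample capture, and two in-memory dictionaries standing in for separate data stores:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a captured fingerprint/face image; not real biometric data.
SAMPLE_CAPTURE = b"\x89PNG-constructed-fingerprint-capture\x00\x01\x02\x03"

# Hypothetical per-deployment secret; a real system would load it from a KMS or HSM.
TEMPLATE_KEY = b"constructed-demo-key-not-for-production"


def derive_template(capture: bytes, key: bytes = TEMPLATE_KEY) -> bytes:
    """Reduce a raw capture to a fixed-size keyed summary.

    A production system would run a feature extractor first; the keyed HMAC of the
    capture stands in for that summary here (an assumption of this example). The
    digest cannot be turned back into the image, and a different key yields an
    unrelated digest, so templates cannot be correlated across deployments.
    """
    return hmac.new(key, capture, hashlib.sha256).digest()


@dataclass
class SeparatedStores:
    """Identity data and biometric templates live in two stores joined only by a random token."""

    identity_store: dict = field(default_factory=dict)   # token -> {"employee_id", "name"}
    biometric_store: dict = field(default_factory=dict)  # token -> 32-byte template

    def enrol(self, employee_id: str, name: str, capture: bytearray) -> str:
        """Store the summary, write the identity record separately, and wipe the capture."""
        token = secrets.token_hex(16)
        template = derive_template(bytes(capture))
        # Overwrite the caller's buffer in place so the original image is gone once
        # the summary exists (the "delete the original image after use" practice).
        for i in range(len(capture)):
            capture[i] = 0
        self.biometric_store[token] = template
        self.identity_store[token] = {"employee_id": employee_id, "name": name}
        return token

    def verify(self, token: str, capture: bytes) -> bool:
        """Compare a fresh capture against the stored template in constant time."""
        stored = self.biometric_store.get(token)
        if stored is None:
            return False
        return hmac.compare_digest(stored, derive_template(capture))

    def identity_for(self, token: str) -> Optional[dict]:
        """Answer an HR lookup without touching the biometric store."""
        return self.identity_store.get(token)

    def stores_are_separated(self) -> bool:
        """Check the invariant: no identity field sits beside a template and vice versa."""
        no_pii_in_bio = all(isinstance(v, bytes) for v in self.biometric_store.values())
        no_bio_in_id = all("template" not in v and "capture" not in v
                           for v in self.identity_store.values())
        return no_pii_in_bio and no_bio_in_id


if __name__ == "__main__":
    stores = SeparatedStores()
    buf = bytearray(SAMPLE_CAPTURE)
    token = stores.enrol("E-1001", "A. Example", buf)
    print("capture wiped:", not any(buf))
    print("match:", stores.verify(token, SAMPLE_CAPTURE))
    print("separated:", stores.stores_are_separated())
```

The random token is the only link between the two stores, so a compromise of the biometric store yields templates with no names attached, and a compromise of the identity store yields no biometric material. Encryption at rest for the template store, which the Specification also calls for, is left to the storage layer in this example.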
In terms of personal data protection in the employment sector, the Regulation on Employment Service and Employment Management (2015 Amendment) (《就业服务与就业管理规定（2015年修订）》) provides that employers must keep employee personal information confidential. Disclosing any employee's personal data to the public requires the employee's written consent.
The Personal Information Protection Law provides that data controllers (such as employers) must adopt the measures necessary to ensure that personal information processing complies with Chinese laws and regulations and to prevent unauthorized access to, and leakage, tampering with, or loss of, personal information, including:
- formulating internal management systems and operating procedures;
- implementing classified management of personal information;
- adopting appropriate technical security measures, such as encryption and de-identification;
- reasonably determining operational limits for personal information processing and regularly conducting employee security education and training;
- formulating and organizing the implementation of information security incident response plans; and
- other measures provided by Chinese laws and regulations.
Data controllers are required to conduct regular compliance audits and personal information protection impact assessments. Risk assessments shall cover: (1) whether the processing purpose and processing method of personal information are legal, proper, and necessary; (2) the impact on personal rights and the security risks; and (3) whether the protective measures adopted are legal, effective, and compatible with the degree of risk. The risk assessment report and processing records should be retained for at least three years.
The Data Security Law (DSL) was promulgated on June 10, 2021, and took effect on September 1, 2021. The primary purpose of the DSL is to regulate data processing activities, safeguard data security, promote data development and usage, protect the legitimate rights and interests of individuals and entities, and safeguard state sovereignty, state security, and development interests. The most significant element of the law (Art. 21) is the establishment, by the relevant government agencies, of a data classification and hierarchical protection system. It categorizes data into different levels of protection according to the importance of the data to economic and social development, national security, and the public interest, and requires key protection for important data.
In addition, entities that process personal information categorized as “important data” are required to (a) designate personnel responsible for data security; (b) engage in risk monitoring and address identified vulnerabilities; (c) respond to data security incidents promptly, notify affected individuals, and report to the relevant regulatory departments; and (d) periodically conduct risk assessments and submit reports to the relevant regulatory authorities.
The Draft Network Data Security Management Regulations were made available for public comment on November 14, 2021, and set protection measures for personal data and important data based on a categorized and hierarchical system. Under the Draft Regulations, there are three main categories of data: general data, important data, and core data. The category of the data determines the level of protection required.
The Draft Measures on Security Assessment of Cross-border Data Transfer were made available for public comment on October 29, 2021. The Draft Measures describe in detail when data to be transferred out of China would be subject to a security assessment by the CAC. Under the Draft Measures, a CAC security assessment would be required when:
- the personal data and important data were collected by operators of Critical Information Infrastructure;
- the data is considered important data;
- the employer (or other data controller) is processing information on more than 1 million individuals;
- data of more than 100,000 individuals or sensitive personal data of more than 10,000 individuals is being processed; or
- other circumstances to be determined by the CAC.
HR Best Practices: Employers should take the measures necessary to ensure the security of personal information, prevent leakage or loss of personal information, and take remedial measures immediately when leakage or loss of information occurs.