The Personal Information Protection Law (“PIPL”), which came into effect on November 1, 2021, provides for the protection of personal information in terms of the processing of personal information, the cross-border provision of personal information, the rights of individuals with respect to personal information, the obligations of those who process personal information, etc. The PIPL further provides for heightened requirements for the processing of sensitive personal information. This article briefly explains the provisions of this law regarding the processing of sensitive personal information.
I. Definition and common types of sensitive personal information
Pursuant to Article 28 of the PIPL, sensitive personal information refers to personal information that, if leaked or illegally used, could easily lead to the violation of a natural person’s human dignity or endanger the safety of his or her body or property, including biometric, religious beliefs, specific identity, medical and healthcare, financial accounts, location, and other information, as well as the personal information of minors under the age of 14.
In addition to the PIPL, the State Administration for Market Regulation and the Standardization Administration promulgated the Information Security Technology – Personal Information Security Specification (the “Security Specification”) provides a similar definition for sensitive personal information and gives more detailed examples as below which can be referred to for interpreting the scope of the sensitive personal information under the PIPL.
Table B.1: Examples of Sensitive Personal Information
Personal property information | Bank accounts, identification information (password information), deposit information (including the amount of funds, payment and receipt records, etc.), property information, credit records, credit information, transaction and consumption records, flow records, etc., and virtual property information such as virtual currencies, virtual transactions, game type exchange codes, etc. |
Personal health and physiological information | Records related to medical treatment of individuals, such as symptoms, hospital inpatient medical records, medical orders, test reports, surgery and anesthesia records, nursing records, medication records, drug and food allergy information, birth information, past medical history, medical treatment, family medical history, current medical history, infectious disease history, etc. |
Personal biometric identification information | Personal genetic, fingerprint, voice print, palm print, ear, iris, facial recognition features, etc. |
Personal identification information | ID card, military officer certificate, passport, driver’s license, work permit, social security card, residence permit, etc. |
Other information | Sexual orientation, marriage history, religious belief, undisclosed legal violation and criminal records, communications records and contents, directory, list of friends, group list, whereabouts, web browsing records, accommodation information, precise location information, etc. |
II. Requirements for processing sensitive personal information
Where a personal information processor processes sensitive personal information, it shall (1) have a specific purpose and sufficient necessity, (2) conduct a personal information protection impact assessment before processing such information, (3) implement strict protection measures, and (4) maintain a record of the processing.
Further, the PIPL contains a special “informed consent” requirement for the processing of sensitive personal information.
1. Individual consent: Individual consent shall be obtained for the processing of sensitive personal information, and if laws or administrative regulations specifically provide that written consent shall be obtained for the processing of sensitive personal information, such provisions shall apply.
2. Additional notification: If sensitive personal information is processed, the sensitive information processor shall inform the individuals of the necessity for processing sensitive personal information and the impact on their personal rights and interests in addition to the matters to be notified for the processing of general personal information as stipulated under Article 17, Paragraph 1 of the PIPL.
3. The manner in which a minor’s consent is obtained: If a personal information processor processes the personal information of a minor under the age of 14, it shall obtain the consent of the minor’s parents or other guardians and shall establish special rules for such personal information
III. Precautions to be taken by enterprises for processing sensitive personal information
In addition to regulating the processing of general personal information, the PIPL also imposes higher requirements on sensitive personal information processors, such as requiring enterprises to process sensitive personal information only when necessary. These enterprises need to review and adjust their compliance with the processing of sensitive personal information from the following perspectives:
1. Accurate identification and special management
Before processing personal information, enterprises are required to identify the nature of personal information and determine whether the information to be processed is sensitive personal information. The determination criteria can be based on the principles defined in Article 28 of the PIPL, and the common sensitive personal information enumerated in the Security Specification can be referenced. Meanwhile, since the personal information of minors under 14 years of age is all sensitive personal information, enterprises also need to identify the age of the individuals to whom the personal information pertains.
2. Sufficient notification and individual consent
As for the notification before sensitive personal information is processed, not only the name and contact information of the processor, the purpose of processing, the manner of processing, the type of personal information to be processed, the retention period, the manner and procedure of exercising rights, and other general notification matters but also the necessity for processing sensitive personal information and the impact on individual rights and interests should be communicated.
For the consent required before sensitive personal information is processed, an enterprise should also set up a separate consent mechanism instead of obtaining the individual consent together with the individual consent to general personal information. Enterprises should also design special mechanisms for obtaining the consent of parents or guardians for processing the information of minors under the age of 14.
3. Impact assessment and retention of records
As processors of personal information, enterprises should establish a sound mechanism for processing personal information, and if the information so processed involves sensitive personal information, they should specifically assess the purpose and manner of processing personal information, the impact on the rights and interests of individuals, security risks, protection measures, etc., and properly retain the assessment records and the processing circumstances for at least three years.
For further information, please contact:
Teresa Huang, Partner, Lee Tsai & Partners
lawtec@leetsai.com
[1] The authors are lawyer and of-counsel at Shanghai Lee, Tsai & Partners. However, the contents of this article are personal opinions and do not represent the position of the law firm. The following article briefly explains the provisions of the Act regarding the handling of sensitive personal information.