14 January, 2019
On November 30, 2018, one month after the Provisions on Internet Security Supervision and Inspection by Public Security Authorities came into effect, the Cybersecurity Protection Bureau of the Ministry of Public Security released the Guideline for Internet Personal Information Security Protection (the "Guideline") for public comment. The Guideline provides guidance to internet companies on establishing and improving their management systems, sets out various technical measures to protect the security of personal information, and details the steps that businesses can take from technical, management and business perspectives, as summarized below.
I. Management Systems
The first paragraph of Article 21 of the Cybersecurity Law outlines the general principle that network operators should "develop internal security management systems and operational procedures, determine the persons responsible for network security, and implement the responsibility for network security protection." On the basis of these general principles, the Guideline specifies the requirements for the content, formulation, issuance, implementation, evaluation and improvement of management systems. It also details personnel requirements for organizations in terms of elements including the overall employment structure, staffing, recruitment, dismissal, and performance assessment.
II. Technical Measures
The Guideline explicitly requires internet companies to protect personal information to at least the Level Three requirements of the national standard Information Security Technology Basic Requirements for Security Level Protection of Information Systems (GB/T22239-2008.7) ("Classified Protection Requirements"), and places particular emphasis upon the following three aspects of network security:
1. Network and communication security
The Guideline is very similar to the Classified Protection Requirements. It reiterates, from the perspective of personal information processing systems, some of the specific requirements relating to network structures, data transmission, border protection, access control, intrusion prevention, malicious code, spam, and security audits. For example, the Guideline explicitly requires companies to provide separate network areas for those systems that process personal information, and to base the assignment of addresses to various network areas upon the principles of convenient management and control. Security audits are to be conducted at network boundaries and at key network nodes within the personal information processing system. Audits should encompass every user, all major user activities and significant security incidents.
2. Equipment and calculations
The Guideline for the most part applies the Level Three protection requirements to personal information systems, specifying details for items including identity authentication, access control, security audits, intrusion prevention, malicious code prevention, trusted program execution, and resource control. The Guideline provides details from various perspectives, requiring, for example, that users logging in to a personal information processing system be authenticated, that authentication information be sufficiently complex and regularly updated, and that at least two authentication techniques be required for access. There should be clearly delineated levels of access, with administrators granted only the minimum authorization needed to access both the personal information processing system and the equipment used to store personal information.
3. Application and data
The Guideline requires that verification or password (cryptographic) technology be adopted to ensure the integrity of important data, including but not limited to authentication information and personal information, during transmission. It requires the provision of a local data backup and recovery function for personal information, as well as a remote real-time backup function. Any storage space used for authentication information or personal information should be completely cleared before being released or reallocated.
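The integrity requirement above is the kind of control that is usually met with a keyed message authentication code: the sender attaches a tag computed over the record, and the receiver recomputes it and rejects anything that does not match. The following is an added illustration, not code from the Guideline or from any named implementation; the shared key, the record fields and the sample values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment provisions the key out of band
# (e.g. from a key management service) and rotates it; never hard-code it.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes,
    # regardless of dict insertion order or whitespace differences.
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to a record before it is transmitted."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"payload": record, "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag on receipt and compare in constant time.

    Returns False for a modified payload, a modified tag, a missing tag,
    or a tag produced under a different key.
    """
    payload = message.get("payload")
    tag = message.get("tag")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed sample record standing in for a personal-information submission.
SAMPLE = {"user_id": "u-1001", "phone": "13800000000", "consent": True}


def demo() -> tuple:
    """Return (genuine message verifies, tampered copy verifies)."""
    msg = protect(SAMPLE)
    genuine_ok = verify(msg)
    # Simulate in-transit modification of one field while keeping the old tag.
    tampered = {"payload": dict(msg["payload"], phone="13900000000"), "tag": msg["tag"]}
    return genuine_ok, verify(tampered)


if __name__ == "__main__":
    print(demo())
```

An HMAC detects modification but does not by itself stop replay of an unmodified message; if that matters for the system, the protected record should carry a sequence number or timestamp that the receiver checks as well. Confidentiality of the fields in transit is a separate control (TLS, or encryption of the payload), which the Guideline addresses under collection.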
III. Business Process
Section 6 (Business Process) of the Guideline sets out specific compliance requirements for each step of the data life cycle, in accordance with the data protection principles stipulated in the Cybersecurity Law and with reference to the Personal Information Security Specification (PI Specification):
1. Personal information collection
The Guideline emphasizes the need for security in the collection of personal information. Prior to collecting personal information, it is necessary to confirm the identity of a person. Personal information should be encrypted during transmission, and kept secure. Detection and filtering mechanisms should be implemented and the submission of illegal content should be prevented.
2. Saving and deleting personal information
Taking the PI Specification as its basis, the Guideline specifies that the holder of personal information should take appropriate management measures. The main equipment used to store personal information should provide backup and recovery functions, with at least one means of backup and more than one type of backup. Technical measures should be taken to prevent data that has been deleted in the normal course of business from being restored. Data on any storage equipment that has been decommissioned should be removed before the equipment's disposal.
3. Third party entrustment
The Guideline indicates that an entrusting party shall sign the relevant agreements with the trustee and shall evaluate the trustee's data security capability.
IV. Our Observations
While the Guideline is broadly consistent in terms of approach and content with laws, regulations and standards such as the Cybersecurity Law, the Classified Protection Requirements and the PI Specification, in certain respects, it goes further, by specifying, explaining and clarifying the relevant regulations. It provides Internet companies with more targeted responsibilities and compliance guidelines in their protection of personal information.
Of some significance, for the first time, the Guideline makes it clear that internet companies’ information systems that relate to personal information will be required to follow at least the Level Three technical and management protection measures of the Classified Protection Requirements. In doing so, it provides clearer, stricter requirements for the management system within a company and for overall security when storing personal information, including position setting and staffing.
It remains to be seen how the Guideline will be finalized, and once issued, applied in practice, and whether the public security authorities will undertake inspections to ascertain whether companies are complying with the network security requirements of the Guideline.