New America
Cybersecurity Initiative

Public Security Ministry Aligns With Chinese Data Protection Regime in Draft Rules

New personal information security rules span longstanding programs and newer governance trends
Blog Post
Shutterstock.com
By 

Samm Sacks

Mingli Shi

Rogier Creemers

Cindy L

, and 

Paul Triolo

Dec. 3, 2018

The foreword below is by Samm Sacks, Mingli Shi, and Paul Triolo. The full-text translation that follows it is by Rogier Creemers, Mingli Shi, Cindy L., and Samm Sacks. –Ed.

FOREWORD

The November 30 release of the “Internet Personal Information Security Protection Guideline (Comment-seeking Draft)” (translated in full below and hereafter called “the Guidelines”) was the latest development in the Chinese government’s build-out of an increasingly comprehensive data governance system.

The new draft guidelines represent the prominent Ministry of Public Security (MPS)’s first major foray into a major area of data governance: personal information protection.

Over the past year, China’s government has accelerated efforts to flesh out regulations and standards for data, looking to other international practices for reference. This process has been complicated by interagency disputes over authority, jurisdiction, and how to incorporate existing systems into an wide-ranging new data governance framework.

While China’s data governance system is still in its early stages, the Chinese government has laid the groundwork for implementing concepts like user consent as well as other requirements for collecting, processing, and sharing personal data. This emerging system has broad implications, including for Chinese Internet users, companies, and the development of technologies like artificial intelligence (AI).

How the emerging regime will affect personal data protection and privacy are not yet clear, and debates are ongoing. Still, significant moves emerged over the past year, including the release of a pivotal document in this effort, the Personal Information Security Specification (“the Specification”). A further Security Impact Assessment Guide for Personal Information (translated by DigiChina) came out in June, calling for organizations to systematically consider the privacy implications of various activities, ranging from business operations to government administration.

The new draft Guidelines, issued by the MPS Office of Cybersecurity, cites the Specification as an “indispensable” reference, and they both lay out recommendations for technical and management processes companies can use to protect personal data. The Specification in general focuses more on individual data rights (i.e., consent to collect), while the Guidelines are geared more toward technical administrative steps data handlers should use to secure personal information (although the Guidelines do specify that people have a right to access and a right to rectify personal data).

Even once the Guidelines reach final form, neither it nor the Specification is technically binding under Chinese law. Still, the Specification has already been used as a reference in government enforcement actions, indicating that the Guidelines may have considerable practical force. These draft Guidelines have been published along with a solicitation for comment, and the presence of several obvious drafting errors suggests this draft may be further from the final form than some.

The Ministry of Public Security Comes to the Table

While the MPS has long been involved in data security, primarily through its Multi-Level Protection System (MLPS). MLPS dates to 2007 but is now moving toward an update after the publication of draft regulations for a “MLPS 2.0” this summer.

Despite its deep background in cybersecurity, MPS has been relatively absent from the personal information protection regime, and the new guidelines mark its full arrival in the interagency mix, as well as a connection between MLPS and other personal information regulatory efforts. (The foundational MLPS standard is cited alongside the Specification as another “indispensable” reference.)

Other major players include the National Information Security Standardization Committee, know as TC260, which published the Specification. TC260 sits under the Cyberspace Administration of China (CAC), even though it long predates it, and it draws legitimacy from CAC’s interagency coordinating role under the recently elevated Central Commission for Cybersecurity and Informatization.

The new Guidelines may allow MPS to ensure that its forthcoming MLPS 2.0 (which has also been referred to as “cyber-MLPS” due to its expanded scope) is consistent with TC260’s specifications. Given MPS’ long efforts on the MLPS, it has at times appeared in tension with the often overlapping regime under China’s 2017 Cybersecurity Law, in which MLPS is only one of six major regulatory systems.

Data Governance Marches On

These are only a few pieces of the emerging data governance regime under construction in China. DigiChina is tracking finalized rules on cross-border data transfer, a regulation on “important data,” and progress on drafting a Personal Information Protection Law, among other developments.

FULL TRANSLATION

[Chinese-language original]

Internet Personal Information Security Protection Guidelines (Comment-seeking Draft)

Table of Contents

  • Introduction
  • 1 Scope
  • 2 Cited Normative Documents
  • 3 Terminology and Definitions
  • 4 Management Mechanisms
    • 4.1 Management Rules
    • 4.2 Management Bodies
    • 4.3 Management Personnel
  • 5 Technical measures
    • 5.1 Basic Requirements
    • 5.2 Enhanced Requirements
  • 6 Business Workflows
    • 6.1 Collection
    • 6.2 Storage
    • 6.3 Usage
    • 6.4 Deletion
    • 6.5 Third-party Entrusted Processing
    • 6.6 Sharing and Transfer
    • 6.7 Public Disclosure
    • 6.8 Emergency Response Processing

Introduction

In order to guide Internet enterprises in establishing and completing management structures and technical measures for citizens' personal information security protection; to effectively prevent unlawful conduct infringing citizens' personal information; and to guarantee the security of online data and the lawful rights and interests of citizens; the public security bodies have combined the conditions gathered through the investigation of cyber-criminal cases of citizens' personal information infringement with security supervision and management work; and organized relevant experts from the Beijing Municipal Online Business Association, the Beijing University of Posts and Telecommunications, and the 3rd Research Institute of the Ministry of Public Security; to research and draft the "Internet Personal Information Security Protection Guidelines (Comment-seeking Draft)".

With regard to specific items within the Guidelines, where laws or regulations provide other rules, items must be implemented in compliance with them.

Guidelines for Personal Information Security Protection

1 Scope

These Guidelines regulate the security management mechanisms, the technical security measures, and the security of business workflows for personal information security protection.

These Guidelines apply as guidance for personal information holders to conduct security protection work in the process of handling the lifecycle of personal information, and they apply as reference for departments with cybersecurity supervision and management tasks to conduct supervision and inspection of personal information protection according to the law.

2 Cited Normative Documents

The following documents are indispensable for the application of this document. For all cited documents carrying a date, only the specific dated version applies to this document. For all cited documents not carrying a date, the most recent version (including all amendments) applies to this document.

GB/T 22239-2008 Information Security Technology - Basic Requirements for Information System Security Multi-Level Protection

GB/T 25069-2010 Information Security Technology - Terminology

GB/T 35273-2017 Information Security Technology - Personal Information Security Specification

3 Terminology and Definitions

3.1 Personal information

All kinds of information recorded using electronic or other methods, by which it is possible alone or in combination with other information to identify a specific natural person or reveal the activities of a specific natural person.

Note: Personal information includes full names, dates of birth, identity card numbers, personal biological distinguishing information, addresses, telecommunications contact methods, telecommunications records and contents, account passwords, asset information, credit information, location tracing, accommodation information, health and physiological information, transaction information, etc.

[GB/T 35273-2017, Definitions 3.1]

3.2 Personal data subject

The natural person whom personal information indicates.

[GB/T 35273-2017, Definitions 3.3]

3.3 Personal information life cycle

The complete life process of personal information, including collection, storage, usage, entrusted processing, sharing, transfer, public disclosure, and deletion of personal information.

3.4 Personal information holder

The organization or individual that controls and processes personal information.

3.5 Personal information holding

Activities or acts in conducting the planning, organization, coordination, or control of personal information and related resources, environments or management systems, etc.

3.6 Personal information collection

The act by personal information holders of obtaining personal information.

3.7 Personal information use

Conducting manipulation of personal information through automated or non-automated means, for instance through collection, recording, organization, arrangement, storage, revision or updating, retrieval, consultation, use, disclosure, dissemination, protection, or other such methods to provide, structure or group, limit, delete, or destroy [data].

3.8 Personal information deletion

The act of removing personal information from systems involved in conducting daily business functions, ensuring they are in a state where they cannot be retrieved or accessed.

[GB/T 35273-2017, Definitions 3.9]

4 Management Mechanisms

4.1 Management Rules

4.1.1 Content of management rules

a) Regulations and documents concerning the overall policies, security strategies, etc., of personal information protection should be formulated. They should include explanations concerning the entity’s personal information protection work objectives, scope, principles, security framework, etc.;

a) [sic.] Personal information protection management rules should be formulated, including content on the personal information lifecycle;

b) Operational rules should be formulated for work personnel's daily management of personal information;

c) Personal information management structures should be established, including security strategies, management rules, operational rules, and record tables and forms;

d) Personal information security incident response preparation plans should be formulated.

4.1.2 Formulation and publication of management rules

a) Specialized departments or personnel should be appointed to take responsibility for the formulation of security management rules;

b) The formulation process and publication method for security management rules should be clearly indicated, formulated security management rules should be subject to elucidation and examination, and elucidation and examination records should be made;

c) The scope of publication of the management rules should be clearly indicated, and the issued document as well as the affirmation situation will be registered and recorded.

4.1.3 Execution and implementation of management rules

a) The implementation situation of relevant rules should be examined, approved, and registered;

b) Records and documents should be preserved, and it should be ensured that the actual workflows and content of corresponding management rules are in concordance;

c) The implementation situation of management rules should be regularly reported and summarized.

4.1.4 Revision and improvement of management rules

a) Security management rules should be regularly examined, and where insufficiencies exist or improvement is required, they should be revised; security management rules should be regularly examined, and where the insufficiencies are discovered or improvement is necessary, revision should be conducted in a timely fashion;

b) Security management rule examination should be documented, if revisions are made to rules, all corresponding issued security management regulations should be updated.

4.2 Management Bodies

4.2.1 Establishing posts in management bodies

a) Work bodies to guide and manage personal information protection should be established, and all bodies' duties and responsibilities shall be clearly defined;

b) The highest manager or the highest manager [sic.] should create specialized positions to engage in personal information protection work;

c) Responsible persons for all aspects of security control and security management, machine room management personnel, systems management personnel, network management personnel, security management personnel, etc., should be clearly appointed, and the scope of their duties and responsibilities should be distinctly and clearly defined.

4.2.2 The personnel allocation of management bodies

a) An allocation of personnel in security management posts should be determined, including quantities, as well as full-time or part-time situations; specialist personnel should be allocated to be responsible for data protection;

b) An information roster for personnel in security management posts should be established, registering information about personnel in important posts such as machine room managers, system managers, database managers, network managers, security managers, etc. Security managers should not concurrently hold positions such as network manager, systems manager, and database manager.

4.3 Management Personnel

4.3.1 The hiring of management personnel

a) Specialized departments or personnel should be established to be responsible for personnel hiring work;

b) Personnel conditions and requirements should be clarified at the time of personnel hiring; the identity, background, and specialized qualifications of hired personnel should be examined; and the technological skills of technical personnel should be assessed;

c) After hiring, a secrecy preservation agreement concerning personal information should be signed;

d) Management files should be established, explaining the conditions that hired personnel must meet (such as academic records and degree requirements, the specialized technical levels that technical personnel should meet, the security management knowledge that management personnel should possess, etc.);

e) The identity, background, specialized qualifications, etc., of hired personnel should be recorded; and examination content and examination results, etc., should be recorded;

f) The skills assessment files or records of employed personnel at the time of hiring should be recorded; and assessment content and assessment results, etc., should be recorded;

g) A secrecy preservation agreement should be concluded, with content including the scope of secrecy preservation, secrecy preservation responsibilities, liability for breach of the agreement, the period of validity of the agreement, the signature of the responsible person, etc.

4.3.2 The departure of management personnel

a) When personnel leave employment, termination formalities should be fulfilled, and a post-termination letter of commitment concerning personal information secrecy preservation should be signed;

b) There should be control methods for personnel about to leave employment. All access privileges of the departing personnel should be ended in a timely fashion. Their identity authentication devices should be returned, for instance identity documents, keys, badges as well as software or hardware devices provided by the organization;

c) A security handling record should be created for the departing personnel (for instance recording return of identity proof, devices, etc.);

d) Records should be made that termination formalities were concluded according to departure procedures.

4.3.3 The assessment of management personnel

a) Specialized personnel should be established, who are responsible for comprehensive and strict regular security examination, knowledge assessment, and skills assessment of personnel involved with personal information and data work;

b) Assessment files should be created on the basis of the assessment cycle, and assessed personnel should include personnel from all posts.

4.3.4 Education and training of management personnel

a) A training plan should be created, and employees of each position should receive the basic security awareness education and job skill training according to the plan;

b) Sanctions should be imposed on employees in violation of the security strategies and requirements;

c) The security management personnel, the system management personnel, and the network management personnel should be tested regularly for their understanding of the basic information security knowledge, the security responsibility, and the sanctions related to their job;

d) Documents should be made for security education and training, clarifying the training method, content, time, location, etc., and the training content should include the basic knowledge of information security and the operating rules of the related position;

e) Records should be made for security education and training, with the information including the trainers, the training content and result, etc.

4.3.5 External personnel access

a) Security measures should be established regarding external personnel access in the physical environment:

  1. Rules should be established regarding the authorized equipment, areas, and information which can be accessed by external personnel;
  2. External personnel should submit a written application prior to access;
  3. After the external personnel access is approved, specific persons should be assigned to accompany and supervise the whole process;
  4. External personnel access should be registered and filed.

b) Security measures should be established regarding external personnel access through the network channels:

  1. External personnel should undergo identity authentication at time of access;
  2. The access permissions and the access contents should vary according to the different identities of the external personnel;
  3. Time limits should be set up for external personnel access;
  4. The manipulation of personal information by the external staff should be recorded.

5 Technical Measures

5.1 Basic Requirements

Protection should occur in accordance with the physical security, network security, host security, application security, data security, and backup recovery needs of [GB/T 22239—2008 7.1 Level 3], and meet the following requirements:

5.1.1 Network and communication security

5.1.1.1 Network Architecture

a) Different network zones should be assigned for networks in which personal information processing systems are located, and addresses should be assigned to each network zone in accordance with the principles of convenient management and control;

a) [sic.] Personal information processing systems and equipment that stores personal information should be deployed as critical areas with border protection measures.

5.1.1.2 Communication and transmission

a) Verification or cryptographic technologies should be used to ensure the integrity of personal information during the transmission process;

b) Password technology should be used to ensure the confidentiality of personal information segments, or the entire message during the transmission process.

5.1.1.3 Boundary protection

It should be ensured that access across boundaries and personal information is communicated via controlled interfaces provided by the boundary service.

5.1.1.4 Access control

Access control rules should be set at the boundaries of personal information processing systems according to access control policies.

5.1.1.5 Intrusion prevention

Intrusion prevention devices should be deployed at the boundaries of personal information processing systems to detect, prevent, or limit external and internal cyber attacks.

5.1.1.6 Defense against malicious code and spam

Malicious code should be detected and cleaned at the network boundary of personal information processing systems, and upgrades and updates of malware protection mechanisms should be maintained.

5.1.1.7 Security audit

a) Security audits should be conducted at network boundaries and important network nodes of personal information processing systems. The audits should cover every user and should audit important user behavior and important security incidents;

b) Audit records should include the date and time of an incident, the user, incident type, whether the incident was successful, and other audit-related information;

c) Audit records should be safeguarded, regularly backed up, and protected from unintended deletion, modification, or overwriting;

d) The retention period of audit records should comply with the requirements of laws and regulations;

e) It should be possible to conduct separate behavioral audits and data analysis on remote access and internet usage behaviors, among others.

5.1.2 Equipment and computation

5.1.2.1 Identification and differentiation

a) Users logging into personal information and processing systems should be identified and differentiated;

b) It should ensured that identity authentication cannot be easily misappropriated;

c) Identity authentication details should be replaced periodically with certain degrees of complexity;

d) Personal information processing systems and devices storing personal information should enable login failure features, provide measures to end sessions, limit the number of illegal logins, and perform automatic exits;

e) When personal information processing systems and devices storing personal information are managed remotely, measures should be taken to prevent identity authentication details from being intercepted during the network transmission process;

f) Personal information processing systems and devices storing personal information should use a combination of two or more authentication technologies such as passwords, cryptographic technology, or biometric verifications to identify the user, and at least one of the authentication methods used should contain cryptographic techniques.

5.1.2.2 Access control

a) Accounts and permissions should be assigned to users who log in to personal information processing systems and devices that store personal information;

a) [sic.] Personal information processing systems and devices storing personal information should rename or delete default accounts and modify the default passwords of those accounts;

b) Personal information processing systems and devices storing personal information should promptly delete or disable excess or expired accounts and avoid the occurrence of shared accounts;

c) Personal information processing systems and devices storing personal information should have allocated roles, and grant the minimum privileges required for the management of users, to realize the separation of privileges in user management;

d) Personal information processing systems and devices storing personal information should allow the authorized subject to configure access control policy, and the access control policy should specify the rules for a subject’s access to an object;

e) Personal information processing systems and devices storing personal information should have a granularity of access control in which the subject is at the user or operation level, while the object is at the file and database level.

f) Personal information processing systems and devices that store personal information should set security markings for personal information and control subjects’ access to security marked materials.

5.1.2.3 Security audit

a) Personal information processing and storage devices should employ security auditing and extend audits to each user to cover important user behavior and important security incidents;

b) Audit records should include the date and time of an incident, the user, incident type, whether the incident was successful, and other audit-related information;

c) Audit records should be safeguarded, regularly backed up, and protected from unintended deletion, modification, or overwriting;

d) The retention period of the audit records should comply with relevant laws and regulations;

e) The audit process should be protected against unauthorized suspensions.

5.1.2.4 Intrusion prevention

a) Personal information processing and storage devices should follow minimum installation principles and only install required components and applications;

b) Personal information processing and storage devices should shut down unnecessary system services, as well as default sharing and high-risk ports;

c) Personal information processing and storage devices should impose limitations on the terminals managed through the network by setting terminal access procedures and web address ranges;

d) Personal information processing and storage devices should be able to detect known vulnerabilities and repair those vulnerabilities in a timely fashion following thorough testing and evaluation;

e) Personal information processing and storage devices should be able to detect intrusions of critical nodes and provide alerts in the event of a serious intrusion;

5.1.2.5 Malicious code prevention and implementation of trusted programs

Trusted verification of system programs, applications, and critical configuration files/parameters should be performed with technical measures and trusted authentication mechanisms that protect against malware attacks, and take remedial action when they detect that integrity has been compromised.

5.1.2.6 Resource control

a) The maximum utilization of personal information processing and storage device resources by individual users and processes should be limited;

b) Hardware redundancy should be provided for critical-node devices to ensure system usability;

c) Important nodes should be monitored, including for the use of resources such as CPU, hard disk, and memory;

d) Detection and alerts of reductions in the service quality of important nodes within a predetermined minimum value range should be possible.

5.1.3 Applications and data

5.1.3.1 Identity authentication

a) Personal information processing applications should identify and authenticate users that have logged in. The identification should be unique. The authentication details should be complex and require regular update;

b) Personal information processing applications should provide and enable login failure features, and take necessary protective measures after multiple login attempts;

c) Personal information processing applications should compel users to modify the default password after initial login;

d) When the user’s identity authentication information is lost or invalid, technical measures should be taken to ensure the security of the authentication information reset process;

e) The user should be authenticated by a combination of two or more authentication methods such as passwords or cryptographic or biometric verification techniques, using cryptography with one of those authentication methods.

5.1.3.2 Access control

a) Personal information processing applications should provide access control features and assign accounts and permissions to logged-in users;

b) Default accounts should be renamed or deleted, and the default passwords of those accounts should be modified;

c) Excess or expired accounts should be deleted or deactivated in a timely fashion, and shared accounts should be prevented;

d) Different accounts should be granted the minimum permissions required to complete their respective tasks, forming a system of checks and balances between them;

e) Access control policy should be formulated by an authorized subject, stipulating rules for subjects’ access to objects;

f) The granularity of access control should be such that a subject is at the user level while an object is at the file, database, record, or field level;

g) Personal information should be set up with security markings to control the subject’s access to resources labeled with such markings;

5.1.3.3 Security audit

a) Personal information processing applications should provide security auditing functions, and audits should cover each user, including important user behavior and important security incidents;

b) Audit records should include the date and time of an incident, the user, the type of incident, whether the incident was successful, and other audit-related information;

c) Audit records should be protected, backed-up regularly, and protected from unexpected deletion, modification, or overwriting;

d) The retention period of the audit records should comply with relevant laws and requirements;

e) The audit process should be protected against unauthorized suspension.

5.1.3.4 Software fault tolerance

a) The capability to verify validity of personal information should be provided to ensure that content uploaded through either human-machine or communication interfaces conforms to the setting requirements of the information processing application;

b) Identification of known vulnerabilities that may exist in the personal information processing application should be possible, and there should be an ability to fix the vulnerabilities in a timely fashion following adequate testing and evaluation;

c) There should be the ability to continue to carry out some functions in the event of a crash and to implement necessary remedies.

5.1.3.5 Resource control

a) When one party fails to respond for a period of time, the other party should be able to automatically terminate the session;

b) The maximum number of concurrent sessions for personal information processing systems should be limited;

c) It should be possible to limit multiple concurrent sessions for a single user.

5.1.3.6 Data integrity

a) Verification and cryptographic technology should be employed to ensure the integrity of important data during transmission, including but not limited to authentication data and personal information;

b) Verification and cryptographic technology should be used to ensure the integrity of important data during storage, including but not limited to authentication data and personal information;

5.1.3.7 Data confidentiality

a) Cryptographic technology should be used to ensure the confidentiality of important data during transmission, including but not limited to authentication data and personal information;

b) Cryptographic technology should be used to ensure the confidentiality of important data during storage, including but not limited to authentication data and personal information.

5.1.3.8 Data backup and recovery

a) Local data backup and recovery functions for personal information should be provided;

b) Real-time backup in different locations should be provided, and important data should be backed up in real-time to the backup site using communication networks;

c) Hot redundancy of important data processing systems should be provided to ensure high system usability.

5.1.3.9 Residual information protection

a) Ensure that the storage space containing authentication data is completely cleared before being released or redistributed;

b) Ensure that the storage space containing personal information is completely cleared before being released or redistributed.

5.2 Enhanced Requirements

5.2.1 Enhanced requirements for cloud computing security

a) Verification technology or cryptographic technology should be applied to ensure the integrity of personal information during the migration process of the virtual machines, and the necessary recovery measures should be adopted when damage to the integrity has been detected;

b) Cryptographic technology shall be applied to ensure the confidentiality of the personal information during the migration process of the virtual machines to avoid data leakage during the migration process;

5.2.2 Enhanced requirements for the security expansion of the Internet of Things

Cryptographic technology should be applied to the return of data collected by Internet of Things sensor nodes to ensure the confidentiality of the personal information during the communication process.

6 Business Workflows

6.1 Collection

The collection of personal information should satisfy the following requirements:

a) Before the personal information is collected, the entity should disclose to the data subject whose personal information will be collected information regarding the collection, including the purposes, the scope, the method and means, the processing method, etc.;

b) The consent and authorization of the data subject of the personal information should be obtained for the collection of personal information;

c) The collection of personal information should follow the agreements and contracts signed before collection and not exceed the agreed scope;

d) The process security of personal information collection should be ensured:

  1. Before the personal information is collected, a mechanism should be established for identity authentication of the data subjects and the mechanism should be of appropriate security;
  2. When the personal information is collected, the information should be protected in manners such as encryption during the transmission process;
  3. The system of personal information collection should follow the requirements of cybersecurity multi-level protection;
  4. When personal information is collected, there should be a mechanism for security review and filtering of the contents to be collected to avoid illegal contents.

6.2 Storage

The storage of personal information should satisfy the following requirements:

a) The collected personal information should be processed with appropriate security procedures such as encrypted storage;

b) Appropriate storage time limits should be set up for the stored personal information according to the purposes of the collection and the usage, and the authorization of the data subject;

c) The stored personal information should be deleted after the time limit expires;

d) The major equipment for the personal information storage should have functions for data backup and recovery, ensure the frequency of data backup and time interval, and adopt at least one of the following methods:

  1. Have the function of local data backup;
  2. The backup medium can be stored offsite;
  3. Have the function of offsite data backup.

6.3 Use

The use of personal information should satisfy the following requirements:

a) The use of personal information should follow the relevant contracts and requirements signed with the data subject of the personal information and not exceed the agreed scope.

Note: Personal information data that has been anonymized or desensitized can be used for historical, statistical, or scientific purposes beyond the scope of the relevant contract and agreement signed by the data subject, but appropriate security measures should be adopted.

b) The data subject of personal information should have the right to control the personal information, including:

  1. right to access the personal information;
  2. right to the rectification of personal information, including the right to correct inaccurate or incomplete data;

c) Appropriate measures to limit access should be applied to those who have access to personal information, including:

  1. The authorization to access personal information should follow the principle of minimization to allow the minimum access and the minimum privileges to process the data as required by the job responsibility;
  2. Internal review process should be set up for the important processing of personal information, such as bulk editing, copying, and downloading;
  3. The appropriate person-in-charge or institution should be arranged to review any specific personnel’s data processing beyond the limit, and such conduct should be recorded.
  4. Personal information should be de-identified if the information needs to be presented via an interface.

6.4 Deletion

a) Personal information on relevant storage devices should be deleted after the time limit has been exceeded for saving personal information;

b) Measures should be taken to prevent recovery by technical means of personal information after deletion of personal information data;

c) When storing new information on devices that have stored personal information previously, all previous content should be deleted;

d) Discarded storage devices should undergo processing after deletion has been carried out.

6.5 Third-Party Entrusted Processing

a) When entrusting [another entity with] personal information processing, the scope should not exceed that which was authorized by the information subject;

b) When entrusting the relevant processing of personal information to be carried out, an evaluation should be carried out on the data security capabilities of the trustee;

c) When carrying out entrusted processing of personal information, an agreement should be executed requiring that the trustee follow this specification [sic.].

d) Privileges should be granted for the trustee to use and access personal information data.

e) When the trustee has completed processing of personal information relevant data, [they] should carry out deletion of the stored personal information data content.

6.6 Sharing and Transfer

The sharing and transfer of personal information should satisfy the following requirements:

a) The process of sharing and/or transfer should undergo an assessment for legitimacy and necessity;

b) When personal information is shared and/or transferred, an assessment of the security impact should be carried out, including an assessment on the data security competency of the data recipient, and effective measures should be adopted based on the assessment results to protect data subjects;

c) Prior to the sharing and/or transfer, the data subject should be informed of the purposes of the transfer and the type of the data recipients, and other information;

d) Prior to the sharing and/or transfer, the authorization and consent of the data subject should be obtained;

e) The sharing and/or transfer of the information should be recorded, with the registration of information including the dates of the sharing and/or transfer, the amount of the data, the purposes, and the basic information of the data recipients;

f) After sharing and/or transfer, how the data recipients store and use the personal information, and the rights of the data subjects, such as the right to access, rectification, erasure, and deactivation, should be understood.

6.7 Public Disclosure

In principle, personal information must not be disclosed publicly. If it occurs, the following requirements should be met:

a) Public disclosure should be assessed for legality and necessity;

b) A security impact assessment of the behavior should be conducted, and effective measures to protect personal information in accordance with assessment results should be taken;

c) The subject should be informed of the purpose, type, etc., of the disclosure before it takes place;

d) The subject’s consent should be obtained before public disclosure;

e) The disclosed information contents should be recorded, and details including the date of public disclosure, the amount of data, and the motive and the basic information of the data recipient shall be recorded.

6.8 Emergency Response

a) A cybersecurity risk assessment and emergency response mechanism should be established and improved;

b) An emergency plan for cybersecurity incidents should be developed;

c) Relevant personal information incident and security incident drills should be organized regularly;

d) Relevant institutional information should be developed to have a mechanism for reporting to relevant authorities when an emergency event occurs during the processing of personal information;

e) Emergency response training and drills should be conducted for relevant internal personnel who handle and process personal information;

f) Emergency response strategies and procedures should be understood;

g) Details regarding information security incidents should be recorded, and details of the incident should be recorded after an emergency occurs, including the personnel who discovered the event, the personal information and the number of people implicated, etc.;

h) The impact of the incident should be assessed, and necessary steps to control the situation should be taken;

i) The circumstances of the incident should be communicated to the personal information subject(s) affected.