What Are the Key Recommendations in China's Draft Internet Personal Information Security Guidelines?
The draft "Internet Personal Information Security Protection Guideline" issued by China's Ministry of Public Security outlines management mechanisms, technical safeguards, and business-process controls that help internet enterprises protect personal data throughout its lifecycle, and invites public feedback through the National Internet Security Management Service Platform.
Guideline for Internet Personal Information Security Protection (Draft)
This document, prepared by the Ministry of Public Security’s Cybersecurity Protection Bureau together with experts from the Beijing Network Industry Association, Beijing University of Posts and Telecommunications, and the Ministry’s Third Research Institute, aims to guide internet enterprises in establishing robust personal information security management systems and technical measures, in accordance with the Cybersecurity Law.
The public is invited to review the draft on the National Internet Security Management Service Platform (http://www.beian.gov.cn) and submit comments via email ([email protected]) or fax (010‑66262319).
1. Scope
The guideline defines security management mechanisms, technical measures, and business‑process safeguards for personal information protection. It applies to personal information holders throughout the data lifecycle and to cybersecurity supervisory authorities conducting inspections.
2. Normative References
Relevant standards include GB/T 22239‑2008 (Information System Security Level Protection), GB/T 25069‑2010 (Security Terminology), and GB/T 35273‑2017 (Personal Information Security Specification).
3. Terms and Definitions
Personal information: any electronic or other recorded data that can identify a natural person, alone or in combination with other information.
Examples: name, birthdate, ID number, biometric data, address, contact details, communication records, account passwords, financial information, credit data, location traces, health data, transaction records, etc.
Personal data subject: the natural person identified by the personal information.
Personal information lifecycle: collection, storage, use, entrusted processing, sharing, transfer, disclosure, and destruction of personal data.
Personal information holder: the organization or individual that controls and processes personal information.
Personal information holding: the planning, organizing, coordinating, and controlling of activities related to personal data and its processing environment.
Collection of personal information: the act of acquiring personal data by the holder.
Usage of personal information: any operation on personal data, such as recording, storing, modifying, retrieving, disclosing, protecting, or destroying it.
Removal of personal information: actions that render personal data unretrievable and inaccessible.
4. Management Mechanisms
4.1 Management System
Establish overall policies, security strategies, and detailed rules covering objectives, scope, principles, and frameworks.
Define procedures for daily management of personal data.
Create a systematic management framework that includes policies, procedures, and record forms.
Develop an emergency response plan for personal information security incidents.
4.2 Management Institution
Set up dedicated units with clearly defined responsibilities for personal information protection.
Appoint senior management and specialized roles (security officer, system administrator, network administrator, etc.).
Ensure staffing levels, full‑time dedication, and separation of duties (e.g., security administrators should not double as network or system administrators).
4.3 Management Personnel
Recruit staff through a dedicated department, verify qualifications, and conduct technical skill assessments.
Require signed confidentiality agreements covering scope, responsibilities, breach liability, and term.
Maintain documentation of personnel qualifications, assessment results, and confidentiality commitments.
Handle off‑boarding by revoking access, retrieving credentials and equipment, and recording the process.
Conduct regular security awareness, competence, and performance evaluations.
Provide training plans covering basic security knowledge, operational procedures, and role‑specific skills, and keep training records.
Regulate external personnel access with written requests, supervision, and logging.
5. Technical Measures
5.1 Basic Requirements
Follow GB/T 22239‑2008 level‑3 requirements for physical, network, host, application, data security, and backup/recovery.
Network and communication security: segment networks, protect boundary zones, use encryption and integrity checks, enforce access control, deploy intrusion‑prevention systems, and conduct security auditing.
Device and computing security: implement strong identity authentication, multi‑factor verification, password complexity, account management, role‑based access control, and audit logging.
Application and data security: enforce authentication, password policies, encryption for data in transit and at rest, integrity verification, backup, redundancy, and secure deletion.
5.2 Enhanced Requirements
Cloud computing: protect VM migration integrity and confidentiality with cryptographic techniques.
IoT: ensure sensor‑node communications encrypt personal data.
6. Business Processes
6.1 Collection
Publish purpose, scope, methods, and handling procedures before collection.
Obtain consent from the data subject.
Ensure collection complies with prior agreements and does not exceed scope.
Secure the collection process with authentication, encryption, compliance with security level protection, and content filtering.
6.2 Storage
Encrypt stored personal data.
Set retention periods based on purpose and consent.
Delete data after the retention period expires.
Provide backup and recovery, using local backup, off‑site storage, or remote backup solutions.
6.3 Use
Use personal data only within the scope of agreements with the data subject.
Allow data subjects to access and correct their information.
Implement least‑privilege access controls and internal approval for bulk operations.
De‑identify data displayed on user interfaces.
6.4 Deletion
Delete data after retention expires and ensure it cannot be recovered.
Wipe storage media before repurposing or disposal.
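The storage, use, and deletion requirements in 6.2 to 6.4 (encrypt at rest, enforce a retention period, de-identify data shown on user interfaces, and make deleted data unrecoverable) are easier to reason about in code. The following is an added example, not part of the guideline or of any Ministry of Public Security tooling: a per-record store where each record gets its own key, expiry is checked against the collection time plus retention period, and deletion destroys the key so that any surviving copy of the ciphertext is unrecoverable (crypto-shredding). The keystream construction, the record layout and the masking rules are assumptions for illustration; a production system would use a vetted AEAD such as AES-GCM and a key-management service.

```python
"""Added example (not from the MPS guideline): minimal personal-data store
that encrypts at rest, enforces retention, masks fields for display, and
makes deletion unrecoverable by destroying per-record keys."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # ASSUMPTION: illustrative HMAC-SHA256 counter-mode keystream, chosen so the
    # example runs with the standard library only. Use a vetted AEAD in production.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    nonce: bytes
    ciphertext: bytes
    collected_at: float      # when the data was collected (6.2: retention starts here)
    retention_seconds: int   # retention period agreed with the data subject


class PersonalDataStore:
    def __init__(self):
        self._keys = {}       # record_id -> per-record key; removed on deletion
        self._records = {}    # record_id -> Record (ciphertext only)
        self.audit_log = []   # (action, record_id) entries for 6.3/6.4 record keeping

    def store(self, record_id: str, plaintext: str, retention_seconds: int, now=None):
        key = os.urandom(32)
        nonce = os.urandom(16)
        data = plaintext.encode()
        ciphertext = _xor(data, _keystream(key, nonce, len(data)))
        self._keys[record_id] = key
        collected = now if now is not None else time.time()
        self._records[record_id] = Record(nonce, ciphertext, collected, retention_seconds)
        self.audit_log.append(("store", record_id))

    def has(self, record_id: str) -> bool:
        # A record is only readable while both its ciphertext and its key exist.
        return record_id in self._records and record_id in self._keys

    def read(self, record_id: str) -> str:
        rec = self._records[record_id]
        key = self._keys[record_id]          # KeyError after deletion: data is gone
        return _xor(rec.ciphertext, _keystream(key, rec.nonce, len(rec.ciphertext))).decode()

    def expire(self, now=None) -> list:
        """Delete every record whose retention period has elapsed (6.2 / 6.4)."""
        now = now if now is not None else time.time()
        expired = [rid for rid, r in self._records.items()
                   if now >= r.collected_at + r.retention_seconds]
        for rid in expired:
            self.delete(rid)
        return expired

    def delete(self, record_id: str):
        # Crypto-shredding: with the key destroyed, leftover backups of the
        # ciphertext cannot be decrypted, which satisfies "cannot be recovered".
        self._keys.pop(record_id, None)
        self._records.pop(record_id, None)
        self.audit_log.append(("delete", record_id))


def mask_phone(phone: str) -> str:
    """De-identify a phone number for UI display (6.3): keep first 3 and last 4 digits."""
    if len(phone) < 8:
        return "*" * len(phone)
    return phone[:3] + "*" * (len(phone) - 7) + phone[-4:]


def mask_id_number(idn: str) -> str:
    """De-identify an ID number for display: keep first 6 and last 4 characters."""
    if len(idn) <= 10:
        return "*" * len(idn)
    return idn[:6] + "*" * (len(idn) - 10) + idn[-4:]


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample data, not a real person.
    store.store("u1", "13812345678", retention_seconds=86400, now=1000)
    print(mask_phone(store.read("u1")))          # what the UI shows
    print(store.expire(now=1000 + 86400))        # ["u1"] once retention elapses
    print(store.has("u1"))                       # False
```

The retention check uses an explicit `now` parameter so that expiry can be tested deterministically; a real scheduler would call `expire()` periodically and feed the audit log into the records required by 6.4 and 6.8.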
6.5 Third‑Party Processing
Process only within the authorized scope.
Assess third‑party security capabilities.
Require contractual compliance with the guideline.
Authorize access and ensure post‑processing deletion.
6.6 Sharing and Transfer
Conduct legality and necessity assessments.
Perform security impact assessments and evaluate recipient capabilities.
Inform data subjects of purpose, recipient type, and obtain consent.
Record details of sharing/transfer events.
6.7 Public Disclosure
Disclose only after legal and necessity assessments.
Conduct security impact assessment and obtain explicit consent.
Record disclosure details.
6.8 Emergency Response
Establish risk assessment and emergency mechanisms.
Develop incident response plans and conduct regular drills.
Report incidents to supervisory authorities.
Train personnel and maintain records of incident details, impact assessment, and notifications to affected data subjects.
(Source: Ministry of Public Security, Cybersecurity Protection Bureau)
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.