China Formulates Data Acquisition Guidelines

The "code of conduct" for data acquisition and personal data protection has been submitted for approval, said Gao Lin, secretary general of the China National Information Security Standardisation Technical Committee.

Internet users suffer serious information leaks in China. According to the 2015 Report on the Protection of Chinese Internet Users' Rights and Interests released by the Internet Society of China, 63.4% of Internet users had encountered leaks of information about their online activities, including call logs and online shopping records, and 78.2% of Internet users even experienced personal identity information leaks, including their name, address, identity card number and place of work.

Gao Lin spoke of two issues that need to be tackled in the formulation of national standards for cybersecurity, including personal information security guidelines and protection guide. First, reasonable restrictions must be imposed on the acquisition of users' personal information and "not all data can be collected". Second, the data collected must be properly managed. How to strike a balance between the promotion of business development and personal data protection is a hard nut to crack in the formulation of information security standards.

Gao Lin disclosed that draft data acquisition standards have now been submitted for approval. The new standards will set the bottom line for corporate conduct but will not be mandatory. The work of drafting standards for managing big data safety also will "get started soon".

There is every need to ensure personal data protection in this cyber age. Besides formulating and enforcing the relevant standards, it is also necessary to improve upon relating laws and regulations, said Gao Lin.

Information protection is accorded primary importance in China's first Cyber Security Law (draft). The draft law stipulates that an Internet operator must clearly state its purpose, method and scope of collection and use of user personal information, obtain the consent of the user, and make public its rules for the collection and use of such information. The information collected must be kept strictly confidential and may not be disclosed, tampered with or damaged, nor sold or provided illegally to other parties.