China lays out rules to protect customer data

In the first non-legally binding guideline, some rules implemented by the government include companies deleting data after use and setting up an internal system to manage and protect customer data.
Written by Ellyne Phneah, Contributor

The Chinese government has set out rules and guidelines which companies must observe when they process personal data.

The non-legally binding code came into effect on Friday, according to China Daily. Companies and institutions have been instructed to delete customer information after use. Data should also be collected with the permission of the user and must be deleted as soon as possible after its usage.

Some rules for consumer data protection include companies deleting data and setting up internal systems to manage data.

The guidelines also allow companies to collect private data only for a specific and reasonable purpose, which cannot be altered or amended during the process. The code also requires companies to follow "the minimal principle", which means companies can only collect data sufficient for the specific purpose, and no fishing of information is permitted.

Companies must also set up an internal protection system to manage personal data and the person responsible for information protection must be clearly stated.

According to Gao Chiyang, deputy director of China Software Testing Center, which is affiliated with the Ministry of Industry and Information Technology (MIIT), 80 percent of personal information leaks took place from the inside. Employees working for companies can also easily access a large amount of personal information.

To better safeguard against this, employees working for telecom companies, financial institutions, schools and hospitals also face up to three years in prison if they illegally provide personal information to others.

The Chinese police force had been pushing for more regulated and clearly defined parameters on crime involving the theft of personal data, as existing ones have been hampering its efforts to obtain convictions since July last year.

Other Asian nations have also stepped up data protection measures. Singapore's Data Protection Law came into effect in October last year, Malaysia's Personal Data Protection Act was launched in April 2010, while the Indian government in 2007 enacted the country's Do-Not-Call directive.




