Compared with the definition of “personal information” under the Cyber Security Law, the definition under the Specification expressly expands the scope of personal information to cover (in addition to personal identity information) information reflecting the activities of certain individuals, including personal location, personal correspondence records, online browsing history and so forth.
The expanded definition is consistent with the definition of “personal information” used in several newly-drafted regulations, such as the draft Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (which remains in draft as at the date of this client update). The expanded scope reflects a trend among the relevant authorities of providing more comprehensive criteria as to what constitutes personal information, casting the net more widely.
An appendix attached to the Specification sets out typical examples of what constitutes personal information, as practical guidance for screening personal data.
The Specification introduces a concept of “sensitive personal information”, distinguishing such information from other personal information. Sensitive personal information is any personal information which, if lost or misused, may endanger personal security or property, cause damage to personal reputation, mental health and physical health, or lead to discriminatory treatment.
Under the Specification, sensitive personal information includes ID card numbers, biological identifying information, bank accounts, religious belief and sexual orientation (other typical sensitive personal information is listed in the appendix to the Specification). In addition, personal information relating to minors under 14 years old is generally deemed to be sensitive personal information.
The Specification sets out different rules regarding the collection and use of sensitive personal information. We set the details out below.