The Personal Information Protection Law gives special protection to sensitive personal information

How to get from paper to reality

Say goodbye to personal information streaking

  Our reporter Zhu Ningning

  On November 1, the Personal Information Protection Law, which has received much attention, came into effect.

  In the era of network information, abuses in the field of personal information protection are rampant. Some enterprises, institutions and even individuals collect, illegally acquire, overuse, and illegally buy and sell personal information, which disturbs people's peace of life and endangers their lives, health and property.

The protection of personal information has become the issue of greatest concern, and the most direct and practical interest, of the general public.

  The promulgation of a dedicated personal information protection law has also been the strongest legislative demand from all sectors of society in recent years.

How to protect personal information, how to build a strong legal deterrent, and how to effectively curb violations of laws and regulations that infringe on the rights and interests of personal information are issues that need to be resolved urgently by legislation.

After three deliberations, on August 20, the 30th meeting of the Standing Committee of the 13th National People's Congress voted to pass the Personal Information Protection Law.

  As a basic and specialized law in the field of personal information protection, the Personal Information Protection Law, together with the Civil Code, the Data Security Law, the E-commerce Law and other laws, forms a personal information protection network.

It is worth mentioning that, in the context of the gradual increase in the awareness of personal information security in the whole society, although the broad masses of people have always maintained a high degree of enthusiasm for personal information protection, they also generally lack relevant scientific and legal knowledge.

Turning the Personal Information Protection Law from legal provisions on paper into a powerful weapon for protecting rights will not happen overnight.

Distinguish between sensitive and non-sensitive information

  For ordinary people, which personal information is protected by the Personal Information Protection Law, especially which personal information will be specially protected by the law, is undoubtedly the most important question to understand.

  One of the highlights of the Personal Information Protection Law is that, for the first time in law, personal information is divided into sensitive and non-sensitive. Using a definition that combines a general description with enumeration, the law defines "sensitive personal information" as "personal information that, once leaked or used illegally, is likely to cause infringement of a natural person's personal dignity or harm to personal and property safety", and the handling of sensitive personal information is subject to special and stricter rules.

  In accordance with the provisions of the Personal Information Protection Law, biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts, and personal information of minors under the age of fourteen are classified as "sensitive" personal information.

Compared with other personal information, sensitive personal information will be more strictly protected.

  Asked why it is necessary to provide special legal protection for sensitive personal information, Cheng Xiao, deputy dean of the School of Law of Tsinghua University, pointed out that, on the one hand, sensitive personal information is extremely closely linked to the basic rights of natural persons, such as personal dignity and freedom of personality, and to major personal property rights and interests.

Whether such information is processed legally or illegally, significant risks and even direct harm will result.

For example, by obtaining biometric information such as a natural person's genes, fingerprints, voiceprints, palmprints and facial features, a specific natural person can be permanently identified.

If processors rack their brains over how to use this information for profit, the dangers that may be caused to the individual will be difficult to predict and control.

On the other hand, in the era of network information, it is obviously impossible to completely prohibit the use of personal information. How to delimit the boundary between protection and fair use becomes the core of the problem.

The distinction between sensitive and non-sensitive helps to delimit this boundary more scientifically.

In addition, distinguishing and clearly enumerating sensitive personal information is very necessary for natural persons, personal information processors, and related functional departments.

  "This distinction can make natural persons more fully aware of the importance of sensitive personal information, so that they take more effective self-protection actions, are more cautious, and promptly report violations once they are discovered. It can also reduce personal information processors' compliance costs in performing their obligations and increase the predictability of the legality of processing behaviors. Functional departments can also concentrate resources on accurate and effective law enforcement activities to improve law enforcement efficiency," Cheng Xiao said.

Leakage of sensitive information is extremely harmful

  The core feature of sensitive personal information is sensitivity.

  "This kind of sensitivity refers to the ease with which infringement or harmful consequences result," Cheng Xiao said. There are two kinds of consequences of infringing or harming sensitive personal information. One is the infringement of personal dignity.

For example, disclosing personal information such as race, ethnicity, political views, sexual orientation, disease, etc., or illegal use of such personal information will cause the individual to be discriminated against or be treated unfairly, which is an infringement of human dignity.

The second is that the personal and property safety of natural persons is endangered.

For example, an individual's whereabouts are disclosed and become known to lawbreakers, leading to the killing of the victim; or bank account information is disclosed, leading to the theft of bank funds.

  Of particular concern is facial recognition information: as a type of sensitive personal information, once leaked it can easily cause great harm to individuals' personal and property safety and may also threaten public safety. Its collection and use have therefore long attracted wide attention.

  Article 26 of the Personal Information Protection Law stipulates that the installation of image collection and personal identification equipment in public places shall be necessary to maintain public safety, comply with relevant national regulations, and set up prominent reminders.

The collected personal images and identification information can only be used for the purpose of maintaining public safety and shall not be used for other purposes, except where individual consent has been obtained.

  It is reported that at present, apart from the Anti-Terrorism Law, there are no corresponding laws or regulations on the installation of image collection and personal identification equipment in public places. Only a few local governments have formulated government regulations, for example the "Beijing Municipal Public Security Image Information System Management Measures", implemented from April 1, 2007, and the "Shaanxi Province Public Security Image Information System Management Measures", which came into effect on August 1, 2011.

However, these local government regulations were promulgated relatively early and are no longer suited to present-day requirements.

  In view of this, Cheng Xiao suggested that after the personal information protection law is implemented, the relevant laws and regulations of the public security video image system should be improved as soon as possible from the top-level design level to better coordinate the maintenance of public security and the protection of personal information.

Take the initiative to take up legal weapons to defend rights

  So, as the rights holders of personal information, what should individuals do to effectively protect their personal information, especially sensitive information?

The China Consumers Association has recently given 5 "reminders":

  Actively study the personal information protection law and other legal regulations.

This includes understanding the rules for processing personal information and sensitive personal information, one's own rights, the obligations that personal information processors should bear, and the remedies available when personal information rights and interests are infringed.

  Develop the good habit of "not providing unless necessary."

In addition to carefully reading the terms of the privacy agreement, the adequacy of the reasons for processing personal information and the necessity of providing personal information should also be considered, and personal information should be provided or authorized only when it is absolutely necessary.

  It is necessary to keep track of the personal information authorized or provided by oneself.

If you do not agree to the continued processing of your personal information, you must actively exercise the right to "withdraw consent" and request the other party to stop processing or delete your personal information in a timely manner.

  Attention should be paid to destroying the receipts and materials with personal information to prevent the leakage of personal information due to random discarding, improper use, etc.

Properly handle non-desensitized express delivery receipts and other documents and materials bearing personal information: destroy them promptly after use, or smear out key information before discarding them. For electronic data containing sensitive personal information, such as ID photos, it is recommended to delete it once it has been used or to store it in encrypted form.

  We must take the initiative to take up legal weapons to safeguard legitimate rights and interests.

When your personal information rights are infringed, or when you discover illegal handling of personal information, take the initiative to make complaints and reports, provide clues to the case and relevant evidence, and protect your legitimate rights and interests.

Where does the stock of personal information go?

  With the implementation of the Personal Information Protection Law, there is another issue that deserves attention, that is, where to go with the stock of personal information.

  The so-called stock of personal information refers to the various types of personal information that personal information processors collected and stored before the implementation of the Personal Information Protection Law.

Among them, some personal information processors may have collected and stored a large amount of personal information, including sensitive personal information, in ways that do not comply with the law.

  Due to the continuous nature of personal information processing, after the implementation of the Personal Information Protection Law, such personal information may continue to be used in practice.

"This kind of processing should be regulated in a timely manner." Zhang Xinbao, a professor at Renmin University of China Law School, pointed out that because there is still a lack of clear legal policy guidelines, improving the legal compliance governance of stock personal information is a problem to be solved after the implementation of the Personal Information Protection Law.

  In Zhang Xinbao's view, if there are violations of laws and regulations in the handling of stock personal information, how to determine the nature of the behavior requires a judicial policy decision.

He argued that the date of the formal implementation of the Personal Information Protection Law should be used as the time node to distinguish between the two situations before and after the implementation.

  Zhang Xinbao suggested the introduction of relevant regulations or judicial interpretations to make clear provisions on this issue.

"If the processing activities of the personal information processor fail to meet the standards stipulated by the Personal Information Protection Law, the relevant functional department shall order it to make corrections or obtain supplementary consent, or order it not to carry out any processing other than storage and taking necessary security protection measures."