On 1 May 2025, the People’s Bank of China (the PBOC) issued the Administrative Measures on Data Security in the Business Areas supervised by the PBOC (the PBOC Data Rules) which took effect on 30 June 2025. The PBOC Data Rules are the first set of comprehensive rules issued by the PBOC which systematically regulate data security in the business areas supervised by the PBOC.
The PBOC Data Rules have been long anticipated by the market, given that a draft version was issued for public consultation about two years ago and the PBOC’s sister regulator, the National Financial Regulatory Administration, already issued its own data rules in December 2024 (the NFRA Data Rules) - please refer to our previous article NFRA’s first data privacy and security regulations issued. Among other things, the PBOC Data Rules impose detailed obligations and legal consequences on Data Handlers (defined below), who must review the regime against their daily operations to ensure full compliance.
Who is regulated?
The PBOC Data Rules apply to licensed financial institutions and other institutions whose incorporation is subject to the approval of the PBOC or which are otherwise recognised by the PBOC (the Data Handlers).
What is regulated?
The PBOC Data Rules regulate network data generated and collected within the PBOC-supervised business areas (the Business Data). Data involving state secrets falls outside this scope.
Business areas are not further defined in the PBOC Data Rules. However, according to PBOC officers’ public response to reporters, such business areas refer to monetary credit, macro-prudential oversight, cross-border RMB, the inter-bank market, comprehensive statistics of the financial industry, payment and settlement, RMB issuance and circulation, treasury management, credit investigation and credit rating, and anti-money laundering. This is clearly a very wide scope, with broad implications for the business operations of all types of financial institutions and of most non-financial institutions carrying out designated financial services related business in China.
Categorisation of Business Data
The PBOC Data Rules classify the Business Data into three levels: general data, important data and core data. This generally aligns with the data classification under the NFRA Data Rules (although the NFRA Data Rules further classify the general data into sensitive data and other general data).
“Core data” and “important data” are defined in substantially the same way under the PBOC Data Rules and the NFRA Data Rules, i.e. “core data” refers to important data with high coverage in respect of fields, groups or regions, or with high accuracy, a relatively large scale and a certain depth, which, once illegally used or shared, may directly affect political security, and “important data” refers to data of specific fields, specific groups or specific regions, or data reaching a certain level of accuracy and scale, which, once tampered with, destroyed, leaked or illegally accessed or used, may directly endanger national security, economic operation, social stability, or public health and security.
As under the NFRA Data Rules, both “core data” and “important data” as defined under the PBOC Data Rules fall within the “important data” category under China’s existing cybersecurity and data privacy regime (the Existing Data Regime), and therefore processing such data will be subject to stringent requirements and obligations. Also, unless otherwise specified, all protection obligations applicable to “important data” under the PBOC Data Rules extend to “core data”.
The PBOC will determine the specific catalogue of “important data”, based on which a Data Handler is required to accurately identify and declare whether all its stored business data fall within the scope of “core data” or “important data”. After the PBOC collects and reconciles all information received from the Data Handlers, the PBOC will determine who are the Data Handlers of “important data” and notify the relevant Data Handlers accordingly.
Business Data Catalogue
Each Data Handler must establish a catalogue of Business Data which must be updated annually and classified on the basis of business relevance, sensitivity and usability:
- Business relevance: Data Handlers shall identify whether each data item is personal information, whether it is collected externally, which information systems store it, and the business categories associated with it.
- Sensitivity: Business Data shall be classified based on the potential degree of harm to the lawful or public interests of individuals and organisations if the Business Data is leaked, accessed without authorisation or misused. Sensitive personal information falling within the PBOC-supervised business areas, clients’ business information that may involve business secrets, and business information subject to strictly controlled access rights shall be marked as highly sensitive data.
- Usability: Data Handlers shall specify the recovery point objective of each information system based on the impact level of falsification or destruction of the Business Data it holds.
Data Handlers’ key obligations when managing Business Data
Pursuant to the PBOC Data Rules, Data Handlers are subject to the following requirements when managing the entire lifecycle of Business Data:
- Account authority: Data Handlers shall strictly manage the authority of privileged accounts (e.g. accounts for administrators) and various business processing accounts in their information systems relating to Business Data.
- Data collection: When collecting Business Data, Data Handlers shall adopt the applicable security protection management measures, such as obtaining the consent of individuals or the authorisation of organisations, and fulfilling notification obligations.
- Data storage: Data Handlers shall, in light of business needs, specify the storage period of Business Data.
- Data processing: Data Handlers shall fulfil the various obligations before, during and after the processing of data, e.g. examining whether the purpose of processing Business Data is consistent with the agreement on Business Data collection, specifying the security protection measures and fulfilling required internal approval process when processing highly sensitive data.
- Data transmission: Except for the transmission to an individual of the Business Data particularly relevant to such individual upon his/her request, Data Handlers shall not, in principle, use email, instant messaging, online file storage and other Internet information services or mobile media to transmit highly sensitive data.
- Provision of data: When providing Business Data to others pursuant to business needs, Data Handlers must verify the identity of the data recipient and take the necessary security protection management measures.
- Cross-Border Data export: Where a Data Handler needs to transfer data to outside of China, it shall strictly comply with the Existing Data Regime (e.g. security assessment, standard contract clauses etc.); if there are any additional domestic storage requirements, the Business Data shall also be stored within China concurrently.
- Data disclosure: Data Handlers shall disclose Business Data through specified official channels in principle. Data Handlers shall not disclose data items used for identity authentication, and the disclosure of other highly sensitive data shall, in principle, be subject to desensitization.
- Data deletion: Data Handlers shall delete Business Data under specified circumstances. If deletion is technically difficult to achieve, Data Handlers shall cease Business Data processing activities (other than storage and the taking of necessary security protection measures) and conduct a review at least once a year to confirm that the relevant Business Data cannot be used.
- Outsourcing: Similar to the NFRA Data Rules, the PBOC Data Rules make it clear that outsourcing of Business Data processing is included as one of the financial IT outsourcing services, which is subject to statutory requirements (such as fulfilling regulatory procedures, selecting a qualified third party supplier, and entering into agreements containing statutorily required provisions etc.). In terms of certain business functions which are explicitly prohibited from being outsourced, the processing of such relevant Business Data shall be prohibited from being outsourced as well.
- Safety technical requirements: In addition to the above security management requirements, Data Handlers are also subject to various detailed technical security requirements that deserve particular attention. For example, information systems storing important data and core data shall meet the requirements of the Multi-Level Protection Scheme at Grade 3 and Grade 4 respectively (or the requirements for critical information infrastructure protection).
Data Handlers’ obligations to manage security risk and incidents
The PBOC Data Rules have also set out clear guidance on how Data Handlers shall deal with security risks and incidents relating to the Business Data. These will require Data Handlers to strengthen their risk monitoring of Business Data processing activities and fulfill the required reporting or assessment/audit procedures. For example:
- Risk assessment: Data Handlers of important data shall, themselves or by engaging a third-party assessment agency, carry out a risk assessment of Business Data once a year and submit the risk assessment report for the previous year to the PBOC or its local counterpart before 15 January each year.
- Data security incidents: Where a Business Data security incident occurs, Data Handlers shall immediately adopt disposal measures, inform the affected users on a timely basis, and report the incident in accordance with the PBOC’s requirements in a timely, accurate and complete manner. Data Handlers of important data shall conduct emergency drills for Business Data security incidents at least once a year, and other Data Handlers shall conduct such emergency drills at least once every three years.
- Compliance audit: Data Handlers shall carry out a security compliance audit of ordinary Business Data at least once every three years. In the case of important data, Data Handlers will need to carry out a security compliance audit at least once a year.