Privacy & Cybersecurity Law Blog

Recently, the National Information Security Standardization Technical Committee of China published a draft document entitled Information Security Technology – Guidelines for De-Identifying Personal Information (the “Draft Guidelines”). The Draft Guidelines are open for comment from the general public until October 9, 2017.

The Draft Guidelines provide a voluntary technical specification, the purpose of which is to provide guidance to data processers on the de-identification of personal information. The Draft Guidelines specify the purposes, principles and procedures for the de-identification of personal information. They also provide an introduction to common de-identification technologies, such as sampling, aggregation and cryptographical tools, and an introduction to common de-identification models, such as the K-anonymity model and the differential privacy model.

According to the Draft Guidelines, the de-identification of personal information should follow the following principles:

• the de-identification must be in compliance with laws and regulations in relation to the protection of personal information;
• the protection of personal information has priority over the use of the de-identified data;
• measures should be adopted that reflect both technical and management approaches when conducting a de-identification of personal information;
• software tools should be used; and
• after the de-identification of personal information has been completed, regular reassessments should be adopted.

The Draft Guidelines also provide key steps for the de-identification of personal information, including isolating the identifiers using methods such as manual analysis, choosing models for the de-identification of personal information, verifying the security and usefulness of the data after its de-identification, and supervising the process of de-identification.