What Schools In China Can Do in Light of The New PIPL
By Caleb Johnson - September 23, 2021
On August 20th, the National People’s Congress of China enacted the Personal Information Protection Law (PIPL), which will become effective on November 1st, 2021. The provisions of the PIPL strengthen the rights and freedoms of data subjects, including your school’s staff, students, and parents. The PIPL does not replace the existing privacy laws in China, but it acts as the primary, nation-wide law regulating the processing of personal information. It is important to understand what the PIPL means for international schools located in China and what they can do to achieve and maintain compliance.
What does the PIPL entail?
The PIPL somewhat reflects the GDPR in that it aims to protect the rights and freedoms of natural persons effectively. By aligning its data protection regulations with the GDPR, China is setting a new standard for businesses that process personal data. For instance, schools are expected, among other things, to obtain informed, voluntary and explicit consent from data subjects before processing their personal information, and to develop specific internal handling rules that regulate the processing of sensitive information, including financial accounts, individual location and personal information of minors under 14.
PIPL’s new auditing requirement allows companies to ensure that they can carry out proactive internal monitoring of processing activities, allowing them to steer clear of criminal activities that involve personal information.
Key Processing Principles
The key principles noted in the privacy law include:
Transparency - Providing individuals with information about the processing activities, including purpose, method, and scope.
Necessity - Personal information may only be collected to the extent necessary to fulfil the purpose of processing.
Purpose limitation - Collecting data for explicit, legitimate, and specified purposes, ensuring that it is not processed under any other circumstances.
Accuracy - The personal information must be accurate so as to avoid adverse effects on individuals’ rights and interests.
Accountability - Businesses are accountable for their processing activities, and must adopt the necessary measures to safeguard the personal information in their control.
Individuals must be allowed to withdraw previously provided consent through an easy mechanism. Other newly established rights include the ability to limit or refuse the processing, to request information about the extent of the processing and internal handling rules, and to request correction, deletion, and a copy of their personal information.
These rights extend to a deceased person’s next of kin who exercises them for their own lawful, legitimate interests.
Personal Information Impact Assessment (PIIA)
PIIAs (which must be retained for at least 3 years) are required when the processing involves:
sensitive personal information;
providing personal information to other organisations;
transferring personal information abroad; and
other activities with a major impact on individuals.
At this moment in time, it has not been disclosed which authorities are responsible for the enforcement of PIPL requirements. However, there are severe sanctions for schools and organisations that do not comply with the new provisions. Failure to comply with the PIPL may lead to administrative fines of up to CNY 50 million or 5% of the annual turnover. Those directly responsible may also be subject to fines and, more significantly, they may be prohibited from pursuing managerial positions in similar organisations for a period of time.
The provisions set out by the PIPL have extraterritorial reach, meaning that non-Chinese international schools offering their services to China residents are called to comply with certain provisions of the law as well. The PIPL applies to the handling of personal information of natural persons within China, and to handling activities outside the borders:
where the purpose is to provide products or services to natural persons in China;
where the purpose is to analyse or assess activities of natural persons in China;
other circumstances provided in laws or administrative regulations.
What should schools in China be doing in light of the PIPL?
Schools should, at a minimum, (1) review data protection policies and procedures to understand the ways in which they need to be changed or the ones that need to be developed, (2) ensure these policies and procedures are fully implemented within the organisation, (3) ensure that the roles and responsibilities of staff are well allocated and known across the organisation, and (4) make cybersecurity a priority to prevent any security incidents.
How can 9ine help schools impacted by the PIPL?
Schools can book a free one-hour workshop on how to implement change in their school in order to comply with the PIPL. Workshops are hosted by 9ine’s in-house experts, ensuring that instructional information can be supplied to senior leadership so that compliance can be managed and understood at an executive level. Commitment from senior leadership reassures staff that responsibility for compliance is shared across departments, and that internal support is accessible. By participating in one of 9ine’s strategic workshops, your school will be better equipped to tackle the implementation of new privacy provisions in China.