Compliance and security guidelines for Minivision's online verification business

Introduction

In 2019, the Office of the Central Cybersecurity and Information Technology Commission of the Communist Party of China (the "Cyberspace Office"), the Ministry of Industry and Information Technology (the "Ministry of Industry and Information Technology"), in conjunction with the Ministry of Public Security and the State Administration for Market Regulation, formulated the "Identification Method for the Illegal and Illegal Collection and Use of Personal Information on Apps" to guide law enforcement departments such as local Cyberspace Offices and Information Management Bureaus (i.e. the branches of the Ministry of Industry and Information Technology located in various regions) to implement the "Rules for the Unpublished Collection and Use of Apps" Law enforcement work is carried out in a disorderly manner, such as "not explicitly stating the purpose, method, and scope of collecting and using personal information" and "collecting and using personal information without the user's consent". At the same time, entrusted by four departments, the National Information Security Standardization Technical Committee ("Information Security Standardization Committee"), the China Consumers Association, the China Internet Association, and the China Cyberspace Security Association have established a special governance working group for illegal collection and use of personal information on apps ("App Special Governance Working Group") to specifically promote the law enforcement work of illegal collection and use of personal information on apps.

Since 2019, Methods for Identifying the Behavior of Illegal and Illegal Collection and Use of Personal Information on Apps, Guidelines for Self Assessment of Illegal and Illegal Collection and Use of Personal Information on Apps, Guidelines for Application and Use of App System Permissions, Guidelines for Network Security Practice - Essential Information Specification for Basic Business Functions of Mobile Internet Applications, Guidelines for Network Security Practice - Guidelines for Security of Software Development Kits (SDKs) Used in Mobile Internet Applications (Apps) The "Information Security Technology Mobile Internet Application (App) SDK Security Guide" and other documents have been successively released, providing reference for the App Special Governance Working Group to identify the illegal collection and use of personal information by apps. It also provides guidance for self inspection and self correction by app developers, operators, SDK providers, and other entities.

In the process of law enforcement work, the Ministry of Industry and Information Technology has issued multiple "App notifications on infringement of user rights and interests" to carry out law enforcement work against the illegal collection, use, and sharing of personal information by apps. The Cyberspace Office has also carried out multiple special law enforcement activities such as the "Qinglang Action" and "Jianwang Action" to crack down on the illegal collection, use, and sharing of personal information by apps. It can be foreseen that with the formulation and implementation of basic laws in the field of personal information protection such as the Personal Information Protection Law and the Data Security Law, the frequency of personal information protection law enforcement activities will gradually increase.

In the process of conducting online verification business, Minivision will transmit the data and verification results to downstream customers (collectively referred to as "you") through API. In order to facilitate you to have a clearer understanding and understanding of the compliance and security measures adopted by Minivision's online verification business in personal information protection, and to guide you in legally and compliant cooperation with Minivision in providing online verification business, we have compiled this "Xiaoshi's Online Verification Business Compliance and Security Guide" (the "Guide") for your reference.

To avoid ambiguity, the "compliance requirements", "precautions" and other contents in this Guide are drafted by Minivision based on its own understanding of relevant national laws, regulations, policies, and standards. They are provided to you as reference only and do not constitute or should be considered as authoritative interpretations, legal opinions, or legal suggestions for any laws, regulations, policies, and standards, nor do they constitute any commitment or guarantee from Minivision to the outside world. At the same time, Xiaoshi does not guarantee or guarantee whether the apps or other products you develop and operate comply with the compliance requirements in this Guide. On the basis of reading this guide in its entirety, we strongly recommend that you have a thorough understanding of existing and potentially updated laws, regulations, policies, standards, and enforcement inspection requirements related to personal information protection.

It should be noted that our downstream customers are divided into two categories. One type of customer operates apps or provides products mainly aimed at end users ("direct customers"), and the other type of customer operates apps or provides products mainly aimed at corporate and other legal users ("non direct customers"). The "Guide" will provide different compliance recommendations for the characteristics of the two types of customers.

Guide Text:

This guide mainly includes the following three aspects. If you have any questions, please contact us via email【 nicetomeetyou@minivision.cn 】Contact Minivision:
1、 As a personal information processor, the compliance points for personal information protection that you need to pay attention to when operating apps or providing other products;
2、 In the process of conducting online verification business cooperation with Minivision, you need to pay attention to the compliance points of personal information protection, mainly including the self inspection work you should carry out and the review requirements that Minivision may propose;
3、 The personal information protection capabilities of Minivision include the internal control system for personal information protection established by Minivision, and the protective measures taken.


1、 As a personal information processor, you need to pay attention to the key points of personal information protection compliance

This section mainly focuses on the personal information protection obligations that you, as an independent personal information processor, need to fulfill when developing or operating apps or other products. If you need to use the online verification services provided by Minivision, the content includes how to obtain authorization for personal information processing activities, how to fulfill the obligation to inform the personal information subject, etc. Please note that this section does not cover all compliance points in applicable laws and regulations such as the Personal Information Protection Law. You also need to pay attention to other compliance points in the process of processing personal information to mitigate related risks.


(1) Compliance points that direct customers need to pay attention to
1. Compliance documents that need to be displayed to end users for apps or other products
The app you operate or the products you provide requires the development of an independent "Privacy Policy" (or similar name for personal information protection policy) to explain the collection and use of your personal information, and to seek authorization from users to process personal information. The specific content of this Privacy Policy can be found in the "GB/T35273-2020 Information Security Technology Personal Information Security Specification" (you can check the content of this document through the national standard full text disclosure system), http://openstd.samr.gov.cn/ )Appendix A to Appendix D in, where:
Appendix A: Example of Personal Information
Appendix B: Examples of Sensitive Personal Information
Appendix C: How to Protect the Option of Personal Information Subject
Appendix D: Privacy Policy Template
In addition to the Privacy Policy, you also need to develop a separate "Personal Information Sharing List" (or a similar name for personal information provided to the public) and disclose Minivision as the recipient of personal information.


2. The Personal Information Sharing List requires disclosure of Xiaoshi's information
Before sharing user personal information with Minivision, you need to inform the user of Minivision's name, contact information, purpose of processing personal information, processing method, and personal information fields. Based on our observation of general market practices, we suggest that you choose one of the following two methods in the "Personal Information Sharing List": disclosing personal information sharing between users and Xiaoshi.
Method 1: Table format


Recipient Name

Shared Field Type

Shared Purpose

Sharing method

Contact information

Minivision Technology (Jiangsu) Co., Ltd

Supplement the types of shared personal information fields according to the actual situation

Supplement the purpose of sharing personal information according to the actual situation

How to supplement and share personal information according to the actual situation

According to the actual situation, fill in the Minivision privacy policy link or customer service phone number


Method 2: Text Form
You can also inform users of personal information sharing through text. It should be clarified that the content you inform users in written form should be consistent with the table.
If you wish to inform users of Minivision's personal information protection strategy and measures taken, you can refer to the third part of this guide, "Minivision's Personal Information Protection Capability.


3. The basic characteristics that your Privacy Policy needs to meet
Your display of the Privacy Policy should comply with the requirements of national laws, regulations, policies, and national standards. The Privacy Policy you display must at least meet the following characteristics:
(1) Independence: You should ensure that your Privacy Policy is independently written and not part of the User Agreement or other documents;
(2) Prefabrication: You should ensure that users are required to check the Privacy Policy before actually processing their personal information. Special attention should be paid here to avoid collecting personal information such as clipboards, WiFi, Mac addresses, etc. that are easily overlooked without the user's consent;
(3) Readability: Your Privacy Policy should be in Simplified Chinese and ensure the fluency and fluency of its language. At the same time, you should ensure that the cleanliness, brightness, and layout of the privacy policy display interface do not affect the user's reading experience;
(4) Convenience: You should ensure that users can access the content of the Privacy Policy in a convenient way. If you display the Privacy Policy through the app, you should ensure that users can access it with no more than 4 clicks and swipes;
(5) Non mandatory: The Privacy Policy should be freely chosen by end users whether to agree or not, and user authorization should not be obtained through default checkboxes or deceptive inducements.


4. How do you obtain authorization for personal information sharing from users
After completing the drafting of the Privacy Policy and Personal Information Sharing Checklist, we suggest that you choose one of the following four options to obtain the consent of the personal information subject for sharing personal information with Xiaoshi:
(1) You can display the 'Minivision Official Website Privacy Policy' in the login interface of your app or product through pop-up windows, independent pages, etc;
(2) You can briefly introduce the types and purposes of Minivision's collection of user personal information in the "Third Party Personal Information Sharing" section of your app or product's Privacy Policy;
(3) You can embed a link to the "Minivision Official Website Privacy Policy" in the "Third Party Personal Information Sharing" section of your app or product's "Privacy Policy";
(4) You can briefly introduce the types and purposes of collecting user personal information by Minivision in the "Third Party Personal Information Sharing" section of your app or product's Privacy Policy, and embed a link to the "Minivision Official Website Privacy Policy".


(2) Compliance points that non direct customers need to pay attention to
For non direct customers, as you do not directly provide apps or other products to end users, you often rely on indirectly collecting personal information from cooperating companies ("personal information providers"), and you cannot directly display your Privacy Policy and other authorization documents related to personal information processing to end users. Based on the above facts, we propose the following compliance recommendations to you:

1. Revise the cooperation agreement signed between you and the personal information provider
Considering that you will indirectly collect user personal information from the personal information provider, we suggest adding the following clauses to the contract signed with the personal information provider to require them to make a commitment to the legality of the source of personal information and clearly require them to obtain authorization from the personal information subject for collecting personal information for verification services:
[Note: In the following terms, Party A is the personal information provider and Party B is you. The specific expression can be adjusted according to the signing of the agreement]
The first party promises that the data it provides to the second party comes from legitimate channels, and at the same time, the first party shall ensure that the personal information subject authorizes the first party to provide the personal information provided by the personal information subject to the second party and the partners (including the second party's partners) who cooperate or entrust due to the necessity of the service, and provide data verification services for the personal information subject.

2. Review the authorization obtained by the personal information provider for personal information sharing
In addition to revising the cooperation agreement signed between you and the personal information provider, we also recommend that you conduct a substantive review of whether the personal information provider solicits authorization from individuals for personal information sharing, in order to avoid assuming liability for fault under Article 69 of the Personal Information Protection Law if the personal information provider shares personal information without authorization. The review strategies you can adopt include:
(1) Arrange for your employees to test the personal information provider's App or other products to determine whether they have obtained the user's separate consent for personal information sharing;
(2) Request the personal information provider to provide you with the user's operation log statistics in their app or other products, in order to determine whether the user has checked the "Personal Information Sharing List" to authorize personal information sharing activities;
(3) Require personal information providers to provide IT audit reports issued by third-party audit companies.


2、 Compliance precautions you should pay attention to when using Minivision online services

1. Self inspection of compliance ability before using Minivision online verification service
When using the Minivision online verification service, you should carefully read the "Minivision Official Website Privacy Policy" and "Minivision Online Verification Business Compliance and Security Guide" published on the Minivision official website, and conduct a review based on the personal information collected and used by your app or product. Please ensure that the following requirements are met before using Minivision online verification services:
(1) You have fully demonstrated to the users the Privacy Policy and Third Party Personal Information Sharing List you have developed, and have obtained full authorization from the users to share personal information with Minivision;
(2) Comply with and will continue to comply with applicable laws, regulations, and regulatory requirements, including but not limited to developing and publishing relevant policies related to personal information protection;
(3) Provide easy to operate selection mechanisms to end users, explain how and when they can exercise their choice rights, and explain how and when they can modify or withdraw the choice after exercising their choice rights;
(4) Provide feasible and convenient ways for end users to exercise their personal information related rights.


2. Minivision's compliance review of you
Please be aware that in order to ensure that you effectively obtain authorization from end users and that you have met the clear requirements mentioned above, Minivision may conduct necessary data compliance due diligence and risk assessment on you, depending on the specific situation, before entering into an agreement, conducting cooperation, or during the cooperation process, including but not limited to:
(1) Require you to provide proof of the legitimate source of the shared personal information;
(2) Refer to text files such as user agreements/service terms and privacy policies available on your official website and other public channels;
(3) Try your app to review and approve authorization and notification mechanisms. If Minivision discovers non-compliance, you may be required to add or supplement relevant compliance measures. If you fail to add or supplement on time, Minivision has the right to refuse your use of the service.
Please be aware that such due diligence and risk assessment are necessary compliance procedures within Xiaoshi and do not constitute any form of commitment or guarantee, and do not have legal effect on external counterparties.


3、 Minivision's data protection measures

Minivision attaches great importance to the protection of your personal information and has taken different measures to ensure data security at various stages of the data lifecycle, as follows:
1. Data collection security
In the process of conducting verification business, Minivision will indirectly collect multiple data from downstream customers. When indirectly collecting data, Minivision adheres to the principle of minimum necessity and requires downstream customers to make a commitment to the legality of the data source. At the same time, Minivision will review whether downstream customers have solicited separate consent from users for personal information sharing.
2. Data encryption and isolation security
After Minivision completes data collection, it will take physical isolation measures between the collected facial information and non facial information. In addition, non facial information is stored on Alibaba Cloud ECS servers after being desensitized and encrypted using an irreversible algorithm (sha256 encryption). Facial information is encrypted using reversible algorithms (AES encryption) and stored on Alibaba Cloud OSS servers, with keys stored on Alibaba Cloud ECS servers.
3. Data disaster recovery backup security
During the process of conducting online verification services, Minivision stores the collected data on Alibaba Cloud and regularly backs up accounting data to prevent potential consequences such as data loss, damage, and computer system damage that may result in data quality degradation.
4. Computer Information System Security
The AIOT system currently running by Minivision has commissioned a professional organization to conduct computer information system grading evaluation, and the evaluation results have been submitted to the public security department to complete the three-level guarantee filing of the computer information system.
5. Construction of internal control system
Minivision has established numerous internal control systems to regulate its data processing behavior, including but not limited to:


Serial NumberSystem typeSystem Name
1. Data security protection system

Data Lifecycle Security Protection System
Sensitive Data Information Management System
Data Classification Management System

2. Network security protection systemManagement Measures for Network Information Security
3. Emergency system for network security incidentsEmergency Management System for Network Security and Data Information Security Events
4. Information Security Accountability SystemInformation Security Accountability Management System
5. Data Security Training SystemData Security Education and Training System