Companies, institutions instructed to delete information after use

Banks and telecom companies have to delete customer information after use as the first code of conduct for personal data protection comes into effect.

The code, not legally binding, came into force on Friday. It sets out rules and guidelines for companies to follow when they process personal data.

It allows companies to collect private data only for a specific and reasonable purpose. A key element of the code states categorically that the purpose cannot be altered or amended during the process.

Data can only be collected on the basis that the subject of the information has been informed, and it must be deleted as soon as possible after use.

The code also requires companies to follow what is called the minimal principle. This means companies can only collect data that is sufficient for the specific purpose. No fishing for information is permitted.

Huang Zihe, an information technology specialist, said it is potentially dangerous for some websites to ask for personal information, such as addresses and cell phone numbers.

"That goes against the minimal principle and poses a data security threat," he said.

Companies must set up an internal protection system, in which management procedure and the person responsible for information protection is clearly stated.

Gao Chiyang, deputy director of China Software Testing Center, an institute affiliated with the Ministry of Industry and Information Technology, said 80 percent of personal information leaks take place from the inside. Employees working for companies holding a large amount of personal information can easily access data.

Liu Tao, from China Software Testing Center, who helped draft the code, conceded that the code is not compulsory.

Individuals cannot file lawsuits on the basis of the code if their data is compromised.

In December 2011, about 40 million passwords at leading social networks were leaked. Another 6 million were exposed almost simultaneously on csdn.net, one of the country's biggest networks for software developers.

A report on the procedures followed by websites when processing passwords, conducted by Peking University last year, found only eight out of the 100 websites polled had used sufficient security measures.

Fifty-nine websites used no security measures during data transmission, and passwords were fully exposed in the network and the server.

Gong Xiaorui, a professor involved in the research, said 85 websites illegally obtained passwords. "This is very risky, especially when many netizens are accustomed to use the same passwords on different accounts," he said.

Taobao.com, an e-commerce website criticized for transmitting user data uncoded, has upgraded its system and all passwords are decoded before being recorded and transmitted, media officer Ma Ying said.

A survey of 2,500 people last year found that 60 percent of respondents said their personal information had been illegally obtained by others. Hu Gang, a salesman in Tianjin who travels to South China at least once a month, said he is concerned that his information encoded in the train ticket may be easily exposed.

Scanning the two-dimensional code on the ticket reveals the ticket owner's key data, including the identity card number. "But on the other hand, I don't really mind if the ticket website takes down my information and searching preference. It saves me a lot of time, especially if I am in a rush with an urgent task. But it should keep information only with my consent," he said.

Police arrested 1,152 suspects for allegedly disclosing and illegally dealing in personal information, the Ministry of Public Security said on Jan 18.

Police have broken up hundreds of groups that engaged in telecom scams, kidnapping, blackmail and other crimes after illegally obtaining personal information, the ministry said.

Crimes involving the illegal sale and purchase of personal data have increased rapidly in recent years.

Criminals collude with insiders working for telecom and financial firms to illegally obtain and trade personal data on the Internet.

Employees working for telecom companies, financial institutions, schools and hospitals face up to three years in prison if they illegally provide personal information to others.

Zheng Jinran contributed to this story.