
Personal information protection system

SITC attaches high importance to the privacy of customers and employees. To protect personal information and customers’ privacy, the Company complies with the “Personal Information Protection Law of the People’s Republic of China” and other applicable privacy regulations when collecting, handling or using any personal information. Unless approved by the customers, the organization shall not disclose any personal information of the customers, shall not use any personal information of the customers for any purpose other than the agreed usage, and shall directly keep customers updated on any changes in the information protection policy or measures.


1. Protection of Personal Information and Privacy

When customers receive products or services from the Company, the Company should inform customers of our relevant protection policy relating to their personal information, privacy and rights. Personal information should only be used upon agreement with the relevant customers. The “Personal Information Protection Policy and Declaration” published on the official website of SITC states that, apart from the aforesaid policies, which are applicable to all employees of the Company, in case of any necessary outsourcing of personal information due to business needs, the Company will also request compliance with the relevant policy by the outsourced vendor and its officers. In addition to the personal information protection clauses included in the contract with the outsourced vendor, a guideline document on the management of outsourced vendors will be compiled. Evaluation of outsourced vendors and safety checks on personal information will also be conducted on a regular basis.


2. Personal Information Management Structure

The executive officers of each business group under SITC act as the officers in charge of the protection of personal information safety and are responsible for formulating personal information protection regulations for their respective businesses. Regular reporting will be made to the operation management center of the Group. The operation management center will report to the sustainable development committee by submitting a “Sustainable Development Report” every half year, and will provide recommendations to the Board. The reporting contents include, but are not limited to, the results of personal information safety management and the improvement thereof, and the handling and follow-up of any relevant cases or complaints.


3. Consultation Channel for Privacy Rights

A comprehensive personal information protection mechanism has been established by the Company to ensure the accuracy and safety of the personal information of the customers and the employees. The “Personal Information Protection Policy and Declaration” states that personal information will be collected, handled or used in a reasonable and safe way within a scope for a specific purpose as agreed by both parties. All activities involving personal information may proceed only upon agreement with the relevant parties, and the personal information should not be used for purposes other than the agreed usage. In case of secondary use, the relevant parties should be able to practically exercise their rights of enquiry, alteration, deletion, restriction on use of the personal information and withdrawal of consent as conferred by the personal information law and regulations.


4. Privacy Risk Evaluation Mechanism

To comply with the legal requirements relating to personal information and identify the relevant risk exposure during the process of handling personal information, the Company carries out various work including personal information checks, impact of privacy protection, self-supervision and clean-up. Risk evaluation will be conducted annually according to the operating procedures. If the risk exposure is too high, a risk improvement plan should be suggested and executed in order to effectively implement the “Plan–Do–Check–Act” (PDCA) personal information management system.


5. Response Mechanism of Privacy Incident

According to the “Personal Information Protection Law of the People’s Republic of China” and the operating document under the internal “Personal Information Protection System”, the rights of the parties whose personal information has been inappropriately accessed and disclosed will be protected by the Company pursuant to the relevant law. For unauthorized use of or damage to personal information, a contingency plan for personal information incidents will be set up to expedite the internal authorization process based on the degree of influence, which in turn helps enhance the efficiency of the subsequent follow-up process. Contingency simulation exercises will be conducted by the Company each year according to the said regulations, after which any defects discovered during the simulation exercises will be reviewed and improved to ensure the effectiveness of the contingency mechanism and strengthen the horizontal communication and response competence of each unit. In addition, in respect of outsourced personal information, clauses relating to the time frame for reporting a personal information incident, responsibility for recording the incident, compensation and penalties shall be stipulated in the contract with the outsourced vendor, with proof and records relating to the incident being properly kept.


6. Internal Inspection and Training of Privacy Policy

To review whether the goals, management procedures and safety control mechanisms in relation to personal information are implemented as planned, the Company performs regular inspection and evaluation of the execution of the personal information protection system. A regular annual internal inspection will be carried out to examine personal information management in all groups and companies. Any breach of this system and the relevant laws and regulations will be handled according to the Company’s rules and the relevant laws and regulations.


The Company provides regular education and training to all staff to strengthen their understanding and code of conduct in terms of personal information protection. Members of the internal evaluation team will receive relevant education and training in relation to personal information management and inspection, and will report the latest major personal information matters in the industry and new regulatory information.