Personal Information Protection Law of the People's Republic of China (Article 51)

Personal information, information protection, information leakage

Personal information processors shall, on the basis of the purposes of the processing of personal information, processing methods, categories of personal information, the impacts on individuals’ rights and interests, and potential security risks, among others, take the following measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access to as well as the leakage, tampering or loss of personal information:

(1) Developing internal management rules and operating procedures;

(2) Conducting classified management of personal information;

(3) Taking corresponding security technical measures such as encryption and de-identification;

(4) Determining in a reasonable manner the operation privileges relating to personal information processing, and providing security education and training for employees on a regular basis;

(5) Developing and organizing the implementation of emergency plans for personal information security incidents;

(6) Other measures as provided by laws and administrative regulations.

Updated: 2022-04-21