INFO: Disclaimer
The below is intended purely as a supporting resource to assist schools to comply with Chinese data privacy laws when using IRIS Connect. It is not legal advice. We recommend you seek independent advice.
There are 3 laws that pertain to data privacy that we will look at:
1. Data Security Law (DSL)
Under the DSL, organisations must classify and protect data according to its potential impact on national security, public interests, and key strategic sectors. “Important data” is defined narrowly and typically covers datasets relating to areas such as national defence, public security, energy, transportation, finance, major infrastructure operations, or government statistical/administrative systems.
Classroom recordings used for teacher professional development are very unlikely to fall into any recognised DSL “important data” category. They contain only standard educational activity information and personal information (e.g., images, voices, interactions inside the classroom), none of which has strategic or national-level sensitivity. As a result, DSL’s strictest obligations—such as important-data filing, national-level reporting, and enhanced export controls—do not apply to IRIS Connect usage.
Schools only need to follow ordinary DSL requirements, such as applying reasonable security controls, managing access appropriately, and ensuring secure handling of personal information.
IRIS Connect’s platform already incorporates these controls through encryption, access restriction, secure processing, and data minimisation tools.
2. Cybersecurity Law (CSL)
The CSL establishes enhanced cybersecurity obligations for entities designated as Critical Information Infrastructure Operators (CIIOs)—organisations whose systems, if compromised, could endanger national security, economic stability, public health, or major social services. Examples include telecommunications, energy, transportation, finance, e-government platforms, and major public service systems.
Schools and teacher professional development platforms such as IRIS Connect are generally not classed as CIIOs, as they do not operate critical national services, nor would a disruption meaningfully impact national security or the broader economy. Therefore, the strict CIIO requirements—such as mandatory data localisation, specialised security audits, and government-led inspections—do not apply.
Instead, schools remain general “network operators” under the CSL, required to implement standard cybersecurity measures: user authentication, access control, network security management, personal information protection, and incident response procedures.
IRIS Connect’s security framework fully meets and exceeds these baseline CSL expectations, including encrypted transmission and storage, role-based access control, audit logging, secure development practices, regular vulnerability scanning, and strong organisational governance. These measures ensure that classroom recordings are handled safely and in full alignment with CSL’s general requirements.
3. Personal Information Protection Law (PIPL)
PIPL has 3 relevant areas that need consideration:
i) Collecting consent for recording minors
Under PIPL, personal information of children under 14 is automatically classified as sensitive personal information. If any under-14s appear in the recording (image or voice), the processing triggers PIPL’s heightened protection requirements. This means schools must obtain separate, specific consent from a parent or legal guardian before collecting or using this information.
ii) PIPIA (DPIA)
Regardless of age, schools must also give clear notice explaining the purpose of recording, how the data will be processed, what information is collected, how long it will be retained, and who will have access. If the school changes the purpose, method, or scope of processing later, new consent must be obtained.
iii) Cross-border transfers
Additionally under PIPL, sending personal information outside Mainland China counts as a cross-border transfer. Schools must follow China’s export rules, which depend on how many individuals’ data is transferred each year — small volumes may be exempt, but larger volumes require a Standard Contract (SCC) filing or, for very large or sensitive volumes, a government security assessment.
Option 1 — Using IRIS Connect’s Anonymisation Filter
If recordings are made using IRIS Connect’s anonymisation filter and individuals cannot be identified, then the output no longer qualifies as personal information under PIPL.
In this case:
- No consent is required (because no PI is collected).
- Cross-border transfer rules do not apply.
- A PIPIA (DPIA) is not required, because no personal information is being processed (although completing one to evidence this conclusion is recommended).
This is the lowest-risk and simplest compliance route for schools.
Note - We recommend reviewing the recordings to ensure that no personal data is captured. If it is, the edit feature can be used to remove the sections in which a data subject is identifiable. Setting a specific camera position can also be used alongside the anonymisation filter to avoid capturing PI.
Option 2 — Recording Without the Anonymisation Filter
If students remain identifiable (visually or audibly), the recording therefore contains personal information, and all PIPL obligations apply.
1) Legal basis for filming
- Under-14s: Their data is sensitive PI so schools must obtain separate parental/guardian consent before recording.
- Ages 14–17 and adults: A lawful basis is still required. Because PIPL does not allow a public task basis as the GDPR does, schools typically rely on the student’s own consent. Contract could alternatively be used if:
  - the contract or service agreement explicitly reflects the need for video/audio recording (i.e. recordings are integral to delivering the agreed-upon service, e.g. teacher development, assessment, learning review);
  - the processing is proportionate: only what’s strictly needed, reasonably scoped, and clearly documented; and
  - the school still provides clear notice (purpose, scope, retention, how recordings will be used), enables individuals’ rights, and treats recordings under PIPL’s usual obligations (security, access control, deletion, etc.).
2) Cross-border transfer to Ireland
Because IRIS Connect processes data in Ireland, the school will be exporting personal information outside Mainland China.
- If you are a non-CIIO exporting fewer than 100,000 individuals’ non-sensitive PI per year, you are exempt from SCC/cert/security assessment, provided you comply with general PIPL duties (consent/legal basis, PIPIA where required, notices, etc.).
- If exporting fewer than 10,000 individuals’ sensitive PI per year, and the school is not classed as a CIIO, the export mechanism required is either:
  - CAC Standard Contract (SCC) filing, or
  - Certification.
The filing is submitted through the central CAC online platform.
- Separate export consent:
  If the school is relying on consent as the legal basis for processing, PIPL requires a stand-alone (“separate”) consent specifically for the cross-border transfer.
  The notice must name IRIS Connect in Ireland, explain the purpose, processing method, categories of PI, retention, and how individuals can exercise their rights.
3) Notices, PIPIA, and record-keeping
Schools must:
- Update their privacy notice to identify IRIS Connect (Ireland) as the overseas data recipient.
- Conduct and retain a Personal Information Protection Impact Assessment (PIPIA) covering:
  - necessity of recording,
  - presence of minors/sensitive PI,
  - security safeguards,
  - chosen cross-border transfer mechanism.
(A PIPIA is also required as part of the SCC filing.)
- Maintain an export register tracking the number of unique individuals exported per calendar year to determine whether the school qualifies for de minimis, SCC, or security assessment thresholds.