GB/T 35273-2017
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Personal information security specification
ISSUED ON: DECEMBER 29, 2017
IMPLEMENTED ON: MAY 01, 2018
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
5.1 Legal requirements for collection of personal information
5.2 Requirements for minimizing the collection of personal information
5.3 Authorized consent when collecting personal information
5.4 Exceptions for authorization of consent
5.5 Explicit consent for the collection of personal sensitive information
5.6 Content and release of privacy policy
6 Preservation of personal information
6.1 Minimizing the retention time of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Business suspension of personal data controller
7 Use of personal information
7.1 Control measures for access of personal information
7.2 Display restrictions on personal information
7.3 Restrictions on the use of personal information
7.4 Access to personal information
7.5 Correction of personal information
7.6 Deletion of personal information
7.7 Personal data subject withdraws consent
7.8 Personal data subject cancels account
7.9 Personal data subject obtains a copy of personal information
7.10 Constraint of information system’s automatic decision-making
7.11 Responding to requests of personal data subject
7.12 Management of appeal
8 Entrusted processing, sharing, transfer of control, public disclosure of personal information
8.1 Entrusted processing
8.2 Sharing and transfer of control of personal information
8.3 Transfer of control of personal information during acquisition, merger and restructuring
8.4 Public disclosure of personal information
8.5 Exceptions to prior authorization of consent, sharing, transfer of control, public disclosure of personal information
8.6 Common personal data controller
8.7 Cross-border transmission requirements for personal information
9 Handling of personal information security incident
9.1 Emergency response and reporting of security incidents
9.2 Notification of safety incidents
10 Management requirements of organization
10.1 Identify responsible departments and personnel
10.2 Conducting impact assessment of personal information security
10.3 Data security capabilities
10.4 Personnel management and training
10.5 Security audit
Appendix A (Informative) Example of personal information
Appendix B (Informative) Judgement of personal sensitive information
Appendix C (Informative) Method for guaranteeing the right of personal data subject to choose consent
Appendix D (Informative) Template of privacy policy
References
Information security technology -
Personal information security specification
1 Scope
This standard specifies the principles and security requirements for the
processing activities of collection, preservation, use, sharing, transfer, public
disclosure of personal information.
This standard applies to regulating the personal information processing
activities of all kinds of organizations; it also applies to the supervision,
management and evaluation of personal information processing activities by
the competent regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this
standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the
following terms and definitions apply to this document.
3.1
Personal information
Various information recorded electronically or otherwise that can identify a
particular natural person or reflect the activity of a particular natural person,
either alone or in combination with other information.
Note 1: Personal information includes name, date of birth, ID number,
personal biometric information, address, communication contact,
communication record and content, account password, property information,
credit information, whereabouts, accommodation information, health
information, transaction information, etc.
software provider, it does not belong to the personal information collection
behavior.
3.6
Explicit consent
The act by which the personal data subject gives definitive authorization for
the specific processing of its personal information, through a written
statement or by actively taking an affirmative action.
Note: Affirmative actions include the initiative of the personal data subject to
make a statement (electronic or paper form), active check, active click on
“agree”, “register”, “send”, “dial” and so on.
3.7
User profiling
The process of collecting, gathering, analyzing personal information to make
analysis and prediction of the personal characteristics of a particular natural
person, such as occupation, economy, health, education, personal
preferences, credit, behavior, etc., to form a personal feature model.
Note: The process of the direct use of personal information of a specific
natural person to form a feature model of the natural person is called a direct
user profiling. The use of personal information derived from other sources
than a specific natural person, such as the data of the group in which it is
located, to form a feature model of the natural person, is called an indirect
user profiling.
3.8
Personal information security impact assessment
For the personal information processing activities, the process of examining
the legal compliance level, determining the various risks that cause damage
to the legitimate rights and interests of the personal data subject, evaluating
the effectiveness of various measures used to protect the personal data
subject.
3.9
Delete
The act of removing personal information in a system involved in
implementing daily business functions, so that it remains in a state in which
it cannot be retrieved or accessed.
a) The principle of integration of powers and responsibilities - Bear
responsibility for the damage caused by personal information processing
activities to the legitimate rights and interests of the personal data
subject.
b) The principle of clear purpose - Have legal, legitimate, necessary, clear
purposes for personal information processing.
c) The principle of selective consent - Express to the personal data subject
the purpose, method, scope, rules, etc. of personal information processing,
and solicit authorization and consent.
d) The principle of least sufficiency - Unless otherwise agreed with the
personal data subject, process only the minimum type and amount of
personal information required to satisfy the purpose to which the personal
data subject consented. After the purpose is achieved, delete the personal
information in time as agreed.
e) The principle of openness and transparency - Disclose the scope, purpose,
rules, etc. of personal information processing in a clear, understandable,
reasonable manner, and accept external supervision.
f) The principle of ensuring security - Have security capabilities that
match the security risks faced, and take adequate management and technical
measures to protect the confidentiality, integrity and availability of
personal information.
g) The principle of subject participation - Provide personal data subjects with
the means to access, correct and delete their personal information, as well
as to withdraw consent and cancel accounts.
5 Collection of personal information
5.1 Legal requirements for collection of personal information
Requirements for personal data controllers include:
a) It shall not defraud, deceive, or force the personal data subjects to provide
their personal information;
b) It shall not conceal the functionality of the product or service to collect
personal information;
c) It shall not obtain personal information from illegal sources;
d) It shall not collect the personal information that is clearly prohibited by laws
etc. If the personal information processing activities required by the
organization to conduct business exceed the scope of the authorization,
it shall obtain explicit consent from the personal data subject within a
reasonable period after obtaining the personal information, or before
processing it.
5.4 Exceptions for authorization of consent
In the following cases, the personal data controller may collect and use personal
information without the authorization of the personal data subject:
a) Directly related to national security and national defense security;
b) Directly related to public safety, public health, major public interest;
c) Directly related to criminal investigation, prosecution, trial, execution of
judgments;
d) For the purpose of maintaining the material and legal rights, such as the
life and property, of the personal data subject or other individuals, but it is
difficult to obtain consent;
e) The personal information collected is proactively disclosed by the personal
data subject to the public;
f) Collect personal information from legally publicly disclosed information,
such as legitimate news reports, government information disclosure, etc.;
g) Where it is necessary to sign and fulfill the contract in accordance with the
requirements of the personal data subject;
h) Where it is necessary to maintain the safe and stable operation of the
products or services provided, such as the discovery, disposal of the faults
of products or services;
i) The personal data controller is a news unit and where it is necessary for
legal news reporting;
j) The personal data controller is an academic research institution that
de-identifies the personal information contained in the results when
conducting statistical or academic research for the public interest and
providing academic research or description results;
k) Other circumstances as specified by laws and regulations.
include but are not limited to:
1) The basic situation of the personal data controller, including the
registration name, registered address, common business location,
contact information of the relevant person in charge;
2) The purpose of collecting and using personal information, as well as the
various business functions as covered by the purpose, such as the use
of personal information for pushing commercial advertisements, the use
of personal information for the formation of direct user profiling and their
uses;
3) Personal information collected by each business function, as well as
personal information processing rules such as collection method and
frequency, storage area, storage period, range of actually collected
personal information;
4) The purpose of external sharing, transfer of control, and public
disclosure of personal information, the type of personal information
involved, the type of third party receiving personal information, the
corresponding legal liabilities assumed;
5) Basic principles of personal information security followed, data security
capabilities, personal information security measures taken;
6) The rights and implementation mechanisms of the personal data subject,
such as access methods, correction methods, deletion methods,
methods for canceling accounts, methods for withdrawing consent,
methods for obtaining copies of personal information, methods of
restraining automatic decision-making of information systems, etc.
7) Security risks that may exist after the provision of personal information,
as well as the possible impact of not providing personal information;
8) Channels and mechanisms for handling the inquiry and complaint from
the personal data subject, as well as external dispute resolution
agencies and contact methods.
b) The information notified by the privacy policy shall be true, accurate,
complete;
c) The content of the privacy policy shall be clear and understandable, in line
with common language habits, use standardized figures, diagrams, etc.,
avoid using ambiguous language, provide abstracts at the beginning,
briefly describe the focus of the content;
d) The privacy policy shall be publicly available and easy to access, for
6.4 Business suspension of personal data controller
When a personal data controller ceases to operate its products or services, it
shall:
a) Stop the continued collection of personal information in time;
b) Notify the personal data subject in the form of one-by-one delivery or
announcement;
c) Delete or anonymize the personal information held by it.
7 Use of personal information
7.1 Control measures for access of personal information
Requirements for personal data controllers include:
a) Internal data operators who are authorized to access personal information
shall be able to access only the minimum amount of personal information
required for their duties, only have the minimum amount of data
manipulation required to perform their duties, in accordance with the
principle of minimum sufficiency;
b) It should set up an internal approval process for important operations of
personal information, such as batch modification, copying, downloading,
etc.;
c) It shall make separate settings for the roles of security administrators, data
operators, and auditors;
d) If a specific person needs to be authorized to handle personal
information beyond their authority because of work requirements, this shall
be examined and approved by the person responsible for personal
information protection or the personal information protection agency, and
recorded;
Note: For the determination of the person responsible for personal
information protection or the organization of personal information
protection, see 10.1.
e) For the access, modification and other behaviors of personal sensitive
information, it should trigger the operation authorization according to the
requirements of the business process on the basis of the authority control
of the role. For example, a complaint handler can access information
copy of the following types of personal information, or directly transmit a copy
of the following personal information to a third party if technically feasible:
a) Personal basic information, personal ID information;
b) Personal health and physiological information, personal education work
information.
7.10 Constraint of information system’s automatic decision-making
When making decisions that significantly affect the rights and interests of a
personal data subject based solely on the automatic decision-making of the
information system (e.g., determining personal credit and loan quota based on
the user profiling, or using the user profiling for interview screening), the
personal data controller shall provide the personal data subject with a method
of appeal.
7.11 Responding to requests of personal data subject
Requirements for personal data controllers include:
a) After verifying the identity of the personal data subject, it shall respond
promptly to requests made by the personal data subject based on 7.4 ~ 7.10,
reply and give a reasonable explanation within 30 days or within the time
limit prescribed by laws and regulations, and inform the personal data
subject of the route for proposing external dispute resolution;
b) In principle, it does not charge for the reasonable request. But for a
number of repeated requests within a certain period of time, it may charge
a certain cost as appropriate;
c) If the direct fulfillment of request from the personal data subject requires
high costs or has other significant difficulties, the personal data controller
shall provide other alternative methods to the personal data subject, to
protect the legitimate rights and interests of the personal data subject;
d) In the following circumstances, including but not limited to, it may decline
to respond to requests made by the personal data subject based on 7.4 ~ 7.10:
1) Directly related to national security and national defense security;
2) Directly related to public safety, public health, and major public interests;
3) Directly related to criminal investigation, prosecution, trial and execution
of judgments;
personal data subject is based on 7.4 ~ 7.10;
4) If the entrusted person is unable to provide a sufficient level of security
protection, or has a security incident in the course of processing
personal information, it shall promptly report back to the personal data
controller;
5) Personal information is no longer retained once the entrustment
relationship is terminated.
d) The personal data controller shall supervise the entrusted person by
means of, but not limited to:
1) Specify the responsibilities and obligations of the entrusted person by
means of contracts;
2) Audit the entrusted person.
e) The personal data controller shall accurately record and maintain the
circumstances of the entrusted processing of personal information.
8.2 Sharing and transfer of control of personal information
In principle, personal information shall not be shared, nor shall its control be
transferred. When personal data controllers need to share personal information
or transfer its control, they shall pay full attention to the risks. Sharing or
transferring control of personal information, other than as a result of
acquisition, merger or restructuring, shall comply with the following
requirements:
a) Conduct impact assessment of personal information security in advance
and take effective measures to protect the personal data subject based
on the assessment results;
b) Inform the personal data subject of the purpose of sharing or transferring
control of the personal information and the type of the data recipient, and
obtain prior authorization from the personal data subject. Sharing or
transferring control of de-identified personal information is excepted,
provided that the data recipient cannot re-identify the personal data
subject;
c) Before sharing and transferring of control of personal sensitive information,
in addition to the content notified in 8.2b), it shall also inform the personal
data subject of the type of personal sensitive information involved, the
identity of the data recipient, the data security capabilities, meanwhile
obtain the explicit consent from the personal data subject in advance;
the content of the personal sensitive information involved;
d) Accurately record and maintain the public disclosure of personal
information, including the date, size, purpose, scope of public disclosure;
e) Bear the corresponding responsibility for causing damage to the legitimate
rights and interests of the personal data subject due to the public
disclosure of personal information;
f) Do not publicly disclose personal biometric information.
8.5 Exceptions to prior authorization of consent, sharing,
transfer of control, public disclosure of personal information
In the following cases, personal data controllers may share, transfer control
of, or publicly disclose personal information without prior authorization from
the personal data subject:
a) Directly related to national security and national defense security;
b) Directly related to public safety, public health, and major public interest;
c) Directly related to criminal investigation, prosecution, trial and execution
of judgments;
d) For the purpose of maintaining the material and legal rights of the personal
data subject or other individuals, but it is difficult to obtain the consent;
e) Personal information that the personal data subject discloses to the public
on its own;
f) Collect personal information from legally publicly disclosed information,
such as legitimate news reports, government information disclosure, other
channels and so on.
8.6 Common personal data controller
When the personal data controller and a third party are joint personal data
controllers (such as a service platform and a merchant contracted on the
platform), the personal data controller shall, through a contract or the like,
jointly determine with the third party the personal information security
requirements to be met, as well as the responsibilities and obligations of
itself and the third party in terms of personal information security, and
shall clearly notify the personal data subject of them.
a) Establish an impact assessment system for personal information security
and conduct impact assessments of personal information security on a
regular basis (at least once a year).
b) The impact assessment of personal information security shall mainly
assess the situation in which the processing activities follow the basic
principles of personal information security, as well as the impact of
personal information processing activities on the legitimate rights and
interests of personal data subjects, including but not limited to:
1) Whether the collection link of personal information follows the principles
of clear purpose, selective consent, minimum sufficiency;
2) Whether the processing of personal information may adversely affect
the legitimate rights and interests of the personal data subject, including
whether it will endanger personal and property safety, damage personal
reputation and physical and mental health, lead to discriminatory
treatment;
3) The effectiveness of personal information security measures;
4) The risk of re-identifying the personal data subject from the anonymized
or de-identified data set;
5) The possible adverse effects of sharing, transferring of control, publicly
disclosing personal information on the legitimate rights and interests of
the personal data subject;
6) In the event of a security incident, the adverse effect on the legitimate
rights and interests of the personal data subject.
c) In case of new requirements by laws and regulations, significant change
of business models, information systems, operating environments, or the
occurrence of significant personal information security incident, it shall
carry out the impact assessment of personal information security again.
d) Form an impact assessment report of personal information security and
take measures based on this to protect the personal data subject, to
reduce the risk to an acceptable level.
e) Properly retain an impact assessment report of personal information
security, to ensure that it may be accessed by relevant parties and made
public in an appropriate form.
10.3 Data security capabilities
Personal data controllers shall, according to the requirements of relevant
national standards, establish appropriate data security capabilities and
implement necessary management and technical measures, to prevent leakage,
damage, loss of personal information.
10.4 Personnel management and training
Requirements for personal data controllers include:
a) It shall sign a confidentiality agreement with relevant personnel in
personal information processing posts, and conduct background checks on
personnel who have extensive access to personal sensitive information;
b) It shall define the security duties of the internal posts involving personal
information processing, as well as penalty mechanism for security
incidents;
c) It shall request the relevant personnel on the personal information
processing position to continue to perform the confidentiality obligation
when transferring the post or terminating the labor contract;
d) It shall identify the personal information security requirements that external
service personnel who may access personal information shall comply with,
sign a confidentiality agreement with them, carry out supervision;
e) It shall, at regular intervals (at least once a year) or in the event of
major changes in the privacy policy, carry out information security training
and assessment for the relevant personnel in personal information processing
posts, to ensure that they are proficient in the privacy policy and related
procedures.
10.5 Security audit
Requirements for personal data controllers include:
a) It shall audit the privacy policy and related procedures, as well as the
effectiveness of security measures;
b) It shall establish an automated audit system, to monitor and record
personal information processing activities;
c) The records resulting from the audit process shall support the handling of
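As an added illustration of the access-control requirements in 7.1 (minimum necessary access, internal approval for batch modification, copying and downloading, separate security administrator, data operator and auditor roles, and business-process authorization for sensitive information) together with the automated audit record required in 10.5 b), the following Python policy check is not part of the standard. The role names, the fields each role may see, the ticket identifiers and the log format are assumptions chosen for the example, and the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# 7.1 a) and c): each role sees only the fields its duties need (assumed sets);
# auditors and security administrators administer the system, not the data.
ROLE_FIELDS = {
    "data_operator": {"name", "order_id", "phone"},
    "complaint_handler": {"name", "order_id", "phone", "address", "id_number"},
    "auditor": set(),
    "security_admin": set(),
}
# Fields treated as personal sensitive information (ID number, health, bank card; assumed).
SENSITIVE_FIELDS = {"id_number", "health_record", "bank_card"}
# 7.1 b): important operations that require an internal approval ticket.
APPROVAL_REQUIRED_OPS = {"batch_modify", "copy", "download"}
# 7.1 c): role pairs that one person must not hold at the same time.
SEPARATED_ROLES = [
    {"security_admin", "data_operator"},
    {"security_admin", "auditor"},
    {"auditor", "data_operator"},
    {"auditor", "complaint_handler"},
]


class AccessDenied(Exception):
    pass


@dataclass
class Request:
    user: str
    roles: frozenset
    op: str                              # "read", "modify", "batch_modify", "copy", "download"
    fields: frozenset
    approval_id: Optional[str] = None    # ticket from the internal approval process (7.1 b, d)
    business_ticket: Optional[str] = None  # open business case, e.g. a complaint id (7.1 e)


def role_conflicts(roles):
    """Return the separated role pairs that this role set violates."""
    return [pair for pair in SEPARATED_ROLES if pair <= set(roles)]


def permitted_fields(roles):
    """Union of the fields the given roles may access."""
    allowed = set()
    for r in roles:
        allowed |= ROLE_FIELDS.get(r, set())
    return allowed


def evaluate(req):
    """Apply the 7.1 rules in order; return None if allowed, else the reason for denial."""
    conflicts = role_conflicts(req.roles)
    if conflicts:
        return "role separation violated: " + ", ".join("+".join(sorted(p)) for p in conflicts)
    excess = set(req.fields) - permitted_fields(req.roles)
    if excess and not req.approval_id:
        return "fields beyond role authority need approval (7.1 d): " + ",".join(sorted(excess))
    if req.op in APPROVAL_REQUIRED_OPS and not req.approval_id:
        return f"operation {req.op!r} needs internal approval (7.1 b)"
    if set(req.fields) & SENSITIVE_FIELDS and not req.business_ticket:
        return "sensitive fields need an open business-process ticket (7.1 e)"
    return None


def authorize(req, audit_log):
    """Decide the request and append one audit entry per decision (10.5 b), allowed or not."""
    reason = evaluate(req)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "roles": sorted(req.roles), "op": req.op,
        "fields": sorted(req.fields), "approval_id": req.approval_id,
        "business_ticket": req.business_ticket,
        "decision": "deny" if reason else "allow", "reason": reason,
    })
    if reason:
        raise AccessDenied(reason)
    return set(req.fields)


def demo():
    """Run constructed requests through the check; return outcomes and the audit log."""
    log, outcomes = [], {}
    op_roles, ch_roles = frozenset({"data_operator"}), frozenset({"complaint_handler"})
    cases = {
        "routine_read": Request("alice", op_roles, "read", frozenset({"name", "phone"})),
        "bulk_download": Request("alice", op_roles, "download", frozenset({"name", "phone"})),
        "approved_download": Request("alice", op_roles, "download", frozenset({"name", "phone"}),
                                     approval_id="APR-0001"),
        "sensitive_no_ticket": Request("bob", ch_roles, "read", frozenset({"id_number"})),
        "sensitive_with_ticket": Request("bob", ch_roles, "read", frozenset({"id_number"}),
                                         business_ticket="CMP-42"),
        "conflicting_roles": Request("carol", frozenset({"auditor", "data_operator"}), "read",
                                     frozenset({"name"})),
    }
    for name, req in cases.items():
        try:
            authorize(req, log)
            outcomes[name] = "allow"
        except AccessDenied:
            outcomes[name] = "deny"
    return outcomes, log


if __name__ == "__main__":
    results, audit = demo()
    for name, decision in results.items():
        print(f"{name:22s} {decision}")
```

The check is deliberately ordered: a role-separation violation is refused before anything else is evaluated, approval tickets are required both for out-of-role fields and for batch operations, and the audit entry is written before the exception is raised so that denied attempts are recorded as well as granted ones.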
Appendix B
(Informative)
Judgement of personal sensitive information
Personal sensitive information refers to personal information that, if leaked,
illegally provided or misused, may endanger personal and property safety, may
easily cause damage or discriminatory treatment to personal reputation,
physical and mental health. Usually, the personal information of children under
the age of 14 and the privacy information of natural persons are personal
sensitive information. It may be judged from the following points whether it is
personal sensitive information.
Disclosure: Once personal information is disclosed, the personal data subject
and the organizations and institutions that collect and use it lose control over
it, so that its scope and use become uncontrollable. Certain personal
information may be directly used against the will of the personal data subject,
or be subjected to correlation analysis with other information, which may pose
a significant risk to the major rights and interests of the personal data
subject; such information shall be determined as personal sensitive information.
For example, a copy of the personal data subject's ID card is used by others
for real-name registration of a mobile phone number card, opening of a bank
account card, and the like.
Illegal provision: If certain personal information, once spread beyond the scope
authorized by the personal data subject, may cause significant risks to the
rights and interests of the personal data subject, it shall be judged as
personal sensitive information. For example, sexual orientation, deposit
information, history of infectious diseases, etc.
Abuse: If certain personal information, when used beyond the reasonable limits
of authorization (such as changing the purpose of processing, expanding the
scope of processing, etc.), may pose a significant risk to the rights and
interests of the personal data subject, it shall be determined as personal
sensitive information. For example, without the authorization of the personal
data subject, health information is used for insurance company marketing and
for determining an individual's premium level.
Table B.1 provides an example of personal sensitive information.
(3) Conduct internal audit, data analysis and research, to
improve our products or services [Note: examples]
(omitted)
(4)……
...
When we will use the information for other purposes not
covered by this policy, we will ask for your consent in
advance.
When we will use information collected for a specific purpose
for other purposes, we will ask for your consent in advance.
8. According to the use of personal
information, indicate the expected retention
time of different types of personal
information (such as: within 5 years from
the date of collection) and the deadline for
deletion or destruction (e.g., December 31,
2019 or when user cancels account).
9. When it is necessary to change the
purpose of collecting and using information,
it shall be stated that the user’s c......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.