GB/T 35273-2020 PDF in English
GB/T 35273-2020 (GB/T35273-2020, GBT 35273-2020, GBT35273-2020)
Standard ID | Contents | USD | Delivery | Name of Chinese Standard | Status
GB/T 35273-2020 | English | 405 | PDF, auto-delivery in 0-9 seconds | Information security technology -- Personal information security specification | Valid
GB/T 35273-2017 | English | 170 | PDF, auto-delivery in 0-9 seconds | Information security technology -- Personal information security specification | Obsolete
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 35273-2017
Information security technology - Personal
information security specification
ISSUED ON: MARCH 06, 2020
IMPLEMENTED ON: OCTOBER 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
5.1 Legality of collecting personal information
5.2 Minimum necessary to collect personal information
5.3 Independent choice of multiple business functions
5.4 Consent on collecting personal information
5.5 Personal information protection policy
5.6 Exceptions with authorized consent
6 Storage of personal information
6.1 Minimal storage time of personal information
6.2 De-identification
6.3 Transmission and storage of personal sensitive information
6.4 Personal information controller ceases operations
7 Use of personal information
7.1 Access control measures for personal information
7.2 Restrictions on the display of personal information
7.3 Restrictions on the purpose of using personal information
7.4 Restrictions on the use of user profiling
7.5 Use of personalized displays
7.6 Convergence and fusion of personal information collected for different business purposes
7.7 Use of information system’s automatic decision-making mechanism
8 Rights of personal information subjects
8.1 Inquiry of personal information
8.2 Correction of personal information
8.3 Deletion of personal information
8.4 Personal information subject withdraws consent
8.5 Personal information subject cancels account
8.6 Personal information subject obtains a copy of personal information
8.7 Responding to requests from personal information subjects
8.8 Complaint management
9 Entrusted processing, sharing, transfer, public disclosure of personal information
9.1 Entrusted processing
9.2 Sharing and transfer of personal information
9.3 Transfer of personal information during acquisition, merger, reorganization, bankruptcy
9.4 Public disclosure of personal information
9.5 Exceptions to prior consent obtained when sharing, transferring or publicly disclosing personal information
9.6 Joint personal information controller
9.7 Third-party access management
9.8 Cross-border transmission of personal information
10 Handling of personal information security incidents
10.1 Emergency handling and reporting of personal information security incidents
10.2 Notification of security incidents
11 Personal information security management requirements of the organization
11.1 Identify responsible departments and personnel
11.2 Personal information security engineering
11.3 Records for personal information processing activity
11.4 Conduct personal information’s security impact assessment
11.5 Data security capabilities
11.6 Personnel management and training
11.7 Security audit
Appendix A (Informative) Examples of personal information
Appendix B (Informative) Determination of personal sensitive information
Appendix C (Informative) Method for realizing self-intention of personal information subject
Appendix D (Informative) Template of personal information protection policy
References
Information security technology - Personal
information security specification
1 Scope
This standard specifies the principles and security requirements for carrying out
personal information processing activities such as collection, storage, use,
sharing, transfer, public disclosure, deletion, etc.
This standard applies to the regulation of personal information processing
activities carried out by organizations of all kinds, and to the supervision,
management and evaluation of such activities by competent regulatory
authorities, third-party evaluation agencies and similar organizations.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies; for undated references, the
latest edition (including all amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the
following terms and definitions apply to this document.
3.1
Personal information
Various information recorded electronically or in other ways that can identify
the identity of a particular natural person or reflect the activities of a particular
natural person, alone or in combination with other information.
Note 1: Personal information includes name, date of birth, ID number, personal
biometric information, address, communication contact information, communication
records and content, account passwords, property information, credit information,
whereabouts, accommodation information, health and physiological information,
transaction information, etc.
3.5
Collection
The act of gaining control of personal information.
Note 1: This includes personal information actively provided by the personal
information subject, automatic collection such as recording interactions with the
personal information subject or the subject's activities, and indirect acquisition
through sharing, transfer or collection of public information.
Note 2: If the provider of a product or service supplies tools that the personal
information subject uses, and the provider itself does not access the personal
information, this is not collection in the sense of this standard. For example, if
offline navigation software obtains the personal information subject's position
from the terminal but does not send it back to the software provider, the position
information has not been collected.
3.6
Explicit consent
The personal information subject actively makes a statement, in writing (on
paper or electronically) or orally, or autonomously performs an affirmative
action, to explicitly authorize a specific processing of their personal
information.
Note: Affirmative actions include the personal information subject actively selecting
an option, actively clicking "agree", "register", "send" or "dial", actively filling in or
providing information, etc.
3.7
Consent
The personal information subject gives a specific authorization for a specific
processing of their personal information.
Note: This includes authorization through an active action (i.e., explicit
consent) and authorization through passive omission (e.g., a personal
information subject who, after being informed that information is being
collected in an area, does not leave that area).
3.8
User profiling
The process of collecting, aggregating and analyzing personal information in
order to analyze or predict the characteristics of a specific natural person,
such as occupation, economic status, health, education, personal preferences,
credit, behavior, etc., and form a model of that person's characteristics.
3.14
Anonymization
The process of processing personal information so that the personal
information subject can no longer be identified or associated, and the
processed information cannot be restored.
Note: Information obtained after anonymizing personal information is not
personal information.
3.15
De-identification
The process of technically processing personal information so that the
personal information subject cannot be identified or associated without
additional information.
Note: De-identification operates on individual records and retains individual-level
granularity; it replaces identifiers with pseudonyms, encryption, hash functions or
other technical means.
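The distinction between 3.14 and 3.15 is easy to get wrong in practice: a plain hash of a low-entropy identifier (a birth date, a phone number) is often shipped as "de-identified" data, but anyone can recover the input by hashing every candidate. The following is an added example, not code from the standard or from any implementation it references. It de-identifies a small constructed record set by replacing the direct identifiers with a keyed pseudonym (HMAC-SHA256), which keeps individual granularity as the note above describes, and then shows that an unkeyed SHA-256 of a birth date is reversed by a dictionary attack while the keyed pseudonym is not. The field names, the sample records and the choice of HMAC are assumptions of this example.

```python
"""De-identification with keyed pseudonyms (3.15), contrasted with an unkeyed
hash of a low-entropy identifier, which does not de-identify anything."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample records; the names and dates are fictional.
RECORDS = [
    {"name": "Zhang San", "birth_date": "1987-04-12", "city": "Hangzhou", "amount": 120},
    {"name": "Li Si", "birth_date": "1992-11-03", "city": "Chengdu", "amount": 45},
    {"name": "Zhang San", "birth_date": "1987-04-12", "city": "Hangzhou", "amount": 80},
]
DIRECT_IDENTIFIERS = ("name", "birth_date")  # assumed: these fields identify the subject


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 128 bits.

    The key is the 'additional information' of 3.15: whoever holds it can
    re-link pseudonyms to subjects, so it is stored apart from the data set
    (e.g. in a KMS/HSM) and never shipped with the de-identified records.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def deidentify(records: list, key: bytes) -> list:
    """Replace the direct identifiers of each record with one subject pseudonym.

    Individual granularity is retained: every record of the same subject gets
    the same pseudonym, so per-subject analysis still works without the name.
    """
    out = []
    for rec in records:
        subject = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["subject_pid"] = pseudonym(subject, key)
        out.append(new)
    return out


def unkeyed_hash(value: str) -> str:
    """What is often shipped instead: a plain SHA-256 of the identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def birth_dates(start=date(1940, 1, 1), end=date(2010, 12, 31)):
    """The entire input space of a birth date is only about 26,000 values."""
    d = start
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def invert_unkeyed_hash(digest_hex: str):
    """Dictionary attack: hash every candidate date and compare. Succeeds, so the
    subject is still identifiable and the data is not de-identified."""
    for cand in birth_dates():
        if unkeyed_hash(cand) == digest_hex:
            return cand
    return None


def invert_keyed_pseudonym(pid_hex: str, guessed_key: bytes):
    """The same attack against the keyed pseudonym; only succeeds with the real key."""
    for cand in birth_dates():
        if pseudonym(cand, guessed_key) == pid_hex:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept separately from the data set
    for row in deidentify(RECORDS, key):
        print(row)
    print("plain hash inverted to:", invert_unkeyed_hash(unkeyed_hash("1987-04-12")))
    print("keyed pseudonym inverted to:",
          invert_keyed_pseudonym(pseudonym("1987-04-12", key), b"attacker-guess"))
```

The key, not the hash function, is what separates de-identification from a reversible transformation here; if the key is ever stored or shared together with the records, the data set is back to being personal information in full.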
3.16
Personalized display
Based on personal information such as the web browsing history, interests
and hobbies, consumption records and habits of a specific personal
information subject, the activities of displaying information content and
providing search results for goods or services, etc. to the personal
information subject.
3.17
Business function
The type of service that meets the specific use needs of personal information
subjects.
Note: Such as map navigation, online car booking, instant messaging, online
community, online payment, news information, online shopping, express delivery,
transportation ticketing, etc.
4 Basic principles of personal information security
Personal information controllers shall follow the legal, legitimate and necessary
principles for carrying out personal information processing activities, including:
a) Consistent rights and responsibilities - Take technical and other necessary
measures to ensure the security of personal information; take
5.2 Minimum necessary to collect personal information
a) The types of personal information collected shall be directly related to
realizing the business function of the product or service; directly related
means that the function of the product or service cannot be realized
without that personal information.
b) The frequency of automatically collecting personal information shall be the
minimum frequency necessary to realize the business function of the
product or service.
c) The amount of personal information obtained indirectly shall be the
minimum necessary to realize the business function of the product or
service.
5.3 Independent choice of multiple business functions
When a product or service provides multiple business functions that require the
collection of personal information, the personal information controller shall not,
against the autonomous will of the personal information subject, force the subject
to accept a business function of the product or service and the corresponding
personal information collection request. Requirements for personal information
controllers include:
a) The business functions of a product or service shall not be bundled so as
to require the personal information subject to accept and authorize the
collection of personal information for business functions they have not
applied for or used.
b) Affirmative actions independently made by the personal information
subject, such as actively clicking, checking or filling in, shall be used as
the enabling condition for a specific business function of the product or
service. The personal information controller shall start collecting personal
information only after the personal information subject has enabled that
business function.
c) Closing or withdrawing from a business function shall be as convenient
as the way in which the personal information subject chose to use it. After
the personal information subject closes or withdraws from a specific
business function, the personal information controller shall stop collecting
personal information for that business function.
d) If the personal information subject does not consent to the use of, or
closes or withdraws from, a specific business function, their consent shall
not be sought repeatedly.
e) If the personal information subject does not consent to the use of, or
closes or withdraws from, a specific business function, it shall not
Note 3: When the personal information subject first opens a product or service,
registers an account, etc., the main or core content of the personal information
protection policy should be actively displayed to them, for example in a pop-up
window, to help them understand the scope and rules of personal information
processing for the product or service and decide whether to continue using it.
5.6 Exceptions with authorized consent
In the following situations, the personal information controller does not need to
obtain the consent of the personal information subject to collect and use
personal information:
a) Relevant to the personal information controller's performance of its
obligations under laws and regulations;
b) Directly related to national security and national defense security;
c) Directly related to public security, public health, major public interests;
d) Directly related to criminal investigation, prosecution, trial and judgment
execution;
e) Necessary to protect the life, property or other major lawful rights and
interests of the personal information subject or other individuals, where it
is difficult to obtain consent;
f) The personal information involved is disclosed to the public by the personal
information subject;
g) Necessary to sign and perform the contract according to the requirements
of the personal information subject;
Note: The main function of the personal information protection policy is to disclose
the scope and rules for the collection and use of personal information by the
personal information controller; it should not be regarded as a contract.
h) Collect personal information from legally publicly disclosed information,
such as legal news reports, government information disclosure and other
channels;
i) Necessary to maintain the secure and stable operation of the products or
services provided, such as discovering and handling failures of products
or services;
j) The personal information controller is a news organization, meanwhile it is
necessary to carry out legal news reports;
1) Store only digest (summary) information derived from personal biometric
information;
2) Use personal biometric information directly on the collection terminal to
realize identity recognition, authentication and similar functions;
3) When using facial features, fingerprints, palm prints, irises, etc. for
identity recognition, authentication or similar functions, delete the
original images from which the personal biometric information can be
extracted.
Note 2: Digest information is usually irreversible and cannot be traced back to the
original information.
Note 3: Except where the personal information controller must fulfill its obligations
under laws and regulations.
6.4 Personal information controller ceases operations
When the personal information controller stops operating its products or
services, it shall:
a) Promptly stop collecting personal information;
b) Notify personal information subjects individually or by public
announcement;
c) Delete or anonymize the personal information it holds.
7 Use of personal information
7.1 Access control measures for personal information
Requirements for personal information controllers include:
a) Establish a least-privilege access control policy for personnel authorized
to access personal information, so that each can access only the minimum
personal information necessary for their duties and holds only the
minimum data operation rights needed to complete those duties;
b) Set up internal approval processes for important operations on personal
information, such as batch modification, copying and downloading;
c) Separately set the roles of security management personnel, data
information can identify the identity of a specific natural person or reflect
the activities of a specific natural person, alone or in combination with
other information, it shall be considered as personal information. It shall
be handled within the scope of the consent obtained when collecting
personal information.
Note 2: If the personal information generated by processing is personal sensitive
information, its processing must meet the requirements for personal sensitive
information.
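Requirements 7.1 a) and b) above translate into two enforcement points in an application: a check that the requester's role permits the operation and the specific fields being touched, and a gate that refuses batch modification, copying or downloading unless a separate approval exists and the approver is not the requester. The following is an added example, not code from the standard or from any product it describes. The roles, field names, the 100-row batch threshold and the partial masking of phone numbers on display are assumptions constructed for this example.

```python
"""Field-level least privilege for personal data (7.1 a) with an approval gate
for batch operations (7.1 b). Roles, fields and thresholds are constructed for
this example; they are not taken from the standard."""
from dataclasses import dataclass


# Hypothetical role policy: each role sees only the fields its duties require
# and holds only the operations it needs.
POLICY = {
    "support_agent": {"fields": {"name", "phone", "order_status"}, "ops": {"read"}},
    "analyst": {"fields": {"city", "amount"}, "ops": {"read"}},
    "data_steward": {
        "fields": {"name", "phone", "id_number", "city", "amount", "order_status"},
        "ops": {"read", "update", "export"},
    },
}
BULK_ROWS = 100                  # assumed: above this, update/export is a batch operation
BULK_OPS = {"update", "export"}  # batch modification, copying, downloading


@dataclass(frozen=True)
class Approval:
    ticket: str    # reference to the internal approval record
    approver: str  # must be someone other than the requester


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(actor: str, role: str, op: str, fields, row_count: int,
              approval: Approval = None) -> Decision:
    """Deny unless role, operation, field set and batch size are all within scope."""
    rule = POLICY.get(role)
    if rule is None:
        return Decision(False, f"unknown role {role!r}")
    if op not in rule["ops"]:
        return Decision(False, f"role {role!r} may not {op}")
    outside = set(fields) - rule["fields"]
    if outside:
        return Decision(False, f"fields outside duty scope: {sorted(outside)}")
    if op in BULK_OPS and row_count > BULK_ROWS:
        if approval is None:
            return Decision(False, f"batch {op} of {row_count} rows needs approval")
        if approval.approver == actor:
            return Decision(False, "requester may not approve their own batch operation")
        return Decision(True, f"batch {op} approved under {approval.ticket}")
    return Decision(True, "within role scope")


def minimize(record: dict, role: str) -> dict:
    """Project a record down to the fields the role may see. Phone numbers are
    partially masked for every role except the data steward (an assumed display
    rule, not a requirement quoted from the standard)."""
    allowed = POLICY[role]["fields"]
    out = {k: v for k, v in record.items() if k in allowed}
    if "phone" in out and role != "data_steward":
        p = out["phone"]
        out["phone"] = p[:3] + "*" * (len(p) - 7) + p[-4:]
    return out


if __name__ == "__main__":
    print(authorize("alice", "analyst", "read", ["city", "amount"], 10))
    print(authorize("bob", "data_steward", "export", ["name", "phone"], 5000))
    print(authorize("bob", "data_steward", "export", ["name", "phone"], 5000,
                    Approval("CHG-2041", "carol")))
    print(minimize({"name": "Zhang San", "phone": "13800001234",
                    "id_number": "REDACTED", "city": "Hangzhou", "amount": 3},
                   "support_agent"))
```

Both functions return a value rather than raising, so the caller can record the decision and its reason in the processing log that 11.3 and 11.7 ask for; denying by default on an unknown role or an unlisted field is what keeps a new column from silently widening everyone's access.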
7.4 Restrictions on the use of user profiling
Requirements for personal information controllers include:
a) The description of the personal information subject's characteristics in a
user profile shall not:
1) Contain obscenity, pornography, gambling, superstition, terror or
violence;
2) Express discrimination based on ethnicity, race, religion, disability or
disease.
b) When user profiling is used in business operations or external business
cooperation, it shall not:
1) Infringe upon the lawful rights and interests of citizens, legal persons
or other organizations;
2) Endanger national security, honor or interests; incite subversion of state
power or overthrow of the socialist system; incite splitting the country or
undermine national unity; promote terrorism, extremism, ethnic hatred or
ethnic discrimination; spread violent or obscene and pornographic
information; fabricate or disseminate false information that disturbs
economic and social order.
c) Except where necessary for the purpose authorized by the personal
information subject, the use of personal information shall avoid clearly
identifying and precisely targeting specific individuals. For example, direct
user profiling may be used to accurately assess personal credit status,
whereas indirect user profiling should be used for pushing commercial
advertisements.
7.6 Convergence and fusion of personal information collected
for different business purposes
Requirements for personal information controllers include:
a) It shall comply with the requirements of 7.3;
b) It shall, according to the purpose for which the personal information is
aggregated and fused, carry out a personal information security impact
assessment and take effective personal information protection measures.
7.7 Use of information system’s automatic decision-making
mechanism
When the information system used in the personal information controller's
business operations has an automatic decision-making mechanism that can
significantly affect the rights and interests of personal information subjects
(for example, automatic determination of personal credit and loan limits, or
automated screening of interview candidates), the controller shall:
a) Carry out personal information’s security impact assessment at the
planning and design stage or before the first use; take effective measures
to protect the personal information subject according to the assessment
results;
b) Regularly (at least once a year) conduct a personal information’s security
impact assessment during the use process; improve the measures for
protecting the personal information subject based on the assessment
results;
c) Provide personal information subjects with complaint channels for
automatic decision-making results and support manual review of
automatic decision-making results.
8 Rights of personal information subjects
8.1 Inquiry of personal information
The personal information controller shall provide the personal information
subject with a method to query the following information:
8.6 in a timely manner. It shall, within 30 days or within the time limit
prescribed by laws and regulations, make a response and reasonable
explanation; meanwhile notify the personal information subject of the
resolution of external disputes.
b) If interactive pages (such as websites, mobile Internet applications, client
software, etc.) are used to provide products or services, it should directly
set up convenient interactive pages to provide functions or options, so that
personal information subjects can exercise their rights of access,
correction, deletion, withdrawal of consent, cancellation of accounts, etc.
c) In principle, no fee is charged for reasonable requests; however, for
repeated requests within a certain period of time, a certain cost may be
charged as appropriate.
d) If directly fulfilling the request of the personal information subject requires
high costs or causes other significant difficulties, the personal information
controller shall provide an alternative method to the personal information
subject, to protect the legitimate rights and interests of the personal
information subject.
e) In the following cases, the personal information controller need not
respond to requests from personal information subjects under 8.1 to 8.6:
1) Related to the personal information controller's fulfillment of obligations
under laws and regulations;
2) Directly related to national security and national defense security;
3) Directly related to public security, public health, major public interests;
4) Directly related to criminal investigation, prosecution, trial and
execution of judgments;
5) The personal information controller has sufficient evidence that the
personal information subject is acting in bad faith or abusing their
rights;
6) Necessary to protect the life, property or other major lawful rights and
interests of the personal information subject or other individuals, where
it is difficult to obtain the subject's consent;
7) Responding to the request would seriously damage the lawful rights and
interests of the personal information subject or of other individuals or
organizations;
8) Trade secrets are involved.
personal information, it shall promptly feed back to the personal
information controller.
5) No longer retain the personal information once the entrustment
relationship ends.
d) The personal information controller shall supervise the entrusted party, in
a way including but not limited to:
1) Specifying the responsibilities and obligations of the entrusted party
through contracts and other means;
2) Auditing the entrusted party.
e) The personal information controller shall accurately record and store the
entrusted processing of personal information.
f) If the personal information controller learns or finds that the entrusted party
is not processing the personal information in accordance with the
entrusted requirements, or is failing to fulfill its security protection
responsibility for personal information, it shall immediately require the
entrusted party to stop the relevant actions, and take or require the
entrusted party to take effective remedial measures (such as changing
passwords, revoking permissions, disconnecting network connections,
etc.) to control or eliminate the security risks to the personal information.
When necessary, the personal information controller shall terminate the
business relationship with the entrusted party and require the entrusted
party to promptly delete the personal information obtained from the
personal information controller.
9.2 Sharing and transfer of personal information
When personal information controllers share and transfer personal information,
they shall pay full attention to risks. The sharing and transfer of personal
information, not due to acquisition, merger, reorganization, or bankruptcy, shall
meet the following requirements:
a) Conduct a personal information’s security impact assessment in advance;
take effective measures to protect the personal information subject based
on the assessment results.
b) Inform the personal information subject about the purpose of sharing and
transferring personal information, the type of data receiver and possible
consequences; obtain the prior authorization of the personal information
subject. Except for sharing and transferring personal information that has
been de-identified, meanwhile ensuring that the data receiver cannot re-
9.3 Transfer of personal information during acquisition, merger,
reorganization, bankruptcy
When the personal information controller is subject to changes such as
acquisition, merger, reorganization, bankruptcy, etc., the requirements for the
personal information controller include:
a) Inform relevant information to the personal information subject;
b) The changed personal information controller shall continue to fulfill the
responsibilities and obligations of the original personal information
controller. If the purpose of using personal information is changed, it shall
obtain the explicit consent of the personal information subject again;
c) If the controller goes bankrupt and no party takes over the personal information, delete it.
9.4 Public disclosure of personal information
In principle, personal information shall not be publicly disclosed. When the
personal information controller is authorized by law or has reasonable grounds
for public disclosure, it shall meet the following requirements:
a) Conduct a personal information’s security impact assessment in advance;
take effective measures to protect the personal information subject based
on the assessment results;
b) Inform the personal information subject of the purpose and type of public
disclosure of personal information; obtain the explicit consent of the
personal information subject in advance;
c) Before publicly disclosing personal sensitive information, in addition to the
content notified in b), the personal information subject shall be informed
of the content of personal sensitive information involved;
d) Accurately record and store the public disclosure of personal information,
including the date, scale, purpose, scope of public disclosure;
e) Bear the corresponding responsibility for the damage to the legitimate
rights and interests of the personal information subject as caused by the
public disclosure of personal information;
f) Personal biometric information shall not be publicly disclosed;
g) The analysis results of personal sensitive data such as race, ethnicity,
political views, religious beliefs of our citizens shall not be publicly
information controller shall bear the responsibility for personal information
security caused by the third party.
Note: If, in the course of providing products or services, the personal information
controller deploys a third-party plug-in that collects personal information (for
example, a statistical analysis tool deployed by a website operator, a software
development kit (SDK) embedded in an application, or a call to a map API), and the
third party does not separately obtain the personal information subject's consent
for that collection, then the personal information controller and the third party are
joint personal information controllers for the collection stage.
9.7 Third-party access management
When a personal information controller accesses a thir......
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.