
GB/T 41819-2022 PDF English


Standard ID: GB/T 41819-2022
Name of Chinese Standard: Information security technology - Security requirements of face recognition data
Status: Valid




GB/T 41819-2022: PDF in English (GBT 41819-2022)

GB/T 41819-2022
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - Security requirements of face recognition data
ISSUED ON: OCTOBER 12, 2022
IMPLEMENTED ON: MAY 01, 2023
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
5 General security requirements
6 Requirements for face recognition data collection
7 Requirements for face recognition data storage
8 Requirements for the use of face recognition data
9 Requirements for face recognition data transmission
10 Provision and disclosure requirements for face recognition data
11 Requirements for face recognition data deletion
References

Information security technology - Security requirements of face recognition data

1 Scope
This document stipulates the general security requirements for face recognition data, as well as the security requirements for the specific processing activities of collection, storage, use, transmission, provision, disclosure and deletion.
This document is applicable to data processors carrying out face recognition data processing activities securely.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 35273 Information security technology - Personal information security specification
GB/T 37988 Information security technology - Data security capability maturity model
GB/T 39335 Information security technology - Guidance for personal information security impact assessment
GB/T 40660 Information security technology - General requirements for biometric information protection
GB/T 41479 Information security technology - Network data processing security requirements

3 Terms and definitions
The terms and definitions defined in GB/T 35273 and GB/T 40660, as well as the following terms and definitions, apply to this document.
3.1
......

b) Face recognition shall only be used for identity recognition when it is more secure or more convenient than non-face recognition methods. Face recognition and non-face recognition methods shall both be provided at the same time, for the natural person to choose between.
Example: When performing identity verification at airports and train stations, the use of non-face recognition methods would lead to a significant decrease in the convenience of the related services.
c) Natural persons shall not be induced to use face recognition, including but not limited to: making face recognition the preferred or default method of identity recognition, or setting up obstacles that make it difficult for natural persons to choose a non-face recognition method.
d) After a natural person has refused face recognition, frequent prompts (for example, more than one prompt within 48 hours) shall not be made to obtain the natural person's consent to face recognition.
e) The requirements of GB/T 35273, GB/T 40660 and GB/T 41479 shall be met, as well as the requirements that GB/T 37988 specifies for data security capability maturity level 3.
f) Before processing face recognition data, the data processor shall conduct a personal information protection impact assessment itself, or entrust a third-party agency to do so, in accordance with the requirements of GB/T 39335. The assessment covers, but is not limited to:
1) whether the processing complies with the mandatory requirements of laws, administrative regulations and national standards, and with public order and good customs;
2) whether it has a specific purpose and sufficient necessity;
3) whether it meets the accuracy and precision requirements needed to achieve the purpose;
4) whether security protection measures appropriate to the security risks faced are taken, to prevent face recognition data from being leaked, tampered with, lost, damaged, illegally acquired or illegally used;
5) whether measures have been taken to effectively reduce possible damage and adverse effects on the rights and interests of data subjects.
g) The personal information protection impact assessment shall be re-conducted when:
1) the purpose or method of processing face recognition data changes;
2) a security incident (leakage, tampering, loss, damage, illegal acquisition or illegal use of face recognition data) shows that the existing security measures cannot effectively prevent the security risks.
h) If face recognition is used to identify minors under the age of fourteen, the separate consent of their guardians shall be obtained, special personal information protection rules and user agreements for minors shall be set up, and a dedicated person shall be designated as responsible for the protection of minors' personal information.
i) Face recognition data shall not be used to evaluate or predict the data subject, including but not limited to evaluating or predicting the data subject's work performance, economic status, health status, preferences, interests, consumption behaviour or activity trajectories, unless the data subject has agreed separately or in writing.
j) Face images shall not be stored except with the separate consent or written consent of the data subject.
k) The protection requirements for face recognition data shall be set out in the personal information security management system, including but not limited to:
1) management regulations and operating procedures for face recognition data;
2) processing rules for face recognition data;
3) permissions to process face recognition data, and regular security education and training for the relevant personnel;
4) the security protection measures taken to prevent face recognition data from being leaked, tampered with, lost, damaged, illegally acquired or illegally used.
l) A data processor that handles the face recognition data of more than 100,000 people shall set up a dedicated personal information protection agency and appoint personal information protection personnel, conduct security background checks on the personal information protection personnel and key personnel, and make public the contact information of the person in charge of personal information protection.
m) The processing rules for face recognition data shall include but not be limited to:
1) the purpose, method and scope of collecting, using and storing face recognition data, as well as the storage period of face recognition data;
2) the possible damage and adverse effects on the rights and interests of data subjects, and the consequences of refusing to provide the data;

6 Requirements for face recognition data collection
The requirements for data processors collecting face recognition data are as follows.
a) When collecting face recognition data, the data subject shall be informed of the relevant matters, including but not limited to the name and contact information of the data processor, the name and contact information of the person in charge of personal information protection, the processing rules and the basis of necessity, and the separate consent or written consent of the data subject shall be obtained. Face images collected without the separate consent of the data subject shall be deleted immediately, and it shall be ensured that they are irrecoverable;
b) If the data subject does not agree to the collection of face recognition data, the data subject shall not be denied access to basic business functions;
c) Face recognition data shall be collected by measures that require the active cooperation of the data subject; the data subject shall be continuously informed of the purpose of verification during the recognition process, with prompts given to the data subject by voice, text, etc.;
Note: Measures that require the active cooperation of the data subject include requiring the data subject to look directly at the collection device and make eye gazes, specific gestures or expressions, or to pass through a dedicated collection channel marked with text, diagrams, icons or symbols indicating a face recognition application.
d) Only the minimum number and minimum image types of face images required to generate facial features shall be collected;
e) Security measures shall be taken to ensure the authenticity, integrity and consistency of face recognition data, and to prevent face recognition data from being leaked or tampered with during collection.

7 Requirements for face recognition data storage
The requirements for data processors storing face recognition data are as follows.
a) Face recognition data and personal identity information shall be stored separately, using physical or logical isolation;
b) Security measures such as encrypted storage shall be adopted for face recognition data;
c) For information technology products with face recognition capabilities that are personally owned by the data subject, including but not limited to mobile smart terminals and smart home devices, the face recognition data shall be stored on the product itself and shall be deletable by the data subject.

8 Requirements for the use of face recognition data
The requirements for data processors using face recognition data are as follows.
a) The face image used for identification shall be deleted immediately after the face recognition data has been used to identify the natural person;
b) Facial features shall be updatable, irreversible and unlinkable;
Note 1: Updatable means that, when a specific facial feature is leaked or invalidated, a facial feature different from it can be extracted from the same face image. Irreversible means that the corresponding face image cannot be recovered from the facial features. Unlinkable means that there is no correlation between different facial features extracted from the same face image.
c) When both local and remote face recognition are applicable, local face recognition shall be used in preference;
Note 2: Local face recognition is the process of collecting and using face recognition data on the terminal device; all processing of the face recognition data is completed on the terminal device. Remote face recognition is the process of collecting face recognition data on the terminal device and using it on the server side; the face recognition data is processed on the terminal device and on the server side respectively.
d) The use of face recognition data shall be audited.
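The three properties required in 8 b) (updatable, irreversible, unlinkable; the same trio ISO/IEC 24745 calls renewability, irreversibility and unlinkability) are what biometric template protection schemes are built to provide. The following is an added illustration, not code from the standard or from any face recognition product: a key-driven random-projection transform in the style of BioHashing, applied to a constructed stand-in for a face embedding. The feature vectors, keys, dimensions and the 25% acceptance threshold are all assumptions made for the demo. It shows how a per-enrolment key makes a template renewable (new key, unrelated template), why two templates of the same face under different keys look as far apart as two different people, and why the sign-only output discards information about the input. One caveat a practitioner should keep in mind: in this simple scheme irreversibility and unlinkability depend on the key staying secret; if key and template leak together, inversion attacks on BioHashing-style transforms are known, so a production system would pair the key with a secure element or a stronger scheme.

```python
# Added illustration of the template-protection properties in GB/T 41819-2022
# 8 b). Example code, not from the standard; all inputs are constructed.
import hashlib
import random
import secrets
from typing import List

FEATURE_DIM = 32     # toy embedding size (real face embeddings are larger)
TEMPLATE_BITS = 128  # length of the protected template
MAX_DISTANCE = 32    # accept if at most 25% of bits differ (assumed threshold)


def make_feature(seed: int) -> List[float]:
    """Constructed stand-in for a face embedding: a seeded Gaussian vector.
    In practice this would come from a face recognition model."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]


def add_noise(feature: List[float], seed: int, sigma: float = 0.2) -> List[float]:
    """Simulate a fresh capture of the same face: small per-dimension jitter."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in feature]


def _projection_rows(key: bytes) -> List[List[float]]:
    """Derive TEMPLATE_BITS pseudo-random projection directions from the
    per-enrolment key; a different key gives independent directions."""
    seed = int.from_bytes(hashlib.sha256(b"gbt41819-proj|" + key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]


def protect(feature: List[float], key: bytes) -> int:
    """Protected template: one sign bit per projection, packed into an int.
    Only signs survive, so magnitude and most of the input is discarded;
    the map is many-to-one, which is the irreversibility argument."""
    template = 0
    for row in _projection_rows(key):
        dot = sum(a * b for a, b in zip(row, feature))
        template = (template << 1) | (1 if dot >= 0.0 else 0)
    return template


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def enroll(feature: List[float]):
    """Enrolment issues a fresh random key. Re-enrolling the same face after
    a leak yields an unrelated template (updatable); the old key is revoked."""
    key = secrets.token_bytes(16)
    return key, protect(feature, key)


def verify(probe: List[float], key: bytes, template: int,
           max_distance: int = MAX_DISTANCE) -> bool:
    """Compare a new capture against the stored template under the same key."""
    return hamming(protect(probe, key), template) <= max_distance


if __name__ == "__main__":
    alice, bob = make_feature(1), make_feature(2)
    key_a, tmpl_a = enroll(alice)
    print("genuine accepted :", verify(add_noise(alice, 7), key_a, tmpl_a))
    print("impostor rejected:", not verify(bob, key_a, tmpl_a))
    # Updatable: re-enrol Alice with a new key after a suspected leak.
    key_b, tmpl_b = enroll(alice)
    print("new template differs :", tmpl_a != tmpl_b)
    # Unlinkable: same face under different keys is about as far apart
    # (roughly half the bits) as two different people under one key.
    print("cross-key distance   :", hamming(tmpl_a, tmpl_b), "/", TEMPLATE_BITS)
    print("different-person dist:", hamming(tmpl_a, protect(bob, key_a)), "/", TEMPLATE_BITS)
    # Irreversible (magnitude is lost): scaling the feature changes nothing.
    print("scaled input, same template:", protect([2 * x for x in alice], key_a) == tmpl_a)
```

Run stand-alone it prints the six checks; the genuine probe lands within a few bits of its template, while the impostor and the re-keyed template of the same face both sit near the 64-bit midpoint, which is exactly the "no correlation between different facial features extracted from the same face image" wording of Note 1. Storing only the key on the data subject's device and only the template on the server also lines up with 7 a) and 7 c).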
9 Requirements for face recognition data transmission
Data processors shall take measures such as two-way identity authentication, data integrity verification and data encryption to ensure the transmission security of face recognition data.

10 Provision and disclosure requirements for face recognition data
The requirements for data processors providing and disclosing face recognition data are as follows.
a) Face recognition data shall not be disclosed except with the separate consent or written consent of the data subject.
......
 
Source: The above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.