
GB/T 41391-2022 English PDF

GB/T 41391-2022: Information security technology - Basic requirements for collecting personal information in mobile internet applications
Status: Valid


Basic data

Standard ID: GB/T 41391-2022 (GB/T41391-2022)
Description (Translated English): Information security technology - Basic requirements for collecting personal information in mobile internet applications
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Word Count Estimation: 50,526
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 41391-2022: Information security technology - Basic requirements for collecting personal information in mobile internet applications


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Released on 2022-04-15; implemented on 2022-11-01
Released by the State Administration for Market Regulation and the National Standardization Management Committee

1 Scope

This document specifies the basic requirements for Apps to collect personal information, and gives the scope and usage requirements of common service types of Apps. This document applies to App operators to regulate their personal information collection activities, and also applies to regulatory authorities, third-party evaluation agencies, etc., to monitor, manage and evaluate App personal information collection activities.

5 App function division

The requirements for the App to collect personal information are closely related to its functions. The basic business functions and extended business functions of the App should be clearly divided according to the following requirements.

a) It should be made clear that the service type of the business function that realizes the user's main purpose of use is the type of the App;

b) When the App type belongs to the common service types given in Appendix A, the basic business functions of the App should be divided according to the corresponding service type in Appendix A;

Note 1. Appendix A gives, in accordance with the "Regulations on the Scope of Necessary Personal Information of Common Types of Mobile Internet Applications", the basic business functions and scope of necessary personal information of Apps of common service types, as well as requirements for the use of necessary personal information. Among them, the basic business functions and the scope of necessary personal information are consistent with the "Regulations on the Scope of Necessary Personal Information of Common Types of Mobile Internet Applications".

c) When the App type does not belong to the common service types given in Appendix A, the business functions that realize the user's main purpose of use shall be divided into the basic business functions of the App, and the business functions other than the basic business functions provided by the App are divided into extended business functions;

Note 2. If the App provides multiple types of services, the service types other than the App type are called "other service types", and the business functions of other service types are extended business functions. For example, if a map navigation App also provides online shopping and online car-hailing services, the business functions of the online shopping and online car-hailing services are all extended business functions.

d) Business functions that are only for the purpose of improving service quality, improving user experience, pushing targeted information, and developing new products should be divided into extended business functions;

e) The business functions provided by external third parties or affiliated companies should be divided into extended business functions, except for the basic business functions of Apps of the common service types given in Appendix A;

f) If there are multiple optional implementation methods for basic business functions, the implementation methods that have a greater impact on the user's personal rights and interests should be classified as extended business functions.

Note 3. A new implementation method of a basic business function arising from technological development can be regarded as an extended business function if it collects more sensitive personal information than the traditional method and has a greater impact on personal rights and interests; it is usually used as an optional replacement for and supplement to the basic business function. For example, new methods of identity identification emerging from the development of biometric technology (such as face recognition, voiceprint recognition, fingerprint recognition, etc.) collect biometric information instead of passwords, and have a greater impact on personal rights and interests.

6 Basic Requirements for Apps to Collect Personal Information

6.1 Minimum necessary collection

App collection of personal information should comply with the following requirements on the basis of meeting the requirements of 5.1 and 5.2 in GB/T 35273-2020.

a) The personal information collected should have a clear, reasonable and specific purpose of processing personal information;

b) The personal information collected shall be limited to the minimum scope necessary to achieve the purpose of processing;

Note 1. The scope usually involves the type, frequency, quantity, precision, etc. of collecting personal information.

c) Personal information should be collected in a way that has the least impact on personal rights;

Note 2. The impact on personal rights and interests is usually related to the sensitivity of personal information. The more sensitive the personal information, the greater the impact of the processing activities on personal rights and interests. See GB/T 39335-2020 for evaluation.

Note 3. When the collection of either general personal information or sensitive personal information can meet the purpose of App services, the collection of general personal information is the method that has less impact on personal rights and interests.

d) The personal information collected shall be directly related to the purpose of processing;

e) The personal information required by the business function should be collected only when the user is using the business function.

Note 4. The period in which a user is using a business function usually starts when the user clicks to trigger the business function or switches to the business function page, covers the user operating the business function in the foreground or the business function providing necessary services in the background, and ends when the purpose of the business function is completed or the user actively closes or exits the business function.

6.2 Necessary personal information

The App should determine the scope of necessary personal information and meet the following requirements.

a) When the App type belongs to the common service types given in Appendix A, the scope of the necessary personal information of the App should be determined according to the corresponding service type in Appendix A, and the use of the necessary personal information shall comply with the requirements of Appendix A;

Note. The scope of necessary personal information in Appendix A mainly refers to the personal information of users on the consumption side, and does not include the personal information of users on the service supply side.

b) When the App type does not belong to the common service types given in Appendix A, the basic business functions and extended business functions shall be divided according to Chapter 5, and the personal information necessary to ensure the normal operation of the basic business functions of the App shall then be determined as necessary personal information;

c) The personal information that users must provide should not exceed the scope of necessary personal information;

d) When the basic business functions of the App can be provided without collecting the user's personal information, it should be ensured that the basic business functions of the App can be used normally when the user does not provide personal information.

6.3 Certain types of personal information

Apps that collect specific types of personal information should meet the requirements of Appendix C.

6.4 Informed Consent

6.4.1 General requirements

The collection of personal information by the App should meet the requirements of 5.3, 5.4, and 5.5 in GB/T 35273-2020, and also meet the following notification and consent requirements.

a) The core content of the personal information protection policy (such as the provided basic business functions, necessary personal information, etc.), remind users to read the personal information protection policy, and obtain the user's express consent;

b) The App's basic business functions, extended business functions, and the scope of necessary personal information should be clearly indicated to users, and necessary and non-essential personal information should be clearly distinguished;

Note 1. "Non-essential personal information" referred to in this document refers to "non-essential but related personal information", see Appendix B.

c) Consent for the necessary personal information and the non-essential personal information of the App should be split;

d) When the user agrees to the collection of the necessary personal information of the App, it should be guaranteed that the user can refuse or withdraw the consent to collect non-essential personal information, and the user should not be refused use of the basic business functions of the App because the user refuses or withdraws consent to provide non-essential personal information;

Note 2. For example, buttons such as "Exit", "Back", "Close" and "Cancel" are provided for users to refuse the collection of personal information.

e) Extended business functions should be enabled by the user's own choice. If the user refuses to use, closes or exits an extended business function, it should not affect the user's use of basic business functions;

Note 3. Opening actions made by the user independently are self-selected opening actions, such as actively clicking, checking, filling in, etc.

f) Users should not be induced or forced to agree to personal information collection requests at one time;

g) When personal information is collected due to laws and regulations, the specific provisions of the laws and regulations on which it is based should be clearly stated, and it should only be used for the purposes stipulated by laws and regulations;

h) The user shall be provided with a query method for the types of personal information that have been collected, and the query should be displayed through an independent interface of the App;

i) For personal information collected in an indirect manner, it is advisable to provide users with a query method for obtaining the source of the personal information.

6.4.2 Sensitive personal information informed consent

Apps that collect sensitive personal information should meet the following notification and consent requirements.

a) When collecting sensitive personal information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts, etc., the user should be synchronously informed of the purpose of collection and use; the description of the purpose should be clear, specific and easy to understand; and the separate consent of the user should be obtained.

b) To collect personal information of minors under the age of 14, special rules for handling personal information should be formulated, which should include but are not limited to:

1) The name and contact information of the App operator;
2) The purpose and method of processing personal information of minors;
3) The types and retention periods of personal information of minors processed;
4) Ways and procedures for users to exercise their personal information rights;
5) Necessity to process personal information of minors;
6) The impact on the personal rights and interests of minors.

c) The collection of personal information of minors under the age of 14 should obtain the separate consent of the minor's parents or other guardians.

6.4.3 Informed Consent for Multiple Service Types

When the App provides multiple types of services, the App shall meet the following notification and consent requirements when collecting personal information.

a) Personal information protection policies should be formulated according to the type of service, clearly stating the purpose, method, scope, etc. of processing personal information for the various services.

Note 1. The personal information protection policy of the various services can be a separate personal information protection policy for each service, or personal information collection and use rules summarized according to the type of service.

b) Consent to process personal information shall be requested from the user according to the type of service.

c) Service types other than the App type should be enabled by the user's own choice. When the user uses such a service for the first time, the personal information processing rules of the service type should be expressed by way of enhanced notification, and the user's express consent obtained.

Note 2. Enhanced notices are usually used to help users understand specific personal information processing rules, using special pages or separate steps that are not easy for users to bypass to inform the user. Refer to the relevant standards on personal information notification and consent for details.

d) If other service types provided by the App belong to the common service types given in Appendix A, the corresponding basic business functions and scope of necessary personal information of the other service types shall be determined according to Appendix A, while meeting the requirements of 6.4.1 d) and e).

6.4.4 User refusal or withdrawal of consent

When the user refuses or withdraws consent to the App's collection of personal information, permission application, or use of business functions, the App should meet the following requirements.

a) The App should not forcibly quit or close.

b) The App should not refuse to provide its basic business functions or affect the use of other unrelated business functions, unless the user refuses to agree to the request for necessary personal information or essential business functions.

c) The App should not interfere with the user's normal use by frequently applying for authorization, unless the user actively triggers a business function that cannot be realized without the personal information or permission. "Frequent" forms include, but are not limited to:

1) In a single scenario, after the user refuses to authorize, the pop-up window prompts the user to open the permission more than once within 48 hours;
2) Whenever the user reopens the App or uses unrelated business functions, the user is asked for authorization again or prompted that the relevant authorization is missing.

6.5 System permissions

6.5.1 Permission application

When applying for permissions that can collect personal information, the App should meet the following requirements.

a) Only declare and apply for the minimum range of system permissions needed to achieve the purpose of the App's service; the App should not apply for system permissions that are not related to the App's business functions;

Note 1. Declaration refers to stating the required system permissions to the operating system in the application manifest file (such as the AndroidManifest.xml file for Android, Info.plist for iOS, etc.).

Note 2. See Appendix D for the scope of permissions that can collect personal information. "Accessible Personal Information" in Table D.1 and Table D.2 shows the scope of personal information that may be accessed through the permission, and "Examples of business functions" in Table D.1 gives examples of business functions that need to apply for permissions.

Note 3. Appendix E gives Android system permissions that are less relevant to common service types.

b) When the user is not using the relevant business functions, the App should not apply in advance for permissions unrelated to the current business functions;

c) When applying for permission, the user should be notified of the purpose of the permission application. The purpose should be clear, specific and easy to understand, without descriptions that deceive, induce or mislead the user into granting authorization;

d) The user should not be required to agree to open multiple system permissions at one time in a bundled manner;

Note 4. A target API level of the Android App lower than 23 (targetSdkVersion < 23) is a common case of bundled authorization.

e) If the operating system supports it, users should be provided with the option of single authorization when the App applies for permissions that collect personal information, such as camera, location, and microphone;

f) If the user refuses or withdraws consent to the system permission authorization, it is advisable to provide the user with an alternative solution that can realize business functions without the system permission.

Note 5. An alternative solution is, for example, that when the user refuses the location permission, the user can still use related services by entering the address manually.

6.5.2 Use of permissions

When using permissions that can collect personal information, the App should meet the following requirements.

a) Without the user's consent, the user's system permissions and business function settings should not be changed.

Note 1. Unauthorized changes include, for example, restoring the user's permissions to collect personal information to the default state without the user's consent after the App is updated, or opening a business function that can collect personal information and that the user has turned off.

b) The frequency of collecting personal information after the permission is authorized should be within the minimum reasonable frequency range necessary to realize the business functions of the App.

c) After the permission is authorized, only the minimum personal information that meets the needs of business functions should be accessed, and personal information that does not need to be sent back to realize the relevant functions should not be sent back to the background server.

Note 2. For example, when reading the address book, if only specific contacts need to be read to realize relevant business functions, all contacts should not be read.

d) If the usage purpose and usage scenarios of the permissions change, the user should be informed again and consent obtained.

e) The personal information and capabilities obtained by the App through permissions should not be provided, without the consent of the user, to third-party Apps connected to the App or to embedded third-party SDKs.

f) The following operations should be actively triggered by the user, and should be performed with the user's knowledge:

1) Perform operations such as making calls and sending text messages;
2) Turn on or off Bluetooth, positioning, wireless LAN, and obtain information about other devices in the wireless LAN;
3) Shooting, audio recording, screen capture, screen recording, etc.;
4) Read and write user text messages, contacts, photo albums and other personal information.

g) To apply for permission to use the device manager, auxiliary functions, notification bar monitoring, floating windows, etc., there should be a clear business function requirement, the purpose of the application should be explained to the user in detail, and the user's separate consent obtained.

Note 3. Permissions such as device manager, auxiliary functions, notification bar monitoring, floating windows, etc. involve the security and user experience of devices, systems, and other Apps. If obtained by malicious Apps, they may violate user privacy or device security. Usually, only a few Apps apply for such permissions in specific scenarios. Applying for such permissions usually requires providing a separate management interface that describes the purpose of the application in detail, with appropriately increased barrier design to avoid user misoperation.

6.6 Third-party collection management 6......
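One way to check a declared Android manifest against 6.5.1 a) and 6.5.1 d) (Note 4), shown as an added example that is not part of the standard or of this page's translation. The sample manifest, the package name and the JUSTIFIED mapping of permissions to business functions are constructed assumptions; the Appendix D and E tables are not reproduced here, so the operator supplies the mapping.

```python
import xml.etree.ElementTree as ET

# Attribute names in the manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real App).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mapnav">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="MapNav"/>
</manifest>
"""

# Hypothetical operator-maintained record: permission -> business function
# that needs it. Anything declared but absent here is reported under 6.5.1 a).
JUSTIFIED = {
    "android.permission.ACCESS_FINE_LOCATION": "positioning and navigation",
    "android.permission.INTERNET": "map data download",
}


def audit_manifest(manifest_xml, justified):
    """Return a list of (clause, message) findings for a text-form manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 6.5.1 d), Note 4: targetSdkVersion < 23 is a common case of bundled
    # authorization. Audit the merged manifest of the built App, since the
    # value is often injected by the build system rather than written by hand.
    sdk = root.find("uses-sdk")
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    if target is None:
        findings.append(("6.5.1 d)", "targetSdkVersion not declared; "
                         "check the merged manifest or build configuration"))
    elif target.isdigit() and int(target) < 23:
        findings.append(("6.5.1 d)", f"targetSdkVersion={target} is lower "
                         "than 23: bundled authorization"))

    # 6.5.1 a): every declared permission needs a related business function.
    declared = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(A + "name")
            if name and name not in declared:
                declared.append(name)
    for name in declared:
        if name not in justified:
            findings.append(("6.5.1 a)", f"{name} is declared but has no "
                             "recorded business function"))
    return findings


if __name__ == "__main__":
    for clause, message in audit_manifest(SAMPLE_MANIFEST, JUSTIFIED):
        print(clause, message)
```

A clean result only shows that the declarations are accounted for; whether each permission is requested at the moment the business function is used (6.5.1 b)) still has to be checked at runtime.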
