GB/T 35273-2020_English: PDF (GB/T35273-2020)
Standard ID | Contents | USD | Delivery | Standard Title (Description) | Status
GB/T 35273-2020 | English | 405 | 0--9 seconds, auto-delivery | Information security technology -- Personal information security specification | Valid
GB/T 35273-2017 | English | 170 | 0--9 seconds, auto-delivery | Information security technology -- Personal information security specification | Obsolete
Standard ID: GB/T 35273-2020 (GB/T35273-2020)
Description (Translated English): Information security technology -- Personal information security specification
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 34,321
Date of Issue: 2020-03-06
Date of Implementation: 2020-10-01
Older Standard (superseded by this standard): GB/T 35273-2017
Quoted Standard: GB/T 25069-2010
Drafting Organization: China Electronics Standardization Institute, Beijing Information Security Evaluation Center, Yixin Technology Co., Ltd., Sichuan University, Tsinghua University, China Academy of Information and Communications Technology, the First Research Institute of the Ministry of Public Security, China Network Security Review Technology and Certification Center, Shenzhen Tencent Computer System Co., Ltd., Shanghai Institute of International Studies, Alibaba (Beijing) Software Service Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Alibaba Cloud Computing Co., Ltd., Huawei Technologies Co., Ltd., Qiangyun Data Technology Co., Ltd.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): State Administration for Market Regulation, National Standardization Administration
Summary: This standard specifies the principles and security requirements for personal information processing activities such as collection, storage, use, sharing, transfer, public disclosure, and deletion. This standard applies to regulating the personal information processing activities of various organizations, and also applies to the supervision, management and evaluation of personal information processing activities by competent regulatory authorities, third-party evaluation agencies and other organizations.

Standard ID: GB/T 35273-2017 (GB/T35273-2017)
Description (Translated English): Information security technology -- Personal information security specification
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 34,395
Date of Issue: 2017-12-29
Date of Implementation: 2018-05-01
Drafting Organization: Beijing Information Security Assessment Center, China Electronics Standardization Institute, Yixin Technology Co., Ltd., Sichuan University, Peking University, Tsinghua University, China Institute of Information Security Research Institute, the First Institute of Public Security, Shanghai Institute of International Studies, Ali Baba (Beijing) Software Services Co., Ltd., Shenzhen Tencent Computer System Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Ali Cloud Computing Co., Ltd., Huawei Technologies Co., Ltd., Strong Yun Data Technology Co., Ltd.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): People's Republic of China General Administration of Quality Supervision, Inspection and Quarantine, China National Standardization Administration
GB/T 35273-2020
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 35273-2017
Information security technology - Personal information security specification
ISSUED ON: MARCH 06, 2020
IMPLEMENTED ON: OCTOBER 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
5.1 Legality of collecting personal information
5.2 Minimum necessary to collect personal information
5.3 Independent choice of multiple business functions
5.4 Consent on collecting personal information
5.5 Personal information protection policy
5.6 Exceptions with authorized consent
6 Storage of personal information
6.1 Minimal storage time of personal information
6.2 De-identification
6.3 Transmission and storage of personal sensitive information
6.4 Personal information controller ceases operations
7 Use of personal information
7.1 Access control measures for personal information
7.2 Restrictions on the display of personal information
7.3 Restrictions on the purpose of using personal information
7.4 Restrictions on the use of user profiling
7.5 Use of personalized displays
7.6 Convergence and fusion of personal information collected for different business purposes
7.7 Use of information system's automatic decision-making mechanism
8 Rights of personal information subjects
8.1 Inquiry of personal information
8.2 Correction of personal information
8.3 Deletion of personal information
8.4 Personal information subject withdraws consent
8.5 Personal information subject cancels account
8.6 Personal information subject obtains a copy of personal information
8.7 Responding to requests from personal information subjects
8.8 Complaint management
9 Entrusted processing, sharing, transfer, public disclosure of personal information
9.1 Entrusted processing
9.2 Sharing and transfer of personal information
9.3 Transfer of personal information during acquisition, merger, reorganization, bankruptcy
9.4 Public disclosure of personal information
9.5 Exceptions to prior consent obtained when sharing, transferring or publicly disclosing personal information
9.6 Joint personal information controller
9.7 Third-party access management
9.8 Cross-border transmission of personal information
10 Handling of personal information security incidents
10.1 Emergency handling and reporting of personal information security incidents
10.2 Notification of security incidents
11 Personal information security management requirements of the organization
11.1 Identify responsible departments and personnel
11.2 Personal information security engineering
11.3 Records for personal information processing activity
11.4 Conduct personal information's security impact assessment
11.5 Data security capabilities
11.6 Personnel management and training
11.7 Security audit
Appendix A (Informative) Examples of personal information
Appendix B (Informative) Determination of personal sensitive information
Appendix C (Informative) Method for realizing self-intention of personal information subject
Appendix D (Informative) Template of personal information protection policy
References
Information security technology - Personal information security specification
1 Scope
This standard specifies the principles and security requirements for carrying out
personal information processing activities such as collection, storage, use,
sharing, transfer, public disclosure, deletion, etc.
This standard is applicable to regulate personal information processing
activities of various organizations, as well as the supervision, management and
evaluation of personal information processing activities by organizations such
as competent regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents are indispensable for the application of this
document. For dated references, only the version with the indicated date
applies to this document; for undated references, the latest version
(including all amendments) applies to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the
following terms and definitions apply to this document.
3.1
Personal information
Various information recorded electronically or in other ways that can identify
the identity of a particular natural person or reflect the activities of a particular
natural person, alone or in combination with other information.
Note 1: Personal information includes name, date of birth, ID number, personal
biometric information, address, communication contact information, communication
records and content, account password, property information, credit information,
whereabouts, accommodation information, health and physiological information,
transaction information, etc.
The act of gaining control of personal information.
Note 1: This includes activities such as being actively provided by personal
information subjects, automatic collection activities such as interacting with
personal information subjects or recording the activities of personal information
subjects, as well as indirectly acquiring personal information through sharing,
transfer, and collection of public information.
Note 2: If the provider of a product or service provides tools for the personal
information subject to use, and the provider itself does not access the personal
information, this does not constitute collection as referred to in this standard.
For example, after offline navigation software obtains the personal information
subject's position information from the terminal, if it does not transmit that
information back to the software provider, this does not constitute collection of
the personal information subject's position information.
3.6
Explicit consent
The personal information subject actively makes a statement, in paper or
electronic form, in writing, orally, etc., or autonomously performs an
affirmative action, to explicitly authorize the specific processing of their
personal information.
Note: Affirmative actions include the personal information subject actively selecting
an option, actively clicking "agree", "register", "send" or "dial", actively filling in or
providing information, etc.
3.7
Consent
Subjects of personal information make specific authorizations for specific
processing of their personal information.
Note: Including authorization through active actions (i.e., explicit consent),
or authorization through negative omissions (e.g., personal information
subjects in the information collection area did not leave the area after being
informed of the information collection behavior).
3.8
User profiling
The process of collecting, aggregating and analyzing personal information,
analyzing or predicting individual characteristics of a specific natural person,
such as occupation, economy, health, education, personal preferences,
credit, behavior, etc., to form its personal characteristic model.
The process of processing personal information so that the personal
information subject cannot be identified or associated, meanwhile the
processed information cannot be recovered.
Note: The information obtained after anonymizing personal information is not
personal information.
3.15
De-identification
The process of technically processing personal information so that the
personal information subject cannot be identified or associated without
the aid of additional information.
Note: De-identification is based on the individual, retains the individual granularity,
uses pseudonyms, encryption, hash functions and other technical means to replace
the identification of personal information.
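The distinction drawn in 3.15 (and in the anonymization definition above it) is easiest to see in code. The following is an added example, not part of the standard: it de-identifies constructed sample records by replacing direct identifiers with a keyed digest, so the controller holding the key (the "additional information") can still link records to a subject while a recipient without the key cannot, and contrasts that with an anonymization step that no key can reverse. The field names, sample values and the choice of HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify the subject (constructed for this example).
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed digest (HMAC-SHA256).

    A keyed function is used rather than a plain hash: ID numbers and phone
    numbers come from small, enumerable spaces, so an unkeyed SHA-256 could be
    reversed simply by hashing every candidate. The key is the "additional
    information" of 3.15 and must be stored apart from the de-identified data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers pseudonymized.

    Non-identifying fields are kept unchanged, so each record still describes
    exactly one individual (individual granularity is retained, as 3.15 notes).
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def deidentify(records: list, key: bytes) -> list:
    return [deidentify_record(r, key) for r in records]


def reidentify(pseudonym: str, candidates: list, key: bytes):
    """Link a pseudonym back to a raw identifier from a list of candidates.

    Only a holder of the key can do this; without it the mapping is not
    recoverable, which is what separates de-identification from renaming.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), pseudonym):
            return candidate
    return None


def anonymize_record(record: dict) -> dict:
    """Anonymization, the stronger notion: drop direct identifiers outright
    and coarsen the quasi-identifier so that no key can bring the subject back.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["birth_year"] = out.pop("birth_date")[:4]
    return out


# Constructed sample records; every value here is fictitious.
SAMPLE_RECORDS = [
    {"name": "Zhang San", "id_number": "110101199001011234",
     "phone": "13800000000", "birth_date": "1990-01-01", "order_total": 120},
    {"name": "Zhang San", "id_number": "110101199001011234",
     "phone": "13800000000", "birth_date": "1990-01-01", "order_total": 45},
    {"name": "Li Si", "id_number": "310101198505052345",
     "phone": "13900000000", "birth_date": "1985-05-05", "order_total": 300},
]


if __name__ == "__main__":
    # The key stays with the controller and is never shipped with the data set.
    key = secrets.token_bytes(32)
    for row in deidentify(SAMPLE_RECORDS, key):
        print(row)
    print(anonymize_record(SAMPLE_RECORDS[0]))
```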
3.16
Personalized display
Based on personal information such as the web browsing history, interests
and hobbies, consumption records and habits of a specific personal
information subject, the activities of displaying information content and
providing search results for goods or services, etc. to the personal
information subject.
3.17
Business function
The type of service that meets the specific use needs of personal information
subjects.
Note: Such as map navigation, online car booking, instant messaging, online
community, online payment, news information, online shopping, express delivery,
transportation ticketing, etc.
4 Basic principles of personal information security
Personal information controllers shall follow the legal, legitimate and necessary
principles for carrying out personal information processing activities, including:
a) Consistent rights and responsibilities - Take technical and other necessary
measures to ensure the security of personal information; take
a) The type of personal information collected shall be directly related to the
realization of the business function of the product or service; direct
association means that without the participation of the above personal
information, the function of the product or service cannot be realized.
b) The frequency of automatically collecting personal information shall be the
minimum frequency necessary to realize the business function of the
product or service.
c) The amount of indirect access to personal information shall be the
minimum amount necessary to realize the business function of the product
or service.
5.3 Independent choice of multiple business functions
When a product or service provides multiple business functions that require the
collection of personal information, the personal information controller shall not
violate the autonomous will of the personal information subject and force the
personal information subject to accept the business function provided by the
product or service and the corresponding personal information collection
request. Requirements for personal information controllers include:
a) The personal information subject shall not be required, by bundling the
various business functions of a product or service, to accept and
authorize at one time the collection of personal information for business
functions that have not been applied for or used.
b) Affirmative actions independently made by the personal information
subject, such as active click, check and fill-in shall be used as the enabling
conditions for specific business functions of products or services. The
personal information controller shall start collecting personal information
only after the personal information subject starts the business function.
c) The way or method of closing or withdrawing the business function shall
be as convenient as the way or method the personal information subject
chooses to use the business function. After the personal information
subject chooses to close or withdraw from a specific business function,
the personal information controller shall stop the collection of personal
information for that business function.
d) If the personal information subject does not authorize the consent to use,
shut down or withdraw from a specific business function, the authorized
consent of the personal information subject shall not be frequently sought.
e) If the personal information subject does not authorize the consent to use,
shut down or withdraw from a specific business function, it shall not
Note 3: When the personal information subject first turns on a product or service,
registers an account, etc., it should actively display the main or core content of the
personal information protection policy to him in the form of a pop-up window, etc.
to help the personal information subject understand the scope and rules for
processing personal information of this product or service, thereby deciding
whether to continue to use the product or service.
5.6 Exceptions with authorized consent
In the following situations, the personal information controller does not need to
obtain the consent of the personal information subject to collect and use
personal information:
a) Relevant to the personal information controller's performance of its
obligations under laws and regulations;
b) Directly related to national security and national defense security;
c) Directly related to public security, public health, major public interests;
d) Directly related to criminal investigation, prosecution, trial and judgment
execution;
e) For the protection of the significant legal rights and interests of the
personal information subject or other individuals, such as life and
property, where it is difficult to obtain consent;
f) The personal information involved is disclosed to the public by the personal
information subject;
g) Necessary to sign and perform the contract according to the requirements
of the personal information subject;
Note: The main function of the personal information protection policy is to disclose
the scope and rules for the collection and use of personal information by the
personal information controller; it should not be regarded as a contract.
h) Collect personal information from legally publicly disclosed information,
such as legal news reports, government information disclosure and other
channels;
i) Necessary to maintain the secure and stable operation of the products or
services provided, such as discovering and handling failures of products
or services;
j) The personal information controller is a news organization, meanwhile it is
necessary to carry out legal news reports;
1) Only store summary information of personal biometric information;
2) Use personal biometric information directly in the collection terminal to
achieve functions such as identity recognition and authentication;
3) When using facial recognition features, fingerprints, palm prints, irises,
etc. to realize identity recognition, authentication and other functions,
delete the original image wherein the personal biometric information
can be extracted.
Note 2: The summary information is usually irreversible and cannot be traced back
to the original information.
Note 3: Except for the situation where the personal information controllers fulfill their
obligations under laws and regulations.
6.4 Personal information controller ceases operations
When the personal information controller stops operating its products or
services, it shall:
a) Stop collecting personal information in time;
b) Notify the personal information subject in the form of one-by-one delivery
or announcement;
c) Delete or anonymize the personal information it holds.
7 Use of personal information
7.1 Access control measures for personal information
Requirements for personal information controllers include:
a) For those authorized to access personal information, a minimum
authorized access control strategy shall be established, so that they can
only access the minimum necessary personal information required for
their duties, meanwhile only have the minimum data operation authority
required to complete their duties;
b) Set up internal approval processes for important operations of personal
information, such as batch modification, copying, downloading and other
important operations;
c) Separately set the roles of security management personnel, data
information can identify the identity of a specific natural person or reflect
the activities of a specific natural person, alone or in combination with
other information, it shall be considered as personal information. It shall
be handled within the scope of the consent obtained when collecting
personal information.
Note 2: If the personal information generated by processing is personal sensitive
information, its processing must meet the requirements for personal sensitive
information.
7.4 Restrictions on the use of user profiling
Requirements for personal information controllers include:
a) The description of the characteristics of the personal information subject
in the user profiling shall not:
1) Contain obscenity, pornography, gambling, superstition, terror or
violence;
2) Express discrimination against ethnicity, race, religion, disability
or disease.
b) When using user profiling in business operations or external business
cooperation, it shall not:
1) Infringe upon the lawful rights and interests of citizens, legal persons
and other organizations;
2) Endanger national security, honor and interests; incite overturning state
power, overthrowing the socialist system; incite to split the country;
undermine national unity; promote terrorism, extremism, national
hatred, ethnic discrimination; spread violent and obscene pornographic
information; make up and disseminate false information to disturb
economic and social order.
c) Except where necessary for the purpose authorized by the personal
information subject, the use of personal information shall avoid clear
identity pointers and precise targeting of specific individuals. For
example, direct user profiling may be used in order to accurately evaluate
personal credit status, whereas indirect user profiling should be used for
the purpose of pushing commercial advertisements.
7.6 Convergence and fusion of personal information collected
for different business purposes
Requirements for personal information controllers include:
a) It shall comply with the requirements of 7.3;
b) It shall, according to the purpose for which personal information is
aggregated and fused, carry out a personal information security impact
assessment and take effective personal information protection measures.
7.7 Use of information system’s automatic decision-making
mechanism
The information system used by the personal information controller's business
operations shall, when it has an automatic decision-making mechanism and
can significantly affect the rights of personal information subjects (for example,
automatic determination of personal credit and loan quotas, or automated
screening for interviewers, etc.):
a) Carry out personal information’s security impact assessment at the
planning and design stage or before the first use; take effective measures
to protect the personal information subject according to the assessment
results;
b) Regularly (at least once a year) conduct a personal information’s security
impact assessment during the use process; improve the measures for
protecting the personal information subject based on the assessment
results;
c) Provide personal information subjects with complaint channels for
automatic decision-making results and support manual review of
automatic decision-making results.
8 Rights of personal information subjects
8.1 Inquiry of personal information
The personal information controller shall provide the personal information
subject with a method to query the following information:
8.6 in a timely manner. It shall, within 30 days or within the time limit
prescribed by laws and regulations, make a response and reasonable
explanation; meanwhile notify the personal information subject of the
resolution of external disputes.
b) If interactive pages (such as websites, mobile Internet applications, client
software, etc.) are used to provide products or services, it should directly
set up convenient interactive pages to provide functions or options, so that
personal information subjects can exercise their rights of access,
correction, deletion, withdrawal of consent, cancellation of accounts, etc.
c) In principle, no fee is charged for reasonable requests; however, for
repeated requests within a certain period of time, a certain cost may be
charged as appropriate.
d) If directly fulfilling the request of the personal information subject requires
high costs or causes other significant difficulties, the personal information
controller shall provide an alternative method to the personal information
subject, to protect the legitimate rights and interests of the personal
information subject.
e) In the following cases, it may not respond to requests from personal
information subjects based on 8.1 ~ 8.6, including:
1) Related to the personal information controller's fulfillment of obligations
under laws and regulations;
2) Directly related to national security and national defense security;
3) Directly related to public security, public health, major public interests;
4) Directly related to criminal investigation, prosecution, trial and
execution of judgments;
5) The personal information controller has sufficient evidence that the
personal information subject is subjectively malicious or abuses his
rights;
6) For the protection of the significant legal rights and interests of the
personal information subject or other individuals, such as life and
property, where it is difficult to obtain his consent;
7) Responding to the request of the personal information subject will result
in serious damage to the legal rights of the personal information subject
or other individuals and organizations;
8) Involving trade secrets.
personal information, it shall promptly feed back to the personal
information controller.
5) No more personal information will be stored when the entrusting
relationship is released.
d) The personal information controller shall supervise the entrusted party, in
a way including but not limited to:
1) Specifying the responsibilities and obligations of the entrusted party
through contracts and other means;
2) Auditing the entrusted party.
e) The personal information controller shall accurately record and store the
entrusted processing of personal information.
f) If the personal information controller learns or finds that the entrusted party
does not process the personal information in accordance with the
entrusted requirements, or fails to effectively fulfill the security protection
responsibility for personal information, it shall immediately request the
entrusted party to stop the relevant actions; take or request the entrusted
party to take effective remedy measures (such as changing passwords,
recovering permissions, disconnecting network connections, etc.) to
control or eliminate the security risks faced by personal information. When
necessary, the personal information controller shall terminate the
business relationship with the entrusted party, meanwhile request the
entrusted party to delete the personal information obtained from the
personal information controller in a timely manner.
9.2 Sharing and transfer of personal information
When personal information controllers share and transfer personal information,
they shall pay full attention to risks. The sharing and transfer of personal
information, not due to acquisition, merger, reorganization, or bankruptcy, shall
meet the following requirements:
a) Conduct a personal information’s security impact assessment in advance;
take effective measures to protect the personal information subject based
on the assessment results.
b) Inform the personal information subject about the purpose of sharing and
transferring personal information, the type of data receiver and possible
consequences; obtain the prior authorization of the personal information
subject. Except for sharing and transferring personal information that has
been de-identified, meanwhile ensuring that the data receiver cannot re-
9.3 Transfer of personal information during acquisition, merger,
reorganization, bankruptcy
When the personal information controller is subject to changes such as
acquisition, merger, reorganization, bankruptcy, etc., the requirements for the
personal information controller include:
a) Inform the personal information subject of the relevant information;
b) The changed personal information controller shall continue to fulfill the
responsibilities and obligations of the original personal information
controller. If the purpose of using personal information is changed, it shall
obtain the explicit consent of the personal information subject again;
c) In the case of bankruptcy where no party takes over, the data shall be deleted.
9.4 Public disclosure of personal information
In principle, personal information shall not be publicly disclosed. When the
personal information controller is authorized by law or has reasonable grounds
for public disclosure, it shall meet the following requirements:
a) Conduct a personal information’s security impact assessment in advance;
take effective measures to protect the personal information subject based
on the assessment results;
b) Inform the personal information subject of the purpose and type of public
disclosure of personal information; obtain the explicit consent of the
personal information subject in advance;
c) Before publicly disclosing personal sensitive information, in addition to the
content notified in b), the personal information subject shall be informed
of the content of personal sensitive information involved;
d) Accurately record and store the public disclosure of personal information,
including the date, scale, purpose, scope of public disclosure;
e) Bear the corresponding responsibility for the damage to the legitimate
rights and interests of the personal information subject as caused by the
public disclosure of personal information;
f) Personal biometric information shall not be publicly disclosed;
g) The analysis results of personal sensitive data such as race, ethnicity,
political views, religious beliefs of our citizens shall not be publicly
information controller shall bear the responsibility for personal information
security caused by the third party.
Note: If the personal information controller deploys a third-party plug-in that collects
personal information in the course of providing products or services (for example,
statistical analysis tools or software development kits (SDKs) deployed by website
operators or in applications, or calls to a map API), and the third party does not
separately obtain the consent of the personal information subject to collect personal
information, then the personal information controller and the third party are joint
personal information controllers at the stage of personal information collection.
9.7 Third-party access management
When a personal information controller accesses a thir......
GB/T 35273-2017
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Personal information security specification
ISSUED ON: DECEMBER 29, 2017
IMPLEMENTED ON: MAY 01, 2018
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
5.1 Legal requirements for collection of personal information
5.2 Requirements for minimizing the collection of personal information
5.3 Authorized consent when collecting personal information
5.4 Exceptions for authorization of consent
5.5 Explicit consent for the collection of personal sensitive information
5.6 Content and release of privacy policy
6 Preservation of personal information
6.1 Minimizing the retention time of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Business suspension of personal data controller
7 Use of personal information
7.1 Control measures for access of personal information
7.2 Display restrictions on personal information
7.3 Restrictions on the use of personal information
7.4 Access to personal information
7.5 Correction of personal information
7.6 Deletion of personal information
7.7 Personal data subject withdraws consent
7.8 Personal data subject cancels account
7.9 Personal data subject obtains a copy of personal information
7.10 Constraint of information system's automatic decision-making
7.11 Responding to requests of personal data subject
7.12 Management of appeal
8 Entrusted processing, sharing, transfer of control, public disclosure of personal information
8.1 Entrusted processing
8.2 Sharing and transfer of control of personal information
8.3 Transfer of control of personal information during acquisition, merger and restructuring
8.4 Public disclosure of personal information
8.5 Exceptions to prior authorization of consent, sharing, transfer of control, public disclosure of personal information
8.6 Common personal data controller
8.7 Cross-border transmission requirements for personal information
9 Handling of personal information security incident
9.1 Emergency response and reporting of security incidents
9.2 Notification of safety incidents
10 Management requirements of organization
10.1 Identify responsible departments and personnel
10.2 Conducting impact assessment of personal information security
10.3 Data security capabilities
10.4 Personnel management and training
10.5 Security audit
Appendix A (Informative) Example of personal information
Appendix B (Informative) Judgement of personal sensitive information
Appendix C (Informative) Method for guaranteeing the right of personal data subject to choose consent
Appendix D (Informative) Template of privacy policy
References
Information security technology -
Personal information security specification
1 Scope
This standard specifies the principles and security requirements for the
processing activities of collection, preservation, use, sharing, transfer, public
disclosure of personal information.
This standard is applicable to regulating the personal information processing
activities of various organizations. It is also applicable to the supervision,
management and evaluation of personal information processing activities by
the competent regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents are essential to the application of this document. For
dated documents, only the version with the indicated date applies to this
document; for undated documents, only the latest version (including all
amendments) applies to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the
following terms and definitions apply to this document.
3.1
Personal information
Various information recorded electronically or otherwise that can identify a
particular natural person or reflect the activity of a particular natural person,
either alone or in combination with other information.
Note 1: Personal information includes name, date of birth, ID number,
personal biometric information, address, communication contact,
communication record and content, account password, property information,
credit information, whereabouts, accommodation information, health
information, transaction information, etc.
software provider, it does not belong to the personal information collection
behavior.
3.6
Explicit consent
The act by which the personal data subject gives a definitive authorization for
the specific processing of its personal information, through a written
statement or by actively taking an affirmative action.
Note: Affirmative actions include the initiative of the personal data subject to
make a statement (electronic or paper form), active check, active click on
“agree”, “register”, “send”, “dial” and so on.
3.7
User profiling
The process of collecting, aggregating and analyzing personal information to
analyze or predict the personal characteristics of a particular natural
person, such as occupation, economic situation, health, education, personal
preferences, credit, behavior, etc., so as to form a personal feature model.
Note: The process of the direct use of personal information of a specific
natural person to form a feature model of the natural person is called a direct
user profiling. The use of personal information derived from other sources
than a specific natural person, such as the data of the group in which it is
located, to form a feature model of the natural person, is called an indirect
user profiling.
3.8
Personal information security impact assessment
For the personal information processing activities, the process of examining
the legal compliance level, determining the various risks that cause damage
to the legitimate rights and interests of the personal data subject, evaluating
the effectiveness of various measures used to protect the personal data
subject.
3.9
Delete
The act of removing personal information from the systems involved in
implementing daily business functions, so that it is kept in a state in which
it cannot be retrieved or accessed.
a) The principle of integration of powers and responsibilities - Undertake the
responsibility for the damage caused by the personal information
processing activities to the legitimate rights and interests of the personal
data subject.
b) The principle of clear purpose - Have the legal, legitimate, necessary, clear
personal information processing purposes.
c) The principle of selective consent - Express the purpose, method, scope,
rules, etc. of personal information processing to the personal data subject,
to solicit authorization and consent.
d) The principle of least sufficiency - Unless otherwise agreed with the
personal data subject, process only the minimum type and amount of
personal information required to satisfy the purpose consented to by the
personal data subject. After the purpose is achieved, delete the personal
information in time according to the agreement.
e) The principle of openness and transparency - Disclose the scope, purpose,
rules, etc. of processing the personal information in a clear, understandable,
reasonable manner and accept external supervision.
f) The principle of ensuring security - Have the security capabilities that
match the security risks faced and take adequate management measures
and techniques, to protect the confidentiality, integrity, availability of
personal information.
g) The principle of subject participation - Provide personal data subjects with
access to, corrections, deletion of their personal information, as well as
withdrawal of consent and cancellation of accounts.
5 Collection of personal information
5.1 Legal requirements for collection of personal information
Requirements for personal data controllers include:
a) It shall not defraud, deceive, or force the personal data subjects to provide
their personal information;
b) It shall not conceal the functionality of the product or service to collect
personal information;
c) It shall not obtain personal information from illegal sources;
d) It shall not collect the personal information that is clearly prohibited by laws
etc. If the personal information processing activities required by the
organization to conduct business exceed the scope of the authorization,
it shall obtain the explicit consent of the personal data subject within a
reasonable period after obtaining the personal information, or before
processing the personal information.
5.4 Exceptions for authorization of consent
In the following cases, the personal data controller may collect and use personal
information without the authorization of the personal data subject:
a) Directly related to national security and national defense security;
b) Directly related to public safety, public health, major public interest;
c) Directly related to criminal investigation, prosecution, trial, execution of
judgments;
d) For the purpose of maintaining the material and legal rights, such as the
life and property, of the personal data subject or other individuals, but it is
difficult to obtain consent;
e) The personal information collected is proactively disclosed by the personal
data subject to the public;
f) Collect personal information from legally publicly disclosed information,
such as legitimate news reports, government information disclosure, etc.;
g) Where it is necessary to sign and fulfill the contract in accordance with the
requirements of the personal data subject;
h) Where it is necessary to maintain the safe and stable operation of the
products or services provided, such as the discovery, disposal of the faults
of products or services;
i) The personal data controller is a news unit and where it is necessary for
legal news reporting;
j) The personal data controller is an academic research institution that
de-identifies the personal information contained in the results when
conducting statistical or academic research for public interest and
providing academic research or description results;
k) Other circumstances as specified by laws and regulations.
include, but are not limited to:
1) The basic situation of the personal data controller, including the
registration name, registered address, common business location,
contact information of the relevant person in charge;
2) The purpose of collecting and using personal information, as well as the
various business functions as covered by the purpose, such as the use
of personal information for pushing commercial advertisements, the use
of personal information for the formation of direct user profiling and their
uses;
3) Personal information collected by each business function, as well as
personal information processing rules such as collection method and
frequency, storage area, storage period, range of actually collected
personal information;
4) The purpose of external sharing, transfer of control, and public
disclosure of personal information, the type of personal information
involved, the type of third party receiving personal information, the
corresponding legal liabilities assumed;
5) Basic principles of personal information security followed, data security
capabilities, personal information security measures taken;
6) The rights and implementation mechanisms of the personal data subject,
such as access methods, correction methods, deletion methods,
methods for canceling accounts, methods for withdrawing consent,
methods for obtaining copies of personal information, methods of
restraining automatic decision-making of information systems, etc.
7) Security risks that may exist after the provision of personal information,
as well as the possible impact of not providing personal information;
8) Channels and mechanisms for handling the inquiry and complaint from
the personal data subject, as well as external dispute resolution
agencies and contact methods.
b) The information notified by the privacy policy shall be true, accurate,
complete;
c) The content of the privacy policy shall be clear and understandable, in line
with common language habits, use standardized figures, diagrams, etc.,
avoid using ambiguous language, provide abstracts at the beginning,
briefly describe the focus of the content;
d) The privacy policy shall be publicly available and easy to access, for
6.4 Business suspension of personal data controller
When a personal data controller ceases to operate its products or services, it
shall:
a) Stop the continued collection of personal information in time;
b) Notify the personal data subject in the form of one-by-one delivery or
announcement;
c) Delete or anonymize the personal information held by it.
7 Use of personal information
7.1 Control measures for access of personal information
Requirements for personal data controllers include:
a) In accordance with the principle of minimum sufficiency, internal data
operators who are authorized to access personal information shall be able
to access only the minimum amount of personal information required for
their duties, and shall hold only the minimum data operation permissions
required to perform their duties;
b) It should set up an internal approval process for important operations of
personal information, such as batch modification, copying, downloading,
etc.;
c) It shall make separate settings for the roles of security administrators, data
operators, and auditors;
d) If, because of work needs, it is necessary to authorize a specific person to
handle personal information beyond their authority, this shall be
examined and approved by the person responsible for personal
information protection or the personal information protection agency, and
recorded;
Note: For the determination of the person responsible for personal
information protection or the organization of personal information
protection, see 10.1.
e) For the access, modification and other behaviors of personal sensitive
information, it should trigger the operation authorization according to the
requirements of the business process on the basis of the authority control
of the role. For example, a complaint handler can access information
copy of the following types of personal information, or directly transmit a copy
of the following personal information to a third party if technically feasible:
a) Personal basic information, personal ID information;
b) Personal health and physiological information, personal education work
information.
7.10 Constraint of information system's automatic decision-making
When making decisions that significantly affect the subject matter of a personal
data subject based solely on the automatic decision-making of the information
system (e.g., determining personal credit and loan quota based on the user
profiling, or using the user profiling for interview screening), the personal data
controller shall provide a method of appeal to the personal data subject.
7.11 Responding to requests of personal data subject
Requirements for personal data controllers include:
a) After verifying the identity of the personal data subject, it shall respond
promptly to the request of the personal data subject as made based on
7.4 ~ 7.10, reply and make reasonable explanation within 30 days or within
the time limit prescribed by laws and regulations, inform the personal data
subject of the route to propose externally the dispute resolution;
b) In principle, it does not charge for the reasonable request. But for a
number of repeated requests within a certain period of time, it may charge
a certain cost as appropriate;
c) If the direct fulfillment of request from the personal data subject requires
high costs or has other significant difficulties, the personal data controller
shall provide other alternative methods to the personal data subject, to
protect the legitimate rights and interests of the personal data subject;
d) In the following circumstances, it may decline to respond to requests from
the personal data subject as made based on 7.4 ~ 7.10, including but not limited to:
1) Directly related to national security and national defense security;
2) Directly related to public safety, public health, and major public interests;
3) Directly related to criminal investigation, prosecution, trial and execution
of judgments;
personal data subject is based on 7.4 ~ 7.10;
4) If the entrusted person is unable to provide sufficient level of security
protection or has a security incident in the process of processing
personal information, it shall promptly feed back to the personal data
controller;
5) Personal information is no longer saved when the entrustment
relationship is lifted.
d) The personal data controller shall supervise the entrusted person by
means of, but not limited to:
1) Specify the responsibilities and obligations of the entrusted person by
means of contracts;
2) Audit the entrusted person.
e) The personal data controller shall accurately record and maintain the
circumstances of the entrusted processing of personal information.
8.2 Sharing and transfer of control of personal information
In principle, personal information shall not be shared, nor shall its control be
transferred. When personal data controllers need to share personal information or
transfer control of it, they shall pay full attention to the risks. Sharing or transferring control of personal
information, other than due to acquisition, merger, or restructuring, shall comply
with the following requirements:
a) Conduct impact assessment of personal information security in advance
and take effective measures to protect the personal data subject based
on the assessment results;
b) Inform the personal data subject of the purpose of sharing, transferring of
control of the personal information, the type of the data recipient, and
obtain the prior authorization from the personal data subject. The
exception is the sharing and transferring of control of the de-identified
personal information, meanwhile ensuring that the data recipient cannot
re-identify the personal data subject;
c) Before sharing and transferring of control of personal sensitive information,
in addition to the content notified in 8.2b), it shall also inform the personal
data subject of the type of personal sensitive information involved, the
identity of the data recipient, the data security capabilities, meanwhile
obtain the explicit consent from the personal data subject in advance;
the content of the personal sensitive information involved;
d) Accurately record and maintain the public disclosure of personal
information, including the date, size, purpose, scope of public disclosure;
e) Bear the corresponding responsibility for causing damage to the legitimate
rights and interests of the personal data subject due to the public
disclosure of personal information;
f) Do not publicly disclose personal biometric information.
8.5 Exceptions to prior authorization of consent, sharing,
transfer of control, public disclosure of personal information
In the following cases, personal data controllers may share, transfer control of,
or publicly disclose personal information without prior authorization from the
personal data subject:
a) Directly related to national security and national defense security;
b) Directly related to public safety, public health, and major public interest;
c) Directly related to criminal investigation, prosecution, trial and execution
of judgments;
d) For the purpose of maintaining the material and legal rights of the personal
data subject or other individuals, but it is difficult to obtain the consent;
e) Personal information that the personal data subject discloses to the public
on its own;
f) Collect personal information from legally publicly disclosed information,
such as legitimate news reports, government information disclosure, other
channels and so on.
8.6 Common personal data controller
When the personal data controller and the third party are joint personal data
controllers (such as the service platform and the contracted merchant on the
platform), the personal data controller shall jointly determine the personal
information security requirements to be met with the third party through contract
or the like, as well as the responsibility and obligation of the individual and the
third party in terms of the personal information security, and shall be clearly
notified to the personal data subject.
a) Establish an impact assessment system for personal information security
and conduct impact assessments of personal information security on a
regular basis (at least once a year).
b) The impact assessment of personal information security shall mainly
assess the situation in which the processing activities follow the basic
principles of personal information security, as well as the impact of
personal information processing activities on the legitimate rights and
interests of personal data subjects, including but not limited to:
1) Whether the collection link of personal information follows the principles
of clear purpose, selective consent, minimum sufficiency;
2) Whether the processing of personal information may adversely affect
the legitimate rights and interests of the personal data subject, including
whether it will endanger personal and property safety, damage personal
reputation and physical and mental health, lead to discriminatory
treatment;
3) The effectiveness of personal information security measures;
4) The risk of re-identifying the personal data subject from the anonymized
or de-identified data set;
5) The possible adverse effects of sharing, transferring of control, publicly
disclosing personal information on the legitimate rights and interests of
the personal data subject;
6) In the event of a security incident, the adverse effect on the legitimate
rights and interests of the personal data subject.
c) In case of new requirements by laws and regulations, significant change
of business models, information systems, operating environments, or the
occurrence of significant personal information security incident, it shall
carry out the impact assessment of personal information security again.
d) Form an impact assessment report of personal information security and
take measures based on this to protect the personal data subject, to
reduce the risk to an acceptable level.
e) Properly retain an impact assessment report of personal information
security, to ensure that it may be accessed by relevant parties and made
public in an appropriate form.
10.3 Data security capabilities
Personal data controllers shall, according to the requirements of relevant
national standards, establish appropriate data security capabilities and
implement necessary management and technical measures, to prevent leakage,
damage, loss of personal information.
10.4 Personnel management and training
Requirements for personal data controllers include:
a) It shall sign a confidentiality agreement with relevant personnel engaged
in personal information processing posts, and conduct background
checks on personnel who have access to large amounts of personal
sensitive information;
b) It shall define the security duties of the internal posts involving personal
information processing, as well as penalty mechanism for security
incidents;
c) It shall request the relevant personnel on the personal information
processing position to continue to perform the confidentiality obligation
when transferring the post or terminating the labor contract;
d) It shall identify the personal information security requirements that external
service personnel who may access personal information shall comply with,
sign a confidentiality agreement with them, carry out supervision;
e) It shall, at regular intervals (at least once a year) or in the event of major
changes in the privacy policy, carry out information security training and
assessment for the relevant personnel in the personal information
processing positions, to ensure that the relevant personnel are proficient in
privacy policies and related procedures.
10.5 Security audit
Requirements for personal data controllers include:
a) It shall audit the privacy policy and related procedures, as well as the
effectiveness of security measures;
b) It shall establish an automated audit system, to monitor and record
personal information processing activities;
c) The records resulting from the audit process shall support the handling of
Appendix B
(Informative)
Judgement of personal sensitive information
Personal sensitive information refers to personal information that, if leaked,
illegally provided or misused, may endanger personal and property safety, may
easily cause damage or discriminatory treatment to personal reputation,
physical and mental health. Usually, the personal information of children under
the age of 14 and the privacy information of natural persons are personal
sensitive information. It may be judged from the following points whether it is
personal sensitive information.
Disclosure: Once the personal information is disclosed, it will cause the
personal data subject and the organizations and institutions that collect and use
the personal information to lose control of the personal information, resulting in
the scope and use of the personal information becoming uncontrollable. Certain personal
information may be directly used against the will of the personal
data subject or be subjected to associated analysis with other information,
which may pose a significant risk to the major interests of the personal data
subject, and such information shall be determined as personal sensitive information. For example,
a copy of the ID card of the personal data subject may be used by others for the
real-name registration of a mobile phone number card, opening a bank account
card, and the like.
Illegal provision: If certain personal information may cause significant risks to
the subject matter of personal data subject due to the spread outside the scope
of ......