YD/T 3746-2020 PDF English


Standard ID: YD/T 3746-2020
Standard Title (Description): Specification of internet of vehicle information service - User personal information protection
Status: Valid


YD/T3746-2020 (YDT3746-2020): PDF in English

YD/T 3746-2020

NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.020
L 70

Specification of Internet of vehicle information service - User personal information protection

ISSUED ON: AUGUST 31, 2020
IMPLEMENTED ON: OCTOBER 01, 2020

Issued by: Ministry of Industry and Information Technology of the People's Republic of China.

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Basic rules for subscriber personal information protection
5 Overview of subscriber personal information protection
5.1 Object of subscriber personal information protection
5.2 Processing links of subscriber personal information
5.3 Basic idea of subscriber personal information protection
6 Classification requirements for subscriber personal information
6.1 Classification methods for subscriber personal information
6.2 Classification examples for subscriber personal information
7 Grading requirements for subscriber personal information sensitivity
7.1 Grading methods for subscriber personal information sensitivity
7.2 Grading examples for subscriber personal information sensitivity
8 Protection requirements for subscriber personal information security
8.1 Protection requirements for personal general information security
8.2 Protection requirements for personal important information security
8.3 Protection requirements for personal sensitive information security
Bibliography

Specification of Internet of vehicle information service - User personal information protection

1 Scope

This Standard specifies information content classification, sensitivity classification and classification protection requirements for subscriber personal information protection of Internet of vehicle information service.
This Standard is applicable to subscriber personal information protection of automakers, parts and components suppliers, software providers, data content providers and service providers related to Internet of vehicle during the service providing process.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 35273-2020, Information security technology - Personal information security specification

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 subscriber personal information of Internet of vehicle information service

the information - which is collected by automakers, parts and components providers, software providers, data and content providers, and service providers related to the Internet of vehicle industry during the service providing process - that can identify subscribers individually or in combination with other information and involve subscribers' personal privacy

NOTE: After the subscriber's personal information is processed to remove the subscriber's identity and personal privacy attributes, it is not included in the scope of protection of the personal information of the Internet of vehicle information service subscribers specified in this Standard. For example, the scale statistics of the subscription business of the Internet of vehicle information service, etc.
4 Basic rules for subscriber personal information protection

The subscriber personal information protection of Internet of vehicle information service usually shall follow the requirements in GB/T 35273-2020, follow the principles of consistency of rights and responsibilities, clear purpose, selection under consent, enough for use, openness and transparency, safety ensuring, and subject participation, so as to use personal information reasonably.

- Principle of consistency of rights and responsibilities: Take technical and other necessary measures to protect the security of personal information. It shall be liable for the damage caused by its personal information processing activities to the legitimate rights and interests of personal information subjects.
- Principle of clear purpose: It has a legal, legitimate, necessary and clear purpose of personal information processing.
- Principle of selection under consent: Clearly state the purpose, method, scope, rules, etc. of personal information processing to personal information subjects, and seek their authorization and consent.
- Principle of enough for use: Only process the minimum type and amount of personal information necessary to satisfy the purposes for which the personal information subject has authorized and consented to it. After the purpose is achieved, personal information shall be deleted in a timely manner.
- Principle of openness and transparency: Disclose the scope, purpose and rules of processing personal information in a clear, understandable and reasonable manner. Receive external oversight.
- Principle of safety ensuring: It has security capabilities commensurate with the security risks faced. Take adequate management measures and technical means to protect the confidentiality, integrity and availability of personal information.
- Principle of subject participation: Provide personal information subjects with methods to inquire, correct, delete their personal information, as well as withdraw, unify, cancel accounts, and lodge complaints.

processing refers to entrusting the personal information controller of the Internet of vehicle subscribers to a third party to process the personal information of subscribers.

Sharing refers to the process in which a subscriber's personal information controller provides personal information to other controllers, and both parties have independent control over the personal information.

Transfer is the process of transferring control of personal information from one controller to another.

Public disclosure refers to the act of releasing subscriber personal information to the society or unspecified groups of people.

5.3 Basic idea of subscriber personal information protection

This Standard focuses on the classification and grading of subscriber personal information for the protection objects of subscriber personal information. It also puts forward corresponding security requirements around the processing links of the entire life cycle of subscriber personal information protection, so as to reduce the security risks related to the entire life cycle of subscriber personal information on the Internet of vehicle information service. Ensure that the Internet of vehicle information service provider shall standardize the collection, storage, use, entrusted processing, sharing, transfer and disclosure of subscriber personal information involved in the process of providing services, in accordance with the management requirements and technical requirements of the corresponding level.
6 Classification requirements for subscriber personal information

6.1 Classification methods for subscriber personal information

Subscriber personal information refers to the data information closely related to subscribers in the process of Internet of vehicle information service such as data collection and transmission, use and destruction. These data information can identify the personal identity of the Internet of vehicle subscriber to a certain extent or reflect the personal activities of the subscriber.

The subscriber personal information of Internet of vehicle information service is subdivided into three categories: subscriber identification information, subscriber data and service content information of Internet of vehicle information service, and subscriber service-related information.

Subscriber identification information: Refers to the subscriber personal information that is closely related to the subscriber's natural person identity and identification information, the subscriber's virtual identity and authentication information in the process of the Internet of vehicle information service activities.

8 Protection requirements for subscriber personal information security

8.1 Protection requirements for personal general information security

Basic protection requirements for personal general information security: Basic technical and management measures shall be implemented to ensure the security of access control to the personal information of Internet of vehicle subscribers. For example, necessary access control measures shall be implemented for subscribers' personal information.

8.2 Protection requirements for personal important information security

Basic protection requirements for personal important information security: Necessary technical and management measures shall be implemented to protect subscribers' right to know and choose. Protect the confidentiality and integrity of subscribers' personal information.
Ensure the security of access control to subscribers' personal information. Establish subscriber personal information security management specifications. For example, subscribers' consent shall be obtained when collecting and transferring personal information of subscribers. Necessary encryption measures shall be taken during the transmission process of information collection and transfer to ensure the confidentiality and integrity of data. Strict access control measures shall be implemented for information. Strict safety management specifications for each life cycle of subscribers' personal information (including information collection, storage, use, entrusted processing, sharing, transfer, and disclosure) shall be defined. An internal data approval process and system shall be set up.

8.3 Protection requirements for personal sensitive information security

Basic protection requireme.......
Source: https://www.ChineseStandard.net/PDF.aspx/YDT3746-2020