China Releases Cybersecurity Standards Practice Guidelines for Identifying Sensitive Personal Information
Published 26 September 2024
Sarah Xuan
On September 18, 2024, the Secretariat of the National Cybersecurity Standardization Technical Committee released the “Cybersecurity Standards Practice Guidelines — Guidelines for Identifying Sensitive Personal Information” (hereinafter referred to as the “Guidelines”). This document aims to enhance organizations’ capabilities in identifying and protecting sensitive personal information, ensuring compliance with relevant laws and regulations in their daily operations. Below is a brief overview of the Guidelines.
1. Scope of Application
These Guidelines apply to all organizations that handle personal information, regardless of their size. Whether government agencies, businesses, educational institutions, or non-profit organizations, all can utilize these Guidelines to improve their processing capabilities and risk management related to sensitive personal information.
2. Rules for Identifying Sensitive Personal Information
According to the Guidelines, personal information that meets any of the following conditions should be identified as sensitive personal information by the data processor:
1) Harm to Personal Dignity: If the information is leaked or improperly used, it may damage an individual’s reputation, lead to discrimination, or result in other adverse consequences. Examples include “doxxing”, illegal intrusion into online accounts, telecom fraud, damage to personal reputation, and discriminatory treatment.
2) Risk to Personal Safety: For instance, leaking or improperly using an individual’s tracking information could endanger the individual’s personal safety.
3) Risk to Property Safety: For example, leaking or improperly using financial account information could result in financial losses for the individual.
4) Analysis of Overall Attributes: When identifying sensitive personal information, it is essential to analyze the aggregated effect of multiple pieces of general personal information in addition to considering individual pieces. If the overall attributes meet the identification criteria outlined above, the aggregated information should be treated as sensitive personal information for protection.
3. Common Categories of Sensitive Personal Information
Previously, the national standard GB/T 35273 “Information Security Technology - Personal Information Security Specifications” provided examples for determining sensitive personal information in its informative annex. GB/T 35273 clearly defines sensitive personal information as information that, once leaked or improperly used, may infringe upon an individual’s dignity or endanger their personal or property safety. Based on this definition, the Guidelines enumerate common categories of sensitive personal information, refining, adjusting, and modifying the examples provided in GB/T 35273. For instance, religious beliefs and tracking information, previously categorized as “other information” in GB/T 35273, are now listed separately, while “personal identity information” has been adjusted to “specific identity information,” with further details added to the examples of medical health information and financial account information.
It is noteworthy that, compared to the “personal identity information” listed in GB/T 35273, the Guidelines narrow the scope to “specific identity information,” which includes information related to individuals with disabilities and professional identity information that is not suitable for public disclosure. Additionally, photographs of identification cards are categorized as other sensitive personal information. The Guidelines do not mention identification cards, passports, driver’s licenses, work permits, or residence permits referenced in GB/T 35273.
The Guidelines list several common categories of sensitive personal information, including but not limited to:
1) Biometric Information: Such as fingerprints, facial recognition, and voiceprints, which can uniquely identify an individual either on their own or in combination with other information. This specifically includes personal genetic data, facial images, voiceprints, gait, fingerprints, palm prints, iris patterns, and more.
2) Religious Belief Information: Information related to an individual’s religious beliefs and activities. This includes details about the individual’s faith, membership in religious organizations, positions held within those organizations, participation in religious activities, and special religious customs.
3) Specific Identity Information: Such as identity information of individuals with disabilities or professional identity information that may lead to social discrimination.
4) Medical and Health Information: Information related to an individual’s physical or mental harm, diseases, disabilities, disease risks, or privacy. This includes symptoms, medical history, family medical history, infectious disease history, physical examination reports, reproductive information, and data collected during medical services such as medical records, test results, and treatment notes.
5) Financial Account Information: Including bank, securities, fund, insurance, and provident fund account numbers and passwords, joint provident fund accounts, payment account data, and financial transaction details derived from account information.
6) Tracking Information: Geographic location and activity trajectories over specific periods. This includes continuous precise location data, vehicle movement data, and individual activity tracking information.
7) Minor Information: Specifically refers to information about individuals under the age of fourteen.
8) Other Sensitive Information: Other information that may harm personal dignity, property, or personal safety, such as precise location data, identification photographs, sexual orientation, sexual activity, credit information, criminal records, and images or videos depicting sensitive personal areas.
[Comment]
The Guidelines provide a clear framework and operational guidance for identifying sensitive personal information, assisting organizations in better protecting individual privacy and information security in the digital age. Organizations can adopt the following specific measures to ensure compliance and security:
1) Develop and implement internal policies for processing and protecting sensitive personal information, ensuring all employees understand its importance and their legal responsibilities.
2) Conduct regular employee training on identifying and protecting sensitive personal information to ensure the team is well-versed in the core contents of the Guidelines and relevant laws.
3) Conduct comprehensive risk assessments of the organization’s current information processing processes to identify potential sensitive personal information and associated leakage risks, implementing appropriate control measures.
4) Implement technical and management measures, such as data encryption, access control, and anonymization, to enhance the protection of sensitive personal information.
5) Regularly monitor and audit the handling processes of sensitive information to ensure ongoing compliance with the Guidelines and promptly revise relevant policies as needed.