China Issues Draft Guidelines for Identifying Sensitive Personal Information for Comment
Published 21 June 2024
Sarah Xuan
To guide personal information handlers in identifying sensitive personal information and to regulate the processing, export, and protection of such information, the Secretariat of the National Information Security Standardization Technical Committee has developed the Guidelines for Network Security Standards Practice—Guidelines for Identifying Sensitive Personal Information (Draft for Public Consultation) (hereinafter referred to as the “Guidelines”). This has been done in accordance with the Personal Information Protection Law, the Cybersecurity Law, the Data Security Law, and other relevant laws and regulations, as well as by referencing the national standards on security requirements for handling sensitive personal information currently under development. The Guidelines were released on June 11, 2024, for public consultation, with the consultation period ending on June 24, 2024.
The Guidelines propose methods for identifying sensitive personal information and provide examples of common categories and instances of sensitive personal information to assist organizations in defining the scope of sensitive personal information. They also offer a reference for processing, exporting, and protecting sensitive personal information. The key contents of the Guidelines include the following:
1. Identification Methods
For identifying sensitive personal information, the Guidelines use a “definition + enumeration + derivation” approach. Any information meeting any of the following criteria should be identified as sensitive personal information:
1) Personal information should be identified as sensitive if it meets any of the following conditions:a) If the disclosure or illegal use of the personal information is likely to infringe on the dignity of the natural person, such as information regarding specific identities, religious beliefs, sexual orientation, etc., which may lead to discriminatory treatment.b) If the disclosure or illegal use of the personal information is likely to endanger the personal safety of the natural person, such as the disclosure of location tracking information, which may threaten the personal safety of the information subject.c) If the disclosure or illegal use of the personal information is likely to endanger the property safety of the natural person, such as the disclosure of financial account information, which may result in financial losses.2) Enumeration: Identifying collected or generated common sensitive personal information according to the categories and examples of common sensitive personal information (Appendix A of the Guidelines).3) Derivation: Considering both single sensitive personal information identification and the aggregated or fused general personal information, analyzing its potential impact on personal rights if disclosed or illegally used. If it meets the criteria mentioned in the definition, the aggregated or fused personal information should be treated as sensitive personal information for protection purposes.
2. Examples of Common Categories of Sensitive Personal Information
According to the guidelines, examples of common categories of sensitive personal information include the following:
1) Biometric Information: Including genetic, facial, voice, gait, fingerprint, palm print, eye pattern, auricle, iris, etc., which can be used to uniquely identify an individual;2) Religious Belief Information: Involving personal religious beliefs, membership in religious organizations, participation in religious activities, religious positions, and special religious customs;3) Specific Identity Information: Identity information that may affect personal dignity or social evaluation, such as the identity of persons with disabilities, or occupational identities not suitable for public disclosure (e.g., military personnel, police officers).4) Medical and Health Information: Covering an individual’s physical or mental health status, including medical history, physical examination reports, reproductive information, and data collected during medical services;5) Financial Account Information: Including bank, securities, insurance, and other account numbers, passwords, payment identifiers, and details of personal income;6) Location Tracking Information: Involving real-time personal location, GPS vehicle tracking, travel records, reflecting personal activity locations and trajectories;7) Personal Information of Minors under Fourteen Years of Age: Special protection for minors, including all their personal information;8) Other Sensitive Personal Information: Including but not limited to credit information, criminal records, and photos or videos displaying private parts of the body.
Comment
The release and implementation of the Guidelines is of great significance in advancing personal information protection efforts. By clearly defining the methods and categories for identifying sensitive personal information, the Guidelines provide personal information handlers with clear operational guidance, assisting them in adhering to laws and regulations and ensuring information security.
The Guidelines propose methods for identifying sensitive personal information and provide examples of common categories and instances of sensitive personal information to assist organizations in defining the scope of sensitive personal information. They also offer a reference for processing, exporting, and protecting sensitive personal information. The key contents of the Guidelines include the following:
1. Identification Methods
For identifying sensitive personal information, the Guidelines use a “definition + enumeration + derivation” approach. Any information meeting any of the following criteria should be identified as sensitive personal information:
1) Personal information should be identified as sensitive if it meets any of the following conditions:a) If the disclosure or illegal use of the personal information is likely to infringe on the dignity of the natural person, such as information regarding specific identities, religious beliefs, sexual orientation, etc., which may lead to discriminatory treatment.b) If the disclosure or illegal use of the personal information is likely to endanger the personal safety of the natural person, such as the disclosure of location tracking information, which may threaten the personal safety of the information subject.c) If the disclosure or illegal use of the personal information is likely to endanger the property safety of the natural person, such as the disclosure of financial account information, which may result in financial losses.2) Enumeration: Identifying collected or generated common sensitive personal information according to the categories and examples of common sensitive personal information (Appendix A of the Guidelines).3) Derivation: Considering both single sensitive personal information identification and the aggregated or fused general personal information, analyzing its potential impact on personal rights if disclosed or illegally used. If it meets the criteria mentioned in the definition, the aggregated or fused personal information should be treated as sensitive personal information for protection purposes.
2. Examples of Common Categories of Sensitive Personal Information
According to the guidelines, examples of common categories of sensitive personal information include the following:
1) Biometric Information: Including genetic, facial, voice, gait, fingerprint, palm print, eye pattern, auricle, iris, etc., which can be used to uniquely identify an individual;2) Religious Belief Information: Involving personal religious beliefs, membership in religious organizations, participation in religious activities, religious positions, and special religious customs;3) Specific Identity Information: Identity information that may affect personal dignity or social evaluation, such as the identity of persons with disabilities, or occupational identities not suitable for public disclosure (e.g., military personnel, police officers).4) Medical and Health Information: Covering an individual’s physical or mental health status, including medical history, physical examination reports, reproductive information, and data collected during medical services;5) Financial Account Information: Including bank, securities, insurance, and other account numbers, passwords, payment identifiers, and details of personal income;6) Location Tracking Information: Involving real-time personal location, GPS vehicle tracking, travel records, reflecting personal activity locations and trajectories;7) Personal Information of Minors under Fourteen Years of Age: Special protection for minors, including all their personal information;8) Other Sensitive Personal Information: Including but not limited to credit information, criminal records, and photos or videos displaying private parts of the body.
Comment
The release and implementation of the Guidelines is of great significance in advancing personal information protection efforts. By clearly defining the methods and categories for identifying sensitive personal information, the Guidelines provide personal information handlers with clear operational guidance, assisting them in adhering to laws and regulations and ensuring information security.