Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Directives for standardization, Part 1: Rules for the structure and drafting of standardizing documents".
Please note that some of the contents of this document may involve patents. The issuing organization of this document assumes no responsibility for identifying patents. This document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
1 Scope
This document specifies the security requirements for data processing activities of instant messaging services, including collection, storage, transmission, use, processing, provision, disclosure, deletion, and cross-border transfer (data exit).
This document applies to instant messaging service providers for regulating their data processing activities. It may also serve as a reference for regulatory authorities and third-party assessment agencies when supervising, managing, and assessing the data processing activities of instant messaging services.
2 Normative reference documents
The following documents are referred to in the text in such a way that some or all of their content constitutes provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 25069 Information security technology: Glossary
GB/T 35273-2020 Information security technology: Personal information security specification
GB/T 37964 Information security technology: Guide for de-identifying personal information
GB/T 37988 Information security technology: Data security capability maturity model
GB/T 39335 Information security technology: Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology: Basic requirements for collecting personal information in mobile internet applications (Apps)
GB/T 41479 Information security technology: Security requirements for network data processing
3 Terms and definitions
The terms and definitions defined in GB/T 25069 and GB/T 35273-2020, together with the following, apply to this document.
3.1
Instant messaging service
Online real-time interactive service that provides users with the ability to send and receive information (text, images, files, audio and video, links, etc.) through client software or browsers on computers, smart terminals, and other devices.
Note 1: The instant messaging services referred to in this document are mainly the relevant commercial services; services that an organization builds and uses internally are not included.
Note 2: The typical application scenarios of instant messaging services referred to in this document include single chat (direct interaction between two users, users and administrators), group chat (sending and receiving instant messages in a group), chat room (a kind of online real-time conversation space for multiple people), instant messaging-based social networking, community, online customer service, organizational communication, etc.
3.2
Personal instant messaging service (consumer instant messaging service)
Instant messaging service provided to individual users.
4 Abbreviations
The following abbreviations apply to this document:
SDK: Software Development Kit
5 Overview
5.1 Instant messaging service components
6 Basic Requirements
7 Data Collection
8 Data Storage and Transmission
8.1 Data Storage
8.1.1 Personal instant messaging service data storage
9 Data use and processing
9.1 Data Presentation
9.1.1 Personal instant messaging service data presentation
10 Data Provision and Disclosure
11 Data deletion
12 Data exit
13 Personal information subject rights
Appendix A (Informative) Instant Messaging Service Data Processing Activities and Security Risks
Appendix B (Informative) Instant Messaging Service Important Data Identification Reference Rules and Data Classification Examples
Appendix C (Informative) Scope of personal information collected by common extended business functions of personal instant messaging services
Appendix D (Informative) Scope of application and usage requirements for system permissions related to instant messaging service apps
Bibliography