Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work Part 1: Structure and drafting rules of standardization documents".
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying patents. This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
1 Scope
This document specifies security requirements for the data processing activities of network audio and video services, including collection, storage, use, processing, transmission, provision, disclosure, and deletion.
This document applies to network audio and video service providers in regulating their data processing activities, and may also serve as a reference for regulatory authorities and third-party assessment agencies in supervising, managing, and assessing the data processing activities of network audio and video services.
2 Normative reference documents
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 25069 Information security technology: Terminology
GB/T 35273-2020 Information security technology: Personal information security specification
GB/T 37988 Information security technology: Data security capability maturity model
GB/T 39335 Information security technology: Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology: Basic requirements for collecting personal information in mobile Internet applications (App)
GB/T 41479 Information security technology: Network data processing security requirements
3 Terms and definitions
The terms and definitions given in GB/T 25069 and GB/T 35273-2020, as well as the following, apply to this document.
3.1
Network audio and video service (online audio and video service)
A service that provides the public with the production, publication, and dissemination of audio and video information through network platforms such as websites and applications.
Note 1: Also known as network audio and video information service.
Note 2: Excludes audio and video editing tools, local players, and online live services with instant communication properties (such as online meetings).
3.2
Network audio and video service platform (online audio and video service platform)
An information system that provides network audio and video services (3.1).
3.3
Network audio and video service provider (online audio and video service provider)
An organization or individual that provides network audio and video services (3.1) to the public.
Note 1: In this document, this mainly refers to the owners and managers of network audio and video service platforms.
Note 2: Referred to as "provider" in this document.
4 Abbreviations
The following abbreviations apply to this document.
IoT: Internet of Things
IP: Internet Protocol
5 Overview
5.1 Business components of network audio and video services
Network audio and video services mainly include network audio services, network video services, and network live streaming services. Network audio services provide users with production, publication, and dissemination services for audio content such as music, radio, folk performing arts (quyi), audiobooks, radio dramas, program and event audio, and news audio. Network video services provide users with production, publication, and dissemination services for video information such as short videos, films, TV series, variety entertainment, program and event videos, and news videos. Network live streaming services provide users with publication and dissemination services for real-time audio information, video information, image-and-text information, and other content.
6 Basic requirements
7 Data collection
7.1 Collection of personal information
When collecting personal information, network audio and video service providers shall, in addition to meeting the requirements of 5.1, 5.2, and 5.3 of GB/T 35273-2020, comply with the following requirements.
8 Data storage and transmission
9 Data use and processing
10 Data provision and disclosure
11 Outbound data transfer
Network audio and video service providers that need to provide data outside the country for business purposes shall, in light of their business development and operations, conduct an outbound data transfer risk assessment at least once a year, either by themselves or by entrusting a third-party organization.
12 Rights of personal information subjects
In safeguarding the rights of personal information subjects, network audio and video service providers shall, in addition to complying with the requirements of Chapter 8 of GB/T 35273-2020, comply with the following requirements.
13 Protection of minors
14 Data security requirements for scenarios related to audio and video services
Appendix A (informative) Data processing activities and security risks of network audio and video services
Appendix B (informative) Reference rules for identifying important data and data classification examples for network audio and video services
Appendix C (informative) Scope of personal information collection and use requirements for common extended business functions of network audio and video services
Appendix D (informative) Scope of system permission requests and use requirements for network audio and video service Apps
Bibliography