Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009 Directives for standardization - Part 1: Structure and drafting of standards.
Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
Introduction
In recent years, with the rapid development of information technology and the spread of Internet applications, more and more organizations collect and use personal information in large quantities. This has brought convenience to people's lives, but it has also led to the illegal collection, abuse and disclosure of personal information, and personal information security now faces serious threats.
This standard addresses the security problems facing personal information and regulates the conduct of personal data controllers in processing activities such as collection, preservation, use, sharing, transfer of control and public disclosure. Its aim is to curb the illegal collection, abuse and disclosure of personal information so as to protect the legitimate rights and interests of individuals and the public interest to the greatest extent.
Where laws and regulations provide otherwise on specific matters covered by this standard, those laws and regulations prevail.
Information security technology - Personal information security specification
1 Scope
This standard specifies the principles and security requirements to be followed in personal information processing activities such as collection, preservation, use, sharing, transfer of control and public disclosure.
This standard is applicable to the regulation of personal information processing activities of various organizations and also applicable to the supervision, management and evaluation of personal information processing activities by organizations such as competent supervision departments and third-party evaluation agencies.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric identifying information, address, communication and contact information, communication record and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information.
Note 2: See Annex A for the scope and type of personal information.
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, may endanger personal or property safety, or may easily lead to damage to personal reputation or to physical or mental health, or to discriminatory treatment
Note 1: Personal sensitive information includes ID number, personal biometric identifying information, bank account, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information and the personal information of children aged 14 or under.
Note 2: See Annex B for the scope and type of personal sensitive information.
3.3
personal data subject
the natural person identified by personal information
3.4
personal data controller
organization or individual that has the right to determine the purpose, manner, etc. of the processing of the personal information
3.5
collect
act of obtaining control over personal information, whether by direct collection (voluntary provision by the personal data subject, interaction with the personal data subject, or recording of the personal data subject's behavior) or by indirect acquisition (sharing, transfer of control, or collection of publicly available information)
Note: Where a product or service provider supplies tools for the personal data subject to use but does not itself access personal information, this is not collection within the meaning of this standard. For example, offline navigation software that obtains the user's location from the terminal but does not send it back to the software provider is not collecting personal information.
3.6
explicit consent
explicit authorization, given by a personal data subject for specific processing of his or her personal information, through a written statement or a voluntary affirmative action
Note: Affirmative actions include a statement in electronic or paper form, and the personal data subject's voluntary selection of or click on "agree", "register", "send", "dial", etc.
3.7
user profiling
process of forming a model of the personal characteristics of a particular natural person, such as occupation, economic status, health, education, personal preferences, credit and behavior, by analyzing or predicting those characteristics on the basis of collected, aggregated and analyzed personal information
Note: A characteristic model of a natural person formed directly from that person's own personal information is called direct user profiling. A characteristic model formed from personal information other than that person's own, such as data on the group to which the person belongs, is called indirect user profiling.
3.8
personal information security impact assessment
process of checking the lawfulness and compliance of personal information processing activities, judging the risks that those activities pose to the legitimate rights and interests of personal data subjects, and assessing the effectiveness of the measures taken to protect personal data subjects
3.9
delete
act of removing personal information from the systems involved in day-to-day business functions so that it can no longer be retrieved or accessed
3.10
public disclosure
behavior of publishing information to society or an unspecified group of people
3.11
transfer of control
process of transferring the control right over personal information from one controller to another
3.12
sharing
process by which a personal data controller provides personal information to another controller, with each party having independent control over the personal information
3.13
anonymization
technical processing of personal information so that the personal data subject cannot be identified and the processed information cannot be restored
Note: The information obtained from anonymization processing of personal information is not categorized as personal information.
3.14
de-identification
technical processing of personal information so that the personal data subject cannot be identified without additional information
Note: De-identification operates at the level of the individual and retains per-individual granularity; the identifiers in the personal information are replaced by technical means such as pseudonyms, encryption or hash functions.
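The following is an added illustration of the distinction drawn in 3.13 and 3.14; it is not part of the standard and is not code from any named implementation. It de-identifies a small set of constructed, fictitious records with a keyed pseudonym (HMAC-SHA256 under a secret key, which plays the role of the "additional information" that 3.14 refers to), shows that an unkeyed hash of an ID number can be reversed by anyone able to enumerate candidate ID numbers, and contrasts both with anonymization by generalization and aggregation, after which no per-person row exists to restore. The record layout, the sample values and the suppression threshold k are illustrative assumptions.

```python
"""De-identification versus anonymization of a small personal-information
data set. Added illustration; records, layout and k are assumed values."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed, fictitious records in the shape a controller might hold.
RECORDS = [
    {"name": "Zhang San", "id_number": "110101199001011234", "city": "Beijing", "age": 34, "condition": "diabetes"},
    {"name": "Li Si", "id_number": "310101198505052345", "city": "Shanghai", "age": 39, "condition": "asthma"},
    {"name": "Wang Wu", "id_number": "110101199203033456", "city": "Beijing", "age": 32, "condition": "diabetes"},
    {"name": "Zhao Liu", "id_number": "440101197707074567", "city": "Guangzhou", "age": 47, "condition": "hypertension"},
]

DIRECT_IDENTIFIERS = ("name", "id_number")


def pseudonym(id_number: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the ID number under a secret key.
    The key is the 'additional information' of 3.14; without it the
    pseudonym cannot be linked back to the ID number."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key: bytes):
    """De-identification (3.14): drop direct identifiers but keep one row
    per person, carrying a keyed pseudonym so that rows about the same
    person remain linkable for the controller that holds the key."""
    return [
        {"pseudonym": pseudonym(r["id_number"], key),
         **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}}
        for r in records
    ]


def re_identify(de_identified, candidate_ids, key: bytes):
    """Reverse the pseudonyms. This needs both the key and a list of
    candidate ID numbers; returns pseudonym -> id_number (None if no match)."""
    lookup = {pseudonym(i, key): i for i in candidate_ids}
    return {row["pseudonym"]: lookup.get(row["pseudonym"]) for row in de_identified}


def unkeyed_hash_reversal(records, candidate_ids):
    """Why an unkeyed hash is not de-identification in practice: anyone who
    can enumerate plausible ID numbers rebuilds the mapping by hashing each
    candidate and comparing. Returns the recovered ID number per record."""
    hashed = [hashlib.sha256(r["id_number"].encode()).hexdigest() for r in records]
    table = {hashlib.sha256(i.encode()).hexdigest(): i for i in candidate_ids}
    return [table.get(h) for h in hashed]


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(records, k: int = 2):
    """Anonymization (3.13): generalize ages into bands and release only
    group counts, suppressing any group smaller than k. No per-person row
    survives, so the original records cannot be reconstructed."""
    counts = Counter((r["city"], age_band(r["age"]), r["condition"]) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the 'additional information', kept secret
    for row in de_identify(RECORDS, key):
        print("de-identified:", row)
    print("unkeyed hash reversed:", unkeyed_hash_reversal(RECORDS, [r["id_number"] for r in RECORDS]))
    print("anonymized:", anonymize(RECORDS, k=2))
```

The keyed pseudonym keeps the data set usable at individual granularity (the same person always maps to the same token), which is exactly why the output is still personal information under 3.14 and the key must be protected and stored separately. The aggregated output of `anonymize` carries no token or row per person, and small groups are suppressed so that a count of one cannot single out an individual; only that output falls under the note to 3.13.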
4 Basic principles of personal information security
The personal data controller, when conducting personal information processing activities, shall follow the following basic principles:
a) The principle of consistency of rights and responsibilities——bearing responsibility for harm to the legitimate rights and interests of personal data subjects caused by personal information processing activities.
b) The principle of explicit purpose——having a lawful, legitimate, necessary and explicit purpose for processing personal information.
c) The principle of choice and consent——clearly stating the purpose, means, scope and rules of personal information processing to the personal data subject and obtaining his or her authorization and consent.
d) The principle of minimum necessity——unless otherwise agreed with the personal data subject, processing only the minimum types and amount of personal information needed to achieve the purpose authorized and agreed to by the personal data subject, and deleting the personal information promptly, as agreed, once that purpose has been achieved.
e) The principle of openness and transparency——publicly disclosing the scope, purpose and rules of personal information processing in a clear, understandable and reasonable manner, and accepting external supervision.
f) The principle of security assurance——having security capabilities that match the security risks faced, and taking adequate management measures and technical means to protect the confidentiality, integrity and availability of personal information.
g) The principle of subject participation——providing personal data subjects with means to access, correct and delete their personal information, and to withdraw consent or close their accounts.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Personal information collection
5.1 Legality requirements for collecting personal information
5.2 Minimization requirements for collecting personal information
5.3 Authorization and consent for personal information collection
5.4 Exceptions for authorization and consent obtaining
5.5 Explicit consent for personal sensitive information collection
5.6 Content and release of the privacy policy
6 Personal information preservation
6.1 Minimizing the retention time of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Stopping of product/service operation by personal data controller
7 Use of personal information
7.1 Personal information access control measures
7.2 Restrictions on display of personal information
7.3 Restrictions on use of personal information
7.4 Access to personal information
7.5 Correction of personal information
7.6 Deletion of personal information
7.7 Consent withdrawal of personal data subject
7.8 Account closure of personal data subject
7.9 The right of personal data subject to obtain a copy of their personal information
7.10 Constraints on the automatic decisions of information system
7.11 Responding to requests of personal data subjects
7.12 Complaint management
8 Entrusted processing, sharing, transfer of control, and public disclosure of personal information
8.1 Entrusted processing
8.2 Sharing and transfer of control of personal information
8.3 Personal information transfer of control during acquisition, merger and restructuring
8.4 Public disclosure of personal information
8.5 Situations exempted from the acquisition of prior consent for the sharing, transfer of control, and public disclosure of personal information
8.6 Joint personal data controller
8.7 Requirements for the cross-border transfer of personal information
9 Handling of personal information security incident
9.1 Emergency response to and reporting of personal information security incidents
9.2 Notification of security incidents
10 Management requirements of the organization
10.1 Specifying responsible departments and personnel
10.2 Conducting personal information security impact assessment
10.3 Data security capabilities
10.4 Personnel management and training
10.5 Security audit
Annex A (Informative) Example of personal information
Annex B (Informative) Determination of personal sensitive information
Annex C (Informative) Method for guaranteeing personal data subjects' right to choose and consent
Annex D (Informative) Privacy policy template
Bibliography