Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards Personal health information code which is composed of:
——GB/T 38961-2020 Personal health information code - Reference model;
——GB/T 38962-2020 Personal health information code - Data format;
——GB/T 38963-2020 Personal health information code - Application interface.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by the E-government Office of the General Office of the State Council.
This standard is under the jurisdiction of SAC/TC 28 National Technical Committee on Information Technology of Standardization Administration of China.
Introduction
In the process of preventing, controlling and eliminating the hazards of public health emergencies [such as novel coronavirus-infected pneumonia (COVID-19)], it is necessary to collect, store and process personal health information to achieve various management purposes, including:
——quickly obtaining relevant information about personal health;
——statistics of information about an epidemic or disease;
——managing the personnel flow between different regions;
——mutual recognition of health information service levels.
In the process of preventing and controlling the COVID-19 epidemic and resuming work and production since February 2020, the pandemic prevention health information code provided by the national integrated online government service platform (hereinafter referred to as the "integrated platform") and the "PHI-codes" established and used by some provinces (autonomous regions and municipalities), as an important form of personal health information code, have become an effective way to quickly collect, store and process personal health information. In the practical application of personal health information codes, problems such as inconsistent code system composition, inconsistent data formats, and the lack of a data sharing and mutual recognition mechanism have emerged, which restrict the cross-regional flow of personnel and goods. Therefore, from the perspective of both current practice and long-term application requirements, it is necessary to achieve consistent standards for personal health information codes. In addition to the emergency handling of public health emergencies, personal health information codes are also applicable to the management of personal medical treatment, health care and other major public activities.
If the specific matters specified herein are otherwise stipulated by laws and regulations (such as the Cybersecurity Law of the People's Republic of China and the Law of the People's Republic of China on Prevention and Treatment of Infectious Diseases), such provisions shall be complied with.
Personal health information code - Reference model
1 Scope
This standard specifies the composition and structure, code system and presentation form, application system reference model and application requirements of personal health information code.
This standard is applicable to the design, development and system integration of personal health information code related application systems, and may be referred to by other application systems related to authorized release, inquiry and utilization of personal health information.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 2260 Codes for the administrative divisions of the People's Republic of China
GB/T 2659 Codes for the representation of names of countries and regions
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 27766-2011 Two-dimensional barcode - Grid matrix code
GB/T 33560-2017 Information security technology - Cryptographic application identifier criterion specification
GB/T 35273-2020 Information security technology - Personal information security specification
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
GB/T 38962-2020 Personal health information code - Data format
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric identifying information, address, communication and contact information, communication record and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiology information, and transaction information.
Note 2: The information formed by the personal information controller by processing personal information or other information, such as user profiling or features, labels, is regarded as personal information if it can be used to, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person.
[GB/T 35273-2020, Definition 3.1]
3.2
personal health information
personal information related to the health status of an identified or identifiable natural person
3.3
personal information subject
natural person identified by or connected to personal information, i.e., the subject of personal data
Note: It is revised from GB/T 35273-2020, Definition 3.3.
3.4
personal information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of the personal information
[GB/T 35273-2020, Definition 3.4]
3.5
explicit consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information through a written or oral statement, in either electronic or paper form, or making affirmative actions in an initiative manner
[GB/T 35273-2020, Definition 3.6]
3.6
consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information
[GB/T 35273-2020, Definition 3.7]
3.7
cyber trusted identity
CTID
electronic document used to prove a resident's personal identity in cyberspace, which has a one-to-one correspondence with the resident's identity document
3.8
cyber identifier
code issued by the CTID online authentication service system to the CTID application system to identify the resident's personal identity
Note 1: In the same CTID application system, there is a one-to-one correspondence between the cyber identifier and the resident's real identity.
Note 2: The same resident has different cyber identifiers in different CTID application systems.
3.9
personal health information code
PHI-code
sequence of numbers or letters bound to the cyber trusted identity, expressing that the user authorizes other persons or organizations to temporarily access his/her specific personal health information, for which a two-dimensional barcode is usually used as the storage medium
3.10
PHI-code service
service of providing the users who have passed identity authentication with production, distribution and verification of PHI-codes containing specific application authorization information or their corresponding two-dimensional barcodes
3.11
PHI-code application
application software that provides PHI-codes or reads PHI-codes in use
Example: "PHI-code of XX Province" and "PHI-code of XX City".
3.12
personal health information service
service of, under the premise of user authorization, providing personal health information declared by individuals voluntarily or legally owned by related organizations
3.13
PHI-code application system
generic term for software and hardware systems that support the collection, query and use of personal health information, generally consisting of PHI-code service, PHI-code application, and personal health information service
3.14
personal health information list
summary result formed via cleaning and processing to comprehensively reflect the personal health status, which is generally provided to superior department for collection and use
4 Composition of PHI-code
4.1 Structure of PHI-code
PHI-code consists of numbers and/or letters, and its structure is shown in Figure 1.
Figure 1 Structure of PHI-code
PHI-code consists of three segments, i.e., A, B and S, as follows:
a) Segment A is the user identity, which is obtained upon real-name and real-person authentication and represents the identity of the personal information subject. CTID data may be used, and the CTID may be used to realize cross-system identity intercommunication and mutual recognition. The first two bytes of the data form a 16-bit big-endian unsigned integer representing the length of Segment A.
b) Segment B is service data, which represents the code type, the code making platform identifier, the code expiration time and the summary of the information subject's authorization record:
1) Part 1 is the length and version: the first two bytes form a 16-bit big-endian unsigned integer representing the length of Segment B, and the last two bytes represent the version number;
2) Part 2 is the code type declaration, consisting of 4 letters or digits, which is uniformly designated as "JKM1" in this standard;
3) Part 3 is the identifier assigned when each PHI-code service is registered in the mutual recognition mechanism; it consists of 6 digits and should use the codes for administrative divisions specified in GB/T 2260;
4) Part 4 is the expiration time (UTC time) of the PHI-code;
5) Part 5 is the summary of the information subject's authorization record. An algorithm meeting the national cryptography administration requirements shall be used for the summary; see the algorithm identified as "1.2.156.10197.1.401" in GB/T 33560-2017.
c) Segment S is the digital signature value over the A+B content. An algorithm meeting the national cryptography administration requirements shall be used for signing; see the algorithm identified as "1.2.156.10197.1.501" in GB/T 33560-2017.
Parts 2 and 3 (code type and platform identifier) of Segment B in the PHI-code are used to prompt the PHI-code processor to accurately identify and route to the PHI-code service that generates the PHI-code, which are the basis of establishing intercommunication and mutual recognition of PHI-codes. The code expiration time may be used to quickly identify expired authorizations.
4.2 Authorization record
The authorization record shall fully express the authorization given by the personal information subject over his/her personal information and its processing methods. The main elements include authorization subject information, authorization validity period, authorized subject information, personal information controller information, and the category or index of the personal information authorized for operation, as detailed in Table 1.
Table 1 Elements of personal information authorization record
| Element name | Short name | Constraint | Description |
|---|---|---|---|
| Authorization subject | SQZT | Mandatory | The individual issuing the authorization, who shall be a subject with full capacity for civil conduct. Sufficient and necessary information shall be provided, such as name, certificate type and number, and nationality |
| Validity period | YXQX | Mandatory | Includes the time when the authorization is issued and the starting and ending time of the validity period of the authorization |
| Authorized subject | BSQZT | Optional | The individual or organization authorized to access or operate the personal information, which shall provide sufficient and necessary identification information. For individuals: name, certificate type and number, nationality, etc.; for organizations: organization name, certificate type and number, etc. |
| Personal information controller | XXKZZ | Optional | The application systems that store and manage the personal information, and their classification information. In certain scenarios there may be default settings |
| Authorized information category | XXLB | Optional | Determined according to the application goal, such as the category or group of personal information. In certain scenarios there may be default settings |
| Authorized information index | XXSY | Optional | Index information needed to query the information, such as personal information subject information and the information identifier; the personal information subject may default to the authorization subject |
| Authorized operation authority | CZQX | Optional | Operations that may be performed on the information obtained, such as read-only, retaining a query voucher, downloading and dumping; read-only by default |
For a PHI-code used for passage, the information authorized for access (whose data format shall conform to GB/T 38962-2020) and the authorized object (not explicitly specified, but generally the inspector at each checkpoint) are already clear, so only the summary information of the authorization subject needs to be recorded. The plaintext of the authorization information is composed of the name, ID number, ID type, etc. of the personal health information subject, concatenated in the form "B1|B2|B3|B4^B5":
a) B1 is the name of the personal health information subject;
b) B2 is the ID number of the personal health information subject;
c) B3 is the ID type code of the personal health information subject, of which the value is shown in Annex A;
d) B4 is the country or region code of the personal health information subject, which shall adopt the "three-letter code" specified in GB/T 2659;
e) B5 is the authorization time of the personal health information subject, which shall be in the format of YYYYMMDDHHMMSS.
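As an added example, not part of this standard, the following Python assembles a PHI-code with the segment layout of 4.1 from the 4.2 authorization plaintext, then parses and checks it the way a scanning end would (code type, registered platform, expiry, signature) and confirms that Part 5 of Segment B matches the record the subject presents. SHA-256 and HMAC-SHA256 (a MAC, not a public-key signature, used only so the example runs with the standard library) stand in for the SM3 digest (OID 1.2.156.10197.1.401) and SM2 signature (OID 1.2.156.10197.1.501) that GB/T 33560-2017 identifies; the example also assumes that each 2-byte length counts the whole segment and that the expiration time is encoded as YYYYMMDDHHMMSS UTC like B5, neither of which the text fixes, and all keys, names and identifiers are constructed sample values (Annex A is not on this page, so the ID type is a placeholder).

```python
import hashlib
import hmac
import struct

# Constructed illustration: SHA-256 / HMAC-SHA256 stand in for the SM3 digest (OID
# 1.2.156.10197.1.401) and SM2 signature (OID 1.2.156.10197.1.501) the standard
# requires via GB/T 33560-2017. Assumed, not fixed by the text: a 2-byte length counts
# the whole segment, and the expiration time is YYYYMMDDHHMMSS UTC (as B5 in 4.2).
CODE_TYPE = b"JKM1"
VERSION = 1
BODY_LEN = 4 + 6 + 14 + 32  # code type + platform id + expiry + digest

def authorization_plaintext(name, id_number, id_type, country, auth_time):
    """Authorization plaintext of 4.2: 'B1|B2|B3|B4^B5'."""
    return "|".join([name, id_number, id_type, country]) + "^" + auth_time

def build_phi_code(ctid, auth_plaintext, platform_id, expires_utc, sign_key):
    """Assemble Segment A + Segment B + Segment S as laid out in 4.1."""
    seg_a = struct.pack(">H", 2 + len(ctid)) + ctid
    digest = hashlib.sha256(auth_plaintext.encode("utf-8")).digest()
    body = CODE_TYPE + platform_id.encode() + expires_utc.encode() + digest
    seg_b = struct.pack(">HH", 4 + len(body), VERSION) + body
    seg_s = hmac.new(sign_key, seg_a + seg_b, hashlib.sha256).digest()
    return seg_a + seg_b + seg_s

def parse_phi_code(code):
    """Split a PHI-code into its fields; None if the layout is malformed."""
    len_a = struct.unpack(">H", code[:2])[0] if len(code) >= 2 else 0
    if len_a < 2 or len(code) < len_a + 4:
        return None
    len_b, version = struct.unpack(">HH", code[len_a:len_a + 4])
    if len_b != 4 + BODY_LEN or len(code) < len_a + len_b:
        return None
    body = code[len_a + 4:len_a + len_b]
    return {
        "ctid": code[2:len_a],
        "version": version,
        "code_type": body[:4],
        "platform_id": body[4:10].decode("ascii", "replace"),
        "expires_utc": body[10:24].decode("ascii", "replace"),
        "digest": body[24:],
        "signed": code[:len_a + len_b],  # A + B: the content Segment S covers
        "signature": code[len_a + len_b:],
    }

def verify_phi_code(code, sign_key, now_utc, known_platforms):
    """Scanning-end checks before trusting a code: layout/type, platform, expiry, signature."""
    f = parse_phi_code(code)
    if f is None or f["code_type"] != CODE_TYPE:
        return "malformed or unknown code type"
    if f["platform_id"] not in known_platforms:
        return "platform not registered"
    if f["expires_utc"] <= now_utc:  # both YYYYMMDDHHMMSS, so string order works
        return "expired"
    expected = hmac.new(sign_key, f["signed"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, f["signature"]):
        return "bad signature"
    return "ok"

def digest_matches(code, auth_plaintext):
    """Confirm Part 5 of Segment B is the digest of the record the subject shows."""
    f = parse_phi_code(code)
    expected = hashlib.sha256(auth_plaintext.encode("utf-8")).digest()
    return f is not None and hmac.compare_digest(expected, f["digest"])
```

The platform check is what lets the scanning end route a code back to the PHI-code service that issued it, and the expiry check is the quick rejection of stale authorizations that 4.1 describes.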
4.3 Coding and subsequent processing
After the PHI-code is generated, it may be coded into a two-dimensional barcode image according to the corresponding code system in the PHI-code service or PHI-code application. Digital watermarks may be embedded or traceability identifiers may be added in two-dimensional barcode images to enhance the use safety of two-dimensional barcodes.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Composition of PHI-code
4.1 Structure of PHI-code
4.2 Authorization record
4.3 Coding and subsequent processing
5 Code system and presentation form
5.1 PHI-code terminal application
5.2 PHI-code emergency management
6 PHI-code application system reference model
6.1 System composition
6.2 PHI-code use process
6.3 Mutual recognition of PHI-codes
7 PHI-code application requirements
7.1 General
7.2 Identity authentication requirements
7.3 Application interfacing requirements
7.4 Information protection requirements
7.5 Safety requirements
Annex A (Normative) Code sets
Annex B (Informative) Pandemic prevention health information service system scheme for national integrated online government service platform
Annex C (Informative) PHI-code application scenarios
Bibliography
5 Code system and presentation form
5.1 PHI-code terminal application
When a PHI-code is encoded into a barcode image, the two-dimensional barcode code system specified in GB/T 27766-2011, or other mainstream two-dimensional barcode code systems specified in relevant national standards, shall be used.
The PHI-code should adopt the presentation form shown in Figure 2.
[Figure 2 Example of PHI-code display on a mobile terminal. Panels shown: identity information (name, certificate type "Resident Identity Card", certificate number); the two-dimensional barcode with the PHI-code logo ("JKM") at its centre and the prompt "Please show to the other party to scan"; health information self-check ("Health risk level: low", "My health information details"); information declaration entry ("Trip declaration: declared today", "Health check-in: checked in today").]
Figure 2 Example of PHI-code display on a mobile terminal
While the PHI-code two-dimensional barcode is displayed, a text or symbol prompt of the information service level shall be provided at the same time. Entries for masked identity information, personal health information self-check and personal health information declaration should also be provided. Generally, operation prompts and entries for switching operations shall also be provided in the two-dimensional barcode display interface.
Where:
a) the masked identity information shall provide the information necessary for checking the personal login status;
b) when the two-dimensional barcode is presented, the PHI-code application shall add the unified PHI-code logo at the centre of the barcode, and may change the colour of the barcode modules and border according to the information service level;
c) in addition to identifying the information service level by the colour of the barcode modules and frame lines, a clear text or symbol prompt shall also be given;
d) users may view the health information they declared and the status of authorized access, so as to know their own health information service level;
e) the information declaration entry provides the function for users to declare health information (such as body temperature and relevant symptoms) and trip information for themselves or for family members;
f) the unified PHI-code logo shall be clear and distinct, and the proportion of the two-dimensional barcode image area it covers shall be below 10%.
A validity period shall be set for the PHI-code; in the PHI-code application, tapping the two-dimensional barcode image may refresh it manually.
5.2 PHI-code emergency management
When the information subject queries his/her own health information, the two-dimensional barcode may be given different colours according to the queried information and the application needs of different scenarios, so that the health information service level can be identified quickly and inspection and passage efficiency improved. Examples of different colour identifications of the two-dimensional barcode are shown in Figure 3. Other colours may be added under special circumstances.
[Figure 3 Examples of different colouring of two-dimensional barcodes, each with the PHI-code logo ("JKM") at the centre:
Red code (colour value #FB382D);
Yellow code (colour value #FF8F1F);
Green code (colour value #57AC6C).]
Figure 3 Examples of different colouring of two-dimensional barcodes
In addition to the colouring of the two-dimensional barcode, the identification of the health information service level shall also be accompanied by easily recognizable text or symbol prompts.
6 PHI-code application system reference model
6.1 System composition
The PHI-code service shall not directly participate in the processing of personal health information, and shall be clearly distinguished logically from specific personal health information services. The reference model of the PHI-code application system is shown in Figure 4, which gives the integration relationship between the PHI-code service and the various personal health information services.
[Figure 4 Reference model of PHI-code application system. Components: PHI-code application (code-presenting end); PHI-code application (scanning end); PHI-code service, containing the PHI-code engine and the code generation and verification records; XX health information service, holding health information or the list, fed by platform A, platform B and other personal information; identity verification, provided by the unified identity authentication of the integrated platform, the entry-exit identity authentication platform and the CTID platform. Numbered interactions: 1) code generation request; 2) PHI-code; 3) presentation; 4) PHI-code; 5) verification request; 6) query index; 7) personal health information. Other labelled actions: application, declaration, query, real-name and real-person authentication.]
Figure 4 Reference model of PHI-code application system
In Figure 4, the functions and cooperative relationships of the components are as follows:
a) the PHI-code service mainly provides code generation and verification functions, and may also provide the application end with queries of personal authorization usage;
b) the main functional module of the PHI-code service is the PHI-code engine, used to generate and verify PHI-codes; the records of code generation and verification shall be retained for a period of time for query;
c) the personal health information service system is the controller of the personal information, and shall respond to personal health information query requests according to the identity credential or authorization of the personal information subject (the user of the PHI-code application);
d) the personal health information service may adopt a hierarchical management mode; when hierarchical management is adopted, external information services are provided uniformly by the top-level health information list database, and each sub-level platform is responsible for updating and assuring the quality of the health information of personnel in its own region;
e) the personal health information service may establish connections with other personal information controllers and, under the authorization of the personal information subject, query other information by means such as interface calls, as a data source or reference value for this service;
f) application for, presentation and verification of PHI-codes shall be completed through the PHI-code application;
g) trusted user identity authentication shall be carried out before a PHI-code is used, and the scope of identity authentication shall cover all groups that may use personal health information services, including mainland residents, residents of Hong Kong, Macao and Taiwan, overseas Chinese and foreign nationals.
An example of a pandemic prevention health information service system is given in Annex B.