GB/T 41819-2022 Information security technology - Security requirements of face recognition data
1 Scope
This document specifies the general security requirements for face recognition data and the security requirements for specific processing activities such as collection, storage, use, transmission, provision, disclosure and deletion.
This document is applicable to data processors to carry out face recognition data processing activities securely.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 35273 Information security technology - Personal information security specification
GB/T 37988 Information security technology - Data security capability maturity model
GB/T 39335 Information security technology - Guidance for personal information security impact assessment
GB/T 40660 Information security technology - General requirements for biometric information protection
GB/T 41479 Information security technology - Network data processing security requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 35273 and GB/T 40660 and the following apply.
3.1
face image
analog or digital representation of facial information of a natural person
Note: The face images may be collected from devices or obtained through videos, digital photos, etc. The main types include visible light images, non-visible light images (such as infrared images) and three-dimensional images.
3.2
face feature
parameter extracted from face image that reflects the facial information feature of a natural person
3.3
face recognition data
face image or face feature that can identify a natural person
3.4
face recognition data subject
natural person identified by or connected to face recognition data
Note: The face recognition data subject is referred to as data subject for short.
4 General
The face recognition data is mainly used to identify the natural persons, and typically used at airports and railway stations for witness comparison, by mobile intelligent terminals and applications for unlocking, payment and other functions, and in parks and residential areas for verification of the identity of personnel.
5 General security requirements
The general security requirements for the data processors to process face recognition data are as follows:
a) The non-face recognition method shall be preferred if it may be used to achieve the same purpose or meet the same security requirements.
b) The face recognition method shall be used for identity recognition only when it is safer or more convenient than the non-face recognition method; the face recognition and non-face recognition methods shall be provided at the same time for natural persons to choose.
Example: When conducting witness comparison at airports and railway stations, the use of non-face recognition method will lead to a significant decline in the convenience of related services.
c) The natural persons shall not be induced to use face recognition methods, including but not limited to using face recognition method as the preferred or default method of identity recognition and setting up obstacles to make it difficult for natural persons to choose to use non-face recognition methods.
d) After the natural person refuses to use the face recognition method, frequent prompts
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 General
5 General security requirements
6 Collection requirements of face recognition data
7 Storage requirements of face recognition data
8 Use requirements of face recognition data
9 Transmission requirements of face recognition data
10 Provision and disclosure requirements of face recognition data
11 Deletion requirements of face recognition data
Bibliography