Foreword
This document is drafted in accordance with GB/T 1.1-2020, Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Please note that some of the contents of this document may involve patents. The issuing body of this document does not assume responsibility for identifying patents. This document is proposed by and under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
1 Scope
This document specifies the general security requirements, security requirements for data outside the vehicle, cabin data security requirements and management security requirements for the collection and transmission of automobile data by automobile data processors.
This document applies to automobile data processing activities carried out by automobile data processors in the design, production, sales, use, operation and maintenance of automobiles, as well as to the supervision, administration and evaluation of automobile data processing activities by the competent regulatory authorities and third-party evaluation institutions.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies; for undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 35273 Information security technology - Personal information security specification
GB/T 40660 Information security technology - Basic requirements for biometric information protection
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
automobile data
Personal information and important data involved in the design, production, sales, use, operation and maintenance of automobiles.
3.2
personal information
All kinds of information, recorded electronically or by other means, relating to identified or identifiable vehicle owners, drivers, passengers and persons outside the vehicle, excluding anonymized information.
3.3
sensitive personal information
Personal information that, once leaked or illegally used, may lead to discrimination against the vehicle owner, driver, passengers or persons outside the vehicle, or to serious harm to personal or property safety.
Note: Sensitive personal information includes location track, audio, video, image, medical and health, and religious belief information; biometric information such as fingerprints, gait, voiceprint and facial recognition features; personal identity information that can identify a specific individual; bank accounts, authentication information (passwords), financial accounts and other personal property information; and the personal information of minors under the age of 14.
3.4
important data
Data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, the public interest, or the lawful rights and interests of individuals or organizations.
Note: Important data includes the following six categories:
a) geographic information, personnel flow, vehicle flow and other data on important sensitive areas such as military administrative zones, national defense science and industry units, and Party and government organs at or above the county level;
b) vehicle flow, logistics and other data reflecting economic operation;
c) operating data of vehicle charging networks;
d) video and image data outside the vehicle containing face information, license plate information and the like;
e) personal information involving more than 100,000 personal information subjects;
f) other data identified by the relevant departments as potentially endangering national security, the public interest, or the lawful rights and interests of individuals or organizations.
3.5
automobile data processor
Organization that carries out automobile data processing activities, including automobile manufacturers, component and software suppliers, dealers, maintenance organizations and travel service enterprises.
3.6
cabin data
Data that may contain personal information, collected from the vehicle cabin through components such as cameras, infrared sensors, fingerprint sensors and microphones, and data generated by processing it.
4 General security requirements
4.1 The automobile data processor shall process personal information in accordance with the following requirements.
a) All requirements of GB/T 35273 shall be met.
b) Consent shall be obtained from the individual by at least one prominent means. Prominent means include a separate chapter or clause in the user manual, voice playback, a separate pop-up prompt on the on-board display panel, an interaction in the application used with the vehicle, a separate chapter or clause in the vehicle sales agreement, a separate chapter or clause in the maintenance service agreement, or an interaction in the travel service application.
c) The specific circumstances and the necessity of collecting personal information shall be explained to the personal information subject in clear and understandable language.
d) When informing the personal information subject of the retention period of each type of personal information, the period shall be specific and definite, such as 30 days or 1 year. When informing the subject of the storage location of his or her personal information, the location shall be given to the level of the prefecture-level city, and all storage locations shall be disclosed.
e) The personal information subject shall be provided with convenient functions for accessing, copying, deleting and otherwise managing personal information. Where the product or service supports interactive operation, for example through a website, an on-board application or a mobile terminal application, the personal information management functions shall be interactive and their entry point shall be in a prominent position easily noticed by the subject.
4.2 The automobile data processor shall process sensitive personal information in accordance with the following requirements.
a) Separate consent shall be obtained from the personal information subject for each type of sensitive personal information. Consent shall not be obtained for multiple types of sensitive personal information or multiple processing activities at one time.
Note: For example, the automobile data processor needs to process voice data to provide a voice recognition function for the driver. The driver's consent can be obtained through a separate pop-up window for this function, or by having the driver tick a separate option for this function in the notice and consent interface.
b) When obtaining the separate consent of the personal information subject, the consent period for processing sensitive personal information shall not be set to "always allowed" or "permanent".
Note: For example, where the processor needs to process voice data for the voice recognition function, it can, when obtaining separate consent, offer the subject options such as single use, seven days, three months and one year.
c) In order to complete deletion within ten working days of receiving a request to delete personal information, a structured inventory of personal information should in principle be established to support traceability management of personal information.
d) In principle, sensitive personal information shall not be processed for the purposes of improving service quality, enhancing user experience or developing new products.
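The following is an added example, not part of this standard, showing how requirements a) and b) of 4.2 can be enforced in code: a small consent store that records one consent per subject, data type and processing purpose (so consent cannot be bundled), accepts only the bounded validity periods from the note above and rejects "permanent", and checks at processing time that a consent exists, has not expired and, for single-use consent, has not already been consumed. The names ConsentStore, PERIODS and the subject identifier "driver-1" are assumptions made for this example, as are the calendar lengths of the periods.

```python
"""Consent records for sensitive personal information (added example).

One consent per (subject, data type, purpose); bounded validity period;
check at processing time. Hypothetical code, not from the standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Validity options offered to the subject (the note in 4.2 b) lists these
# four). Calendar lengths are an assumption (three months ~= 90 days).
PERIODS = {
    "single_use": timedelta(0),
    "7_days": timedelta(days=7),
    "3_months": timedelta(days=90),
    "1_year": timedelta(days=365),
}


@dataclass
class Consent:
    subject_id: str
    data_type: str   # e.g. "voice", "cabin_video"
    purpose: str     # e.g. "voice_recognition"
    granted_at: datetime
    period: str      # key of PERIODS
    consumed: bool = False


class ConsentStore:
    def __init__(self) -> None:
        self._records: dict[tuple[str, str, str], Consent] = {}

    def grant(self, subject_id: str, data_type: str, purpose: str,
              period: str, now: datetime) -> Consent:
        """Record a separate consent for exactly one data type and purpose."""
        # Bundled consent (several data types behind one tick box) is refused.
        if not isinstance(data_type, str) or not isinstance(purpose, str):
            raise TypeError("one consent covers exactly one data type and one purpose")
        # Open-ended consent is refused: the period must be one of those offered.
        if period not in PERIODS:
            raise ValueError(
                f"consent period must be one of {sorted(PERIODS)}; "
                "'permanent' / 'always allowed' is not permitted")
        rec = Consent(subject_id, data_type, purpose, now, period)
        self._records[(subject_id, data_type, purpose)] = rec
        return rec

    def is_permitted(self, subject_id: str, data_type: str, purpose: str,
                     now: datetime) -> bool:
        """True if processing this data type for this purpose is covered now.

        Single-use consent is consumed by the first permitted check.
        """
        rec = self._records.get((subject_id, data_type, purpose))
        if rec is None:
            return False
        if rec.period == "single_use":
            if rec.consumed:
                return False
            rec.consumed = True
            return True
        return now <= rec.granted_at + PERIODS[rec.period]


def demo() -> dict:
    """Run the scenario from the 4.2 notes and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    store.grant("driver-1", "voice", "voice_recognition", "7_days", now=t0)
    store.grant("driver-1", "voice", "wake_word", "single_use", now=t0)
    out = {
        "voice_day6": store.is_permitted("driver-1", "voice", "voice_recognition", t0 + timedelta(days=6)),
        "voice_day8": store.is_permitted("driver-1", "voice", "voice_recognition", t0 + timedelta(days=8)),
        # consent for voice does not extend to cabin video
        "video_day0": store.is_permitted("driver-1", "cabin_video", "voice_recognition", t0),
        "wake_first": store.is_permitted("driver-1", "voice", "wake_word", t0),
        "wake_second": store.is_permitted("driver-1", "voice", "wake_word", t0),
    }
    try:
        store.grant("driver-1", "cabin_video", "remote_view", "permanent", now=t0)
        out["permanent_rejected"] = False
    except ValueError:
        out["permanent_rejected"] = True
    try:
        store.grant("driver-1", ["voice", "cabin_video"], "assistant", "7_days", now=t0)
        out["bundle_rejected"] = False
    except TypeError:
        out["bundle_rejected"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is deliberately keyed on purpose as well as data type, so that consent given for voice recognition does not silently cover a second processing activity on the same voice data; the validity period is enforced on every processing call rather than only at grant time.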
4.3 Continuous collection of sensitive personal information by the automobile data processor shall meet the following notification requirements.
a) The collection status shall be indicated by a flashing or steadily lit icon on the on-board display panel or by a signal indicator light.
b) When continuously prompting that sensitive personal information is being collected, clear and understandable prompts shall be set according to the type of information.
Note: For example, a camera icon that flashes or stays lit indicates that in-vehicle video data is being collected; a recording icon that flashes or stays lit indicates that in-vehicle voice data is being collected; a tilted triangle (navigation) icon that flashes or stays lit indicates that location data is being collected.
4.4 The automobile data processor shall process biometric information such as face, voiceprint or fingerprint in accordance with the following requirements.
a) It shall assess whether the processing is necessary for the purpose of enhancing driving safety.
Note: Purposes of enhancing driving safety include identity verification and status monitoring of the driver.
b) All requirements of GB/T 40660 shall be met.
4.5 The user rights contact designated by the automobile data processor for personal information protection shall meet the following requirements.
a) The contact shall have professional knowledge of personal information protection and the protection of individual rights.
b) Complaints and reports concerning personal information protection shall be accepted and handled in a timely manner.
c) An accurate and valid name and contact details shall be published externally. Contact details include a telephone number, an email address, a website or an instant messaging platform account; where it is inconvenient to publish a real name, a long-term fixed alias shall be published.
4.6 Personal information involving cabin data, location track data or video and image data outside the vehicle, and personal information involving more than 100,000 personal information subjects, shall be stored by the automobile data processor within the territory of the People's Republic of China in accordance with the law.
4.7 When processing important data, the automobile data processor shall in general carry out further processing only after desensitization; personal information shall be processed only after anonymization or de-identification.
5 Security requirements for data outside the vehicle
5.1 Anonymization of data outside the vehicle by the automobile data processor shall meet the following requirements.
a) Data outside the vehicle shall not be provided outside the vehicle before it has been anonymized.
b) Anonymized video and images shall be irreversible and shall not be associable with the personal information subject. Implementations include the following:
1) Complete deletion: when processing images, an image containing personal information such as a face or license plate is deleted outright; when processing video, all video frames containing personal information such as a face or license plate are deleted;
2) Local contour processing: the regions of the video or image containing personal information such as a face or license plate are completely erased, or replaced with other image content that cannot be associated with the personal information subject and cannot be restored.
c) During anonymization, apart from analyzing and determining the regions containing personal information such as faces and license plates and then deleting or contour-processing those regions, no face comparison, gait analysis, speech recognition or other processing shall be carried out.
d) After anonymization, the process data shall be deleted immediately and shall not be provided outside the vehicle.
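The following is an added example, not part of this standard, implementing the two methods of 5.1 b) on tiny grayscale frames: complete deletion (drop every frame containing a sensitive region) and local contour processing (overwrite the region with a constant so it cannot be restored). It also enforces a) and d): only frames of a dedicated anonymized type can pass the export gate, and the detected regions (process data) live only inside the anonymizing function and are never returned or stored. The detector is a constructed stand-in that boxes bright pixels; a real pipeline would call a face or license-plate detector in its place. The frame values and all function names are assumptions made for this example.

```python
"""Anonymization of image data outside the vehicle before export (added example).

Complete deletion and local contour processing on small grayscale frames,
with an export gate that refuses raw frames. Hypothetical code, not from
the standard; the detector is a stand-in for a face / plate detector.
"""
from dataclasses import dataclass

THRESHOLD = 200  # stand-in for "contains a face / plate": pixel >= THRESHOLD


@dataclass(frozen=True)
class AnonymizedFrame:
    """Only frames of this type may leave the vehicle."""
    pixels: tuple  # tuple of row tuples, immutable


def detect_sensitive_regions(frame, threshold=THRESHOLD):
    """Stand-in detector: one bounding box (y0, x0, y1, x1), half-open,
    around all pixels >= threshold; [] when there are none."""
    coords = [(y, x) for y, row in enumerate(frame)
              for x, v in enumerate(row) if v >= threshold]
    if not coords:
        return []
    ys, xs = zip(*coords)
    return [(min(ys), min(xs), max(ys) + 1, max(xs) + 1)]


def erase_region(frame, box, fill=0):
    """Local contour processing: overwrite the box with a constant.
    The original pixels are not kept anywhere, so the region is unrecoverable."""
    y0, x0, y1, x1 = box
    out = [list(row) for row in frame]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = fill
    return out


def anonymize(frames, mode="contour"):
    """Return AnonymizedFrame objects; mode is "contour" or "delete"."""
    if mode not in ("contour", "delete"):
        raise ValueError("mode must be 'contour' or 'delete'")
    result = []
    for frame in frames:
        boxes = detect_sensitive_regions(frame)   # process data: local scope only
        if boxes and mode == "delete":
            continue                              # complete deletion of the frame
        cleaned = frame
        for box in boxes:                         # erasure only, no comparison or recognition
            cleaned = erase_region(cleaned, box)
        result.append(AnonymizedFrame(tuple(tuple(r) for r in cleaned)))
    return result


def residual_sensitive_pixels(pixels, threshold=THRESHOLD):
    """Post-check: count pixels the detector would still flag."""
    return sum(1 for row in pixels for v in row if v >= threshold)


def export_outside_vehicle(frames):
    """Gate at the vehicle boundary: refuse anything not anonymized, and
    re-check that nothing the detector flags survives."""
    out = []
    for f in frames:
        if not isinstance(f, AnonymizedFrame):
            raise TypeError("raw frame must not be provided outside the vehicle")
        if residual_sensitive_pixels(f.pixels):
            raise ValueError("anonymized frame still contains a flagged region")
        out.append(f.pixels)
    return out


# Constructed sample: frame 0 has a bright 2x2 "face" at rows 1-2, cols 1-2;
# frame 1 contains nothing sensitive.
SAMPLE_FRAMES = [
    [[10, 10, 10, 10],
     [10, 250, 240, 10],
     [10, 230, 255, 10],
     [10, 10, 10, 10]],
    [[10] * 4 for _ in range(4)],
]

if __name__ == "__main__":
    print(export_outside_vehicle(anonymize(SAMPLE_FRAMES, "contour")))
    print(len(anonymize(SAMPLE_FRAMES, "delete")), "frame(s) kept in delete mode")
```

The export gate re-runs the detector on the anonymized output rather than trusting the anonymizer, which catches the common failure where a region is blurred or down-sampled instead of erased and remains recoverable; a constant fill carries no information about the original pixels, which is the property 5.1 b) requires.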
6 Cabin data security requirements
6.1 Except as set by the driver, the vehicle shall by default not collect cabin data, including not switching on the in-vehicle camera, microphone, infrared sensor, fingerprint sensor or other components. Collection shall start only after the driver actively selects it through a physical button or touch button. The vehicle may keep the state selected by the driver or return to the default state, according to the driver's settings.
6.2 The vehicle shall not provide cabin data outside the vehicle, except in the following circumstances.
a) To implement a voice recognition function that judges vehicle control commands in real time, voice command data is processed outside the vehicle with the consent of the personal information subject; once the function has been performed, the original data and processing results are deleted immediately.
b) To implement a remote in-vehicle viewing or cloud storage function, data is provided to the user with the consent of the personal information subject and with security measures in place; no organization or individual other than the user may access it.
c) Road transport vehicles transmit data to the monitoring platform of their transport enterprise, to public management platforms and to regulatory authorities in accordance with the relevant regulations; operating vehicles such as taxis and buses transmit data to regulators.
d) After a road traffic accident, data is transmitted as required by the law enforcement authority.
6.3 The automobile data processor shall provide convenient means of stopping the collection of cabin data, including physical buttons, voice control, touch buttons and applications used with the vehicle. Provided driving safety and personal safety are ensured, once the driver chooses to stop collection the in-vehicle microphone, camera and other components that collect cabin data shall be switched off. To ensure driving safety and personal safety, the relevant components need not be switched off in the following cases:
a) road transport vehicles providing road operation services continuously collect cabin data;
b) buses providing travel services continuously collect cabin data.
7 Management security requirements
7.1 The automobile data processor shall carry out automobile data risk assessment. The assessment generally covers identification of automobile data, identification of processing activities, identification of automobile data security risks, and risk analysis and evaluation; it may take the form of self-assessment or third-party assessment.
7.2 The person in charge of automobile data security management shall be the principal person in charge of automobile data processing or the person in charge of data security, shall be familiar with China's data security and personal information protection policies and regulations, and shall have security management experience.
7.3 The automobile data processor shall establish and improve an emergency response mechanism for security incidents. At least one emergency drill shall be carried out each year, and it is advisable to support evidence collection and analysis after a security incident through mechanisms such as automobile data storage and automobile data traceability.
7.4 The automobile data processor shall accept complaints about automobile data security by telephone or through an instant messaging platform, shall generally handle them within 10 working days of receipt, and shall keep a complete record of the handling process and its results.
7.5 The automobile manufacturer shall have full knowledge of the data collection and transmission of every component in the vehicles it produces, and shall restrict and supervise the processing of automobile data by its component suppliers. Complete information on the transmission of automobile data outside the vehicle shall be disclosed to users every year and whenever there is a major change.
8 Exceptions
Except where necessary, the requirements of this document do not apply to the following data processing activities:
a) data processing activities of police vehicles, fire engines, ambulances and engineering rescue vehicles while performing emergency tasks;
b) automobile data processing activities of operating vehicles fitted with special equipment or appliances while engaged in operations in an enclosed site;
c) automobile data processing activities of test vehicles while carrying out scientific research, type approval testing and similar activities in an enclosed site.